SAP Security for CISO. Part 7: SAP Risks – Sabotage
I hope you remember the previous article about espionage, because today's topic, as promised, is sabotage attacks on SAP systems.
Traditional IT security deals with Confidentiality, Integrity, and Availability. When talking about SAP systems (especially with C-level executives), these notions transform into Espionage, Sabotage, and Fraud. These risks should concern every top manager.
Having accessed an SAP system, perpetrators are able to exploit DoS vulnerabilities and stop SAP operation. It is a worrisome trend, because such downtime inevitably leads to losses of millions of dollars for companies such as banks or retailers. Reinforcing this point, SAP systems are usually connected with a company's other systems such as plant floor and asset management systems, or even ICS and SCADA devices. Let's look at potential attack vectors and closer examples.
Sabotage in SAP
There are several categories on the basis of what an attack can focus on:
- Product (intentional product quality deterioration / production spoilage)
- Process (significant reduction of service and deliverability)
- Assets (equipment corruption, falsification of health information)
- People (mass casualties or delayed salary payout)
- Finances (tampering with financial reports, manipulation of credit limits)
- Reputation (official websites, technical support service, client compliance violations)
- Data (destruction or encryption of critical data about customers, employees, suppliers, strategy, etc.)
Product: Intentional product quality deterioration
The most widespread sabotage attack vector is product quality disruption. Although producing goods is the primary aim of every manufacturing company, the risk to product quality is definitely underestimated.
Examples of product recalls due to production defects are provided below:
- The FDA recalled a whole production batch of 1200 tracheostomy devices because of three deaths caused by technical problems.
- IKEA had to recall an entire batch of 10000 beds with steel rods, calling it a designer's mistake that had caused physical trauma to kids.
- Toyota was obliged to recall 3 large batches of passenger cars, totaling up to 500000 cars each time, because of wide-ranging construction problems, with airbags, throttle, and other parts of the car not working properly. FDA statistics for the USA show that such recalls occur frequently. The same situation can also be observed with consumer products.
The financial losses caused by different traumas reach about one trillion dollars per year. Even strict quality checks do not prevent production from occasional defects. The same flaws can be introduced intentionally as a sabotage attack against a competitor.
Many manufacturing companies (e.g. Aviation, Aerospace, Automotive, Transportation, and Electronics) use SAP to monitor the production of components. Traditionally, manufacturing, planning, and design processes are managed in enterprise business applications like MES, PLM, or CAD systems. For a successful attack, a cybercriminal needs to get access to these applications and make minor changes in one of them: in CAD during design, in the PLM system during product lifecycle management configuration, or directly in the MES system during manufacturing. The level of MES and PLM integration and automation gives attackers the opportunity to seamlessly propagate modifications to the connected systems.
The article "Car recalls and sabotage in MES systems" gives more examples of this kind. Another good example of the ways hackers modified manufacturing systems to produce drones with defects can be found here.
A simple example illustrates another potential attack vector against automotive companies. What will happen if somebody modifies the melting temperature and time for certain vehicle body components in the PLM system during product lifecycle management configuration, or directly in the MES during manufacturing? The point is that the changes will not yield visible results: the welding seams will look no different. By changing the melting temperature one can cause major changes in the durability of the structure, whereas the visual features remain the same. Of course, this problem may be identified with the help of additional checks. However, in some cases it leads to a car accident. For instance, you drive 120 mph on the highway and the vehicle body cracks. It is an imaginary but vivid illustration; however, I identified a real example: a recall due to suspension bolt failure affected almost 6 million Buick cars in 1981. The financial losses caused only by different traumas are about one trillion dollars per year.
Process: Disruption or significant reduction of service and deliverability
In the retail industry, the weakest link here is SCM (Supply Chain Management). The whole business of such a company is built on process optimization, which is what lets big companies operate on small price margins. What if this system gets stuck? A stalled SCM alone may easily put a company out of business.
For retail, logistics is the key to business optimization and cost reduction. By gaining control over SAP SCM, an attacker could change the information about supplies and thus cause financial losses. Imagine goods being sent to a warehouse that has no empty space, or the information being changed so that these goods never reach their destination because they are incorrectly represented as overloaded.
Assets: Equipment corruption or damage
Let's talk about material resources, and asset management in particular, as another example of data falsification. Big companies manage their assets using EAM (Enterprise Asset Management) systems. A perpetrator who gains access to these systems can modify data about equipment condition in different ways.
For better optimization of business processes, EAM systems are integrated with CBM (Condition Based Maintenance), where the state of the equipment is observed and continually monitored in real time. Deviations from a standard range or tolerance will raise an alarm and trigger recognition of the need to repair or replace devices. By getting access to these systems, a perpetrator can modify data about equipment health. Technically, it is possible to attack the EAM system, the CBM system, or to modify the traffic between them.
An attacker may change the data passing from CBM in such a way that it appears necessary to replace various elements of the facilities. Such an act will therefore force the company to spend money and time on new equipment.
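The CBM-to-EAM traffic tampering described above is exactly what a message authentication code catches. Below is an added example (not code from the original article or from any SAP product): the CBM side signs each reading with HMAC-SHA256, the EAM side verifies before applying tolerance checks, so a reading altered in transit is rejected instead of raising a false "replace equipment" alarm. The shared key, the message layout and the field names are assumptions for illustration.

```python
import hmac
import hashlib
import json

# Assumed pre-shared key between the CBM sensor gateway and the EAM system (constructed).
SHARED_KEY = b"constructed-demo-key-replace-in-production"

# Assumed tolerance bands per measurement; outside these the EAM raises a maintenance alarm.
TOLERANCE = {"bearing_temp_c": (20.0, 85.0), "vibration_mm_s": (0.0, 7.1)}


def _canonical(reading: dict) -> bytes:
    """Canonical JSON so both sides hash exactly the same bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading: dict, key: bytes = SHARED_KEY) -> dict:
    """CBM side: attach an HMAC-SHA256 tag over the reading."""
    tag = hmac.new(key, _canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "mac": tag}


def verify_reading(msg: dict, key: bytes = SHARED_KEY) -> bool:
    """EAM side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, _canonical(msg["reading"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


def evaluate(msg: dict) -> str:
    """'reject' if the MAC fails, 'alarm' if a value is out of tolerance, else 'ok'."""
    if not verify_reading(msg):
        return "reject"
    for name, (lo, hi) in TOLERANCE.items():
        value = msg["reading"].get(name)
        if value is None or not lo <= value <= hi:
            return "alarm"
    return "ok"


if __name__ == "__main__":
    # Constructed reading from a pump, as the CBM gateway would send it.
    genuine = sign_reading({"asset": "PUMP-0417", "bearing_temp_c": 61.5, "vibration_mm_s": 2.3})
    print(evaluate(genuine))  # ok
    # An attacker on the path rewrites the temperature to force a replacement order.
    tampered = {"reading": dict(genuine["reading"], bearing_temp_c=140.0), "mac": genuine["mac"]}
    print(evaluate(tampered))  # reject (not alarm)
```

A MAC alone does not stop replay of an old genuine reading; a timestamp or sequence number inside the signed reading, checked by the EAM side, closes that gap.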
People: Mass casualties or significant health effect
It is well known that industrial networks are more critical than the equipment itself. How is SAP related to this layer? Quite simply, through SAP xMII systems. Such a system has technical connections to facility management systems; therefore, breaking into the EAM system gives a high probability of hacking facility management, SCADA, Smart Home, or Smart Grid systems as well. Access to SAP EAM leads to access to facility management and industrial systems through trust connections. Most of the security measures in these systems focus on a secure perimeter. Being inside makes you a king, since you can change critical parameters. A change of heat or pressure might lead to disaster and even human losses. Are you sure that your IT team implemented appropriate security measures? Do you want to be responsible for a potential breach?
As a rule, technology systems are not secure and are based on obsolete operating systems. The only security measure for them is a firewall that totally isolates them from the corporate network, except for the systems a connection to which is needed for data transfer, like SAP EAM. Connections such as RFC connections, traditionally used to connect SAP with non-SAP systems, can be an attractive target. Even if there is no direct link between the applications, there may be a network connection allowing an attacker to exploit ICS/SCADA vulnerabilities remotely.
People: Delayed Payout
This is an important point about salaries, and I hope you will not use this knowledge for criminal activities. I'm talking about sabotage of HCM systems. Even a simple denial of service attack on this system results in dangerous situations.
On payday, a DoS attack holds up salary payouts. That leads to employee disgruntlement, thereby negatively impacting productivity. Repeating this attack with a certain periodicity could even lead to strikes and bankruptcy.
Vulnerabilities leading to DoS attacks are easy to identify compared to remote control issues. In recent years, DoS vulnerabilities have been found in almost every SAP service. Moreover, a perpetrator can execute some heavy functionality without administrator authorizations, so he or she does not even need a vulnerability to carry out the attack.
Finance: Manipulation with credit limits
Access to any system somehow associated with money creates unlimited opportunities for a hacker. Among the SAP ECC (ERP Central Component) modules there is SD (Sales and Distribution). Having accessed it, an attacker changes the limits for credit operations, thus disabling any limits on credit purchasing with the help of the FD32 or F.34 transactions, which could result in huge money losses.
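Since the transactions that change credit limits are known (FD32 and F.34 above), a defender can monitor change records for them. The following is an added example, not code from the original article or an SAP tool: it runs simple detection logic over a constructed export modelled loosely on SAP change documents and flags limit changes by users outside the credit-management role, large jumps, cleared limits and off-hours changes. The column layout, the KLIMK field name and the user lists are assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (transaction, user, credit account, field, old/new value, time).
# Layout and field name are assumptions modelled on SAP change documents, not a real export.
SAMPLE_EXPORT = """\
tcode,user,credit_account,field,old,new,timestamp
FD32,CREDITMGR1,C0001001,KLIMK,50000,60000,2016-03-01 09:12:00
FD32,SAPADMIN,C0001002,KLIMK,25000,9999999,2016-03-01 23:41:00
F.34,SAPADMIN,C0001003,KLIMK,10000,0,2016-03-01 23:42:00
FD32,CREDITMGR2,C0001004,KLIMK,80000,85000,2016-03-02 10:05:00
F.34,BATCHUSER,C0001005,KLIMK,30000,2000000,2016-03-02 03:15:00
"""

CREDIT_ROLE_USERS = {"CREDITMGR1", "CREDITMGR2"}  # users entitled to change limits (assumed)
CREDIT_TCODES = {"FD32", "F.34"}                   # transactions named in the article
MAX_INCREASE_FACTOR = 2.0                          # anything beyond x2 in one step is reviewed
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59, assumed


def analyse(export_text: str) -> list:
    """Return (credit_account, user, reasons) for each suspicious credit-limit change."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["tcode"] not in CREDIT_TCODES or row["field"] != "KLIMK":
            continue
        old, new = float(row["old"]), float(row["new"])
        hour = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").hour
        reasons = []
        if row["user"] not in CREDIT_ROLE_USERS:
            reasons.append("user outside credit-management role")
        if old > 0 and new / old > MAX_INCREASE_FACTOR:
            reasons.append(f"limit raised x{new / old:.0f}")
        if new == 0 and old > 0:
            reasons.append("limit cleared")
        if hour not in BUSINESS_HOURS:
            reasons.append("change outside business hours")
        if reasons:
            findings.append((row["credit_account"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    for account, user, reasons in analyse(SAMPLE_EXPORT):
        print(account, user, "; ".join(reasons))
```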
Reputation: DoS attacks on public sources
The most notoriously common attack performed to harm a company is a simple DoS. It is worth emphasizing that any cybercriminal is able to launch this attack via the Internet.
Many companies expose their systems to the Internet. These can be SAP SRM or SAP CRM systems, partner or support sites. Sabotage attacks against these systems are widely known. One of the most common exposed systems is SAP Enterprise Portal. Denial of service vulnerabilities in an SAP EP exposed to the Internet can lead to downtime of portal operations. If it is a customer portal, the company may suffer huge monetary and reputational losses. Such an attack was performed against the NVIDIA company in 2014.
SAP Portal is probably the second most vulnerable SAP module after ERP. SAP Portal has about 600 vulnerabilities (in the platform and applications). Some of them can be exploited without any authentication. More serious issues, such as the verb tampering authentication bypass, can also be used to obtain full control of a system and allow critical actions such as creating users, assigning roles, or even executing OS commands.
A Denial of Service attack may be dangerous; however, it is the most easily implemented type of attack. If somebody can gain at least some access to SAP Portal via vulnerabilities, he or she will prefer more serious attacks than simply crashing a service, for example espionage. Different vulnerabilities in SAP Portal can lead to unauthorized access not only to SAP Portal itself but also to the company's internal resources.
SAP Portal is usually accessible online. According to the latest statistics from the SAP Cyber Threat Report, more than 10000 such systems are available online. Using vulnerabilities in a portal, an attacker can escalate his or her privileges on the network in multiple ways, such as through Single Sign-On, SSRF vulnerabilities, or information gathering such as looking for passwords stored in Portal Knowledge Management.
You can't defend your business if you don't know what threats are coming your way. So, I hope this article helped and shed light on the various risks associated with sabotage attacks. That is all for today. Keep reading this series of articles, as you will soon learn about examples of fraud attacks on ERP systems and business applications.