A couple of months ago, we had an emergency meeting with our process control engineers, who were concerned by the announcement of the “Stuxnet” virus, which targeted Siemens PLCs. For those of you who don’t know what a PLC is, it’s essentially a PC used in industrial operations to control machinery on a production line, AC systems, elevators and even amusement park rides, to name a few. Unlike a regular PC with a couple of inputs (mouse/keyboard etc.) and outputs (display), PLCs generally have hundreds of real-time inputs and outputs and often control physical objects like motors, actuators, hydraulics and solenoids. The target of the virus has not been confirmed, but after much speculation it was thought to be targeting Iran’s nuclear power program. In a nutshell, this virus has the ability to change process parameters and possibly cause major havoc. (Imagine overriding the temperature cut-off controls in a reactor.)
Security in general has always been a priority for me, both hardware and software, but certain aspects are not always in the limelight, in this case the ERP platform. Does this make us ignorant? I hope not. We do user audits, external audits, strict quality control on custom code and a host of other quality and security related tasks to ensure that the integrity of, and access to, the system is well controlled. SQL exploits are catered for; cameras in the server rooms, firewalls and policies are in place. But the question should be … is this enough?
Let’s put into context what the general possible exploits are for a company like ours (automotive industry): code vulnerabilities, data theft, trade secrets, malicious damage, financial manipulation and a host of others which could have a crumbling effect. In our line of business we know who our competitors are, we know what products they produce and, since it’s a fairly mature product line, we have a reasonably good idea of what the margins are. Even in a somewhat “exposed” industry, if you took our ERP’s data and gave it to our competitors we would be in serious trouble. Simply having our BOMs siphoned could lead to trade secrets being exposed; formulations and routings could then be used to copy and reproduce the products and compete with us directly. Purchasing data could be used for competition between suppliers, and as a form of insider trading. All by simply “reading” the system. We haven’t even got into a malicious attack scenario yet, where things could go pear-shaped very quickly.
SAP specifically has addressed this potential risk avenue and provided us with products like the SAP VSI (Virus Scan Interface), but how many companies actually use it? The VSI is simply an interface and not a product in itself; it allows companies like Symantec to produce products which have the ability to “scan” the system for potential threats and exploits. But how does a virus scanner scan custom ABAP code if it has nothing to compare it to? How does the scanner know that this SQL UPDATE statement is not maliciously changing code willy-nilly? How does the scanner know that the non-standard open port on the ERP system is for legacy system integration and not for a SQL UPDATE command changing vendors’ payment addresses to somewhere in Nigeria? – Far-fetched, I know ;). Heuristic scanning can potentially pick up unknown viruses, or variations of known ones, based on statistical analysis, but it is also fairly inaccurate when the virus uses unknown code. SAP recently started a “Patch Day” similar to Microsoft’s, where new patches are released on the second Tuesday of each month to combat these new threats.
Even if we do use an AV product and patch the system, what about groups like the Stuxnet crowd, who can fly under the radar for close to a year before being detected, and who are out there watching the “system’s” every move? Coming from an architecture background, and being a bit of a rogue spokesperson for “open architecture”, SOA, ES and various other new-wave technologies, I have started to think about the potential negative impact all this openness has created. Not only is all the openness a potential hole, but so are highly customizable systems like SAP in general. Mobile devices, which I am extremely fond of, are another potential gaping security risk. Since the recent Sybase acquisition, smartphones/mobile have been the hot topic, and moving forward they will be one of the new end users of the enterprise’s data. But aside from logical attacks, don’t forget to think about the physical risks. Consider a SAP HR app running in multitasking mode on an iPhone 4, forgotten in a canteen. The screen is blank, but after some easy investigating some pretty sensitive data is loose. What about the same situation where someone forgets a smartphone at a customer’s site, showing our sales margins? Another great example was the early iPhone 4 debut, thanks to an irresponsible Apple employee.
Getting back to more sinister aspects … past SAP-specific viruses have had their fair share of exposure. The last one (and only one?) I am aware of was in 2002 and went by the names SAP.VSoft.A, SAP.Willi.A and ABAP/Rivpas. This was simply a proof of concept and not even a major threat. You can read more about it in SAP Note 512595 (login required). I am fairly surprised that this is the only well known and well documented virus. Please comment if I am wrong.
So how can we prevent these types of situations? In my opinion, it’s impossible. Why? We don’t have control of the foundation-level systems which ERP platforms interact with and rely on for functionality. Think about the 49 Windows patches due to be released on Tuesday – a new record, by the way. But what we can do is ensure that we have the right (QA) experts and systems in place to mitigate as much risk as possible. We have to work as a team to be responsible architects, admins and developers when evolving and expanding our systems to meet expectations. We also need to do strict source code reviews periodically. Lastly, we need to not cave in to pressure from internal customers insisting that the data they need is a necessity, without putting the right measures in place to ensure its integrity. SAP is also making an effort by providing a host of security guides (login required) which can be reviewed and utilized to reduce the potential risk.
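The point made earlier about scanners having nothing to compare custom ABAP against, and the periodic source code reviews called for here, are easier to see with a concrete check. The Python below is an added example (not SAP’s code, not a VSI product, and not from the original post): a small review script that flags the constructs a reviewer would look at first in custom ABAP. The rule set, the vendor master tables it watches (LFA1/LFB1/LFBK) and the sample report are all assumptions constructed for this example.

```python
import re
# Constructed review rules for custom ABAP as (name, regex, why). The vendor
# master tables named (LFA1/LFB1/LFBK) and the rule set are assumptions here.
RULES = [
    ("native-sql", r"^\s*EXEC\s+SQL\b", "EXEC SQL bypasses Open SQL checks"),
    ("dynamic-where", r"\bWHERE\s*\(\s*\w+\s*\)", "WHERE built at runtime"),
    ("vendor-master-write",
     r"^\s*(UPDATE|MODIFY|DELETE\s+FROM|INSERT\s+INTO)\s+(LFA1|LFB1|LFBK)\b",
     "direct write to vendor master data"),
    ("os-command", r"CALL\s+'SYSTEM'", "kernel call running an OS command"),
]

def scan_abap(source):
    # Return review findings for one ABAP source unit, in line order.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):        # column-1 asterisk: full-line comment
            continue
        code = line.split('"', 1)[0]    # drop a trailing " comment
        for name, pattern, why in RULES:
            if re.search(pattern, code, re.IGNORECASE):
                findings.append({"line": lineno, "rule": name, "why": why,
                                 "text": line.strip()})
    # Writing master data without any AUTHORITY-CHECK is a finding on its own.
    if any(f["rule"] == "vendor-master-write" for f in findings) and \
            not re.search(r"AUTHORITY-CHECK\s+OBJECT", source, re.IGNORECASE):
        findings.append({"line": 0, "rule": "no-authority-check",
                         "why": "writes master data with no AUTHORITY-CHECK",
                         "text": ""})
    return findings

# Constructed sample report: table and field names mirror real vendor master
# tables, but the program itself is invented for this example.
SAMPLE_ABAP = """\
REPORT zvendor_fix.
* Ordinary read that a reviewer would wave through
SELECT lifnr name1 FROM lfa1 INTO TABLE lt_vendors WHERE land1 = 'ZA'.
" Changes a vendor's bank account outside the standard maintenance transaction
UPDATE lfbk SET bankn = '9999999' WHERE lifnr = lv_lifnr.
lv_where = |LIFNR = '{ lv_lifnr }'|.
SELECT * FROM lfa1 INTO TABLE lt_v WHERE (lv_where).
EXEC SQL.
  UPDATE LFA1 SET STRAS = 'PO BOX 1' WHERE LIFNR = '0000100001'
ENDEXEC.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
"""
if __name__ == "__main__":
    for f in scan_abap(SAMPLE_ABAP):
        print(f"line {f['line']:>2} [{f['rule']}] {f['why']}: {f['text']}")
```

A scanner comparing bytes against signatures would pass every line of that report; a reviewer with the business context is what decides whether the flagged write to LFBK belongs there.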
In wrapping this up, we all spend a considerable amount of time getting the right data to the right people, and now in the right place. What about the potential for the wrong people in the wrong place?