ERP systems expose firms to industrial espionage
Unpatched ERP systems leave critical hole in corporate security
IT chiefs have been warned that it is their mission-critical systems that pose one of the greatest security risks in the enterprise, with the complexity of patching enterprise resource planning (ERP) applications presenting an opening to cyber thieves.
Speaking at the Black Hat DC security conference this week, Alexander Polyakov of the Digital Security Research Group and Val Smith of Attack Research told delegates that the customisations made to, and complexity of, ERP systems increased the risk that attackers would be able to bypass authentication processes or exploit misconfigurations.
While ERP vendors such as SAP and Oracle have robust patch management programmes, firms remain at risk until they actually install those patches, Polyakov told Computing.
“Not many people implement patches quickly and not many people understand deeply all security configurations for ERP systems,” he said. “That’s why when we make a security assessment of ERP we see many problems.”
Many firms are reluctant to patch mission-critical systems until those patches have been tested extensively. But firms' failure to appreciate the risk was also a danger, Polyakov added.
Given the ubiquity of ERP systems within the enterprise, the scale of the problem is “huge”, Polyakov added: “Not every company can have a skilled professional who understands ERP security in depth.”
To outline the extent of the threat, the researchers demonstrated weaknesses they had discovered in enterprise application systems including JD Edwards, SAP and the OpenEdge database from Progress Software, which was being used in a custom-built ERP system within a Fortune 100 company.
This showed attackers could gain access to – and even change – business-critical data without the company being able to detect them, said Polyakov, increasing firms’ risk of becoming victims of industrial espionage and fraud.
That warning was given additional weight by the recent high-profile case of industrial spying at French car maker Renault.