I hope you did not forget the previous article about espionage. Just in case, I would like to remind you once again that traditional IT security deals with Confidentiality, Integrity, and Availability, which turn into Espionage, Sabotage, and Fraud when talking about SAP systems, especially with C-level executives. These risks bother every top manager.
If a hacker gets access to an SAP system, he or she can exploit DoS vulnerabilities and stop SAP operations. For companies such as banks or retailers, this inevitably leads to millions of dollars of losses per minute. More dangerous is the fact that SAP systems are usually connected with other corporate systems such as plant-floor systems, asset management systems, or even ICS and SCADA devices.
Sabotage attacks on SAP systems were promised as today's topic, so let's look at potential sabotage vectors.
Sabotage in SAP
There are several categories an attacker can focus on:
- Product (intentional product quality deterioration or production spoilage)
- Process (significant reduction of service and deliverability)
- Assets (equipment corruption, falsification of equipment health information)
- People (mass casualties or delayed salary payout)
- Finances (tampering with financial reports, manipulation of credit limits)
- Reputation (official websites or technical support services compromise, clients' compliance violations)
- Data (destruction or encryption of critical data about customers, employees, suppliers' strategy, etc.)
Intentional product quality deterioration [Product]
The first and foremost aim of every company is producing goods; so, the most common sabotage attack vector is product quality disruption. Unfortunately, the risks are underestimated.
There are numerous examples of product recalls due to production defects, here are some of them just to give you an idea:
- The FDA recalled the whole production batch of 1200 tracheostomy devices because of three deaths caused by technical problems. [1]
- IKEA had to recall the entire batch of 10000 beds with steel rods, claiming it to be a design mistake that had caused physical trauma to kids. [2]
- Toyota was obligated to recall 3 large batches of passenger cars totaling up to 500000 each time because of wide-ranging construction problems, with airbags, throttle, and other parts of the car not working properly.
FDA statistics for the USA show that such recalls occur frequently. The same situation can also be observed with consumer products. [3]
Even strict quality checks do not prevent occasional production defects. The same flaws can be introduced intentionally as a sabotage attack against a competitor.
It is well-known that many manufacturing companies (e.g. Aviation, Aerospace, Automotive, Transportation, and Electronics) use SAP to monitor the production of components. Traditionally, manufacturing, planning, and design processes are managed in enterprise business applications like MES, PLM, or CAD systems. For a successful attack, a cybercriminal needs to get access to these applications and make minor changes in one of them: in CAD during design, in the PLM system during product lifecycle management configuration, or directly in the MES system during manufacturing. The level of MES and PLM integration and automation gives attackers the opportunity to introduce modifications into these highly connected systems unnoticed.
The article "Car recalls and MES/SCADA attacks" provides more information on this topic. Another representative example of how hackers modified manufacturing systems to produce drones with defects can be found here [4]. As for other potential attack vectors against automotive companies, here is a simple example. What will happen if somebody modifies the melting temperature and time for certain vehicle body components in the PLM system during product lifecycle management configuration or directly in the MES during manufacturing? The point is that the changes will not yield visible results: the welding seams would look no different. Thus, by changing the melting temperature one can cause major changes in the durability of the structure, whereas the visual features remain the same. Of course, additional checks (if in place) may identify this problem. However, in some cases, it leads to a car accident. For instance, you drive at 120 mph on the highway, and the vehicle body cracks. It is an imaginary case, but I found a real example of a recall because of a suspension bolt failure that affected almost 6 million Buick cars in 1981. [5] Also, the financial losses caused by injuries alone amount to about one trillion dollars per year.
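To show what the "additional checks (if in place)" mentioned above could look like on the defender's side, here is an added example that is not from the original article: it audits an MES/PLM parameter change log against an approved baseline. The log format, the parameter names, the baseline values, the tolerances and the list of approved accounts are all assumptions constructed for this illustration.

```python
# Added example (not from the original article): audit changes to critical
# production parameters in an MES/PLM change log against an approved baseline.
# Log format, parameter names, baseline values, tolerances and the approved
# account list are constructed assumptions for this illustration.
import csv
import io

# Assumed approved baseline for a body-component welding step:
# parameter -> (approved value, allowed tolerance)
BASELINE = {
    "weld_temperature_c": (1450.0, 10.0),
    "weld_time_s": (2.5, 0.2),
}

# Accounts allowed to change process parameters (assumption).
APPROVED_CHANGERS = {"process_eng_01", "process_eng_02"}

# Constructed sample change log (CSV):
# timestamp,user,parameter,old_value,new_value,change_request
SAMPLE_LOG = """\
2016-03-01T08:00:00,process_eng_01,weld_time_s,2.5,2.6,CR-1001
2016-03-01T09:12:00,svc_mes_batch,weld_temperature_c,1450,1390,
2016-03-01T09:13:00,process_eng_02,weld_temperature_c,1450,1455,CR-1002
2016-03-02T02:41:00,process_eng_02,weld_time_s,2.5,1.9,
"""

def audit_changes(log_text):
    """Return a list of (line_no, reason) findings for suspicious changes."""
    findings = []
    for n, row in enumerate(csv.reader(io.StringIO(log_text)), start=1):
        _ts, user, param, _old, new, cr = row
        if param not in BASELINE:
            continue  # only the critical parameters are audited here
        approved, tol = BASELINE[param]
        new_val = float(new)
        if user not in APPROVED_CHANGERS:
            findings.append((n, f"{param} changed by unapproved account {user}"))
        if not cr:
            findings.append((n, f"{param} changed without a change request"))
        if abs(new_val - approved) > tol:
            findings.append((n, f"{param}={new_val} outside approved range "
                                f"{approved}+/-{tol}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit_changes(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

On the constructed log, lines 2 and 4 are flagged: a service account lowering the welding temperature far outside tolerance without a change request, and a night-time reduction of welding time that also lacks a change request.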
Disruption or significant reduction of service and deliverability [Process]
In the retail industry, the weakest link is SCM (Supply Chain Management). For retail, the key to business optimization and cost reduction is logistics. The whole business is built on process optimization, which is why big companies can operate on small price margins. What if this system gets stuck? A failure of SCM alone can easily put the company at risk.
If an attacker gains control over SAP SCM, he or she could change the information about supplies, causing financial losses. It is easy to imagine goods being sent to a warehouse that has no free space, or shipment information being changed so that the goods never reach their destination because the shipment is incorrectly marked as overloaded.
Equipment corruption or damage [Assets]
Regarding other examples of data falsification, let's talk about material resources and asset management in particular. Every big company manages its assets using EAM (Enterprise Asset Management). Access to this system may allow an attacker to modify data related to equipment condition in different ways.
For better optimization of business processes, EAM systems are integrated with CBM (Condition Based Maintenance), where the state of the equipment is observed and continually monitored in real time. If a perpetrator gets access to these systems, he or she can modify data about equipment health. Deviations from the standard tolerance range trigger an alarm and a decision that devices need to be repaired or replaced. Technically, it is possible to attack the EAM system, the CBM system, or to modify the traffic between them.
An attacker may change the data coming from CBM in such a way that it appears necessary to replace various elements of the facilities. Such an act forces the company to spend money and time on new equipment that is not actually required.
Mass casualties or significant health effect [People]
What is more critical than equipment? Industrial networks, that's right. How is SAP related to this layer? Quite simply, through SAP xMII systems. Such a system can have technical connections to facility management systems, so breaking into the EAM system makes it possible to hack facility management/SCADA/Smart Home/Smart Grid systems as well. In short, access to SAP EAM leads to access to facility management and industrial systems through trust connections. Most security measures are concentrated on a secure perimeter. Being inside the system makes you a king, so that you can change critical parameters. A change of heat or pressure might lead to disaster and even human losses.
As a rule, technology systems are not secure and are based on obsolete operating systems. The only security measure for them is a firewall that totally i