In-brief: the energy sector is particularly vulnerable to attack via ERP and other mission-critical systems, according to a report.
For your weekend required reading, check out Jonathan Keane’s story over at Vice’s Motherboard. Keane takes a look at the impact that connected machinery (aka “the Internet of Things”) is having on risk within the oil and gas industry.
From the article:
“Oil and gas is one of the industries ‘most plagued’ by cyberattacks, according to Alexander Polyakov, founder of ERPscan, a security firm specializing in enterprise software security. ‘It’s a juicy target for cyberattacks as oil and gas companies are responsible for a great part of some countries’ economy,’ he told Motherboard.”
That’s nothing new. We’ve written about it before and firms like Verizon have noted that cyber attackers focus on the energy industry.
What is interesting is that Polyakov and ERPscan are focused on the way that sophisticated hackers are getting to industrial equipment through more mundane targets: ERP (or enterprise resource planning) platforms that have become ubiquitous at global firms in the last 15 years.
“Polyakov and his colleague Mathieu Geli presented a talk at Black Hat Europe last week that examines vulnerabilities in enterprise business systems in oil and gas, namely SAP and Oracle, and how they can provide a route inside a company to alter its processes. ERPscan’s talk also looked at potentially infiltrating operational technology (OT) networks, which are the control systems that run physical processes like pumps, if they are connected with enterprise systems.”
ERP systems are among the most critical IT assets on a corporate network – and also the most vulnerable. In October, for example, Oracle released a quarterly patch update fixing 154 vulnerabilities affecting 57 different Oracle products.
An analysis by the firm Onapsis concluded that more than 37% of vulnerabilities directly affect business-critical applications, including Fusion Middleware, Hyperion, E-Business Suite, Supply Chain Products Suite, PeopleSoft, Siebel CRM, Oracle Industry Applications, and Oracle Retail Applications.