General security

SAP Risks: Sabotage

Alexander Polyakov
February 8, 2017 by
Alexander Polyakov

I hope you did not forget the previous article about espionage. Just in case, I would like to remind you once again that traditional IT security deals with Confidentiality, Integrity, and Availability, which transform into Espionage, Sabotage, and Fraud while talking about SAP Systems, especially with C-level executives. These risks bother every top manager.

If a hacker gets access to SAP system, he or she can exploit some DoS vulnerabilities and stop SAP operations. For companies such as banks or retail, it inevitably leads to millions of dollars of losses per minute. More dangerous is the fact that SAP systems are usually connected with other company's systems such as plant floor, asset management systems or even ICS and SCADA devices.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sabotage attacks on SAP systems were promised as a today's topic, so, let's look at potential sabotage vectors.

Sabotage in SAP

There are several categories an attacker can focus on:

  • Product (intentional product quality deterioration or production spoilage)
  • Process (significant reduction of service and deliverability)
  • Assets (equipment corruption, falsification of equipment health information)
  • People (mass casualties or delayed salary payout)
  • Finances (tampering with financial reports, manipulation of credit limits)
  • Reputation (official websites or technical support services compromise, clients' compliance violations)
  • Data (destruction or encryption of critical data about customers, employee, suppliers' strategy, etc.)

Intentional product quality deterioration [Product]

The first and foremost aim of every company is producing goods; so, the most common sabotage attack vector is a product quality disruption. Unfortunately, the risks are underestimated.

There are numerous examples of product recalls due to production defects, here are some of them just to give you an idea:

  • The FDA recalled the whole production batch of 1200 tracheostomical devices because of three deaths caused by technical problems. [1]
  • IKEA had to recall the entire batch of 10000 beds with steel rods, claiming it to be a design mistake that had caused physical trauma to kids. [2]
  • Toyota was obligated to recall 3 large batches of passenger cars totaling up to 500000 each time because of wide-ranging construction problems, with airbags, throttle, and other parts of the car not working properly.
  • USA statistics from FDA tells about such recalls occurring frequently. The same situation can also be observed with consumer products. [3]

Even strict quality checks do not prevent production from defects happened occasionally. The same flaws can be made intentionally as a sabotage attack against a competitor.

It is well-known that many manufacturing companies (e.g. Aviation, Aerospace, Automotive, Transportation, and Electronics) use SAP to monitor the production of components. Traditionally, manufacturing, planning, and designing processes are managed in enterprise business applications like MES, PLM, or CAD systems. For a successful attack, a cybercriminal needs to get access to these applications and make minor changes in the following systems: in CAD during construction, in PLM system during product lifecycle management configurations, or directly in the MES system during manufacturing. The level of MES and PLM integration and automation provides opportunities for attackers to implement some modifications into these highly connected systems unnoticeably.

The article "Car recalls and MES/SCADA attacks" provides more information on this topic. Another representative example how hackers modified manufacturing systems to produce drones with defects can be found here [4].

As for another potential attack vectors against automotive institutions, here is a simple example. What will happen if somebody modifies the melting temperature and time for certain vehicle body components in the PLM system during product lifecycle management configurations or directly in the MES during manufacturing? The point is that the changes will not yield visible results: welding seams would not be different. Thus, by changing the melting temperature one can cause major changes in the durability of structure, whereas the visual features will remain the same. Of course, additional checks (if in place) may identify this problem. However, in some cases, it leads to a car accident. For instance, you ride 120 mph on the highway, and the vehicle body is cracking. It is an imaginary case, but I found out the real example of a recall because of the suspension bolt failure affected almost 6 million Buick cars in 1981. [5]

Also, the financial losses caused only by different traumas is about one trillion dollars per year.

Disruption or significant reduction of service and deliverability [Process]

Regarding retail industry, the weakest link here is SCM (Supply Chain Management). For the retail industry, the key feature of the business optimization and cost reduction is logistics. The whole company's business is built on process optimization, thereby, big companies can take small price margins. What if this system gets stuck? The mere SCM may easily put a company at risk.

If an attacker gains control over SAP SCM, he or she could change the information about supplies causing financial losses. It is easy to imagine that goods were sent to the warehouse with no empty space or the information was changed so that these goods would not reach the destination as being incorrectly represented as overloaded.

Equipment corruption or damage [Assets]

Regarding other examples of data falsification, let's talk about material resources and asset management in particular. Every big company manages its assets using EAM (Enterprise Asset Management). Access to this system may allow an attacker to modify data related to equipment conditions in different ways.

For better optimization of Business Processes, EAM systems are integrated with CBM (Condition Based Maintenance) where the state of the equipment is observed and continually monitored in real time. If a perpetrator gets access to these systems, he or she can modify data about equipment health. Deviations from a standard range of tolerance will cause an alarm and recognition of the need to repair or replace devices. Technically, it is possible to conduct an attack on EAM system or CBM system or modify traffic between them.

An attacker may change data passing from CBM in such way that it will be necessary to replace different elements of facilities. Such an act will thus force the company to spend money and time on new equipment while it is not required.

Mass casualties or significant health effect [People]

What is more critical than equipment? Industrial networks, that's right. How is SAP related to this layer? Quite simple, by SAP xMII systems. A system can have technical connections to facility management systems, thus, breaking into EAM system makes it possible to hack facility management/SCADA/Smart Home/Smart Grid systems as well. In short, an access to SAP EAM leads to getting access to facility management and industrial systems through trust connections. Most security measures are concentrated on a secure perimeter. Being inside the system makes you a king so that you can change critical parameters. The change of the heat or pressure might lead to disaster and even human losses.

As a rule, technology systems are not secure and based on obsolete operation systems. The only security measure for them is a firewall that totally isolates them from the corporate network, except the systems the connection with which is needed for data transfer like SAP EAM. Such connections as RFC Connections that are traditionally used to connect SAP with non-SAP systems can be an attractive target. Even if there is no direct link between applications, you may have a network connection allowing an attacker to exploit some ICS/SCADA vulnerabilities remotely.

Are you sure that your IT team implemented appropriate security measures? Do you want to be responsible for a potential breach?

Delayed Payout [People]

Another example also deals with a salary. It is an important share, and I hope you will not use this knowledge for criminal actions (please promise me). I am talking about sabotage in HCM systems. A simple denial of service attack on this system results in jeopardous situations.

On payday, a DoS attack could lead to holding up salary payouts, which, in its turn, results in employee disgruntlement, thereby negatively impacting productivity. This attack implementation with a certain periodicity could even lead to strikes and bankruptcy.

Technically vulnerabilities leading to DoS attacks are relatively easy to identify in comparison to remote control issues. For the last years, DoS vulnerabilities were found in almost every SAP service. Moreover, a perpetrator can execute some heavy functionality without administrator authorizations. Thus, he or she does not need a vulnerability for such attack.

Manipulation with credit limits [Finance]

An access to any system somehow associated with money creates unlimited opportunities for a hacker.

Among the SAP ECC modules, there is SD-Sales and Distribution. If an attacker gets access to it, he or she will have an opportunity to change limits for operations with credit, thus disabling any limits on credit purchasing with the help of FD32 or F.34 transactions that could result in huge money losses.

DoS attacks on public sources [Reputation]

The notoriously common attack, which could be performed to harm a company, is again a simple DoS. It is worth emphasizing that a cybercriminal can exploit this attack remotely with a network access.

Many companies expose SAP SRM or SAP CRM systems to the Internet, or it could be a partner or support sites. One of the common systems is SAP Enterprise Portal (EP). Denial of service vulnerabilities in SAP EP that can be exposed remotely can lead to downtime with portal operations. If it is a customer portal, the company may have huge monetary and reputation losses. Such an attack was performed against the NVIDIA Company in 2014. [6]

SAP Portal is probably the second most vulnerable SAP module after ERP. SAP Portal has about 600 Vulnerabilities (both the platform and application itself). Some of them can be exploited without authentication. More serious issues such as verb tampering authentication bypass can also be used to obtain full control on a system and allow critical actions such as creating users, assigning roles or even executing OS commands.

A Denial of Service attack may be dangerous. However, it is the most easily executed type of attacks. If somebody can gain at least an access to SAP Portal via vulnerabilities, he or she will prefer more serious attacks than just a simple crashing of a service. For example, espionage. Different vulnerabilities on SAP Portal can lead to unauthorized access not only to SAP Portal itself but also to company's internal resources.

SAP Portal is usually accessible online. According to the latest statistics from the SAP Cyber Threat Report [7], more 10000+ of them are available online. Using vulnerabilities on a portal, an attacker can escalate his or her privileges on the network in multiple ways, such as exploiting Single-Sign-On, via SSRF vulnerabilities, or information gathering such as looking for passwords stored in Portal Knowledge Management.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Conclusion

That is it for today. Hopefully, this article shed light on the various risks associated with sabotage attacks. Keep reading these series of articles, as soon you will know examples of fraud attacks on ERP Systems and business applications.

References

  1. https://books.google.co.uk/books?id=xp_cBAAAQBAJ&printsec=frontcover#v=onepage&q&f=false ISSE 2014 Securing Electronic Business Processes by Helmut Reimer, Norbert Pohlmann, Wolfgang Schneider
  2. http://www.ikea.com/us/en/about_ikea/newsroom/product_recalls - IKEA Product recalls
  3. http://www.dailymail.co.uk/news/article-2654899/Toyota-recalls-ANOTHER-650-000-cars-defective-airbag-explode-Honda-Nissan-affected-too.html - Toyota recalls
  4. https://www.hackread.com/crashing-drone-by-hacking-3d-system/
  5. http://www.businessinsider.com/the-10-biggest-car-recalls-of-all-time-2013-2?op=1
  6. http://www.pcworld.com/article/2086080/nvidia-takes-customer-site-offline-after-sap-bug-found.html
  7. https://erpscan.com/sap-cyber-threat-report/
Alexander Polyakov
Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security, numerous white papers, such the award winning annual "SAP Security in Figures”; plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries in all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and Fortune 500 companies.