Manufacturers depend on their ERP system to optimize business processes, unify their different functions and platforms, and provide them with information to make decisions. But with ransomware and cyberattacks on the rise, securing the ERP system is now becoming a top priority.
Why are ERP systems attacked?
ERP systems contain very important and confidential information. Successful exploitation could lead to:
- Theft of personally identifiable information about employees, customers, and suppliers
- Access to or loss of financial records
- Disruption of critical business operations by corrupting data, or shutting processes down
- Loss or changes to traces, logs, and other files
For many companies, the consequences of a cyber-attack would be devastating.
The challenge of securing an ERP system
Companies may not secure their ERP systems as thoroughly as they should because of the size and complexity of the task. An ERP application consists of a wide range of elements, including processes and workflow, master data, and hardware and network infrastructure. There are also many integration points with other IT applications inside and outside of the organization.
For their on-premise ERP system, few businesses have the IT resources and skills to provide a high level of security. That is why the cloud is a better security solution.
- Physical security — A server in an office or a factory can be accessed, damaged, or even stolen. Cloud vendors comply with many of the strictest IT security standards.
- Software security — No manufacturer could afford to have the number of IT staff that cloud vendors employ to ensure systems and networks are thoroughly analyzed and protected.
On-premise legacy systems are also open to attack because they have neither the level of security nor the staff with the depth of skill required to protect them from attacks.
Potential vulnerabilities
There are many routes that cyber attackers can use to target a company’s ERP system:
- Network — interception and modification of network traffic
- Operating system — unpatched vulnerabilities can be used to gain access to applications
- Passwords — weak passwords are commonly an opening for a cyber-attack
- File access rights — poor standards for protecting access to files
- Integration protocols — APIs that don’t have adequate security or encryption
- ERP authentication — inadequate logins such as weak passwords, shared accounts, and a lack of multifactor authentication
There are also organizational aspects that contribute to making an ERP system vulnerable:
- Lack of response planning — there is no set procedure to report and escalate a security problem
- Lack of testing — no regular vulnerability scans and penetration testing that would highlight potential problems
How to protect your ERP system
The standard for modern digital security is the Zero Trust architecture, as defined in NIST SP 800-207. This framework assumes there is no traditional network edge — networks can be local, in the cloud, or a combination — and resources and workers can be located anywhere.
The following key principles form Zero Trust:
- Continuous verification — always verify access, all the time, for all resources; there is no implicit trust granted to assets or user accounts
- Resource protection — the focus is on protecting assets, services, workflows, network accounts, etc.
- Limit the impact — minimize the impact if an external or insider breach does occur
To protect an ERP system from internal threats, role-based access and separation of duties should be standard access controls. With role-based access, a user is granted access based on their function or role. Separation of duties means a user cannot make a transaction without other users authorizing it. An electronic signature enhances governance and traceability by providing an audit trail of who performed a transaction and when it occurred.
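One way to enforce those three controls in code, as an added example that is not from the original article (the roles, users, payment ids and HMAC key are all constructed): a clerk can create a payment, only a manager can approve it, the initiator can never approve their own, and every action is recorded in a signed, chained audit trail that can be verified later.

```python
import hmac
import json
from datetime import datetime, timezone

ROLE_PERMISSIONS = {"ap_clerk": {"create_payment"}, "ap_manager": {"approve_payment"}}
USERS = {"alice": "ap_clerk", "bob": "ap_manager"}  # constructed directory: clerks create, managers approve


class PaymentWorkflow:
    def __init__(self, audit_key: bytes):
        self._key = audit_key  # HMAC key for the audit trail; keep it outside the app in practice
        self.payments, self.audit = {}, []  # payment state; append-only, signed and chained audit trail

    def _authorize(self, user, action):
        # Role-based access: deny unless the user's role explicitly grants the action.
        if action not in ROLE_PERMISSIONS.get(USERS.get(user), set()):
            raise PermissionError(f"{user!r} may not {action}")

    def _record(self, user, action, payment_id):
        # Electronic signature: who, what and when, chained so editing or deleting an earlier entry breaks later ones.
        prev = self.audit[-1]["sig"] if self.audit else ""
        entry = {"user": user, "action": action, "payment": payment_id,
                 "at": datetime.now(timezone.utc).isoformat(), "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["sig"] = hmac.new(self._key, body, "sha256").hexdigest()
        self.audit.append(entry)

    def create_payment(self, user, payment_id, amount):
        self._authorize(user, "create_payment")
        self.payments[payment_id] = {"amount": amount, "created_by": user, "approved_by": None}
        self._record(user, "create_payment", payment_id)

    def approve_payment(self, user, payment_id):
        self._authorize(user, "approve_payment")
        payment = self.payments[payment_id]
        # Separation of duties: the initiator never approves their own transaction.
        if payment["created_by"] == user:
            raise PermissionError(f"{user!r} cannot approve a payment they created")
        payment["approved_by"] = user
        self._record(user, "approve_payment", payment_id)

    def verify_audit(self):
        # Recompute every signature and chain link; False if any entry was altered or removed.
        prev = ""
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "sig"}
            sig = hmac.new(self._key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
            if body["prev"] != prev or not hmac.compare_digest(sig, entry["sig"]):
                return False
            prev = entry["sig"]
        return True
```

In a real ERP the role table and audit key would live in the identity provider and a key store rather than in module constants, but the checks themselves are the same.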
Password hygiene and protection is obviously a key area that companies should address to ensure ERP security. Access to the ERP system should be restricted to users with multifactor authentication. An additional protection layer would be to only allow access through a virtual private network.
A standard IT practice should be to update software regularly and implement security patches when they are released. Too often, the concern that an update might take the system offline for a while leads to the update being cancelled.
Manufacturers should identify their most important information. Customer data is often identified as critical, so strong security standards should be applied to file integrity and access to that information.
Since attackers can get through using an external integration to the ERP system, all interfaces with the system should be identified and mapped. In addition, for manufacturers adopting the Industrial Internet of Things (IIoT), access to devices and sensors needs to be secured, as well as the data transmission to services that collect and consolidate the information.
The Information Systems Audit and Control Association (ISACA) recommends a regular assessment of ERP system security, checking ERP servers for software vulnerabilities, configuration errors, segregation of duties conflicts, compliance with relevant standards, and recommendations from vendors.
Since intrusions occur as much through psychological trickery as through brute-force hacking, it is imperative that everyone who has access to the ERP system attends regular briefings and is kept informed about the latest security techniques. The IT team responsible for the ERP application should also be an integral part of practice exercises for cyberattack response.
ERP security is everyone’s responsibility
Protecting an ERP system from an external threat or a malicious internal attack should be regarded as the responsibility of everyone who uses the system. This is because any kind of intrusion can have a crippling effect on the system, which in turn could impact the business in a highly negative way — not just financially but also reputationally. There are obviously IT-related issues and principles that need to be continually used and applied. However, organizational practices also need to be put in place to ensure everyone is aware, knowledgeable, and committed to the security of the ERP system.