Older systems are susceptible to software vulnerabilities, incompatibilities with new security technologies, and possible compromised data.
Manufacturing organizations are a popular target for cyber attackers. ERP systems can be a point of vulnerability that should be protected.
By Brian Randle, Director of ERP Solutions, SenecaGlobal
For most manufacturers, an enterprise resource planning (ERP) system is the backbone of their business—driving operations, managing supply chain processes and generating invoices. Even with digital transformation initiatives underway, in its 2022 ERP Report, Panorama Consulting Group noted that 35% of organizations still use on-premises ERP systems.
With higher profile IT projects underway, these trusty workhorse ERPs aren’t likely to be a priority for security hygiene practices. That’s a problem. Failure to protect these systems leaves manufacturers vulnerable to cyberattacks that can cripple operations and leave them open to intellectual property (IP)/data theft.
Manufacturing is an increasingly popular target for hackers. The 2022 “X-Force Threat Intelligence Index” by IBM Security finds that, for the first time, manufacturing is the most cyberattacked industry segment. The report highlights the need for organizations to “prioritize vulnerability management”.
For legacy ERP systems, security vulnerabilities fall in three key areas:
Software vulnerabilitiesIncompatibilities with new security technologiesData integrity
1. Software Vulnerabilities
Issue: Recent high-profile security vulnerabilities like the Log4J exploit alerted many businesses to the importance of responding rapidly to announced open-source security patches. The attack shined a light on a more significant problem—many companies don’t patch systems quickly enough.
ERP vendors do a good job advising clients about security vulnerabilities. Unfortunately, that information is also available to hackers, who are usually two steps ahead. If manufacturers fail to download security patches promptly, they are open to attack. But patching takes time and expertise, and with the current shortage of cybersecurity professionals, many companies don’t have the in-house cybersecurity staff needed to install patches quickly, resulting in patches that are often postponed or overlooked completely.
Recommendation: Manufacturers should implement a system to regularly verify that servers, operating systems and applications are running current release versions. It is also important to proactively monitor the ERP database for security updates or patches, which may highlight any partial versioning for security compliance.
2. Incompatibilities with New Security Technologies
Issue: Legacy ERP systems may be incompatible with the newer security features that protect system access, such as multi-factor authentication (MFA) and single sign-on (SSO). Or they may lack sufficient audit trails or encryption methods, making it nearly impossible to identify a breach. Alternatively, there might not be password policies in place with older applications, leading to further vulnerabilities. Whatever the reason, these systems are unable to accommodate today’s security best practices.
Many modern security tools are cloud-based, making it challenging to integrate them with legacy ERP systems. Application Programming Interfaces (APIs) can enable the security tools to monitor their legacy ecosystem but also introduce new security vulnerabilities by providing new entry points for attackers.
Recommendation: Look to the ERP vendors—be it Oracle, SAP or Microsoft—to define what APIs are compatible with on-premises systems. It’s the best option to take advantage of security best practices that are not native to legacy systems. Manufacturers can implement processes to ensure security patches are applied if vulnerabilities are discovered.
3. Data Integrity
Issue: ERP systems leverage Electronic Data Interchange (EDI) to automate the data exchange between vendors and customers. EDI facilitates invoicing, inventory, accounts receivable, processing orders, making payments to vendors and collecting payments from customers. By leveraging orchestration and automation, EDI reduces the handling costs of organizing, sorting and distributing paper documents by storing and manipulating data electronically.
While EDI is great for improving operational efficiency, over time, access to information can spread widely, introducing security issues. Employees who no longer need access may still have permissions and are susceptible to phishing attacks. Companies are typically good about revoking access from employees that they have fired or laid off, but employees who leave the organization voluntarily may hold onto access for months or even years. Additionally, vendors that are no longer part of the supply chain may still be connected, and their security hygiene (or lack thereof) affects the manufacturers’ risk profile.
Recommendation: Manufacturing organizations must limit access to the information and maintain an audit trail to keep data secure. Businesses should regularly examine data transfer protocols. Are they using secure servers? Who has access to the data? Are they mapping the frequency of when and how that data transfers?
To address data integrity, manufacturers should review all system access points and update the security profiles for any third-party integrations that exchange data. Additionally, organizations should prioritize a user security audit to identify unused profiles, terminations, and possible segregation of duty conflicts to help them identify breaches faster. This audit should give them the necessary insight into all the people and applications accessing their data, making it easier to spot unauthorized users.
Finding Resources to Address Legacy ERP Security Vulnerabilities
Addressing the security vulnerabilities in legacy ERPs can be difficult for some organizations, especially if they don’t have an in-house security team. The ideal scenario includes resources with a deep understanding of ERP systems and security controls. It’s not an easy combination to find in the current hiring market.
To offset these challenges, some manufacturers turn to managed services as a strategic solution. By outsourcing their ERP security management, manufacturers can get the expertise they need with both ERP systems and security at a far lower price than the cost of recruiting and hiring internal resources to create and execute security protocols.
But whether manufacturers handle ERP security themselves or outsource it to a managed services provider, they can’t ignore the dangers that their legacy systems can introduce. In order for the rest of their digital transformations to be successful, they must prioritize the security of their business’s foundation—their ERP system.
Brian is the Director ERP Solutions at Seneca Global. Brian has 25+ years of experience implementing ERP solutions in a variety of industries. He enjoys diving into projects and engagements for a variety of clients and industries covering modernization, application support and advisory services.
The post 3 Security Threats Lurking in Legacy ERP Systems appeared first on Industry Today.