Ogunkoya makes a note
This is not about SAP, but largely about application security and the intention is not to criticise a product. Personally, I think SAP is a wonderful application for use; if not, most of South Africa would not be using it. That said, it has its security challenges for organisations, just as any application will.
Tunde Ogunkoya points out that hackers may not get into the SAP systems directly, but through trusted connections to SAP or even the SCADA.
Water Sewage & Effluent July/August 2017
or the official US National Vulnerability Database.
Hackers know that organisations take a while before they update their security patches. Patching can be a nightmarish exercise for most organisations that have undergone certain customisations, as core issues such as system breaks and downtime can come with those exercises. It is easy for hackers to pick up on new, lethal vulnerabilities and start exploiting them.
Now, hackers may not get into the SAP system directly, but rather through trusted connections to SAP or even the SCADA. It’s all about getting in one way or the other and, with an increasing number of devices and systems interconnected through the Internet of Things (IoT), any point is an entry point.
Depending on what the hacker’s motivation is and how deep the integration of technologies is (software and hardware with SCADA), the entire country could be in trouble, or the treatment utility company could lose money that it will mostly never be aware of losing.
Access the following links:
• http://0day.today/
• www.cvedetails.com/vulnerability-list/vendor_id-797/SAP.html
Organisations need to have a formidable cybersecurity framework that includes their business-critical applications, and stop relying only on the network side of things, or antivirus or antimalware. Those are good, but not good enough anymore. Also, simple things like updating patches mean a lot and could take care of 70% of the challenges, but that is usually not done.
Companies often make their software original equipment manufacturer (OEM) the main means of defence. This practice may save cost from a contracting point of view, but it is the incorrect mindset, as a good system cannot have the same partner who owns or implements the software be the goalkeeper, referee, striker, and defender at the same time.
From a South African perspective, it is easy for people to know what applications are running in various water utilities companies. All that is needed is to go to the tender board and see how companies tender for support. So, if the Department of Water Affairs (DWA) publishes a tender for support of SAP, for instance, they will also list how their landscape is configured in the tender. This is enough information for anyone who wants to attack them.
All these aspects give rise to many questions relating to who is responsible for security. The software OEM, the SCADA equipment manufacturers, or the water treatment plant? I guess we could say it is everybody’s responsibility within that ecosystem and that makes it more difficult to control or for someone to take ownership, as the blame game will always come into play with all parties denying responsibility.
about/customer-testimonials/utilities/anglianwaterservices.html). You will notice how the website has stated all the solutions that the water treatment company is using. However, while this is an honest customer success story, a hacker already has insight into the applications they are running!
The next step is to go online and look for zero-day vulnerabilities or even old vulnerabilities affecting these solutions, either in the dark market (Dark Web) or on the public Web. Google search/YouTube even shows step-by-step hacks using public exploits that exist, which affect some of these solutions.
engine for Internet-connected devices) in South Africa, it is evident that some companies expose part of their network/private certificate keys, which could potentially be inroads into their networks. Once in, the hacker can move laterally from those systems to their treatment plants, which may be directly connected or indirectly connected in a third or even fourth-degree connection, for the sole purpose of maybe changing the composition of certain water treatment parameters or prolonging repair dates of critical assets.
This could be with the intention to either sabotage the production process or mass poison a state (a state-sponsored cyber war scenario), not to mention changing financial data by programming small errors in fiscal metering, which, in volume, will lead to a huge loss. For example, a 0.1% error could lead to millions of dollars’ loss.
While the information gleaned from the search engine may not be profound or critical to most people, it is important to note that the first thing companies must do is to try to prevent a hacker from getting into their network in the first place. Once in, that’s the beginning of the end should the hacker know what he (or she) is doing or, perhaps even worse, if he does not know what he is doing, he could tamper unknowingly, leading to worse collateral damage.
In the good old days, most OT networks were air-gapped (physically segregated and incapable of connecting wirelessly or physically with other computers or network devices) from the business/office network and the Internet, while they operated independently using proprietary hardware, software, and communications protocols. In recent years, however, there has been a huge demand for business insight about how these treatment plants or utility companies’ assets (devices and all) were running, thereby leading to added requirements for remote network access by support companies or even from separate locations.
These types of millennial efficiency requirements have now caused many utilities companies to integrate their control systems and their enterprise IT systems, and some of them can even provide access to an OT network from the cloud.
To address practical terms, learn from success stories, such as Anglian Waters in the UK (www.sap.com/