What would happen if your enterprise resource planning (ERP) system were attacked? For many companies, the consequences would be devastating. ERP systems not only contain the crown jewels of the business—customer data, stock levels, order entries, production plans, and contract data—they also manage such essential financial processes as order to cash (OTC), and operational processes such as production planning and steering and cash collection and payments. An ERP system is literally the operating system for the company, without which the company simply could not function.
While cyberattacks continue to be top of mind for executives, many may not fully appreciate how vulnerable their ERP systems are to such attacks. This could become a significant problem as evidence mounts of increasing threats targeting ERP systems.
Supply-chain attacks rose by 42 percent in the United States in the first quarter of 2021, impacting up to seven million people.1 And security threats against industrial control systems (ICS) and operational technology (OT) more than tripled in 2020.2 Hackers are becoming more systemic and discerning in their attacks, shifting from distributed denial-of-service (DDoS) attacks and encryption of databases toward disruption of productive systems, and the threat landscape will likely shift further. The German government published an annual report recently highlighting how the cyberthreat is shifting pronouncedly from the theft of data to the disruption of systems.3 The US Department of Homeland Security has issued multiple warnings against cyberattacks targeting ERP systems.4
With these signs of increased threat levels, ERP businesses have invested in hardening and protecting their systems. But companies may still be vulnerable because of lack of focus, lack of sufficient resourcing, or lack of understanding about how best to address cyber issues. Some companies, for example, have put their main focus on ERP upgrades and cloud migrations, leaving fewer resources available to focus on cyber. Meanwhile, ERP skills are scarce resources and can usually not be replaced by general skills available in the IT organization. We have seen many companies reduce investments in maintaining existing ERP systems, including cyber protections, in preparation for their migration.
For companies upgrading their ERP systems, this could be time to review policies and potentially upgrade security postures to counter cyberattacks.
Protecting ERP systems from cyberattacks has unique challenges
In our experience, one reason companies have not secured their ERP systems as thoroughly as they should is that the sheer size and complexity of the task is overwhelming. ERP systems consist of a wide array of elements, including process and workflow, master data and data warehouse, an underlying computational infrastructure, a large storage network—and dozens if not hundreds of interfaces and integration points with other IT applications inside and outside of the organization.
Exacerbating this complexity is that companies often do not have global transparency into what’s actually happening in their ERP systems, from what data is passing through to what interfaces there are with various other systems to what transactions are happening.
Furthermore, ERP systems have interconnections between internal applications and external data sources and systems, such as a supplier’s supply-chain or logistics system. It may be difficult to understand the various dependencies, which means that protecting any single part of the system may not help, because each interconnection may be a vulnerability.
This interdependency issue is further compounded because the ERP group is often separate from the rest of the company’s applications and infrastructure teams. We often see it split between an operating team within IT and a process-design and process-maintenance team within a business unit, most often finance. This hybrid virtual team is often run like a silo within each organization, which creates yet more interfaces between the security team and the ERP team.
For these reasons, we find that many tech leaders are unclear about where to start and consider the target state dauntingly distant.
Would you like to learn more about McKinsey Digital?
Making your ERP system cybersecure
There are well-established practices to secure systems from cyberattacks. But the scale and complexity of ERP systems mean that companies may need to adjust their cyber recipes. While there is no such thing as a perfectly protected environment, there are seven activities that companies should consider to better detect, defend against, and recover from cyberattacks.
1. Identify your most important information
Businesses rarely have a clear view of what—and where—their most important data and systems are. Companies that follow best practices, however, are systematic in identifying which systems matter most by assessing the varying implications of potential cyberattacks. Will the attack bring down the entire system? Is there a workaround? Is the impact of the attack nominal (such as a delay in sending out bills), or will it result in the loss of revenue (such as lost bills). Customer data is often identified as critical. Because that data tends to be stored in many different places, companies may need to invest the time to track down all the places where it lives and identify the interfaces that provide access to it.
2. Create a road map to identify all interfaces with the system
Mapping the complexity of the system landscape and its interconnection points is a challenge in IT management, and it is no less difficult when it comes to ERP. A map of all the interfaces of the ERP system with related data flows is helpful. In many cases, these interfaces are either relics of legacy programs, little-used one-offs, or duplications. By identifying them and critically challenging which are still needed, companies can start to reduce them.
Creating this map isn’t easy. The scale and complexity of ERP systems could mean that assessments themselves are time consuming, sometimes taking as much as two months. Companies sometimes analyze router-network traffic to track down interfaces. One company built a ring of firewalls around its ERP landscape for the sole purpose of reading the messages going in and out. In this way, it was able to gradually build a complete map of the point-to-point connections between the ERP system and other parts of the IT domain.
Other companies use scanners to observe their own systems and use the results to build a map of the underlying systems. Some companies we know have used the scans to build digital twins for process optimization in ERP systems and also for cybersecurity purposes.
3. Install middleware to monitor data flows
Companies could consider putting in place a service bus, or middleware, to reroute all the identified interfaces to it. This step is instrumental in enabling management of data flow between the ERP system and the legacy environment. By collecting and organizing system interfaces in one place, the middleware layer makes them easier to monitor and quickly shut off when an interface is under attack.
Rerouting each interface connection to the middleware can be arduous, but it’s crucial. The rerouting process is generally not complex, though that depends on the kind of data passing through or what conversions are necessary. The complexity comes in managing the scale of this interface-by-interface rerouting process, which may require discipline in systematically executing, tracking, and testing each change.
Ransomware prevention: How organizations can fight back
4. Reduce vulnerabilities and data flows where possible
With the middleware in place, a company could systematically start to eliminate or remediate at-risk interfaces. In some cases, it may make the most sense to “cut off” the data flowing through certain interfaces, either because it is no longer needed or is redundant. This essentially reduces the number of vectors that can introduce an attack.
When it comes to remediating at-risk interfaces, many companies are tempted to focus on those that are the most complex, but they could instead consider focusing on those interfaces that are easiest to remove—for example, where standard interfaces are available or the data is simple and doesn’t need to be converted. Many ERP systems use vulnerable legacy technologies such as file transfer protocol (FTP) or clear text exchanges, which are easy to hack. Phasing out legacy technologies could allow the company to make quick progress in shutting down vulnerabilities and building momentum.
For any remaining interfaces that are difficult to migrate, companies could consider a thoughtful risk assessment that accounts for how often each one is used and what type of data is going through it—and then decide whether to keep it with additional monitoring or simply remove it.
5. Stop backing up ‘hacked’ systems
Most modern ransomware attacks start with encrypting backup data to prevent it from being restored. That means when companies run their backups, they are in effect backing up an already corrupted system. Exacerbating the issue is the fact that companies often run instant backups, making it hard to separate uncorrupted systems from corrupted ones.
An alternative approach has emerged. First, companies should consider running backups daily or weekly. This could increase the chance to spot an attack and keep it from being backed up. In fact, software is available to run ransomware-detection checks across the network on a daily basis. When the system is certified as clean, it can be safely backed up. Similarly, there is software available now to monitor backup systems as well for any unusual backup activity, often a sign of an attack.
One company stopped real-time backups. Instead, it opted for daily backups and kept 30 days’ worth of historic images. Keeping a historic image in a separate storage network was expensive, but it allowed the company to better protect its systems. The company runs regular restore exercises in which a random sample of historic backup images is restored. If parts of the sample can no longer be restored, the company initiates the emergency plan to fight the attack attempt, thereby also limiting loss of data to a maximum of just 30 days’ worth.
6. Make ERP teams an integral part of cyberattack-response exercises
Practicing how to respond to ERP cyberattacks works only if the ERP teams are actively part of the exercises. Too often, ERP teams are treated as adjuncts to cyberattack exercises or not even consulted at all. But their knowledge is crucial to ensure that the exercises are realistic and test systems across the business.
For example, ERP teams could help to make sure that response exercises test ERP systems’ end-to-end processes rather than isolated databases or parts of the systems; that they are based on an understanding of the potential effects of an attack on the business and the processes that are in place to respond; and that they include ways to prioritize responses during an attack. Without a clear set of well-documented and easy-to-access reaction protocols, the inevitable confusion of a cyberattack will be exacerbated by the potential scale of its impact.
7. Be more systematic in hardening ERP systems
A number of best practices have been established to improve cybersecurity that can be applied to an ERP system. One of them is restricting access to the ERP system to users with multifactor authentication (MFA) and through virtual private networks (VPNs); another is conducting regular vulnerability scans and pen tests to measure how long it takes to spot and respond to attacks. Since ERP systems are so large, automated scans can take more than two days, so a best practice is to do them on a rolling basis for targeted parts of the system, process by process or module by module.
Companies could also use their efforts to migrate their apps and systems to cloud as an opportunity to improve how they address cybersecurity. Security as code (SaC) has been the most effective approach to securing cloud workloads with speed and agility. SaC defines cybersecurity policies and standards programmatically, so that they can be referenced automatically in the configuration scripts that provision cloud systems. If the business, for example, sets up a policy that all personally identifiable information (PII) must be encrypted when it’s stored, that policy could be applied through a process that is automatically launched whenever a developer submits code, prompting the rejection of any code that violates the policy.
During ERP migrations to the cloud, there is a tendency to focus on the migration and reduce attention paid to the parts of the ERP system that remain on premises. Companies may need to combat that tendency and continue to allocate resources to regular patching and maintenance updates to on-premises ERP systems.
No ERP system is hacker proof. But by implementing sound cyber practices, heightening collaboration with government (for example, with the National Institute of Standards and Technology and the task forces on global supply-chain security established by the US Department of Homeland Security), and actively monitoring ERP systems, companies could potentially reduce the threat to their most vital business systems.
