Robert Holland, Author at ERP Today
https://erp.today/author/robert-hollandwellesleyglobal-com/

Securing the Digital Core
https://erp.today/securing-the-digital-core/
Fri, 02 May 2025 15:08:02 +0000

Securing ERP systems has become a business imperative due to their critical role in enterprises and increased vulnerability to cyberattacks, necessitating a shift from traditional security measures to a more integrated approach that combines ERP and cybersecurity across evolving cloud environments.

ERP systems are the digital lifeblood of today’s enterprises. They run critical operations and store priceless data that organizations simply can’t afford to lose. But as these systems evolve, move to cloud environments, and become more deeply connected across a growing set of enterprise solutions, they have also become bigger targets for cyberattacks. For decision-makers, securing ERP systems is no longer just IT’s concern; it is a business imperative.

Why the Old Way of Securing ERP Systems Is No Longer Sufficient

Traditional SAP security typically focuses on user access controls and permissions. But in today’s hyper-connected environment, that approach no longer provides sufficient protection. Additional complications, like Oracle GRC recently reaching end of life, only add complexity to these challenges, although GRC solutions need to be complemented with cybersecurity tools.

Cybersecurity is about bringing together traditional security with ERP security.

ERP Today spoke with JP Perez-Etchegoyen, co-founder of Onapsis, who stated that “Cybersecurity for SAP involves applying traditional cybersecurity or IT security concepts to SAP landscapes, which is very different from traditional SAP security.”

In other words, you can’t just treat an ERP system like any other business application. And, no matter which ERP system an organization is using, the same adjustments need to be made. It is vital that traditional cybersecurity methodologies be applied to every ERP deployment.

Gaurav Singh, Senior Cyber Security Manager at Under Armour, adds: “Cybersecurity is about bringing together two different worlds. One is traditional security, and the other is ERP security, which, for IT security teams, can often be a black box. To have effective security you need to bring those two different worlds together and tell them that you are not just SAP security, you are SAP cybersecurity.”

That means understanding not just the ERP solution itself, but the broader technology ecosystem that supports it—especially as more organizations embrace cloud-based platforms. This is extremely important for the connections and integration points between cloud-based systems and other critical enterprise solutions.

Cloud Changes the Game—And the Security Rules

The move to the cloud, especially with offerings like RISE with SAP, is transforming how companies handle ERP. While cloud providers handle the infrastructure layer, the responsibility for securing the application and data layers stays firmly with the customer. This will differ depending on whether the ERP solution is a software-as-a-service solution or is simply leveraging infrastructure provided by the vendor.

As Mariano Nunez, CEO and co-founder of Onapsis, warns: “The main challenge we see today is how organizations protect their ERP applications as they go to the cloud. It’s about understanding the shared security responsibility model.”

Even though ERP vendors have improved their guidance around who does what, confusion still lingers. And in a crisis, clarity matters.

“Even if you’re delegating operational responsibilities to a partner, it’s still the customer’s name on the headlines,” Nunez reminds us.

The Attack Surface Is Growing

As businesses modernize and migrate, ERP systems are no longer protected by traditional on-prem firewalls. They’re more exposed, more interconnected, and require more thoughtful security planning.

New environments and enterprise platforms such as SAP’s Business Technology Platform (BTP) provide fresh possibilities for innovation—but also new risks. According to Nunez: “For some customers, deploying SAP BTP can feel like the ‘Wild West’ because they don’t know what they don’t know.”

If you’re building AI use cases or custom applications in the cloud, securing your configurations, APIs, and development practices is critical to keeping your environment safe.

Common Misconceptions That Put Businesses at Risk

Despite the increased focus on cybersecurity, there are myths that continue to create blind spots for organizations:

  • “We’re behind a firewall—we’re safe.” Not anymore.
  • “We have a dedicated ERP security team—that’s enough.” Not quite.

As Gaurav Singh explains, siloed thinking continues to plague many organizations: “The infosec guys assume that, because the SAP guys are so GRC heavy, they have everything covered. At the same time the SAP team can assume that everything is okay because there is a separate cybersecurity team. This siloing is still common today.”

Breaking down these walls between teams is essential to building a cohesive, end-to-end defense.

Why Attackers Love ERP—and What It Could Cost You

Cybercriminals are increasingly targeting ERP systems because they know that’s where your crown jewels live—your sensitive business data and mission-critical processes.

“Attackers know that the money is in ERP systems,” says Nunez. “That is where the most critical data resides.”

As an example, Nunez worked with a customer where an “SAP security breach” was cited as a “major factor” in a company’s Chapter 11 bankruptcy. This was because the breach disrupted operations and derailed compliance with financial reporting.

The stakes are real. According to Onapsis research, there has been a 400% increase in ransomware incidents affecting SAP systems and a 5X increase in the price of cyber weapons that are designed to target SAP systems.

AI: A Double-Edged Sword

Artificial Intelligence is also changing the cybersecurity landscape—on both sides. Attackers are using AI to craft more convincing phishing campaigns, while defenders are using it to improve detection and response.

For companies using AI within ERP environments, data security becomes even more crucial. Nunez points out it’s vital to secure the applications that generate the data in the first place because they are the ones housing the data and can be the most vulnerable. This means putting extra focus on enterprise platforms, where many AI use cases are deployed.

Getting Ahead of the Curve: What Leaders Can Do

So, what should business leaders prioritize? Here’s a simple roadmap:

  • Start with visibility. “It absolutely starts with visibility,” Nunez emphasizes. “Know your current security posture—and where it needs to go.”
  • Automate wherever possible. Whether you’re on-prem, in the cloud, or running hybrid systems, automation helps manage complexity and enforce consistent security controls.
  • Integrate ERP security into your broader enterprise security efforts. No need to reinvent the wheel—just make sure ERP systems aren’t left out of security planning.
  • Build in security from the start, particularly during major shifts like ERP implementations.

Invest in Talent—Or Grow It From Within

There’s a shortage of cybersecurity experts today, but that presents a big opportunity for professionals already working with ERP systems.

“Every company today is struggling with getting SAP cybersecurity experts on their teams,” Nunez says. “It’s much easier to learn security if you already know SAP.”

Resources like the recently published book Cybersecurity for SAP are great for anyone looking to bridge that gap. Singh stresses the importance of taking a deliberate approach: “It starts with really prioritizing and being purposeful about securing and reducing that gap in your organization.”

Lean on the Partner Ecosystem

You don’t have to go it alone. Partner ecosystems can bring valuable tools, expertise, and services to the table. Onapsis, for example, works closely with SAP to “identify and mitigate vulnerabilities,” and has recently launched the SAP Defenders community. This helps customers stay informed and protected.

Final Word: ERP Cybersecurity Is a Business Priority

In today’s threat-filled world, securing your ERP systems takes more than just following old security playbooks. It requires a shift in mindset—a holistic, risk-based approach that spans people, process, and technology.

By improving visibility, strengthening collaboration, automating intelligently, and tapping into expert partnerships, organizations can confidently secure their digital core and navigate what’s next.

Critical Zero-Day Vulnerability Impacts SAP
https://erp.today/critical-zero-day-vulnerability-impacts-sap/
Fri, 25 Apr 2025 15:21:56 +0000

SAP has issued critical Security Notes including a highly severe vulnerability in SAP NetWeaver Visual Composer that allows unauthenticated attackers to upload malicious files, prompting organizations to urgently patch or implement workarounds to protect their systems.

In an update to the April SAP Security Patch Day, which was earlier in the month, SAP announced three new Security Notes on April 24th, 2025. One of these, currently being tracked as CVE-2025-31324, has the maximum possible CVSS score of 10 and is being actively exploited to compromise SAP systems. SAP has already released an emergency patch for the issue, which can be mitigated by applying SAP Note 3594142.

The issue exposes a severe vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer. According to SAP’s security advisory, the attack requires no unusual user privileges to execute and is not complex for threat actors to initiate. The core issue stems from the absence of proper authorization checks in the Metadata Uploader component. This allows unauthenticated attackers to upload potentially malicious executables to affected systems, where they can then be triggered remotely. If exploited, the vulnerability could lead to impacted systems being fully compromised.

Any organization using vulnerable versions of SAP NetWeaver Visual Composer is at significant risk. Even organizations running the latest patches on their SAP systems may be vulnerable and should immediately take action to either patch the issue or implement a workaround, which SAP has detailed in SAP Note 3593336.

The vulnerability was initially uncovered by the ReliaQuest Threat Research Team during incident response activities conducted in April, in which the organization investigated multiple SAP NetWeaver breaches. ReliaQuest found that attackers had uploaded “JSP webshells” into publicly accessible directories, as detailed in their report on the issue. SAP partner Onapsis has since confirmed the issue through their SAP threat intelligence sensors.

What This Means for ERP Insiders

Check to determine whether any of your SAP systems are vulnerable. The initial discovery found that even SAP systems running the latest service packs with patches applied were vulnerable. This makes it critical for any SAP customers to immediately determine whether any systems in their organization are vulnerable. Given that SAP NetWeaver systems are typically running on-premise, they may not have received the same level of cybersecurity attention as those that are running in cloud environments.

Patch the vulnerability, or implement a workaround, as soon as possible. SAPinsiders should implement SAP Note 3594142 as soon as possible. Action should also be taken to restrict access to the Metadata Uploader component to ensure that only authenticated users have upload permissions to SAP components. For those that cannot apply the patch immediately, the temporary workaround described in SAP Note 3593336 should be followed.

Learn about the issue and how to better protect your systems. Multiple SAP security partners are taking action to update their communities on the issue. Some, like Onapsis, have already scheduled webinars to explain the issue and ensure that organizations know how to address it. More importantly, every SAPinsider should ensure that they have and follow plans for regular patching and updating and put in place a cybersecurity response plan that includes SAP systems. Given that the number of cyber attacks continues to increase and more vulnerabilities with a higher severity are being discovered on SAP systems, having a proactive security posture is vital.
