2020 Threat Profile: Government and SAP Cybersecurity

May 20, '20 by Joerg Schneider-Simon

In June 2019, Bitcoin hackers penetrated the computer systems of the city government of Riviera Beach, Florida, installing ransomware that the city remediated by paying a ransom of roughly $600,000. In that same year, the government offices of Jackson County, Georgia, were hacked, as were the computer systems of state and federal government departments across the country.

Hacking into government computer systems is big business.

From city to county to state to the federal level, governments — and their SAP systems — are at increasing risk of cyberattack. What are some of these threats, and what unique challenges do governments face when it comes to keeping their SAP systems safe?

Threats Facing Government

Government is a prime target for cyberattack, with ransomware and hacktivism being the top two threats, according to Infosec. Bitsighttech confirms that local and state governments in the US have the second-highest rate of ransomware attacks, noting in 2019 that ransomware attacks in this sector had more than tripled over the previous 12 months.

Hacktivism is another major threat to government cybersecurity. In early 2017, for example, hacktivists attacked the state of Michigan’s website to raise public awareness of the Flint water crisis. In May of that same year, hacktivists defaced multiple North Carolina government websites to protest the state’s controversial transgender bathroom law. And in July, another group of politically motivated hackers compromised the website of the city of Baton Rouge following the fatal police shooting of Alton Sterling.

Governments that use SAP systems need to be aware that cyberattackers are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations. In 2018, Digital Shadows Ltd. and Onapsis Inc. raised the alarm about an increase in attacks targeting ERP systems such as SAP.

Government and SAP Cybersecurity Challenges

There are multiple reasons why government and other public service bodies face unique SAP cybersecurity threats:

They’re High-Profile…With High-Profile Enemies

The malicious actors that federal government departments need to protect themselves against are often nation states. And the battle is a literal war—cyberwarfare. Cyberwarfare uses computer viruses, hacking and other cyber exploits by one country to disrupt the vital computer systems of another, steal intellectual property, damage economies, influence elections and cause civil unrest. In July 2019, for example, Microsoft revealed that it had detected almost 800 cyberattacks during the previous 12 months targeting think tanks, NGOs and other political organizations around the world. The majority of these attacks originated in Iran, North Korea and Russia. And in October 2019, Iranian state-sponsored hackers attacked current and former U.S. government officials. It requires no stretch of the imagination to say that ERP systems will be a significant target of these types of attacks.

They Hold Sensitive Data

In 2013, cyberattackers broke into USIS, a US federal contractor that conducted background checks for the US Department of Homeland Security. They did so by exploiting an unpatched SAP vulnerability. The result? Stolen personal data on more than 27,000 personnel.

In March, the Government of Canada announced that it had selected SAP for a pilot to test a potential HR and pay solution, hoping to replace the controversial and much-beleaguered Phoenix Pay System. Should all work out well, Public Services and Procurement Canada’s SAP system will contain in-depth personal data on the roughly 287,000 civil servants who work in that country. A successful cyberattack on that SAP system could expose dates of birth, social insurance numbers, and other highly sensitive data – potentially resulting in a massive spike in identity theft.

The Potential Damage is Great

Just this April, Israel successfully fended off a cyberattack targeting the control systems of water treatment plants, pumping stations, and sewage.

Governments, whether federal or local, are responsible for the functioning of the infrastructure that holds our society together. Whether it’s communications, transportation, or health and safety, many governments rely on ERP systems to manage resources and responsibilities. A successful attack on a government’s SAP system could easily bring a region to its knees.

They’re Not Prepared

Unfortunately, the byzantine nature of bureaucracies and the ever-shifting priorities of party politics often result in glacial response times to emerging cybersecurity threats.

Things are no better at smaller levels of government. Smaller regional and municipal governments often use SAP for day-to-day tasks like procurement and internal management of resources – but they’re working with much smaller budgets and a reduced availability of cybersecurity talent. Add in the cybersecurity threat posed by a revolving door of temporary or summer staff and it’s clear that most levels of government are sitting ducks for any serious SAP cyberattacks.

Government Must Keep Up

At all levels of government, top priority must be given to applying stringent SAP cybersecurity measures. Fortunately, in the US at least, it appears that relevant agencies are aware of the threats and are seeking out the resources to address them. Spending on cybersecurity by the US government will increase by about 5% in FY 2020.

A good start for any region’s government is to develop a strategy to adhere as closely as possible to expert-recommended cybersecurity guidelines. In Germany, the Federal Office for Information Security established enterprise security guidelines in its IT Baseline Protection Catalog. In the US, the National Institute of Standards and Technology has published a guide for security and privacy controls, while in Great Britain, the British Standards Institution has published a range of cybersecurity standards that are aimed at small and medium enterprises but that provide an excellent baseline for government organizations.

Will it be enough? That remains the question, but the only way government agencies will have a fighting chance is by combining these resources with the right expertise and a strategic yet flexible planning process that will allow them to prevent threats as much as possible and react quickly to the ones that do, inevitably, slip through.
