The Internet of Things: What’s the Risk to SAP Systems?

Aug 21, '18 by Joerg Schneider-Simon

The internet has come a long way since the days of screeching dial-up modems. We’ve become used to quick and reliable internet access from our computers and smartphones.

The new frontier? Connected appliances, vehicles, equipment, and more. The Internet of Things (IoT) is transforming how we live and do business, providing greater connectivity and data than ever before. IoT technology can be as simple as a wireless printer, and as complex as a complete manufacturing process.

However, this technology is far from risk-free. What are the cybersecurity implications to having everything from our refrigerator to our supply chain connected to the internet? And how do these implications affect your SAP system and vital data?


SAP and IoT

When thinking of SAP, many companies may only consider how they use SAP either in-office or via SAP Fiori. However, IoT is making it possible for SAP’s reach to spread much farther.

For example, a supply chain logistics management system could collect and analyze data from connected vehicles, cargo containers, traffic control systems, road sensors, and rail systems. This data would be stored in the SAP ERP system, helping companies manage production efficiency.

SAP even offers solutions for IoT, helping their customers manage their own IoT and machine-to-machine applications. Companies can develop IoT programming for devices like beverage coolers and vending machines, for fleet vehicles, for production equipment, and more.

This technology is incredibly valuable, allowing companies to remotely monitor equipment, trigger alerts, gain insight into usage, and identify new opportunities.

But, it raises the question: How secure are all these connected items?

IoT and Cybersecurity

The big selling point of IoT is its connectivity. After all, what is not to like about a machine that can immediately inform your ERP system about how many tons of material it hauled on any given day?

That connectivity, however, is a double-edged sword.

Companies have a hard enough time as it is to secure their regular SAP system (and SAP Fiori) from cyberattack, due to a fundamental lack of awareness and expertise around SAP cybersecurity. However, add in the IoT and that’s when things really get muddled.

A March 2018 study conducted by the Ponemon Institute and sponsored by Shared Assessments revealed a disturbing trend: Respondents who report their organization experienced a data breach specifically because of unsecured IoT devices or applications increased from 15 percent to 21 percent. Cyberattacks increased from 16 percent to 21 percent of respondents.

When an IoT device gets synced to a smartphone, tablet, or computer, that device, if hacked, can become a conduit for cyberattack. Even if the IoT technology is not handled through SAP, it’s still very possible for a cyberattacker to hack the IoT device, use it to gain access to a user’s smartphone or computer, and from there, obtain their login credentials for SAP.

Once the IoT device has been infiltrated, the sky is the limit. Many of these cyberattacks have been DDoS attacks. In fact, DDoS attacks increased 91 percent in 2017, partially thanks to IoT. The Mirai botnet attacks that took place earlier this year used at least 13,000 infected IoT devices to launch a series of DDoS attacks.

In addition, a hacked IoT device can wreak havoc all on its own, with equipment shutting down, operating incorrectly, or otherwise turning against its owner. Think of healthcare facilities and IoT-connected equipment, and the potential for disaster is chilling.

With that in mind, one would think that companies would be on top of their cybersecurity as it pertains to IoT. As it turns out…they’re not.

What Companies Are and Aren’t Doing About IoT Cybersecurity

Unfortunately, securing IoT devices is proving to be a significant challenge for companies.

A primary reason for this is that companies simply don’t know what IoT devices they have. The Ponemon study reports that:

  • A surprising 56 percent of respondents do not inventory their IoT devices.
  • The primary reason, according to 88 percent of respondents, is a lack of centralized control over IoT devices and applications in the workplace.
  • Fewer than 20 percent of survey respondents say their organizations can identify a majority of the IoT devices.
  • Thirty-four percent of respondents say their organizations have no understanding of which physical devices are connected to the Internet.

Fortunately, they’re still taking the risk somewhat seriously:  More organizations are using penetration testing (60 percent of respondents) and application scanning (45 percent) in addition to security software and firewalls. That being said, the devices themselves are often still insecure. In a twist of irony, their importance is what makes them so vulnerable: Many companies simply cannot afford halt operations long enough to take their IoT devices offline to install needed updates.

In addition, many companies may not be aware that standard anti-malware programs are ineffective at securing SAP from cyberattack, leading them into a false sense of security.

As our world becomes increasingly connected, organizations are poised to take advantage of the transformative opportunities IoT can bring. However, they also need to be fully aware of the potential risks and must also commit the necessary time and resources to mitigate those risks, allowing them to reap the benefits of IoT while keeping their system, operations, and equipment problem-free and secure.

Visit the SAP FIORI Cybersecurity Page