Security

This article is more than 1 year old

Mixing ERP and production systems: Oil industry at risk, say infosec bods

There will be pwnage

Wed 18 Nov 2015 // 16:29 UTC

Weights and measures

The specific issues the oil and gas industry might face because of problems from internet-facing ERP systems is a fresh field of research, even though a small numbers of researchers including ERPScan and others have looked at the general problem in some depth.

Polyakov has previously identified scores of vulnerabilities and misconfigurations in SAP deployments in general enterprises that left sensitive databases open to attack by hackers.

Back in May, Onapsis chief executive Mariano Nunez estimated that 95 per cent of ERP installations contained "high-severity" errors in a finding based on tests of 250,000 SAP customers.

SAP and Oracle serves business processes such as Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are both critical and vulnerable to attacks. For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions.

An attacker can easily modify these conditions. As the process requires masses and weights for product valuation, and weighing is not possible, suppliers must derive hydrocarbon stock levels from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point.

These complex features put all infrastructure at high risk if an attacker can get access to that data.

ERPScan’s research is based partly on work undertaken during its professional services business, which offers advice to oil and gas companies as well as guidelines and processes on how to avoid them, and can be found here (PDF).

SAP said in a statement that it frequently collaborates with research firms like ERPScan and that the vulnerabilities disclosed at the conference had been fixed with patches available for download. "We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately," a spokesperson said. ®

Topics

Special Features

Vendor Voice

Resources

Security

Mixing ERP and production systems: Oil industry at risk, say infosec bods

There will be pwnage

Weights and measures

More about

More about

Broader topics

More about

More about

More about

Broader topics

TIP US OFF

Other stories you might like

UK county council misses deadline for £7.3M RISE with SAP system launch

North American S/4HANA migrations ramping among SAP users

Mega city council's Oracle ERP system still not legally safe, compliant... 2 years after rollout

Getting on board with AI

Microsoft hikes Dynamics 365 prices by around ten percent or more

SAP transformation program a 'euphemism' for job cuts, claims European Works Council

Licensing labyrinth for Power Apps and Dynamics 365 must be clarified, warns expert

SAP users aren't keen on upping spending right now

Microsoft license shuffle means Power Apps users could break the bank

City of London ditches Oracle for SAP in search of ERP enlightenment

City council megaproject to spend millions for manual work Oracle system was meant to do

Unit4 software's budget bungle leaves schools counting the cost

About Us

Our Websites

Your Privacy