This article is more than 1 year old
Mixing ERP and production systems: Oil industry at risk, say infosec bods
There will be pwnage
Weights and measures
The specific issues the oil and gas industry might face because of problems from internet-facing ERP systems is a fresh field of research, even though a small numbers of researchers including ERPScan and others have looked at the general problem in some depth.
Polyakov has previously identified scores of vulnerabilities and misconfigurations in SAP deployments in general enterprises that left sensitive databases open to attack by hackers.
Back in May, Onapsis chief executive Mariano Nunez estimated that 95 per cent of ERP installations contained "high-severity" errors in a finding based on tests of 250,000 SAP customers.
SAP and Oracle serves business processes such as Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are both critical and vulnerable to attacks. For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions.
An attacker can easily modify these conditions. As the process requires masses and weights for product valuation, and weighing is not possible, suppliers must derive hydrocarbon stock levels from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point.
These complex features put all infrastructure at high risk if an attacker can get access to that data.
ERPScan’s research is based partly on work undertaken during its professional services business, which offers advice to oil and gas companies as well as guidelines and processes on how to avoid them, and can be found here (PDF).
SAP said in a statement that it frequently collaborates with research firms like ERPScan and that the vulnerabilities disclosed at the conference had been fixed with patches available for download. "We strongly advise our customers to secure their SAP landscape by applying the available security patches from the SAP Service Marketplace immediately," a spokesperson said. ®