Numerous SAP system vulnerabilities were among the leading cyberattack risks for oil and gas companies detailed by ERPscan researchers at the recent Black Hat conference in Amsterdam.
Researchers Alexander Polyakov and Mathieu Geli identified many business application vulnerabilities that could put control of about 75 per cent of the world’s oil production at risk if cyberattacks were successful.
Since SAP systems are implemented in 85 per cent of Fortune 2000 oil and gas companies and 86 per cent of the Forbes 500, and they control many business-critical applications, the risks, which include espionage, sabotage and fraud, are indeed far-reaching.
The researchers identified more than 3500 vulnerabilities in SAP products, most of which would provide attackers with access to business-critical applications. SAP Business Suite products including SAP xMII and SAP HANA as well as SAP Plant Connectivity (PCo) were highlighted as particular areas of risk.
One of the vulnerabilities highlighted would allow cyberattackers to gain access to devices that control such processes as oil and gas separation, burner management, fiscal metering and tank inventory management.
The SAP vulnerabilities create additional risks including:
• Oil market fraud,
• Plant destruction, and
• Plant equipment sabotage.
The researchers told attendees that cyberattackers could exploit SAP xMII and SAP PCo solutions that transfer data from tank information management systems to systems such as SAP IS-OIL in order to modify oil in-stock parameters. SAP systems connected with tank inventory systems such as Emerson Rosemount TankMaster also allow commands to be sent to PLC devices to adjust values such as the maximum fill limit of tanks, meaning a cyberattack could lead to an oil explosion.
Some Burner Management Systems (BMS) allow remote management through third-party systems such as ERP, EAS and LIMS via the intermediate systems SAP PCo and SAP xMII. SAP PCo provides a framework for creating custom agents that can send commands to PLCs from ERP/MES, enabling an ICS attack even when there are no vulnerabilities in the PLC/SCADA/DCS systems themselves.
According to the researchers, the easiest way for cyberattackers to falsify data about temperature, pressure, and other conditions is to hack an SAP or Oracle Asset Management solution. They outlined ways in which an ERP system can be compromised, including vulnerabilities, misconfigurations, unnecessary privileges and custom code issues. They also stressed that the oil and gas industry is susceptible to attack not just via USB but also remotely over the internet and corporate networks.