The hidden risk to production will be outdated SAP systems

The manufacturing industry is facing a ticking time bomb in the form of outdated SAP Enterprise Resource Planning (ERP) systems. While SAP, the No. 3 ERP vendor after Microsoft Dynamics and Workday, is rapidly innovating, migrating its software to the cloud and implementing Business AI, many manufacturers are sticking with on-premises implementations of older SAP versions, particularly SAP ECC (ERP Central Component). This poses a significant security risk, as these legacy systems become increasingly vulnerable after 2027, when mainstream maintenance for Business Suite 7 ends.

The problem is compounded by the slow pace of migration to SAP S/4HANA, the next-generation cloud-based ERP system. Research from Basis Technologies reveals that fewer than 60% of companies running an on-premises ECC SAP software application are on track to fully migrate by the 2027 deadline, due to the complexity of the system and the potential costs associated with the migration process. In addition, today’s growing technical talent shortage and skills gap are expected to further complicate migration efforts for many manufacturers.

The consequences of inaction are significant. With nearly three-quarters of SAP customers yet to make the transition, much of the manufacturing industry remains vulnerable. Companies that fail to address this challenge risk running unsupported software, exposing themselves to critical security holes and growing cyberattacks. These attacks can paralyze production lines, cause significant financial losses, and damage a company’s reputation. Manufacturers must prioritize modernizing their SAP infrastructure and implementing robust security measures to protect their critical operations and sensitive data.

Manufacturers must prepare

If enterprises do not prepare for the transition, they will suffer from technical debt, which will be exacerbated by SAP’s discontinuation of ECC models over the next three years. Because these systems manage the most valuable data, they attract a diverse set of threats, motivated by either financial gain or disruption, and they will present a clear attack surface.

The manufacturing industry is of particular interest to cybercriminals, with 260 data breach incidents in 2023 in the United States alone. In fact, North America accounted for 40% of ransomware attacks on industrial organizations and infrastructures worldwide, and in 2022, the global average cost of an industrial data breach was approximately $4.73 million.

Research has shown that ransomware incidents that compromised SAP systems increased by 400% between 2021 and 2023. During the same period, discussions about exploiting SAP vulnerabilities increased by a whopping 490% on the open, deep, and dark web.

Supply chain disruption, loss of intellectual property and product tampering were real threats that 39% of manufacturers faced as a result of breaches in the last 12 months.

This worrying trend clearly indicates that SAP applications are high-value targets, connecting various key aspects of manufacturing and supply chain operations, and their security is a top priority.

The pace of adoption poses a risk

Driven by global competition and the need to bounce back from disruptions like COVID-19, many manufacturers have embarked on digital transformations at breakneck speed. While this rapid integration of technologies has brought efficiency gains, it has often come at the cost of security. Companies that prioritize speed over security have left their systems with huge gaps that are open to exploitation.

This problem is compounded by the increasing complexity of ERP systems. As manufacturers adopt sustainable practices and Industry 4.0 principles, their ERP software must not only support traditional functions but also integrate with new “green” processes and service-based models. This increased complexity creates blind spots in these systems, making them even more difficult to secure.

The ongoing cybersecurity skills gap makes matters worse. With security teams stretched thin as they juggle digitalization initiatives, product innovation, and supply chain protection, critical tasks like ERP security often fall by the wayside. The World Economic Forum reports that a full 95% of cybersecurity leaders believe more effort is needed to recruit and develop cybersecurity professionals. This shortage of skilled personnel makes implementing robust security measures even more difficult, especially with the threat of mainstream maintenance ending for one of the top ERP software products.

In addition, a key defense mechanism, multi-factor authentication (MFA), is often not enforced, further weakening the overall security posture. This combination of factors—increased complexity, talent shortages, and lax security practices—creates the perfect storm for cyberattacks to target these vulnerable organizations.

Modern solutions and strategies

Addressing the complex threats that manufacturing ERP systems face today requires a multi-faceted approach. This includes:

  1. Automated security processes: Automation plays a key role in modern cybersecurity strategies. By automating security measures, companies can minimize human error, speed up response times, and ensure critical systems are always protected.
  2. Human in the loop: Human expertise must also be incorporated into automated processes. This ensures that results remain consistent and companies can reduce entropy. Having rich, relevant, and structured data is still key to success.
  3. Research-based conclusions: Leveraging the latest findings from cybersecurity research is essential. Continuous threat intelligence allows companies to stay ahead of cybercriminals, especially those who target specific vulnerabilities in SAP systems. This approach is key to developing a proactive defense strategy that adapts to new threats as they emerge.
  4. System integration: Security must be integrated into the ERP architecture from the very beginning. A holistic approach ensures that every component of the ERP system is designed with security in mind, increasing the overall resilience of business operations.
  5. Joining MFG-ISAC: Join communities like the Manufacturing Information Sharing and Analysis Center (MFG-ISAC) to participate in advocacy for the manufacturing sector and stay informed.

Risk management requires a holistic approach

Implementing advanced security measures requires more than just deploying technology; it requires a strategic approach to risk management. Best practices include continuous system monitoring, regular security assessments, and proactive integration of security features into the design and development phases of a system, such as SAP S/4HANA.

By understanding the specific threats that have historically targeted SAP systems, companies can better prepare and mitigate potential risks. Proactive security not only helps manage immediate threats, but also prepares the organization for future challenges. Industry leaders in the manufacturing sector cannot underestimate the importance of advanced ERP security strategies and must reassess existing security frameworks that are quickly becoming outdated.

Paul Laudański is Director of Security Research at Onapsis.