SAP landscapes and the Industrial Internet of Things

Industrial Internet of Things in corporate environments

The Internet of Things, or IoT as it has recently come to be abbreviated, is a central theme that makes hobbyists’ hearts beat faster and makes the strategists of big data and digital transformation rejoice.
The term “Industrial IoT”, also referred to as IIoT for short, refers to industry with its industrial networks and production systems.
SAP systems that integrate and drive an ICS (an “Industrial Control System”) or a “Shop Floor Control” in such environments are often an integral part of what are commonly known as “industry automation systems”. But “Industry 4.0” sounds more chic.

Dangers of industrial production networking

With automation and networking, however, come significant dangers to the plants, which are often decades old.
After all, there is a lot of commercial promise behind the IIoT, especially in connection with new manufacturing techniques, new manufacturing design in diverse industries and the distribution of products with completely new capabilities.

The networking of things and the communication of things with each other via the Internet are the basic components, the “building blocks”, from which old products can be transformed and renewed, and new products that were previously not possible can be brought onto the production plan.

But above all, the security of the systems is a problem. At all levels, from manufacturing to operations, security is a highly neglected factor throughout the IoT value chain.

As with all enthusiasm for new worlds, a significant amount of skepticism should creep into the current “hype”, the media excitement about the possibilities of the IIoT.

Protection reaches from design through production to sales

Protection of development during design, use of secured cryptographic components, protection of manufacturing against internal and external attacks, encryption of communication in operation and protection of the resulting metadata against misuse of big data stocks are basic safeguards that should be present in every system.

But all these are factors that are rarely discussed, because the measures require investment and do not bring any visible productivity. “After all, the systems are the same as before – only more expensive” is one of the standard arguments against IIoT security projects. As in the case of the Jeep that was hacked while driving, cryptography will not appear on the design slip until it comes to the current slump or the daily press overflows with a new hack. The idea that, even in the first design, one should look at such a critical infrastructure as the control of a car from the perspective of a hacker is probably not pursued for cost reasons.

Companies with critical infrastructure (KRITIS)

And then there is another category of European and, above all here in Germany, national companies that state institutions such as the Federal Office for Information Security (BSI) classify as critical, that is, as important for the critical infrastructure of Germany.
These include, of course, utilities, banks, clinics and high technology, both civilian and military. Again, security issues in industrial production and operating environments are known but often neglected. We once performed a pentest on a very large hospital and found a high number of critical weaknesses, commonly known as “vulnerabilities”.
In response, the management did not want to accept the report of the “pen test”. Only when we pointed out that manager liability (§ 43 Abs. 1 GmbHG) nevertheless applies, that BSI guidelines are violated and that some of the errors fall into the category of “Gross Negligence” did the executives agree to the meeting.
In its defense, the management had argued that the approval procedures for technical equipment, especially if it has a US FDA approval, are highly regulated, especially in the health sector. One cannot simply upgrade the controlling PC of the equipment, such as a CT or a dialysis unit, from Windows XP to Windows 10. This would require a complete new approval, in the worst case for a few million dollars. Of course that is not acceptable.
But there are also such plants in the production engineering field of conventional heavy industry. Who wants to patch a hydraulic press that has been installed since 1970, weighs 30 tons and can only be operated directly with a power plant connection? Just restart it once after a patch? Then the power plant burns, because the power has to be turned off and on, which is hardly feasible with such a power connection.

The SAP & IIOT trade fair hacks

In the scenario shown at the annual DSAG 2019 congress and it-sa 2019, we are abusing an SAP PLM system for such an attack. We take advantage of the fact that SAP systems are connected to an industrial control system for production control and feedback, which gives direct access to the machine.

More worldwide target systems for such hacks?

And for anyone who still considers this hypothetical:
A visit to the website known as the “Google for Hackers” shows how many thousands of Siemens S7 systems are directly accessible worldwide and can be “shot down” directly with this hack.

Note that Siemens systems also willingly announce their serial number – another issue in these attacks.

Why has all this not become known so far? Or, to put it another way, why have there not been spectacular “hacks” to this end? Like PETYA and Non-PETYA, which have effectively paralyzed entire corporations like MAERSK or Beiersdorf?

The attackers – also called “Threat Actors”

The answer may sound like a spy thriller by John le Carré, but it’s likely. For one thing, there have always been attacks that have shown that entire regions can be paralyzed. To select only two out of countless examples, there was the big blackout in the eastern US in 1998 and, recently, the days-long blackout in South and Central America.
Both can be seen as a “chain of adverse circumstances,” but there is also a different geopolitical explanation for both, similar to the PETYA Trojan that arose in the context of the Ukraine crisis.
That would also explain the restraint in current attacks. After all, if you have such powerful tools that can paralyze entire countries, why not let the enemy know in advance?

Incidentally, these are not homemade conspiracy theories. These are well-informed circles that publish in the prestigious magazine of the American conservative think tank, “Foreign Affairs”. It is very worth reading, because many prominent politicians and scientists from foreign policy and geopolitics publish here – currently also a lot about IT security and IT information policy.

All these attacks show that a destructive attack is possible at any time, and that the threat posed by organized crime such as PETYA and its commercial successor, “Non-PETYA”, ranging from classic industrial espionage to targeted attacks on critical infrastructure, is omnipresent in these times.

One speaks of “Threat Actors” when hackers or organized crime are involved, and of “State Actors” when state organizations stand behind the attacks.

The opinion that there is no need to do anything to safeguard your own industrial production and that it’s all safe enough has never been sound – and is less so today than ever.

Visit us at DSAG and it-sa and discuss this hazard potential with us. We are in the action area at the booth of IBS Schreiber.
