Water utilities face many escalating challenges in today’s dynamic landscape. Amidst these concerns, there is an additional surge in cybersecurity threats.
The U.S. Environmental Protection Agency (EPA) announced it is withdrawing its March 2023 Cybersecurity Rule, which would have required states to report cybersecurity threats in their public water system audits. The withdrawal was due to lawsuits filed by states and non-profit water associations.
In response to this development, the American Water Works Association (AWWA) and the National Rural Water Association (NRWA) issued a press release stating that the initial ruling would create additional cybersecurity vulnerabilities for utilities and that there is a “lack of expertise and resources for cybersecurity oversight.”
The importance of cybersecurity for ERP systems
Critical infrastructure, such as the information technology (IT) and operational technology (OT) systems managed by utilities, is a primary target for cybercriminals.
Cyberattacks targeting utilities can have severe consequences that extend beyond the digital realm. These threats can result in damage to critical infrastructure and vital networks, theft of personally identifiable information (PII), and substantial financial losses due to ransom payments and repair expenses.
A key component of most utility companies is their enterprise resource planning (ERP) implementation. ERP systems can help manage finances, human resources, supply chain management, customer relations, regulatory compliance and even asset management.
Based on the critical nature of ERPs, it is important to stress that the threat landscape surrounding ERP applications has undergone a substantial evolution, marked by an increase in both the frequency and sophistication of cyberattacks.
In efforts to protect business-critical applications, organizations typically adopt a defense-in-depth security approach, which is undeniably crucial. However, this model often falls short when it comes to safeguarding the modern application layer.
Threat actors have adapted common tactics to directly target and compromise ERP systems, capitalizing on reduced visibility and control. This dynamic has led to ERP application security being frequently overlooked in the context of digital transformation initiatives, creating a favorable environment for cyberattacks.
Utility providers, in particular, handle extensive volumes of sensitive customer data, which necessitates stringent security measures. All businesses that store, process or transmit payment cardholder data must adhere to PCI compliance standards. Failure to do so can result in penalties and, in severe cases, the cessation of card processing operations.
Safeguarding sensitive customer and billing information must take precedence for utility companies. Additionally, attackers with access to vulnerable ERP applications pose a significant threat, with the potential to steal sensitive data, disrupt operations, and trigger regulatory compliance violations. This underscores the critical need for robust application-layer security.
The withdrawal of cybersecurity rules for public water systems underscores the broader issue of cybersecurity in critical infrastructure and the importance of securing ERP systems, which are fundamental to many organizations. Cybersecurity is a shared responsibility among governments, organizations, and individuals to protect essential services and systems from cyber threats.
Key steps in safeguarding utilities’ ERP systems
ERP systems are complex — but securing them does not have to be.
The current environment requires a shift in enterprise cybersecurity strategies to better prioritize securing ERP applications (such as SAP and Oracle). This shift in priority will ensure organizations can recover from a potential cyberattack.
Utilities leaders must navigate these complexities while protecting their organizations from ongoing cyberthreats. Organizations should implement these four crucial steps to protect their environment:
1. Gain visibility into ERP landscapes
Organizations need comprehensive visibility into their cloud, on-premises, and hybrid environments to identify, assess and prioritize risks while eliminating system blind spots.
Security teams require tools for real-time monitoring of business-critical applications to preemptively detect threats and vulnerabilities, even before vendor patches are available. Because ERP applications are complex, they must be included in business continuity and incident response plans.
ERP cybersecurity also requires cross-functional response teams and collaboration with government agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) or the German Bundesamt für Sicherheit in der Informationstechnik (BSI). These entities frequently see the larger scope of ransomware infections.
2. Utilize actionable threat intelligence
In addition to collaborating with government agencies, utility organizations should explore solutions that offer a comprehensive perspective on threats affecting their operational systems.
Timely and impactful threat intelligence can provide valuable insights into malicious actors' tactics, techniques and procedures. Such intelligence can also offer early warnings about emerging ransomware campaigns, while delivering actionable information to the security teams entrusted with crafting and enacting security measures.
It is essential for this strategic intelligence to not only enhance awareness but also guide strategic decisions and response strategies.
3. Streamline patch management, cloud migration
Effective management of ERP applications, particularly regarding patching, is paramount for minimizing vulnerabilities.
Given how rapidly vulnerabilities are exploited, especially in SAP systems, a streamlined patch management process is crucial. A dedicated vulnerability management solution focusing on the application layer helps identify missing patches, validates that patches have been applied properly and facilitates prioritization based on severity. Timely patching is vital to fortify ERP application security and safeguard critical assets.
It is imperative to integrate these processes into cloud migration and digital transformation initiatives, such as SAP S/4HANA and SAP RISE projects, to ensure secure operations, compliance adherence and budgetary control during the migration process, resulting in secure cloud-based environments equivalent to on-premises setups.
4. Harmonize security and compliance functions
Ensuring the security and compliance of ERP business applications is crucial as they handle sensitive data, including financial, customer, employee and intellectual property information.
However, identifying risks to these systems is often challenging and manual. Utilities organizations, responsible for delivering critical services and adhering to numerous industry regulations, face legal and financial penalties for non-compliance.
Regulations such as the General Data Protection Regulation (GDPR), Sarbanes-Oxley Act (SOX), and Foreign Corrupt Practices Act (FCPA) impose strict requirements, and non-compliance can result in severe consequences, including substantial fines, data breaches and damage to public trust.
Early cybersecurity empowers compliance
By implementing security early in the development process through DevSecOps, organizations can not only expedite development cycles but also significantly enhance application security.
This proactive approach involves providing direct access for compliance teams, reducing manual processes, and obtaining more accurate audit results. This, in turn, avoids surprises and violations and frees up valuable cross-functional resources that can be better allocated to support the business.
By aligning everyone involved in the audit process — IT, InfoSec and audit/compliance — organizations can be more efficient, provide more accurate results and free up resources to focus on business-critical matters.
Addressing threats in ERP applications is essential to mitigate the risk of financial data manipulation and ensure adherence to regulatory standards.