It’s only a matter of time.

Although no major, publicly confirmed breach has happened yet, eventually a major Enterprise Resource Planning (“ERP”) system will get hacked. An ERP system holds scads of data about manufacturing processes, trade secrets, suppliers and banking information that would be incredibly valuable to a foreign power or a competitor.

For example, it is easy to envision an official Chinese, Russian or North Korean state agency, or a private enterprise with ties to the Kremlin, Zhongnanhai or Kim Jong-un, being eager to get its hands on defense systems or other critical information. By compromising the ERP system of an arms manufacturer (for example), an attacker could pull bills of materials, supplier lists and production data for sophisticated weapons that it might otherwise take years to develop on its own. The scenario is not hard to imagine: the United States government widely uses software developed by the German company SAP. Indeed, in May 2016, the Department of Homeland Security passed along intelligence that researchers on a Chinese-language online forum were sharing details about which organizations were running SAP systems with a known vulnerability.

Indeed, it was widely reported in mid-March 2018 that officials at the FBI, the Department of Homeland Security (DHS) and several intelligence agencies said Russian hackers had broken into computer systems and conducted what was called “network reconnaissance” of critical control systems. DHS said the Russian activity was part of a campaign across a range of economic sectors, including industrial infrastructure. ERP systems, which run plant scheduling, procurement and inventory, can fairly be considered part of that “industrial infrastructure.”

Yet few organizations have thought about investing in ERP security, and especially in mobile security, despite something close to 12 million mobile devices in the U.S. being infected with malicious code. A compromised phone or tablet that carries ERP credentials or a mobile ERP client becomes a gateway to the data in a company’s ERP system. Meanwhile, a 2017 survey of ERP users found that 88% of respondents believe the number of cyber attacks against ERP software and systems will grow in 2018.

Just as troublesome, even among people responsible for ERP security, only some 33 percent have heard of any security incident, and fewer than one in 20 (4 percent) knew it was a serious breach. To cap off the problem, nearly half (43 percent) simply assume that a Chief Information Officer has taken responsibility for ERP security.

Yet the list of serious incidents is growing, including:

  • The Greek Ministry of Finance was attacked in 2012 through an SAP vulnerability, showing that hackers – in this case, the group Anonymous – were already targeting SAP systems more than five years ago.
  • The first known malware attack against an ERP system was launched more than four years ago and included code that checked whether infected workstations had SAP client applications installed, so that ERP credentials and sessions could be targeted.
  • Less than a year ago, the U.S. Department of Homeland Security issued an alert warning that the Invoker Servlet in SAP NetWeaver Java applications had been used to penetrate the ERP systems of 26 multinationals between 2013 and 2016. SAP had published a fix for that flaw in 2010; the victims had simply never applied it, which is the typical ERP breach pattern: a long-patched weakness left in place because the system was too important to take down.

So, it is only a matter of time before a hacker exploits a weakness in a newly configured system, whether a missed patch, a default account or an interface left open to the network. The chain could very well run from an ERP system to a CRM system and from there into accounting and billing data. When it happens, the business that is hacked will look to the vendor and the implementer for compensation, especially if the hack provokes the ire of European officials charged with monitoring and enforcing the about-to-become-effective General Data Protection Regulation (GDPR).

To protect against this, a vendor’s attorney needs to insert language in contracts that addresses the range of potential security scenarios: who is responsible for patching, who controls configuration and user access, who is notified of an incident and when, and how liability is allocated if data is exposed. Indeed, the more parties involved in an implementation, the more defendants whose names will be listed in a lawsuit. The contract needs to protect each of them as much as possible.

When it comes to enterprise security, ERP systems form the backbone of the vast majority of business processes, which makes them especially exposed to hidden risks. Senior executives need to ensure that those risks are minimized and that the dangers are understood throughout the C-suite, not left to an assumption about who owns them.

Marcus Harris’ practice focuses on negotiating and drafting ERP contracts, and litigating disputes when they arise. Reach him by email at MHarris@TaftLaw.com or by phone at 312.840.4320.