Page 22 - Risk Management Bulletin April-June 2022
used one-offs, or duplications. By identifying them and critically challenging which are still needed, companies can start to reduce them.

Creating this map isn’t easy. The scale and complexity of ERP systems could mean that assessments themselves are time consuming, sometimes taking as much as two months. Companies sometimes analyze router-network traffic to track down interfaces. One company built a ring of firewalls around its ERP landscape for the sole purpose of reading the messages going in and out. In this way, it was able to gradually build a complete map of the point-to-point connections between the ERP system and other parts of the IT domain.

Other companies use scanners to observe their own systems and use the results to build a map of the underlying systems. Some companies we know have used the scans to build digital twins for process optimization in ERP systems and also for cybersecurity purposes.

3. Install middleware to monitor data flows

Companies could consider putting in place a service bus, or middleware, to reroute all the identified interfaces to it. This step is instrumental in enabling management of data flow between the ERP system and the legacy environment. By collecting and organizing system interfaces in one place, the middleware layer makes them easier to monitor and quickly shut off when an interface is under attack.

Rerouting each interface connection to the middleware can be arduous, but it’s crucial. The rerouting process is generally not complex, though that depends on the kind of data passing through or what conversions are necessary. The complexity comes in managing the scale of this interface-by-interface rerouting process, which may require discipline in systematically executing, tracking, and testing each change.

4. Reduce vulnerabilities and data flows where possible

With the middleware in place, a company could systematically start to eliminate or remediate at-risk interfaces. In some cases, it may make the most sense to “cut off” the data flowing through certain interfaces, either because it is no longer needed or is redundant. This essentially reduces the number of vectors that can introduce an attack.

When it comes to remediating at-risk interfaces, many companies are tempted to focus on those that are the most complex, but they could instead consider focusing on those interfaces that are easiest to remove—for example, where standard interfaces are available or the data is simple and doesn’t need to be converted. Many ERP systems use vulnerable legacy technologies such as file transfer protocol (FTP) or clear text exchanges, which are easy to hack. Phasing out legacy technologies could allow the company to make quick progress in shutting down vulnerabilities and building momentum.

For any remaining interfaces that are difficult to migrate, companies could consider a thoughtful risk assessment that accounts for how often each one is used and what type of data is going through it—and then decide whether to keep it with additional monitoring or simply remove it.

5. Stop backing up ‘hacked’ systems

Most modern ransomware attacks start with encrypting backup data to prevent it from being restored. That means when companies run their backups, they are in effect backing up an already corrupted system. Exacerbating the issue is the fact that companies often run instant backups, making it hard to separate uncorrupted systems from corrupted ones.

An alternative approach has emerged. First, companies should consider running backups daily or weekly. This could increase the chance to spot an attack and keep it from being backed up. In fact, software is available to run ransomware-detection checks across the network on a daily basis. When the system is certified as clean, it can be safely backed up. Similarly, there is software available now to monitor backup systems as well for any unusual backup activity, often a sign of an attack.

One company stopped real-time backups. Instead, it
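The following is an added example, not part of the original bulletin: a sketch of how traffic records can be turned into the point-to-point interface map the article describes, then triaged so that cleartext legacy interfaces such as FTP come first and rarely used ones are flagged for review. The flow-record layout, the addresses, the ERP host and the usage threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not real traffic): time, src, dst, dst_port, bytes
SAMPLE_FLOWS = """\
2022-04-01T02:00:00,10.0.5.20,10.0.1.10,21,48211
2022-04-01T02:05:00,10.0.5.20,10.0.1.10,21,51780
2022-04-01T08:15:00,10.0.1.10,10.0.7.40,443,9120
2022-04-01T08:16:00,10.0.1.10,10.0.7.40,443,8804
2022-04-01T09:30:00,10.0.6.30,10.0.1.10,80,1200
2022-04-01T10:00:00,10.0.1.10,10.0.4.70,22,640
2022-04-01T11:00:00,10.0.8.50,10.0.9.60,443,700
"""

ERP_HOSTS = {"10.0.1.10"}                           # assumed address of the ERP system
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}   # well-known unencrypted services
RARE_THRESHOLD = 2                                  # assumed: fewer flows than this = rarely used


def build_interface_map(flow_csv, erp_hosts):
    """Aggregate flows that touch an ERP host into point-to-point interfaces."""
    interfaces = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for ts, src, dst, port, nbytes in csv.reader(io.StringIO(flow_csv)):
        if src in erp_hosts or dst in erp_hosts:
            entry = interfaces[(src, dst, int(port))]
            entry["flows"] += 1
            entry["bytes"] += int(nbytes)
    return dict(interfaces)


def triage(interfaces):
    """Label each interface; sort cleartext first, then least used first."""
    rows = []
    for (src, dst, port), stats in interfaces.items():
        if port in CLEARTEXT:
            action = f"phase out ({CLEARTEXT[port]}, cleartext)"
        elif stats["flows"] < RARE_THRESHOLD:
            action = "rarely used: confirm still needed"
        else:
            action = "keep, route via middleware and monitor"
        rows.append((src, dst, port, stats["flows"], action))
    return sorted(rows, key=lambda r: (r[2] not in CLEARTEXT, r[3]))


if __name__ == "__main__":
    for row in triage(build_interface_map(SAMPLE_FLOWS, ERP_HOSTS)):
        print(*row, sep="  ")
```

Port numbers alone do not reveal what type of data an interface carries, so the risk assessment the article calls for still needs the data classification added by hand.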