ERP systems are seeing growing levels of attack for two reasons. First, many of these systems -- especially in the U.S. -- are now connected to the internet. Second, ERP security is hard. These systems are so complex and customized that patching is expensive, complicated and often put off.

Windows systems are often patched within days, but users may wait years to patch some ERP systems. There are old versions of PeopleSoft and other ERP applications, for instance, that are out-of-date and connected to the internet, according to researchers at two cybersecurity firms, which jointly looked at the risks faced in ERP security.

These large corporate systems, which manage global supply chains and manufacturing operations, could be compromised and shut down by an attacker, said Juan Pablo Perez-Etchegoyen, CTO of Onapsis, a cybersecurity firm based in Boston.

"If someone manages to breach one of those [ERP] applications, they could literally stop operations for some of those big players," Perez-Etchegoyen said in an interview. His firm, along with Digital Shadows, released a report, "ERP Applications Under Fire: How Cyberattackers Target the Crown Jewels," which was recently cited as a must-read by the U.S. Computer Emergency Readiness Team within the Department of Homeland Security. This report looked specifically at Oracle and SAP ERP systems.

Warnings of security vulnerabilities are not new

Cybersecurity researchers have been warning for a long time that U.S. critical infrastructure is vulnerable. Much of the focus has been on power plants and other utilities. But ERP systems are managing critical infrastructure, and the report by Onapsis and Digital Shadows is seen as backing up a broader worry about infrastructure risks.

"The great risk in ERP is disruption," said Alan Paller, the founder of SANS Institute, a cybersecurity research and education organization in Bethesda, Md. If the attackers were just interested in extortion or gaining customer data, there are easier targets, such as hospitals and e-commerce sites, Paller said.

What the attackers may be doing with ERP systems is prepositioning, which can mean planting malware in a system for later use. In other words, attackers "are not sure what they are going to do" once they get inside an ERP system, Paller said. But they would rather get inside the system now, and then try to gain access later, he said.

The report by Onapsis and Digital Shadows found increased interest among hackers in ERP-specific vulnerabilities. This interest has been tracked on a variety of sources, including the dark web, which is a part of the internet accessible only through special networks.

Complexity makes ERP security difficult

The problem facing ERP security, Perez-Etchegoyen said, is "the complexity of ERP applications makes it really hard and really costly to apply patches. That's why some organizations are lagging behind."

SAP and Oracle, in emailed responses to the report, both said something similar: Customers need to stay up-to-date on patches. "Our recommendation to all of our customers is to implement SAP security patches as soon as they are available -- typically on the second Tuesday of every month -- to protect SAP infrastructure from attacks," SAP said.

Oracle pointed out that it "issued security updates for the vulnerabilities listed in this report in July and in October of last year. The Critical Patch Update is the primary mechanism for the release of all security bug fixes for Oracle products. Oracle continues to investigate means to make applying security patches as easy as possible for customers."

One of the problems is knowing the intent of the attackers, and the report cited a full range of motives, including cyberespionage, which is sabotage by a variety of groups, from hacktivists to foreign countries.