IoT ERP and security: is your mobile software full of holes?
Ah, the Internet of Things (IoT); the current and future motivator of all things technology, and easily ERP-supported and propagated via today’s mobility. However, while a high-concept that offers an ability to connect your car with your coffee pot and your ERP-driven meeting schedule with your refrigerator sounds really cool when your read it on a blog somewhere, have you ever really considered the security impacts of IoT integrated ERP software; not only technically, but personally?
More connections mean more entry points
As a research experience, a recent hackathon lead to identifying 47 IoT security flaws manufactured by major hard-goods and technical brands ranging from the mundane to the sophisticated including “….smart door locks, padlocks, thermostats, refrigerators, wheelchairs and even solar panel arrays…to digital wireless range extenders.”
Even this small demonstration allowed the gray hat ‘players’ to carry on direct passive/active attacks creating all kinds of havoc including; negative impacts executed by applying malformed passwords, entry and the execution of cross-buffer overflows, and the manipulation of various device mechanical and electronic controls’. In many cases, the failure scenarios called for some kind of mobile device involvement.
In one case, associated with a remote HVAC climate control product, a user’s smartphone was used to initiate a threat-penetration that allowed the system to overheat and potentially launch a building fire. In another case, a user’s mobile tablet was used to take control, and drive, a remotely operated wheelchair system unattended.
Taking responsibility for your ERP security
On top of these ‘gremlins at the gates’ kind of impacts, larger and more concerning possibilities existed regarding the employment of extended access to even larger networks that may have been chained to a particular network, thereby, controlling further cascades of devices. So, while it may be a lot of ‘fun’ for technologists to see if they can break the bank; in many cases, not only was the bank breakable, but the city, the region, and the state as well.
The lessons learned for enterprise technology are clear, while an IoT-integrated ERP is a great opportunity for people, developers and enterprises to interact and ultimately create more efficient ways to operate in realtime, you still have to protect yourself, your home, and your business. This newly-heightened sensitivity should also be guided by the fact that, in the main, ERP elements are becoming more the rule rather than the exception when it comes to manufacturing, WMS, HR, and virtually any other commercial product, and additionally, mobile ERP is becoming critical to today’s production loop.
So, there is a clear fly in the ointment here, since as suggested by the DEF CON demonstration; you can’t expect that all players will provide for the most up-to-date ERP security, leading to a final, and quite stark conclusion; if you want your systems to be secure, you are going to have to do it yourself, end-to-end, and without pause, because the bad guys are always lurking, They have an advantage since they don’t play by the same business and personal rules that the rest of us apply. Ultimately your IoT enabled ERP systems are always; always; going to be big juicy targets.
Investigate your ERP security policies, processes, systems, devices and network protocols before something unpleasant happens. Because trust me; they’re out there, and they’re constantly looking for a way to break through your firewalls, not because they have to, but because it’s ‘fun.’
Is BYOD a bad idea for ERP security?
A comprehensive look at the ERP security risks presented by BYOD policies
Four ERP security issues faced by public sector companies
Public sector ERP brings a unique set of security challenges - here’s what to look out for
How to implement a mobile ERP with minimum disruption
Tips to make your mobile ERP implementation as smooth as possible