Why Auto Manufacturing Security Starts with ERP Protection

Research found more than 1,000 zero-day vulnerabilities within ERP applications.

Automobile Cockpit, Various Information Monitors And Head Up Displays

In a sense, every cybersecurity incident represents a domino effect: Just one sole vulnerability – within the cloud, on-premise or in the supply chain – can topple and spread to multiple components and systems overseeing sales, customer data, business operations, internal processes and compliance. 

The automobile manufacturing industry proves no exception, as the sector faces challenges in keeping the dominoes from falling because there is no shortage of adversaries seeking to knock them down. And – as is the case for many verticals across-the-board – automakers must start by protecting their SAP/enterprise resource planning (ERP) applications. 

Why? Because a failure to properly monitor and defend SAP applications leaves openings which cyber criminals leverage as entry points to stay active on the inside indefinitely and compromise additional areas within. In our research, we found more than 1,000 zero-day vulnerabilities within ERP applications. Six of them prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue “critical” alerts due to their capacity for impact. 

Large Target, Widespread Attacks

The concerns are quite valid, given that adversaries have breached nearly two-thirds of ERP systems over the past two years, with businesses subsequently losing an estimated $50,000 per hour in downtime. 

These criminals are keenly focused on SAP/ERP applications because they represent a big target with highly interconnected impact points: Ninety-nine of the 100 largest companies in the world are SAP customers, as SAP customers generate 84 percent of total global commerce. Because the applications serve such a vital role in our economy, CISA has added at least 10 SAP vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog since 2021. 

The Known Exploited Vulnerabilities are still under attack, meaning education about the real-world effects on affected businesses – and all other ones relying on those businesses – is needed. As indicated, SAP does not exist in a vacuum. It is part of a greater ecosystem in which a seemingly infinite number of dominoes are linked and can fall. 

Advancements in artificial intelligence (AI) are swiftly accelerating this, collapsing the time from an adversary’s discovery of a vulnerability to exploiting it from weeks to minutes, with the bad guys weaponizing AI models to rapidly reverse-engineer public patches into functional next-day exploits. 

Last year’s attack on England-based Jaguar Land Rover (JLR) serves as a clear warning sign and call for an urgent response. A group named “ShinyHunters” publicly boasted that they targeted the same SAP vulnerability for which they weaponized a public exploit, forcing JLR to shut down its global IT systems, halt manufacturing for more than six weeks and send 30,000 employees home. 

Considered the costliest cyber attack in British history, the incident amounted to $1.9 billion in impact to the United Kingdom economy, affecting some 5,000 organizations- almost one year later, many are still feeling the ramifications of of the attack, waiting for safety compontents of their vehicle. 

Defending the Entire Line 

When we think of car factories, we envision lengthy, interconnected production lines in which parts are assembled to create a greater whole – a shiny, new model ready for the showroom. But in a broader sense, that line extends to the ERP applications, cloud solutions and third-party supply chain parts which make the production possible. 

Data flows across all of these systems and components, requiring the protection of transactions, data in transit and data at rest. 

Because safety-minded handoffs and acknowledgments prove so critical here, auto industry leaders must ensure that the right SAP defense requirements/recommendations are firmly in place, with optimal vulnerability management, log monitoring and incident response. Without this, cyber criminals will be free to compromise systems and stay there indefinitely to damage the auto manufacturer and supply chain. Security teams would remain unaware of the breach and, thus, unable to find and eliminate the root cause. 

Essential Resources for Security Teams

So where should industry leaders begin? We advise the review of SAP-published guides as a solid starting point. These materials cover the fortifying of products, cloud assets, infrastructure, platforms and data. They underscore the importance of identity and access management; monitoring, detection and response; employee training/culture building; and resilience and recovery … SAP understands its system very well. 

The company wrote it, maintains it and patches it. Its team members work with customers in a variety of unique production and regulatory environments. They support and back up their requirements and recommendations, establishing security as a foundational organizational value. 

SAP has further demonstrated its commitment by implementing the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), achieving Tier 3 alignment. This means SAP has formally established and documented risk management practices as policy that is defined, conducted and routinely reviewed/updated as part of a comprehensive, enterprise-wide approach to cyber defense. 

In addition, our Onapsis Research Labs regularly publishes news/threat updates and actionable resources, such as a 2026 checklist specifying steps for SAP platform/architecture hardening, patch/vulnerability/threat intelligence, identity/access/privilege controls, monitoring/detection/incident response, compliance/audit readiness and other areas of prioritization. 

Security team members are tasked with defending the entire cyber ecosystem, including the application layer. That’s why the successful safeguarding of SAP/ERP tools has emerged as a big win, especially when these team members nurture an environment which encourages the understanding of ongoing changes, and routine assessments of what needs more attention … We are at our best when we grasp what we are protecting and why we are protecting it. 

This knowledge speaks to the roots of our operations and customer focus, and how the best teams are trusted by every member of their organization and most effectively address everything sitting at the intersection of business goals and uptime – the assembly line, the support systems, the supply chain.  

Armed with the right incident response playbooks, telemetry, tools and monitoring, teams will ensure the dominoes stay upright and they will, indeed, hold that line.

More in Cybersecurity