KRITIS: Think IT-SIG 2.0 with S/4HANA

The renowned AXA Future Risks Report 2021 names the growing risks from cyber attacks as the second most important global threat after climate change and ahead of pandemics and infectious diseases.

In fact, according to the current BKA situation report, cyber attacks have increased significantly, have become more professional and often target critical infrastructures (KRITIS). Not least, the new IT Security Act (IT-SiG 2.0) counteracts this threat situation. Ralf Kempf, CTO of the SAP security specialist SAST SOLUTIONS, explains the challenges for a successful S/4HANA project from the point of view of SiG 2.0.

For SAP S/4HANA, the security requirements for KRITIS operators have changed with regard to SiG 2.0: database, user interface, gateway, applications and authorizations have grown closer together, and access to important data has become more complex, and therefore also more difficult to monitor. The Security Act requires detailed business continuity planning and disaster recovery scenarios as well as procedural, directive and reactive measures from all KRITIS companies, so that the systems are hardened in advance in accordance with the market standard. It is important to comply with specific requirements on how to build KRITIS architectures, because infrastructure and processes must always be defined in such a way that they can later be tested and approved as part of a SiG acceptance.

This quality of the architecture and processes must be verified cyclically and requires a rethink: you cannot simply continue to do what you have always done in your own way; you have to meet specific requirements.

Consider SiG 2.0 aspects in the early phase

A security assessment and a holistic strategy that combines all topics and requirements are therefore even more important than before in migration projects. With regard to SAP, the prescribed use of "state-of-the-art" anomaly and intrusion detection systems (IDS) alone is not sufficient: IDS recognize and classify attacks with the help of log files that have to be evaluated, and SAP, as a largely self-contained system, often falls through this detection grid if the expertise of SAP security professionals and special software such as the SAST SUITE are not used. The SAST SUITE provides the corresponding SAP SIEM monitoring components, and its integrated dashboard enables transparency across all systems. The involvement of an SAP security specialist is therefore essential here, a finding that also applies to non-KRITIS companies with high protection requirements.

Use S/4HANA and SiG 2.0 as an opportunity

But how do operators ensure the interaction between conception and management, and between monitoring, administration and auditing, during the S/4HANA migration? Embedding an integrated security and authorization concept is still one of the core tasks. Technical system security, but also roles and authorizations, are among the greatest challenges in 2022. For this reason, a holistic security strategy should be defined before implementation. A migration project also offers the opportunity to raise IT security to a new level, with a cleanly set up and holistically planned security and compliance strategy. The challenge of SiG 2.0 should therefore also be understood as an opportunity to improve security in SAP systems, to make role concepts more efficient and thus to be able to use S/4HANA with all its advantages.

The example of standardization

Many companies should use SiG 2.0 as an opportunity for standardization. This is appropriate for utilities, for example, where the business, software and processes are highly standardized because of the regulatory requirements: things that scale very well. In the business processes for energy, gas and water, and for supply and disposal, the approach is to create good templates, harmonize the interfaces and then apply these template models to authorizations, users and processes.

Once the implementation has been completed for the first one or two, it turns out that in the end they all work in a very similar or identical way. In addition to cost savings, this also brings a considerable gain in security. Standardization is a challenge, especially since the human factor is involved and it is not always easy to do, but it is absolutely worthwhile to approach an infrastructure in this way and to standardize as much as possible bottom-up, from the technology and the interfaces all the way to the top.

Problem areas of complexity and focus

Anyone who rises to the challenge of S/4HANA and SiG 2.0 must also be given resources by management, which takes time in recruiting and, of course, money. However, it can still be observed in many companies that focus and financing are mostly neglected, although the investments involved are rather small: a few well-qualified employees and additional expertise in SAP security.

With SiG 2.0, it is now really important to understand that these measures are no longer optional: availability and compliance are mandatory requirements, and meeting them initially costs top-down investment.

Companies see the complexity of roles and authorizations in particular as a major challenge of the transformation, although there have long been proven tools such as the SAST SUITE with which this can be managed well. There is still a growing need for expertise here, because administrators and technicians are also increasingly concerned about losing control. The world is becoming more and more complicated: in the KRITIS area of supply and disposal, for example, there are very long process chains, such as metering points, metering point operators, billing and the separation of sales and network, i.e. very complex systems wherever you look. In addition, outsourcing to the cloud is being promoted, and the interfaces are becoming more and more complex here as well. When it comes to these problem areas, it has to be said clearly that IT governance planning comes from the top. It does not have to be a five-year plan, but if it is not clearly regulated, gaps and frustration are inevitable.

Lessons learned from recent projects
    • Plan the transition so that the new security architecture is SiG-approved
    • Include an additional SAP SIEM monitoring component
    • Standardize as much as possible
    • Save time and gain security by defining the roles in the template
    • Use real-time monitoring for a holistic security concept
    • Ensure sufficient focus and resources
    • Take concerns about growing complexity seriously and use external expertise
    • Ensure IT governance planning