UK Government Releases Cloud SCADA Security Guidance

UK’s NCSC releases security guidance for OT organizations considering migrating their SCADA solutions to the cloud.


The UK’s National Cyber Security Centre (NCSC) released security guidance on Monday to help organizations that use operational technology (OT) determine whether they should migrate their supervisory control and data acquisition (SCADA) systems to the cloud.

SCADA systems have traditionally been isolated from the internet and even the local enterprise network for security reasons, but the cloud can offer numerous benefits and many organizations are taking the cloud into consideration.

The guidance published by the NCSC aims to help OT organizations identify the benefits and challenges of cloud-hosted SCADA, and enable them to make a risk-based decision before moving to the cloud.

The NCSC believes “cloud migration must be informed by each organisation’s unique risk profile and specific technical requirements”, highlighting that OT organizations, particularly critical infrastructure entities, face an increased risk of sophisticated cyberattacks.

Organizations that are considering the implementation of cloud SCADA should first decide whether they want a full migration, the use of the cloud only as a stand-by or recovery solution, or a hybrid deployment.

The agency noted that the cloud provides increased flexibility, resilience to cyberattacks and other disruptive events, improved remote access, and centralized identity and secret management.

However, each of these benefits can also introduce security risks. For instance, the software-defined networking (SDN) component associated with the cloud, which provides greater flexibility, needs to be monitored for unauthorized changes. The cloud may offer greater resilience, but organizations need to take into consideration that the cloud itself can suffer an outage. Remote access can significantly increase the attack surface if not managed properly.

When deciding whether they are ready to move their SCADA products to the cloud, organizations need to determine if they have the skills, people and policies to support the shift. Organizations lacking the necessary skills might turn to a managed service provider for help, but the NCSC pointed out that while these types of companies can have a lot of experience with the cloud in general, they may not be experienced when it comes to SCADA systems specifically.


Lastly, organizations should assess the suitability of their technology for cloud migration. This includes software suitability for the cloud, existing legacy hardware, latency impact, and the protection of sensitive SCADA data. 

The government security agency also pointed out that SCADA and general IT have a lot in common, and urged organizations to also review and apply its general cloud security guidance.

“Operational downtime is now the driving force behind many cyberattacks. Cybercriminals know that by targeting SCADA systems, they can cause operational downtime in key critical infrastructure sectors such as energy and manufacturing, which could cause mass societal chaos,” said Trevor Dearing, director of critical infrastructure at Illumio. 

“It’s good the NCSC has recognised the risk posed to operational resilience when SCADA systems are connected to the cloud. Many SCADA systems were originally designed years ago without security in mind and were therefore never intended to be connected to the cloud. This of course means they are vulnerable to an attack and operational downtime.

“We fully endorse the NCSC’s message of ‘organisational readiness’ when it comes to migrating SCADA systems to the cloud. Organisations should look into a Zero Trust approach, one of the most effective ways to improve cyber resilience. Adopting a ‘never trust, always verify’ approach can help organisations contain attacks at the point of entry and limit lateral movement to SCADA systems,” Dearing added.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

