UK Government Releases Cloud SCADA Security Guidance

UK’s NCSC releases security guidance for OT organizations considering migrating their SCADA solutions to the cloud.

The UK’s National Cyber Security Centre (NCSC) released security guidance on Monday to help organizations that use operational technology (OT) determine whether they should migrate their supervisory control and data acquisition (SCADA) systems to the cloud.

SCADA systems have traditionally been isolated from the internet and even the local enterprise network for security reasons, but the cloud can offer numerous benefits and many organizations are taking the cloud into consideration.

The guidance published by the NCSC aims to help OT organizations identify the benefits and challenges of cloud-hosted SCADA, and enable them to make a risk-based decision before moving to the cloud.

The NCSC believes “cloud migration must be informed by each organisation’s unique risk profile and specific technical requirements”, highlighting that OT organizations, particularly critical infrastructure entities, face an increased risk of sophisticated cyberattacks.

Organizations that are considering the implementation of cloud SCADA should first decide whether they want a full migration, the use of the cloud only as a stand-by or recovery solution, or a hybrid deployment.

The agency noted that the cloud provides increased flexibility, resilience to cyberattacks and other disruptive events, improved remote access, and centralized identity and secret management.

However, each of these benefits can also introduce security risks. For instance, the software-defined networking (SDN) component associated with the cloud, which provides greater flexibility, needs to be monitored for unauthorized changes. The cloud may offer greater resilience, but organizations need to take into consideration that the cloud itself can suffer an outage. Remote access can significantly increase the attack surface if not managed properly.

When deciding whether they are ready to move their SCADA products to the cloud, organizations need to determine if they have the skills, people and policies to support the shift. Organizations lacking the necessary skills might turn to a managed service provider, but the NCSC pointed out that such companies can have a lot of experience with the cloud in general yet may not be experienced with SCADA systems specifically.

Lastly, organizations should assess the suitability of their technology for cloud migration. This includes software suitability for the cloud, existing legacy hardware, latency impact, and the protection of sensitive SCADA data. 

The government security agency also pointed out that SCADA and general IT have a lot in common, and urged organizations to also review and apply its general cloud security guidance.

“Operational downtime is now the driving force behind many cyberattacks. Cybercriminals know that by targeting SCADA systems, they can cause operational downtime in key critical infrastructure sectors such as energy and manufacturing, which could cause mass societal chaos,” said Trevor Dearing, director of critical infrastructure at Illumio. 

“It’s good the NCSC has recognised the risk posed to operational resilience when SCADA systems are connected to the cloud. Many SCADA systems were originally designed years ago without security in mind and were therefore never intended to be connected to the cloud. This of course means they are vulnerable to an attack and operational downtime.

“We fully endorse the NCSC’s message of ‘organisational readiness’ when it comes to migrating SCADA systems to the cloud. Organisations should look into a Zero Trust approach, one of the most effective ways to improve cyber resilience. Adopting a ‘never trust, always verify’ approach can help organisations contain attacks at the point of entry and limit lateral movement to SCADA systems,” Dearing added.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
