NCSC issues guidance for securing cloud-hosted SCADA systems

The National Cyber Security Centre (NCSC), has issued comprehensive guidance to assist organisations in making informed decisions regarding the migration of their supervisory control and data acquisition (SCADA) systems to the cloud. 

SCADA systems play a critical role in optimising industrial operations, enhancing productivity, ensuring safety, and minimising downtime.

However, they also pose cybersecurity risks, as they are increasingly connected to the internet and may be vulnerable to cyber-attacks if not properly secured.

The NCSC’s new guidance now aims to look at both the opportunities and challenges associated with SCADA deployments to the cloud. 

According to them, migrating SCADA systems to the cloud represents more than just a change in hosting location, but rather fundamentally transforms management practices, security boundaries, connectivity models, and access control mechanisms. 

While there are lots of potential benefits in migration to the cloud, like increased flexibility, resilience, scalability, and centralised authentication and key management, organisations must ensure they possess the necessary skills, update cybersecurity policies and procedures, and assess the impact of shared services on security before undertaking such a transition, the NCSC emphasised.


Recommended reading


The guidance further provides essential insights to help organisations evaluate the suitability of their technology for migration and architect a cloud solution tailored to its new environment. This includes considerations for legacy hardware, software compatibility, and hybrid connectivity.

“This guidance does not aim to dictate that cloud is the right (or wrong) approach for OT organisations. Rather, cloud migration must be informed by each organisation’s unique risk profile and specific technical requirements,” said David G, cyber-physical security architect at the NCSC in a blog post. 

“Although cloud-hosted SCADA has some unique risks, securing a cloud platform is a shared problem with IT. As such this new guidance should be used in conjunction with the existing cloud security guidance.”

Leave a Reply

Your email address will not be published. Required fields are marked *