NCSC issues guidance for migrating SCADA systems to the cloud

Operational technology (OT) is a cornerstone of modern society, silently overseeing and managing the processes critical to our daily lives.

From power grids to transportation, OT systems like Industrial Control Systems (ICS), Distributed Control Systems (DCS) and SCADA ensure the smooth operation of infrastructure that is too complex, hazardous or repetitive for manual intervention.

In contrast to information technology, where cybersecurity primarily focuses on data confidentiality, integrity and availability, OT prioritises safety, reliability, and operational continuity. As there are significant physical risks associated with OT failures, cybersecurity measures have to be robust.

The NCSC hopes its new guidance on cloud-hosted SCADA will “encourage OT organisations to make a risk-informed decision on migrating SCADA solutions to the cloud, with cyber security as a key consideration.”

SCADA systems have traditionally operated in isolated environments to ensure security. However, recognising the potential benefits of cloud technology, the NCSC’s guidance addresses the complexities and risks associated with migration.

The guidance underscores the necessity for organisations, especially those in critical infrastructure sectors, to conduct thorough risk assessments tailored to their unique profiles before launching cloud migration efforts.

Highlighting the increased vulnerability to sophisticated cyber threats, the NCSC also emphasises the importance of informed decision-making.

Cloud migration offers enticing advantages such as enhanced flexibility, resilience and centralised management. But it also introduces new security challenges.

Organisations must carefully consider factors like software-defined networking vulnerabilities, potential outages and expanded attack surfaces resulting from remote access.

Crucially, organisations should also evaluate their readiness for cloud migration, assessing their internal expertise, policies and technology compatibility.

While managed service providers may offer assistance, the NCSC warns against assuming that they have expertise in SCADA systems.

Additionally, organisations must assess software suitability, hardware compatibility, latency issues and data protection considerations.

The security agency also advises organisations to integrate general cloud security principles alongside SCADA-specific measures, recognising the similarities and differences between SCADA and traditional IT systems.

Escalating cyber threats underline the urgency of bolstering SCADA security measures, as highlighted in the NCSC’s Annual Review 2023. With players like China increasingly targeting critical infrastructure in cyberattacks, there are heightened risks to UK critical national infrastructure.

This sentiment is echoed in a joint advisory issued by the NCSC and the US CISA, emphasising the evolving threat landscape.

“Operational downtime is now the driving force behind many cyberattacks,” said Trevor Dearing, director of critical infrastructure at Illumio.

“Cybercriminals know by targeting SCADA systems, they can cause operational downtime in key critical infrastructure sectors such as energy and manufacturing, which could cause mass societal chaos.

“It’s good the NCSC has recognised the risk posed to operational resilience when SCADA systems are connected to the cloud. Many SCADA systems were originally designed years ago without security in mind and were therefore never intended to be connected to the cloud. This of course means they are vulnerable to an attack and operational downtime.

“We fully endorse the NCSC’s message of ‘organisational readiness’ when it comes to migrating SCADA systems to the cloud. Organisations should look into a Zero Trust approach, one of the most effective ways to improve cyber resilience. Adopting a ‘never trust, always verify’ approach can help organisations contain attacks at the point of entry and limit lateral movement to SCADA systems,” Dearing added.
