NCSC Publishes Security Guidance for Cloud-Hosted SCADA

The UK’s leading cybersecurity agency has published guidance to help organizations make better informed decisions about whether to migrate their supervisory control and data acquisition (SCADA) systems to the cloud.

SCADA is commonplace in cyber-physical systems and especially in critical infrastructure facilities, making it a popular target for attack.

The new guidance from the National Cyber Security Centre (NCSC) aims to show organizations not only the opportunities but also the challenges of migrating such deployments to the cloud.

“Moving to the cloud doesn’t simply change where a SCADA system is hosted; it fundamentally alters the traditional management, security boundaries, connectivity model, and access control mechanisms, as the system is now internet-connected,” it warned.

Read more on SCADA threats: Russian APT Sandworm Disrupted Power in Ukraine Using Novel OT Techniques

Migration could offer greater flexibility to adopt new technologies and solutions, as well as improved resilience and scalability, enhancements to remote access, and the centralization of authentication, secrets and key management, the guidance noted.

However, organizations must first ensure they have access to the right skills, that they’ve updated cybersecurity policies and procedures, and they’ve considered the impact of shared services on security, the NCSC continued.

The guide also provides crucial information to help organizations understand whether their technology is even suitable for migration, and how a cloud solution should be architected for its new environment.

This includes considerations for legacy hardware, software suitability and hybrid connectivity.

Experts welcomed recognition of the potential risks posed by connecting SCADA to the cloud – specifically attacks designed to cause operational downtime in critical infrastructure sectors.

“Many SCADA systems were originally designed years ago without security in mind and were therefore never intended to be connected to the cloud. This of course means they are vulnerable to an attack and operational downtime,” argued Illumio director of critical infrastructure, Trevor Dearing.

“We fully endorse the NCSC’s message of ‘organisational readiness’ when it comes to migrating SCADA systems to the cloud. Organizations should look into a zero-trust approach, one of the most effective ways to improve cyber-resilience.”

Leave a Reply

Your email address will not be published. Required fields are marked *