The NCSC has published guidance for organizations moving SCADA (supervisory control and data acquisition) systems to the cloud, as more businesses consider the switch.
These systems are used to run and monitor industrial systems and processes everywhere, from power plants to factory assembly lines to wind farms.
SCADA industrial control systems have been around for decades, but they were rarely connected to the open Internet, which kept them relatively protected from attacks.
However, in recent years, these systems have been connected to the Internet for easier access. With this change, the NCSC believes there is evidence of a clear shift in attitudes towards the use of cloud computing for these industrial applications.
“While this was previously a commonly dismissed topic due to potential risks, many operational technology (OT) organizations are now looking to cloud solutions,” the security agency said. Operational technology refers to any hardware or software that runs or monitors industrial systems.
As a result, the NCSC published new guidance on cloud-hosted SCADA systems and said cybersecurity should be a key consideration.
The agency said it would not dictate whether the cloud was the right or wrong approach, but noted that SCADA hosted in the cloud has some “unique” risks.
“The current situation in OT may make the path to safely implementing a cloud migration challenging,” the NCSC warned.
Keeping SCADA systems secure is a particular concern because they often form the basis for the control of critical national infrastructure (CNI) and other cyber-physical systems.
That means an intrusion into a SCADA system can have dangerous real-world consequences, a prospect that has worried governments for several years.
Critical infrastructure is constantly at risk of targeted cyber attacks, a risk that has increased in recent years. Last year, the NCSC warned that Chinese-backed hackers have been making efforts to attack critical infrastructure in the UK and elsewhere.
“This persistent and elevated threat means that cybersecurity must be at the forefront of all decisions in both CNI and broader cyber-physical systems, and the challenges that a shift to the cloud will entail must be understood,” the NCSC said.
Protection of SCADA systems
The guide lists some of the key considerations for moving SCADA to the cloud.
Large industrial control systems typically last 20 years or more. While a cloud migration project represents an opportunity to rethink those systems and make them more secure, it can also introduce risks by exposing legacy infrastructure to external threats it was never designed to protect against.
SCADA systems were often designed to be “isolated,” disconnected from the public Internet and broader enterprise networks.
The agency also warned that companies should consider how critical functions would be recovered in the event of a cloud (or cloud connectivity) outage.
“As with safety-critical functions, organizations will need to consider broken glass recovery solutions to ensure local control can be regained,” it said.
“Cloud migration should not be executed in isolation and should be considered as part of the organization's broader cybersecurity strategy.”
Organizations considering the switch should also weigh the impact of other operational technology issues, such as reliance on legacy equipment and on on-premises, monolithic software packages.
They were urged to consider whether their SCADA software supports a cloud deployment, the trust model between on-premises and cloud components, and issues such as latency as well as the sensitivity of data being sent to the cloud.
“SCADA data is confidential and provides the information necessary to control the physical infrastructure. Ensuring this data is adequately protected should be a priority both on-premises and in a cloud deployment,” the NCSC said.