Decoding the NCSC’s New Guidance for Cloud-Hosted SCADA
Table Of Contents:
Operational Technology (OT) systems automatically monitor and control processes and equipment running everything from power plants to smart hospitals. Failure or malfunction in OT presents physical dangers absent from IT systems. Safety, reliability and availability are prioritised in the former.
That’s why new National Cyber Security Centre (NCSC) guidance has been broadly welcomed. It’s designed to help OT organisations determine the suitability of various cloud platforms for hosting their supervisory control and data acquisition (SCADA) systems.
Why SCADA Security Matters
Security breaches in OT systems like SCADA can result in system unavailability and the exposure of sensitive data. Hacks on industrial plants have resulted in power outages in Ukraine, disabled safety systems at a petrochemical plant, and released untreated sewage into parks and rivers. None of these attacks relied on hacking into cloud-based controls. But by migrating these systems to the cloud, organisations may unwittingly give their adversaries another pathway to compromise.
Yet cloud migration is increasingly what OT organisations are doing. Cloud-based SCADA controls offer several benefits, including scalability to meet changing needs, centralised authentication for improved security, DDoS protection against less sophisticated denial of service attacks, and lower upfront costs.
A Tentative Welcome
This is where the NCSC’s guidance comes in. It emphasises a risk-informed approach, acknowledging the unique security needs and legacy constraints of different organisations. The advice outlines options ranging from a simple standby/recovery setup for connecting existing applications to new systems that are running in the cloud, through to full replacement of those existing applications with cloud-based alternatives. In so doing, it provides a high-level overview of what needs to be done to use a cloud or SaaS solution securely.
Independent security experts quizzed by ISMS.online praised the guidance for offering a useful roadmap, while arguing that further details on specific security measures could strengthen the framework.
“Expanding on security architecture best practices would be beneficial,” APIContext CEO, Mayur Upadhyaya, tells ISMS.online. “This could include guidance on network segmentation strategies tailored for SCADA systems, along with robust identity and access management (IAM) protocols specifically designed for these critical control environments.”
Upadhyaya adds: “Additionally, a more detailed analysis of the cyber-threat landscape specific to cloud-based SCADA could refine risk assessments and inform mitigation strategies.”
Operational Risks
Moving SCADA-based applications into the cloud promises to make the infrastructure easier to manage, while reducing the overhead for internal IT teams. But this has to be considered alongside security and operational management risks. These include heightened risk from data breaches, unauthorised access, exploitation of vulnerabilities and denial-of-service attacks, according to GuidePoint Security’s head of OT security, Pat Gillespie.
“Cloud solutions will add latency when accessing the applications, databases, and services,” he tells ISMS.online. This is a major issue because SCADA controls and industrial applications rely on real-time data.
With safety and availability as the highest priorities for any SCADA system, unplanned outages in the cloud solution, the local ISP or any ISP in between will cause these safety systems to fail.
Some risk can at least be mitigated or managed, according to Gillespie.
“There are use cases where having SCADA data in the cloud can help businesses make better decisions by having SCADA controls, IIoT devices, or industrial applications push data to the cloud for data analysis,” he explains. “However, in the event of high latency or an outage, the SCADA controls must be able to perform their processes and functions to ensure safety and availability.”
Other options include AWS Outpost, where organisations can host an AWS instance at a local facility, Gillespie adds.
A Secure Migration Path
“Organisations must be careful though they are not just moving their current on-premises issues to the cloud. They need to take a breath and ensure they embrace the new operating model fully,” Qualys EMEA MD, Mat Middleton-Leal tells ISMS.online.
A number of challenges inherent in the cloud-based migrations of OT controls could also trip up the unwary, adds Chris Doman, Cado Security CTO.
“Firstly, cloud expertise differs from SCADA expertise, so a joined-up approach is needed,” he tells ISMS.online. “Secondly, legacy SCADA systems may not integrate with cloud-native solutions seamlessly. Finally, implementing granular access controls can be difficult in legacy environments.”
For example, traditional SCADA systems are typically run on-premises and protected using techniques like internal firewalls and air-gapping. As these systems move to the cloud, they have to be implemented with full cloud-native security models in place from the start.
“This can be problematic when those applications and systems have run in environments that do not require the same security models that are in place around cloud deployments,” explains Qualys’ Middleton-Leal.
Moving critical infrastructure to the cloud also requires careful planning due to the shared responsibility model between cloud providers and customers. While the cloud provider secures the infrastructure, customers are responsible for data security and configuration.
Securing critical infrastructure in the cloud requires a multi-pronged approach, according to Cado Security’s Doman.
Collaboration between cloud providers, government agencies, and critical infrastructure operators, investment in cloud expertise within critical infrastructure organisations, and modernisation of legacy SCADA systems to improve integration with cloud solutions are all required, he argues.
Keeping Up Standards
ISO standards like ISO 27001 (Information Security Management) and IEC 62443 (Security for Industrial Automation and Control Systems) provide valuable frameworks for managing OT risk in the cloud, according to APIContext’s Upadhyaya.
“These standards offer structured approaches to security, outlining guidelines for establishing and maintaining a robust security management system,” Upadhyaya explains.
“This includes risk assessment and mitigation strategies specifically adaptable for both cloud and OT environments. However, organisations should remember that ISO standards offer adaptable frameworks, not a one-size-fits-all solution.”
The success of organisations in securely migrating their SCADA solutions to the cloud may well depend on their ability to adapt such guidelines to their unique demands.