UK’s NCSC guides migrating SCADA systems to cloud for OT organizations, enabling risk-informed decisions

On Monday, the UK’s National Cyber Security Centre (NCSC) issued security guidance to assist organizations utilizing operational technology (OT) in assessing the feasibility of migrating their supervisory control and data acquisition (SCADA) systems to the cloud. The move encourages OT organizations to make a risk-informed decision on migrating SCADA solutions to the cloud, with cybersecurity as a key consideration.

Organizations are increasingly looking towards the cloud to solve the challenges of ever more connected infrastructure. The guidance aims to identify some of the key considerations required before deciding on migrating SCADA to the cloud. It does not, however, aim to provide a definitive view on whether SCADA in the cloud is the correct route for every OT organization. Instead, it will help organizations identify the benefits the cloud can bring (as well as some of its unique challenges) and make a risk-based decision before implementing cloud-hosted SCADA, of which cybersecurity is a core consideration.

Last November, the NCSC acknowledged in its Annual Review 2023 that due to the changing geopolitical environment, including the ongoing war in Ukraine, the rise of state-aligned groups from around the globe, and an increase in aggressive cyber activity, it is highly likely the cyber threat to the U.K. critical national infrastructure (CNI) has heightened in the last year.

The NCSC also assessed that ransomware remains one of the greatest cyber threats to the U.K. CNI sectors. This has been evidenced by international incidents, including attacks against Colonial Pipeline and the Irish Health Executive, and within the U.K., against South Staffordshire Water, Royal Mail International, and even one impacting NHS 111. Some of these attacks have also highlighted the possibility of disrupting CNI through attacks on key suppliers, who may have weaker security and thus present an attractive opportunity for adversaries.

The agency recognizes that this persistent and elevated threat means cybersecurity needs to be at the forefront of all decisions in CNI and wider cyber-physical systems, and that organizations should understand the challenges that a shift to the cloud will involve.

It outlines that moving to the cloud doesn’t simply change where a SCADA system is hosted – it fundamentally alters the traditional management, security boundaries, connectivity model, and access control mechanisms, as the system is now internet-connected.

Additionally, legacy SCADA solutions were designed to be ‘air-gapped’, isolated from both the public internet and the organization’s enterprise networks. Current SCADA solutions are designed to be logically separated and protected, with controlled and limited access across zone boundaries. A cloud SCADA solution needs to be able to ensure this controlled and limited connectivity is maintained and monitored.

The agency details that organizations must identify and understand their use case for ‘cloud-hosted SCADA’ so that adequate controls can be put in place. This can cover several use cases including full migration with control and telemetry both being actioned from the cloud environment, and hybrid deployments without cloud-based control to enable the use of advanced data analytics where only telemetry data is ingested for processing, but control remains in an on-premises SCADA solution. 

It also covers hybrid deployments with cloud-based control, where the cloud is used for part of the functionality or for the resiliency designed into the overall solution, and the use of the cloud as a cold standby and/or recovery solution, deployed in addition to an on-premises SCADA solution as part of a business continuity and disaster recovery plan.
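The use cases above differ mainly in which flows are allowed to cross the OT/cloud zone boundary, and the guidance stresses that this connectivity must be both limited and monitored. The following is an added illustration, not code from the NCSC guidance or from any vendor: a small policy-as-code check that takes the declared use case and a list of cross-zone flow rules, and reports flows that the use case does not require, flows that touch the internet zone directly, and permitted flows that are not logged. The zone names, the rule format, and the per-use-case allow tables are assumptions made for this example.

```python
"""Zone-boundary policy check for a cloud-hosted SCADA use case.

Hypothetical example. The zone names, the FlowRule format and the ALLOWED
tables below are assumptions for illustration only; they are not taken from
the NCSC guidance or from any product.
"""
from dataclasses import dataclass

# Assumed zone model: OT network, enterprise IT, the cloud tenant, and the
# public internet. The cloud tenant is internet-connected by nature, but no
# rule should ever peer the OT zone with the internet zone directly.
ZONES = {"ot", "enterprise", "cloud", "internet"}


@dataclass(frozen=True)
class FlowRule:
    """One permitted flow across a zone boundary (constructed format)."""
    src: str
    dst: str
    kind: str            # "telemetry", "control" or "admin"
    logged: bool = False  # True if the flow is captured by monitoring


# Flows each use case is expected to need. Anything else that crosses a
# zone boundary is reported as not required for the declared use case.
ALLOWED = {
    # Hybrid, no cloud control: only telemetry leaves the OT zone.
    "telemetry_only": {("ot", "cloud", "telemetry")},
    # Hybrid with cloud control: telemetry out, control back in.
    "hybrid_control": {("ot", "cloud", "telemetry"), ("cloud", "ot", "control")},
    # Full migration: control and telemetry from the cloud, admin from IT.
    "full_migration": {
        ("ot", "cloud", "telemetry"),
        ("cloud", "ot", "control"),
        ("enterprise", "cloud", "admin"),
    },
    # Cold standby: replicate telemetry/state only until failover.
    "cold_standby": {("ot", "cloud", "telemetry")},
}


def evaluate(use_case, rules):
    """Return a list of (reason, rule) findings for the given use case."""
    if use_case not in ALLOWED:
        raise ValueError(f"unknown use case: {use_case}")
    findings = []
    for rule in rules:
        if rule.src not in ZONES or rule.dst not in ZONES:
            findings.append(("unknown zone in rule", rule))
            continue
        if rule.src == rule.dst:
            continue  # intra-zone traffic is out of scope for this check
        if "internet" in (rule.src, rule.dst):
            findings.append(("direct internet exposure of a zone boundary", rule))
            continue
        if (rule.src, rule.dst, rule.kind) not in ALLOWED[use_case]:
            findings.append((f"flow not required for use case '{use_case}'", rule))
            continue
        if not rule.logged:
            findings.append(("permitted cross-zone flow is not monitored", rule))
    return findings


# Constructed sample: a telemetry-only deployment that has drifted. It lets
# the cloud send control traffic into OT, exposes OT to the internet for
# admin access, and does not log the one flow it actually needs.
WEAK_RULES = [
    FlowRule("ot", "cloud", "telemetry", logged=False),
    FlowRule("cloud", "ot", "control", logged=True),
    FlowRule("internet", "ot", "admin", logged=True),
]

# Constructed sample: the corrected rule set for the same use case.
HARDENED_RULES = [
    FlowRule("ot", "cloud", "telemetry", logged=True),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(evaluate('telemetry_only', rules))} finding(s)")
        for reason, rule in evaluate("telemetry_only", rules):
            print(f"  {reason}: {rule.src} -> {rule.dst} ({rule.kind})")
```

Running the block reports three findings for the drifted rule set and none for the corrected one. The same rules evaluated under `hybrid_control` would accept the cloud-to-OT control flow, which is the point of declaring the use case first: the allow table, not the firewall, records what the organization has decided the cloud is permitted to do.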

OT organizations will need to consider how critical functions would be recovered in the event of a cloud (or cloud connectivity) outage. As with safety-critical functions, organizations will need to consider break-glass recovery solutions to ensure local control can be regained. OT organizations that are ‘operators of essential services’ (OES) will also need to specifically consider their requirements under The Network and Information Systems Regulations 2018, and guidance from their competent authorities.

Where OT organizations are planning on using the cloud for cold-standby use cases, they should also consider how they will use cloud-native features to add to the resilience of this solution. In particular, this should look to use infrastructure as code and automation to bring systems online, and to establish critical connectivity to the network, as part of the organization's disaster recovery plan. This environment should be periodically tested to ensure it will function correctly during an incident.

The NCSC’s ‘using a cloud platform securely’ guidance discusses in detail best practices for authenticating users and services, and how to apply access controls. Administrator access should be protected as described in the secure system administration guidance. Where single sign-on (SSO) or centralized role-based access control (RBAC) is not possible (due to legacy devices within the infrastructure), centralized secrets management may be considered.

Additionally, cloud-native secrets management can play a key role in ensuring that organizations take a consistent approach to protecting secrets across the organization. Secrets management is a major issue in the OT sector due to the number of local accounts that are required in existing infrastructure.

The guidance also addressed whether the organization has the skills, people, and policies to support a shift to the cloud. It identified that ownership of the cloud environment and the root administrator account should be clearly understood by the organization. If the MSP owns the underlying cloud accounts, then there is a much greater risk of an MSP compromise being able to affect the customer environments that it services. CNI organizations are already an attractive target for advanced adversaries; a single MSP or third-party service/integration servicing multiple CNI organizations can further increase the risk.

Lastly, the NCSC document also covered how organizations can assess whether their technology is suitable for migration and how cloud solutions should be architected for the new environment. A key part of the decision to move to the cloud is understanding if your technology is suitable for migration. Your cloud solution should be architected with its new environment in mind and avoid following a lift-and-shift pattern where possible. Organizations should also seek internal expertise (including from the staff operating the SCADA solution) to inform these design decisions.

The latest NCSC guidance follows a report released by the U.K. Joint Committee on the National Security Strategy by the authority of the House of Commons and the House of Lords, which identified that there exists a high risk that the government will face a ‘catastrophic ransomware attack at any moment and that its planning will be found lacking.’ The majority of ransomware attacks against the U.K. are from Russian-speaking perpetrators, and the Russian Government’s tacit (or even explicit) approval of this activity is consistent with the Kremlin’s disruptive, zero-sum-game approach to the West.
