The UK’s National Cyber Security Centre on Monday released security guidance to help organisations using operational technology assess the feasibility of moving their supervisory control and data acquisition (SCADA) systems to the cloud. The move encourages OT organisations to make a risk-informed decision about moving SCADA solutions to the cloud, with cybersecurity a key consideration.
Organizations are increasingly looking to the cloud to solve their increasingly connected infrastructure challenges. The guidance aims to outline some of the key considerations that need to be considered before making a decision to move SCADA to the cloud. However, it is not intended to provide a definitive view on whether cloud-hosted SCADA is the right path for every OT organization. It will, however, help organizations identify the benefits that the cloud can bring (as well as some of its unique challenges), and make a risk-based decision before implementing cloud-hosted SCADA (of which cybersecurity is a key consideration).
Last November, the National Cyber Security Centre acknowledged in its 2023 annual report that due to the changing geopolitical environment, including the ongoing war in Ukraine, the rise of state-linked groups from around the world, and increased aggressive cyber activity, it was highly likely that the cyber threat to the UK’s critical national infrastructure had increased in the past year.
The National Cyber Security Centre also assesses that ransomware remains one of the biggest cyber threats to the UK’s ICT sectors. This has been demonstrated by international incidents, including attacks against Colonial Pipeline and the Irish Health Executive, and within the UK, against South Staffordshire Water, Royal Mail International, and even one affecting NHS 111. Some of these attacks have also highlighted the potential for disruption to ICT through attacks on key suppliers, who may have weaker security and therefore present an attractive opportunity for adversaries.
The Agency recognizes that this ongoing and growing threat means that cybersecurity must be at the forefront of all decisions in CNI and broader cyber-physical systems, and that organizations must understand the challenges involved in migrating to the cloud.
He explains that moving to the cloud not only changes where the SCADA system is hosted – it fundamentally changes the traditional management, security boundaries, communication model and access control mechanisms, as the system is now connected to the Internet.
Additionally, legacy SCADA solutions were designed to be “air-gapped,” isolated from both the public Internet and the organization’s own enterprise networks. Existing SCADA solutions are designed to be logically separate and protected, with limited and controlled access across area boundaries. A cloud SCADA solution must be able to ensure that this limited and controlled connectivity is maintained and monitored.
The agency explains that organizations should define and understand their use cases for “cloud-hosted SCADA” so that appropriate controls can be put in place. This can include a variety of use cases including full migration with control and telemetry from a cloud environment, and hybrid deployment without cloud-based control to enable advanced data analytics where only telemetry data is ingested for processing, but control remains with the on-premises SCADA solution.
It also covers hybrid deployment with cloud-based control where the cloud is used for part of the functionality or flexibility designed for the overall solution. It also uses the cloud as a cold backup and/or recovery solution where it is deployed as an addition to an on-premises SCADA solution as part of a business continuity and disaster recovery plan.
OT organizations will need to consider how to recover critical functions in the event of a cloud service (or cloud connectivity) outage. As with safety-critical functions, organizations will need to consider rapid recovery solutions to ensure that local control can be restored. OT organizations that act as “essential service operators” will also need to specifically consider their requirements under the Networks and Information Systems Regulations 2018, and guidance from relevant authorities.
When OT organizations plan to use the cloud for backup use cases, they should also consider how to use cloud-native features to add resilience to the solution. In particular, this should aim to use infrastructure as code and automation to connect systems to the internet, and establish critical network connectivity as part of the disaster recovery plan. This environment should be tested periodically to ensure it will function properly during an incident.
The National Cyber Security Center’s Secure Cloud Platform Guidelines discuss best practices for authenticating users and services and how to implement access controls in detail. Administrator access should be protected as outlined in the Secure System Management Guidelines. If single sign-on (SSO) or centralized role-based access control (RBAC) is not possible (due to legacy devices within the infrastructure), centralized secrets management may be considered.
Additionally, cloud-native secrets management can play a key role in ensuring that organizations take a consistent approach to protecting secrets across the enterprise. Secrets management is a major issue in the OT sector due to the number of on-premises accounts required in current infrastructure.
The guidance also addressed whether the organization has the skills, people, and policies to support the transition to the cloud. It specified that cloud environment ownership and root administrator accounts should be clearly understood by the organization. If the MSP owns the underlying cloud accounts, there is a much greater risk that a breach of the MSP could impact the environments of the customers it serves. CNI organizations are already an attractive target for advanced adversaries; having a single MSP or third-party service/integration serving multiple CNI organizations could increase the risk even further.
Finally, the NCSC document also addresses organizations’ understanding of the appropriate technology for migration and how to design cloud solutions with their new environment in mind. A key part of the decision to move to the cloud is understanding whether the technology is appropriate for migration. Your cloud solution should be designed with its new environment in mind and avoid a lift-and-shift pattern where possible. Organizations should also seek internal expertise (including from staff managing the SCADA solution) to inform these design decisions.
The latest NCSC guidance follows a report by the UK’s Joint Committee on National Security Strategy under the authority of the House of Commons and the House of Lords, which identified a high risk that the government could face “a catastrophic ransomware attack at any moment and that planning for it would be inadequate.” The majority of ransomware attacks against the UK come from Russian-speaking ransomware perpetrators, and the tacit (or even explicit) approval of this activity by the Russian government is consistent with the Kremlin’s approach to destructiveness that yields no gains for the West.
