The UK’s National Cyber Security Centre (NCSC) has recently issued comprehensive security guidance aimed at assisting operational technology (OT) organizations in evaluating the feasibility of migrating their supervisory control and data acquisition (SCADA) systems to the cloud. This initiative reflects the growing trend of organizations turning to cloud solutions to address the challenges posed by increasingly interconnected infrastructures.

The guidance underscores the importance of making informed decisions based on risk assessments when considering the migration of SCADA solutions to the cloud, with cybersecurity considerations taking center stage. While acknowledging the potential benefits of cloud adoption, the NCSC emphasizes that the suitability of such a transition may vary for each OT organization, depending on their unique circumstances.

Against the backdrop of heightened cyber threats, including ransomware attacks targeting critical national infrastructure (CNI), the NCSC stresses the need for robust cybersecurity measures in all decisions related to CNI and cyber-physical systems. It highlights the evolving nature of cloud-hosted SCADA systems, which necessitates a thorough understanding of the associated management, security boundaries, and connectivity models.

The guidance provides detailed insights into various use cases for cloud-hosted SCADA solutions, ranging from full migration scenarios to hybrid deployments that leverage cloud capabilities for enhanced data analytics while retaining control functions on-premises. It also addresses critical considerations, such as contingency planning for cloud outages and compliance requirements under The Network and Information Systems Regulations 2018.

In addition, the NCSC outlines best practices for authentication, access control, and secrets management in cloud environments, emphasizing the importance of aligning cloud strategies with existing policies and skillsets within organizations. It also underscores the need for clarity regarding ownership and administrative access rights in cloud environments, particularly when engaging with third-party service providers.

Furthermore, the guidance advises organizations to assess the compatibility of their existing technology with cloud migration and to adopt architectural approaches tailored to the cloud environment. By avoiding a ‘lift-and-shift’ mentality and leveraging internal expertise, including SCADA operators, organizations can ensure a smooth and secure transition to cloud-based SCADA solutions.

This initiative by the NCSC aligns with broader efforts to enhance cybersecurity resilience and preparedness in the face of evolving cyber threats, particularly those emanating from state-aligned actors. By providing actionable guidance and insights, the NCSC aims to empower OT organizations to make informed decisions that strengthen their cybersecurity posture and safeguard critical infrastructure against emerging threats.