SCADA is heading to the cloud — here's why security experts are worried

The NCSC has issued guidance for organizations moving SCADA (Supervisory Control and Data Acquisition) systems into the cloud, as more companies are considering the shift.

These systems are used for running and monitoring industrial systems and processes everywhere from power stations to factory assembly lines and wind farms.

SCADA industrial control systems have been around for decades, but were rarely connected to the open internet, which kept them relatively protected from attack.

In recent years, however, these systems have been connected to the internet to make them easier to access. With this shift, the NCSC believes there is evidence of a clear change in attitudes towards using cloud computing for these industrial applications.

“Where this has previously been a commonly dismissed topic due to the potential risks, many operational technology (OT) organizations are now looking to the cloud for solutions,” the security agency said. Operational technology refers to any hardware or software that runs or monitors industrial systems.

As a result, the NCSC has published new guidance on cloud-hosted SCADA systems, and said that cyber security should be a key consideration.

The agency said it would not dictate whether the cloud was the right or the wrong approach, but said cloud-hosted SCADA has some “unique” risks.

“The current state of play in OT can make the path to securely implementing a cloud migration challenging,” the NCSC warned.

Keeping SCADA systems safe is a particular concern because they often form the basis for control across critical national infrastructure (CNI) and other cyber-physical systems.

That means hacking into and meddling with a SCADA system can have dangerous real-world consequences, something that governments have been worried about for a number of years.

Critical infrastructure is at constant risk of targeted cyber attack, something that’s increased in the last couple of years. Last year, the NCSC warned that hackers backed by China have been making efforts to target critical infrastructure in the UK and elsewhere.

“This persistent and elevated threat means cyber security needs to be at the forefront of all decisions in both CNI and wider cyber-physical systems, and you should understand the challenges that a shift to the cloud will involve,” the NCSC said.

Protecting SCADA systems

The guidance lists some of the key considerations for moving SCADA into the cloud.

Large industrial control systems are often put in place for 20 or more years. While a cloud migration project means a chance to re-think those systems and make them more secure, it can also introduce risks by exposing legacy infrastructure to external threats it was never designed to deal with.

SCADA systems were often designed to be ‘air-gapped’, disconnected from the public internet and broader enterprise networks.

The agency also warned that firms need to consider how critical functions would be recovered in the event of a cloud (or cloud connectivity) outage.

“As with safety critical functions, organizations will need to consider break glass recovery solutions to ensure local control can be regained,” it said.

“Cloud migration should not be executed in isolation, and needs to be considered as part of the organization’s wider cyber security strategy.”

Organizations considering making the switch also need to consider the impact of other issues with operational technology, such as the reliance on legacy equipment, as well as on-premises and monolithic software packages.

They were urged to consider whether their SCADA software is even supported in a cloud deployment, the trust model between on-premises and cloud components, and issues such as latency, as well as the sensitivity of the data that is being sent to the cloud.

“SCADA data is sensitive, and provides the necessary information required to control physical infrastructure. Ensuring that this data is adequately protected should be a priority both on-premises and in a cloud deployment,” the NCSC said.

Steve Ranger
