The UK's National Cyber Security Centre released security guidance on Monday to help organizations that use operational technology determine whether they should migrate their supervisory control and data acquisition systems to the cloud.
SCADA systems have traditionally been isolated from the internet and even the local enterprise network for security reasons, but the cloud can offer numerous benefits and many organizations are taking the cloud into consideration.
The guidance published by the NCSC aims to help OT organizations identify the benefits and challenges of cloud-hosted SCADA, and enable them to make a risk-based decision before moving to the cloud.
Organizations that are considering the implementation of cloud SCADA should first decide whether they want a full migration, the use of the cloud only as a stand-by or recovery solution, or a hybrid deployment.
The agency noted that the cloud provides increased flexibility, resilience to cyberattacks and other disruptive events, improved remote access, and centralized identity and secret management.
Each of these benefits can also introduce security risks.
The software defined networking component associated with the cloud, which provides greater flexibility, needs to be monitored for unauthorized changes.
The cloud may offer greater resilience, but organizations also need to take into consideration that the cloud can also suffer from an outage.
Remote access can also significantly increase the attack surface if not managed properly.
When deciding whether they are ready to move their SCADA products to the cloud, organizations need to determine if they have the skills, people and policies to support the shift.
Organizations lacking the necessary skills might turn to the help of a managed service provider, but the NCSC pointed out that these types of companies can have a lot of experience with the cloud in general, but may not be experienced when it comes to SCADA systems specifically.
Lastly, organizations should assess the suitability of their technology for cloud migration.
This includes software suitability for the cloud, existing legacy hardware, latency impact, and the protection of sensitive SCADA data.
The government security agency also pointed out that SCADA and general IT have a lot in common, and urged organizations to also review and apply its general cloud security guidance.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 18 Mar 2024 15:43:05 +0000