The UK's National Cyber Security Centre (NCSC) reacts to growing cloud implementations for operational technology, SCADA, and industrial control systems. The shift to cloud computing has caused the NCSC to be concerned that organizations aren't properly managing the new connectivity, including security boundaries and access control mechanisms.
Risk Management
Cyber Resilience
Operational Technology

UK NCSC Urges OT/ICS Operators to Secure Cloud Migrations

George V. Hulme / Apr 9, 2024

There was a time when connecting operational technology (OT) and supervisory control and data acquisition (SCADA) systems to the cloud—or perhaps connecting them to any network at all—was unthinkable. Or, at the very least, operators liked to tell themselves that these critical systems were "air-gapped." That is no longer the case, given expanding digital transformation efforts, growing cloud adoption, and the convergence of IT and OT systems.

"These systems have historically not been networked with other systems, but that's now changing rapidly," Michael Farnum, advisory CISO at technology consultancy Trace3, says.

The UK's National Cyber Security Centre (NCSC) has noticed. The UK's cybersecurity watchdog has observed a "clear shift" in the attitude toward using cloud within industrial environments. "Where this has previously been a commonly dismissed topic due to the potential risks, many operational technology (OT) organizations are now looking to the cloud for solutions," the NCSC says in a statement.

"Cyber risks to cloud environments are valid, but as with any type of system, you have to apply the proper controls to mitigate those risks," says Chris Sistrunk, Mandiant technical leader, ICS/OT at Google Cloud. "The concerns for moving OT/ICS to the cloud are that the skill sets, training, operations and maintenance, and defensive strategies for on-premises OT/ICS are well defined, well known, and at a mature state, whereas OT/ICS in cloud environments and security of those systems are still very new," warns Sistrunk.

Cloud Risks to SCADA Must be Considered

The shift to cloud computing for SCADA systems has caused the NCSC to be concerned that organizations aren't properly managing the change this move brings to these systems. 

"Moving to the cloud doesn't simply change where a SCADA system is hosted; it fundamentally alters the traditional management, security boundaries, connectivity model, and access control mechanisms, as the system is now internet-connected," the NCSC warns.

Specifically, the NCSC notes:

  • Legacy SCADA solutions were designed to be "air-gapped" and isolated from the public internet and the organization's enterprise networks.

  • Current SCADA solutions are designed to be logically separated and protected, with controlled and limited access across zone boundaries.

  • A cloud SCADA solution must ensure this controlled and limited connectivity is maintained and monitored.


The NCSC's guidance aims to help OT organizations make more risk-informed decisions on migrating SCADA to the cloud and ensuring that cybersecurity remains a core consideration. The guidance covers several key areas organizations need to assess:

  • Identify the specific use case for cloud SCADA, whether a full migration, a hybrid cloud and on-premises environment, or backup and recovery only, so that sufficient cybersecurity defenses can be identified for it.

  • Ensure that the organization has the necessary skills and policies, processes, and controls to manage a migration to the cloud securely.

  • Ensure complete understanding of cloud service provider capabilities and work with them and SCADA vendors.

  • Implement SCADA-specific security measures along with cloud security best practices.

  • Implement strong security controls such as encryption, access controls, and secrets management.

  • Review the suitability of the environment for cloud migration: legacy hardware, software compatibility, and latency issues.
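The NCSC's point that a cloud SCADA solution must keep connectivity across zone boundaries controlled, limited and monitored, and the guidance's call for strong access controls, can be turned into a policy-as-code check. The following Python example is added here and is not code from the NCSC or from the article; the zone CIDRs, permitted ports and firewall rules are constructed assumptions, not taken from any real deployment.

```python
from dataclasses import dataclass
from ipaddress import ip_network
# Assumed zone model (constructed): CIDR -> zone. Anything not inside a listed
# zone, including 0.0.0.0/0, is treated as "internet".
ZONES = {
    ip_network("10.10.0.0/16"): "enterprise",
    ip_network("10.20.0.0/24"): "dmz",        # historian / jump host tier
    ip_network("10.30.0.0/24"): "scada",      # cloud-hosted SCADA servers
    ip_network("192.168.100.0/24"): "site",   # on-prem PLC/RTU network over a tunnel
}
# Allow-list of permitted flows, (src_zone, dst_zone) -> TCP ports (assumed).
PERMITTED = {
    ("enterprise", "dmz"): {443},        # users reach the historian web UI only
    ("dmz", "scada"): {443, 5432},       # jump host access, historian replication
    ("site", "scada"): {20000, 102},     # DNP3 and IEC 61850 MMS from the field
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_cidr: str
    dst_cidr: str
    port: int

def zone_of(cidr: str) -> str:
    net = ip_network(cidr)
    for zone_net, label in ZONES.items():
        if net.subnet_of(zone_net):
            return label
    return "internet"

def check_rules(rules):
    """Return (rule name, reason) for every rule outside the permitted zone flows."""
    findings = []
    for r in rules:
        src, dst = zone_of(r.src_cidr), zone_of(r.dst_cidr)
        flow = f"{src}->{dst}:{r.port}"
        if "internet" in (src, dst):
            findings.append((r.name, f"{flow} crosses the internet boundary"))
        elif r.port not in PERMITTED.get((src, dst), set()):
            findings.append((r.name, f"{flow} is not a permitted zone flow"))
    return findings

# Constructed sample rules, not taken from any real deployment.
SAMPLE_RULES = [
    Rule("hist-web", "10.10.0.0/16", "10.20.0.0/24", 443),          # permitted
    Rule("dnp3-field", "192.168.100.0/24", "10.30.0.0/24", 20000),  # permitted
    Rule("vendor-rdp", "0.0.0.0/0", "10.30.0.0/24", 3389),          # internet exposure
    Rule("ent-direct", "10.10.5.0/24", "10.30.0.0/24", 20000),      # bypasses the DMZ
]
```

Running `check_rules(SAMPLE_RULES)` flags the last two rules: one exposes the SCADA zone to the internet, the other lets enterprise hosts reach a control protocol port without passing through the DMZ, which is exactly the kind of drift a cloud boundary needs to be monitored for.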

The guidance from the NCSC doesn't just point out the potential increased exposure to additional cybersecurity threats that target critical infrastructure. It also acknowledges the cloud's possible business and management benefits. It stresses that critical infrastructure operators must learn to balance that risk with the reward before migrating SCADA systems to the cloud.

Cloud No Longer Automatically Inferior to On-Premises

It used to be that cloud systems were harder to keep secure and typically provided less mature options than on-premises systems. That's no longer the case. Experts say that due to how cloud services have matured in recent years, the balance of risk depends on the architecture of the organization's on-premises systems and the maturity of the cloud security provider's offerings. 

"While the type and design of on-premises systems matter, I also believe that some cloud systems can be more secure than on-premises," says Sistrunk. "Cloud environments are designed with built-in security controls, and many OT/ICS servers and architecture had to have them added later. Also, cloud solutions have more dedicated security skills and resources than some OT/ICS on-premises solutions," he adds.

Farnum agrees. "None of these systems [older OT/ICS devices] were designed with security in mind," he says. "Security Nirvana would be to redesign their control systems from the ground up to be cloud native. That would be the ultimate way to control your risk."


Farnum adds that it's essential that operators build availability into their plans. 

"You have to plan to have the most redundancy possible. That's the No. 1 consideration. After that, it's controlling your access and ensuring you're taking advantage of modern security posture management tools that will show you if you've got misconfigurations and more traditional forms of security management," says Farnum.

As OT/ICS devices deployed years or even decades ago continue to age, the number of organizations facing serious cloud migration challenges will grow.

"Asset owners face a lot of challenges, such as aging systems, reduced support for older systems, and the cost of maintaining on-prem systems," says Sistrunk. "Many are facing or could be facing the cloud migration question sooner than later."

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
