NCSC Released an Advisory to Secure Cloud-hosted SCADA – GBHackers on Security

Operational Technology (OT) is a technology that interfaces with the physical world and includes Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Distributed Control Systems (DCS). 

OT is different from IT in that OT prioritizes safety, reliability, and availability, while IT focuses on information confidentiality, integrity, and availability. 

The convergence of OT and IT increases system vulnerabilities, which can be addressed by adopting sound risk management principles. 

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

The NCSC published cyber security design principles to help architects and designers produce secure, resilient OT systems.

Cloud-hosted supervisory control and data acquisition (SCADA)

Critical considerations for OT organizations migrating Supervisory Control and Data Acquisition (SCADA) systems to the cloud while acknowledging the growing adoption of cloud-based SCADA solutions for various functionalities, from data processing to full control of physical assets. 

It emphasizes the importance of a risk-based decision-making process, highlighting cybersecurity as a core concern. 

SCADA systems are critical for monitoring and controlling physical infrastructure, making them prime targets for cyberattacks, especially for organizations managing Critical National Infrastructure (CNI).

Legacy SCADA systems were isolated (air-gapped) from external networks. At the same time, current solutions rely on logical separation and controlled access, whereas cloud-based SCADA requires maintaining and monitoring these limitations in the new environment.

It further aids in decision-making: understanding business drivers and cloud opportunities, assessing organizational readiness for cloud migration, and evaluating technology and cloud solution suitability for the specific use case. 

Understanding the business drivers and cloud opportunities

It emphasizes understanding the different deployment models (full migration, hybrid with/without cloud-based control, cold standby) to assess the unique risks associated with each.

By recommending leveraging cloud-native services for a more secure architecture and to gain a centralized view of hosted services, it highlights the importance of using Software Defined Networking (SDN) and monitoring it for unauthorized changes.

The cloud offers features like automated scaling, failover, and disaster recovery for resiliency, which emphasizes the importance of considering break-glass recovery solutions for critical functions.

Centralized remote access and identity/access management are seen as opportunities offered by cloud-hosted SCADA while  integrating a Privileged Access Management (PAM) solution and using cloud-native secrets management. 

It also discourages relying on lower-trust domains for authentication and recommends using the cloud’s Key Management Service (KMS).

Readiness of Organizations

Before migrating OT to the cloud, organizations need to assess their cloud readiness, including having the proper skills, people, and policies in place.

Cloud migration requires a skill set different from that of on-premises OT management, where organizations can build these skills internally or leverage a managed service provider (MSP).

Migrating to the cloud often involves increased connectivity, so OT security policies need to be reviewed to ensure they can handle this new landscape.

Shared services and third-party integrations used with cloud-hosted SCADA systems need careful consideration to maintain data integrity and security.

Using an MSP introduces another attack surface, so organizations must understand the MSP’s security controls and how they will provision the cloud environment (limited services, tenancy, or separate environment).

Cloud environment ownership and root administrator privileges are crucial, and if the MSP owns the underlying cloud accounts, a compromise could impact multiple customers.

The technical considerations for migrating SCADA systems to the cloud emphasize the importance of understanding software suitability and legacy hardware limitations.

Legacy monolithic architectures and protocols may require additional security measures, like containerization and VPNs. 

The cloud migration decision should consider latency requirements and data sensitivity whereas edge computing and zero-trust architecture principles are also potential solutions.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *