UK Government Releases Cloud SCADA Security Guidance

March 18, 2024 at 11:03AM

The UK’s National Cyber Security Centre (NCSC) has released guidance for organizations using operational technology (OT) to assess the potential migration of their supervisory control and data acquisition (SCADA) systems to the cloud. The guidance highlights the need for a risk-based decision, considering unique technical requirements and the increased cybersecurity risk to critical infrastructure. The NCSC also emphasizes the importance of assessing organizational readiness and technology suitability before considering migration.

The guidance aims to help organizations identify the benefits and challenges of cloud-hosted SCADA and make a risk-based decision before moving to the cloud. It emphasizes that cloud migration should be informed by each organization’s unique risk profile and specific technical requirements, particularly for critical infrastructure entities.

The guidance highlights that the cloud provides increased flexibility, resilience to cyberattacks, improved remote access, and centralized identity and secret management, but also introduces security risks, such as unauthorized changes in software-defined networking (SDN) and potential outages. It further notes that organizations need to assess their readiness for cloud migration, including skills, people, policies, and technology suitability.

Additionally, it recommends that organizations review and apply general cloud security guidance and consider a Zero Trust approach to improve cyber resilience, as operational downtime is a driving force behind many cyberattacks targeting SCADA systems.

Furthermore, Trevor Dearing, director of critical infrastructure at Illumio, endorses the NCSC’s emphasis on organizational readiness and recommends adopting a ‘never trust, always verify’ approach to contain attacks and limit lateral movement to SCADA systems.
