The National Cyber Security Centre (NCSC) in the UK has recently issued new guidance on securely migrating supervisory control and data acquisition (SCADA) systems to cloud environments for operational technology (OT) in the UK’s critical national infrastructure (CNI).


SCADA systems [1] [2] [3] [4] [5] [7], traditionally isolated for security reasons [4], are now being considered for migration to the cloud, presenting both opportunities and challenges [5] [7]. The NCSC’s guidance emphasizes the importance of risk assessments, informed decision-making [1] [2] [5], and evaluating organizational readiness for cloud migration. Cloud-hosted SCADA systems are at high risk of cyberattacks [3], prompting the NCSC to enhance security measures to prevent breaches by cybercriminals or state-backed groups [3]. The guidance highlights the need for collaboration with cloud service providers and SCADA vendors [7], as well as investing in internal expertise or engaging managed service providers with cloud-specific skills [7]. Organizations moving from the traditional ‘air-gapped’ model to a cloud environment must implement robust controls and continuous monitoring of connectivity and access to CNI. The guide underscores the benefits of cloud migration, such as enhanced flexibility, resilience [5] [6], and scalability [1] [3] [5] [6], while also emphasizing the importance of possessing the necessary skills, updated cybersecurity policies [5], and considering the security implications. The NCSC advises integrating general cloud security principles with SCADA-specific measures to address evolving cyber threats [2], particularly those targeting critical national infrastructure [2]. Various migration options are discussed, ranging from full cloud migration to using the cloud as a standby/recovery solution [6], each with its own advantages [3], disadvantages [3] [6], and associated risks. Experts caution about the risks of connecting SCADA systems to the cloud [5], as many were not originally designed with security in mind and are susceptible to attacks that could lead to operational disruptions in critical infrastructure sectors [5]. A joint advisory with the US CISA highlights the urgency of bolstering SCADA security measures in the face of escalating cyber threats [2]. Migration to the cloud should be evaluated on a case-by-case basis [3], with specific guidance tailored to each organization’s use case [3]. Cloud environments provide increased observability and scalability [3], allowing organizations to adapt to emerging threats and changing infrastructure needs [3].


In conclusion, the NCSC’s guidance on securely migrating SCADA systems to cloud environments highlights the importance of robust security measures, collaboration with stakeholders [7], and careful evaluation of risks and benefits. As organizations transition to the cloud, they must prioritize cybersecurity [1], invest in expertise, and consider the implications for critical national infrastructure. By integrating cloud security principles with SCADA-specific measures [2], organizations can better protect against evolving cyber threats and ensure the resilience of their operations in the face of increasing risks.