Cloudy with a Chance of Industrial Cyber Threats, Part 1

I remember the early days of evaluating and piloting cloud in ICS/OT environments—back when I was leading incident response in the electric power sector and helping implement NERC-CIP programs with engineering staff. At the time, we cautiously piloted cloud services for data storage and monitoring. Fast forward to today, and cloud adoption is no longer a side project. It's a growing force in industrial cybersecurity, providing engineering and business case benefits.

But as cloud adoption in ICS/OT accelerates, so do the risks. And it’s important to know that cloud is not for every ICS sector.

What Cloud Means for ICS/OT

Cloud computing in ICS/OT can enable scalable data storage, remote monitoring, analytics, disaster recovery, and even industrial process control capabilities. These benefits are particularly attractive in sectors with geographically distributed assets, like in renewable energy, or where human safety may be a factor. But the move to cloud in ICS is not plug-and-play.

Here's a more depth look at a few common ICS/OT cloud use cases:

• Remote Monitoring & Telemetry Analysis – Enables real-time performance tracking without requiring on-site staff, reducing cost, travel, and in some cases, physical risk.
• Cloud-Based Historians – Stores and processes operational data in scalable cloud platforms, with access controls from both IT and ICS/OT networks to support analysis and process improvement.
• Remote HMIs – Allows operators to securely access interfaces off-premises via cloud-based infrastructure, sometimes region specific.
• Disaster Recovery – Provides scalable options for backup and continuity in the event of major disruptions or incidents.

There’s no one size fits all solution here. While these capabilities can improve efficiency and flexibility, ICS defenders must evaluate cloud integrations through the lens of safety, security, and reliability. And there’s another internal team that should contribute greatly to this conversation and related evaluations!

Collaboration Between IT and ICS Security

Cloud isn’t new to IT. IT teams have been managing secure cloud infrastructure for years—decades even—managing risks like identity access management, encryption, oversight, and full cloud evaluations before deployment. That’s the right approach.

ICS teams should tap into that experience, but not directly copy-paste IT cloud solutions into industrial environments. ICS systems are engineered for stability and safety—not constant change. Connectivity must be monitored and restricted, especially in human machine interface (HMI)-in the cloud deployment, to protect human safety and operational integrity.

That difference matters even more when considering connectivity to off-site systems and shared infrastructure. And let’s be clear—some critical infrastructure sectors have not and likely will not leverage cloud services, for good reason, including compliance.

ICS Cloud Adoption: What the Data Says

According to the SANS 2024 ICS/OT Survey: The State of ICS/OT Cybersecurity, cloud adoption in ICS/OT is growing—but not without hesitation:

• 26% of respondents now use cloud technologies in some part of their ICS/OT operations—a 15% increase from previous years.
• 45% still avoid it—primarily due to concerns around security and reliability.
• In the energy sector, adoption is just 18%, often due to risk, regulatory uncertainty, and strict uptime requirements.

So, risk awareness is generally strong—as 79% of organizations conduct formal risk assessments before deploying ICS workloads to the cloud. Here are some case trends from 2023 to 2024:

• Remote telemetry analysis: Up from 40% to 56%
• Cloud-based HMIs: Up from 22 % to 32% (use caution and prioritize safety)
• Disaster recovery planning: Up from 22% to 34%
• Cloud historians for storage: Down slightly from 39% to 35%
• Connection to Managed Security Service Providers (MSSPs): Down from 33% to 27%

In summary, more engineering teams are using cloud—but selectively and strategically, driven (rightfully so) by safety concerns.

Cloud Risks in ICS/OT

With great power comes great risk. Cloud connectivity introduces:

• Increased Attack Surface: Cloud connections open new vectors for ransomware, data breaches, and remote compromise that could lead to control system mis-operation.
• Reliability Risks: Internet outages or cloud service disruptions are likely to introduce instability in systems that demand 24/7 uptime, as we’ve seen over the years impacting IT services.
• Data Sovereignty and Compliance Issues: Cloud storage can complicate adherence to data residency laws.
• Legacy Integration Challenges: Older ICS components may lack compatibility with modern cloud services.
• Vendor Lock-In: Over-reliance on one provider can reduce flexibility and make future migrations difficult, for IT and ICS/OT.

These aren’t theoretical risks—they’re real-world and have been observed. Adversaries know how cloud architectures and how they’re often misconfigured. Cloud requires tailored mitigations, including segmentation, secure remote access, multi-factor authentication, and encryption. Caution should be given again when it comes to compliance and HMI in-the-cloud control capabilities.

How ICS Teams Can Securely Approach Cloud

Here’s what works when considering cloud for operational and safety requirements in ICS/OT. And know that cloud may not suit some critical infrastructure processes or sectors, and that’s ok!

• Leverage IT cloud expertise, and if cloud is needed for ICS/OT, adapt it for safety-critical environments.
• Conduct risk assessments that consider physical and cyber implications.
• Vet cloud vendors for ICS-specific SLAs, visibility, and support capabilities.
• Evaluate the security posture of cloud instances and how it’s secured for operations.
• Use defense-in-depth, including secure gateways, network segmentation, and anomaly detection, making sure that during incident response, your data and the security events are available to help determine impacts and next steps.

Above all, prioritize safety and reliability over convenience. This conversation and final decision should be led by the engineering team. The reasons for IT adopting cloud may not be the same justification for ICS/OT adopting cloud.

Final Thoughts

Cloud can transform ICS/OT operations—offering visibility, resilience, storage, processing options and efficiency (for some sectors). But it also introduces risk. The key is safety and industrial grade risk management that should be driven by the engineering side of the organization.

To dive deeper into the intersection between cloud security and ICS, join us in person at the ICS Security Summit for our workshop Navigating OT Connectivity & Security in the Cloud Era. Led by Jeffrey Shearer and Gordon Moreau, this session is perfect for those new to ICS/OT and covers essential considerations for securely connecting OT environments to the cloud. Learn more and register for the Summit here.

More coming in Part 2! Stay tuned!