Security-as-a-Service (SaaS) – why businesses should take it seriously

In the rail industry, most installed equipment has a long product lifecycle. Take, for example, the central Communications Control Unit (CCU): these units last up to 10 years on average and are considered a valuable asset, handling the communication between the train and shoreside infrastructure. Although the CCU and other on-train devices come equipped with built-in static security controls, no single security control can be considered effective on its own, and therefore a layered approach known as defence in depth is required to protect important assets. Businesses are now looking for new ways to protect critical assets and essential services from malicious actors by ensuring that threats are quickly identified, reviewed and effectively controlled.

Protecting against a list of potential threats that at times seems to change daily, as newly discovered vulnerabilities are announced, is a challenge for companies in all industries. Managing this in the rail industry, on devices that can move across the country and even into other countries on varying schedules, adds further complexity and cost when it comes to updating security controls. Considering a ‘Security-as-a-Service’ approach, where a third party takes on more of the threat and vulnerability management tasks, allows train operating companies to focus on their core operations and on enhancements that improve the overall passenger experience. A Security-as-a-Service offering can include a number of services to provide an effective cybersecurity management system, so that controls remain effective and provide an adequate level of protection throughout the asset lifecycle.

Applying static security controls in a layered approach can be expensive, and the controls require regular updates to ensure they remain effective. Investment in a Security-as-a-Service offering is often seen as a counterweight to expensive static security controls: it reduces potential risk by improving detection and by responding to a potential threat before it escalates and becomes high-impact. A Security-as-a-Service offering can often provide a train operating company with an intrusion detection service, which detects potentially malicious activity and feeds it back to a centralised point where it can be investigated and the necessary action deployed to mitigate potential risk.

An effective detection and response service will use a signature-based detection mechanism to detect known malicious activity, have security-trained staff ready to review and respond, and use other sources of information to identify any irregular activity. For example, if an intrusion detection system flagged a logon attempt to a CCU in the middle of the night, while the train was out of service and no maintenance was scheduled, this would be classed as potentially malicious activity that needs to be investigated.
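The CCU logon scenario above can be expressed as a small triage rule that joins an intrusion detection event with schedule data. This is an added example, not code from the original article or from any vendor's product; the event fields, unit IDs, stabling window and maintenance records are constructed assumptions.

```python
from datetime import datetime, time

# Constructed context data; unit IDs, field names and times are assumptions.
OUT_OF_SERVICE = {"unit-101": (time(23, 30), time(4, 45))}  # stabling window, wraps midnight
MAINTENANCE = [("unit-101", datetime(2024, 3, 5, 1, 0), datetime(2024, 3, 5, 3, 0))]

# Constructed IDS events as they might arrive at the centralised point.
EVENTS = [
    {"ts": "2024-03-04T02:13:00", "unit": "unit-101", "target": "ccu", "type": "logon_attempt"},
    {"ts": "2024-03-05T01:40:00", "unit": "unit-101", "target": "ccu", "type": "logon_attempt"},
    {"ts": "2024-03-04T14:05:00", "unit": "unit-101", "target": "ccu", "type": "logon_attempt"},
    {"ts": "2024-03-04T02:20:00", "unit": "unit-999", "target": "ccu", "type": "logon_attempt"},
]

def in_window(t, start, end):
    """True if clock time t is in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def maintenance_scheduled(unit, ts):
    """True if a maintenance record for this unit covers the event timestamp."""
    return any(u == unit and begin <= ts <= finish for u, begin, finish in MAINTENANCE)

def triage(event):
    """Classify a CCU logon attempt using service and maintenance context."""
    if event["type"] != "logon_attempt" or event["target"] != "ccu":
        return "not_applicable"
    ts = datetime.fromisoformat(event["ts"])
    window = OUT_OF_SERVICE.get(event["unit"])
    if window is None:
        return "investigate"           # no schedule context: fail towards review
    if not in_window(ts.time(), *window):
        return "routine"               # in service: left to signature-based checks
    if maintenance_scheduled(event["unit"], ts):
        return "expected_maintenance"  # out of service, but work was planned
    return "investigate"               # out of service and nothing scheduled

def triage_all(events):
    """Return (timestamp, unit, verdict) for each event."""
    return [(e["ts"], e["unit"], triage(e)) for e in events]

if __name__ == "__main__":
    for row in triage_all(EVENTS):
        print(*row)
```
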

Data protection laws such as the GDPR and regulations such as the EU Security of Networks & Information Systems (NIS) state that security controls need to offer an adequate level of protection against the potential threats identified. A Security-as-a-Service offering can include the necessary controls and processes to assist train operating companies with their compliance with laws and regulations and to provide evidence of effective security controls.


Train operators can expect to find themselves exposed to both hardware and software threats from hackers and even terrorists. As train operators strive to provide the digital journey for their passengers, trains have never been more reliant on digital solutions. It is important to find a solution which protects all assets across the digital solution so that both on-train and shoreside systems are effectively secured.

If a malicious user defaces the landing page, it has the potential to ruin a train operator’s reputation and brand, with social media being at the forefront of our digital society. An attack on the shoreside infrastructure can impact a full fleet, as this is often where the centralised functions that maintain the on-board services are hosted and, more importantly, where data is stored. Data breaches are hot in the media: big companies are being broadcast on the news for having data leaked (a PR disaster waiting to happen). The more digital solutions you connect to your fleet (and in some cases present to passengers), the harder it will be, in theory, to protect, because the threat landscape grows with the number of components. It is important to find a provider who will provide complete digital security.

Below is a list of consequences a train operator can expect to inherit should they become the victim of a successful attack:

  • Passenger safety at risk
  • Passenger data & services at risk
  • Public relations disaster
  • Train management systems at risk
  • Company reputation ruined
  • Service delays
  • Regulatory fine


It is important to stay proactive in terms of security when protecting your shoreside and on-train services as new threats are emerging each day. A Security-as-a-Service offering which includes regular reviews of a solution through vulnerability assessments and audits can help to proactively identify areas of improvement to prevent a potential incident. When combined with the trend data obtained from an intrusion detection system, train operating companies can be provided with reporting data which can be used when deciding where to invest their security budget to maximise its effectiveness.

Security controls cannot stay static; they must evolve during the asset lifecycle as new threats emerge and new digital systems are added to the network. Processes and tools must be put into place to allow the train operator to react quickly to an incident and minimise the impact on both themselves and passengers. An investigation should be launched, and lessons should be learned to improve procedures for the future. A Security-as-a-Service offering provides a security management package which the train operator can use to:

  • Identify a threat
  • Respond to the threat
  • Contain the threat within an effective time frame
  • Learn from the threat
  • Improve policies, procedures and controls to prevent a repeat incident
  • Demonstrate effective cybersecurity

Furthermore, Nomad Secure Intrusion Detection Service provides the train operator with a mechanism to identify an actual or suspected cyber-attack and provides real-time alerts of an on-going incident which is monitored by our 24/7 Service Desk.

Final Thoughts

Implementing security controls at the start of the product lifecycle and not reviewing them until selecting the replacement product at the end of its lifecycle is no longer a viable option. What might be seen as secure today might not be secure tomorrow, as new vulnerabilities are discovered and unknown weaknesses are exploited. Security needs to be proactive, with data patterns monitored to predict potential threats and prevent them from impacting the business. As the digital train evolves, so do the security measures put in place to protect the train operating company and, more importantly, its passengers.

Credit to our technical expert David Dove for supporting on this piece.