Applying static security controls in a layered approach can be expensive, and the controls require regular updates to remain effective. Investment in a Security-as-a-Service offering is often seen as a counter to expensive static security controls: it reduces potential risk by improving detection and by responding to a potential threat before it escalates and becomes high-impact. A Security-as-a-Service offering can often provide a train operating company with an intrusion detection service that detects potentially malicious activity and feeds it back to a centralised point, where it can be investigated and the necessary action taken to mitigate potential risk.
An effective detection and response service will use a signature-based detection mechanism to detect known malicious activity, have security-trained staff ready to review and respond, and use other sources of information to identify any irregular activity. For example, if an intrusion detection system flagged a logon attempt to a CCU in the middle of the night, while the train was out of service and no maintenance was scheduled, this would be classed as potentially malicious activity that needs to be investigated.
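The contextual check described above, written out as an added example that is not from the original page: it correlates IDS logon events with a train's service periods and maintenance windows. The asset IDs, event fields, schedule data and night-hours range are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions, not from the page): per-CCU service
# periods, scheduled maintenance windows, and events fed back by the IDS.
IN_SERVICE = {"CCU-01": [("2024-03-04T05:30", "2024-03-04T23:45")]}
MAINTENANCE = {"CCU-02": [("2024-03-05T01:00", "2024-03-05T03:00")]}
EVENTS = [
    {"time": "2024-03-04T08:15", "asset": "CCU-01", "user": "driver7", "type": "logon"},
    {"time": "2024-03-05T02:10", "asset": "CCU-01", "user": "svc_diag", "type": "logon"},
    {"time": "2024-03-05T02:20", "asset": "CCU-02", "user": "tech3", "type": "logon"},
    {"time": "2024-03-05T02:40", "asset": "CCU-01", "user": "-", "type": "heartbeat"},
]
NIGHT_HOURS = range(0, 5)  # assumption: 00:00-04:59 local time is "night"


def covered(windows, asset, when):
    """True if `when` falls inside any (start, end) window held for the asset."""
    return any(datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
               for start, end in windows.get(asset, []))


def triage(event, in_service=IN_SERVICE, maintenance=MAINTENANCE):
    """Return an alert dict for an irregular logon, or None if it is expected."""
    if event["type"] != "logon":
        return None
    when = datetime.fromisoformat(event["time"])
    # An asset with no schedule data counts as out of service and unscheduled,
    # so missing context produces an alert instead of hiding the logon.
    out_of_service = not covered(in_service, event["asset"], when)
    unscheduled = not covered(maintenance, event["asset"], when)
    if not (out_of_service and unscheduled):
        return None
    reasons = ["train out of service", "no maintenance scheduled"]
    severity = "medium"
    if when.hour in NIGHT_HOURS:
        reasons.append("night-time logon")
        severity = "high"
    return {**event, "severity": severity, "reasons": reasons}


def investigation_queue(events):
    """Alerts to hand to the analysts at the centralised point."""
    return [alert for alert in map(triage, events) if alert]


if __name__ == "__main__":
    for alert in investigation_queue(EVENTS):
        print(alert["time"], alert["asset"], alert["user"],
              alert["severity"], "; ".join(alert["reasons"]))
```

Of the four constructed events, only the 02:10 logon to CCU-01 is queued: the 08:15 logon falls inside a service period, the CCU-02 logon falls inside a scheduled maintenance window, and the heartbeat is not a logon.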
Data protection laws such as the GDPR and regulations such as the EU Security of Networks & Information Systems (NIS) state that security controls need to offer an adequate level of protection against the potential threats identified. A Security-as-a-Service offering can include the necessary controls and processes to help train operating companies comply with these laws and regulations and to provide evidence of effective security controls.