Protect the controllers
you can’t put an agent on.
Field controllers are embedded devices built to run for a decade or more. PacketViper protects them from the network path, agentless, without disrupting the live signal operation they’re running.
A flat field network has no natural stopping point.
Field controllers are built to run for a decade or more. They are embedded devices in roadside cabinets, and they cannot run the endpoint software that protects a laptop or a server. That leaves agencies with a hard question. How do you protect a device that will never accept a protection agent, without disrupting the live signal operation it is running?
The blast radius of a flat field network is documented. In the University of Michigan “Green Lights Forever” study presented at USENIX WOOT 2014, researchers working with a road agency gained control of a live system of roughly 100 intersections. The weaknesses were structural: unencrypted wireless links, default credentials that were publicly known, and an exposed debug port. Reaching one part of the network reached much of it.
When protection has to live on the endpoint, and the endpoint cannot host it, the network path is the only place left to enforce anything.
Non-intrusive, agentless, and scoped to the device.
PacketViper is a non-intrusive, agentless, transparent inline layer for the field network. It installs nothing on the controller and asks nothing of it. It starts in observation, learning the normal command traffic to each device, then narrows to surgical enforcement scoped to the device, never the whole subnet.
That containment is the direct answer to the flat-network problem: enforcement follows the individual device, so one compromised path does not become reach across every cabinet.
Nothing on the Controller
No agent, no firmware change, no dependency on the device’s own authentication or update cycle.
Starts in Observation
Learns normal command traffic to each device before any enforcement is applied.
Scoped to the Device
Enforcement narrows to the individual controller, never the subnet, containing lateral reach.
Meet the equipment where it is.
Agencies do not get to replace the field fleet to make it securable, and they cannot take intersections down to harden them. Agentless, inline protection meets the equipment where it is, protects the command path around it, and stays out of the way of live operations while doing it.
Agentless signal controller protection – common questions
They are long-lived embedded field devices not designed to host endpoint software, so protection has to be applied on the network path instead.
PacketViper starts in observation and narrows to enforcement scoped to the individual device, so normal operations continue while policy is applied surgically.
Enforcement is scoped to the individual device, which contains lateral reach across a flat field network rather than treating the subnet as one trust zone.
Explore the platform
NTCIP Command Integrity
Inspect and enforce NTCIP-over-SNMP commands inline, at the wire, so only authorized commands reach the device.
Learn moreNTCIP Traffic Protection
Command-level monitoring, detection, prevention, notification, and audit evidence for NTCIP-managed field devices.
Learn moreTraffic Control Systems
Security built for ITS, NTCIP, and SCADA-connected traffic controllers, with enforcement that fits inside a roadside cabinet.
Learn moreProtect the controllers already in the ground.
See agentless, inline enforcement scoped to the device, with no changes to your field fleet.