Trust the command,
not just the connection.
Most traffic signal security asks whether a device was contacted. PacketViper inspects and enforces NTCIP-over-SNMP commands inline, at the wire, so only authorized commands reach the controller.
A connection can be routable and still not be authorized.
Most traffic signal security asks a narrow question: was this device contacted? The question that actually protects the roadway is different. Should that command have been trusted before it changed anything? On a modern signal network, a controller receives an NTCIP-over-SNMP SET, a timing-plan change or a phase adjustment, and acts on it. If the source is routable, the command usually lands. Whether that source was authorized to send it is a separate matter, and most field networks never check.
This is not theoretical. In 2023, CISA published advisory ICSA-23-026-02 covering CVE-2023-0452 in the Econolite EOS signal controller, rated CVSS 9.8. An unauthenticated configuration file exposed administrative credentials protected only by weak hashing, enough for a remote attacker to take control of the signals. In 2024, security researchers demonstrated an authentication bypass in the Intelight X-1 controller (CVE-2024-38944), where NTCIP values could be read in cleartext and, in some cases, written without authentication at all.
The common thread is not a single vendor bug. It is that the command path itself trusts the connection instead of verifying the command.
Inspect the command, not just the port.
PacketViper inspects the NTCIP-over-SNMP command inline, at the wire, before it reaches the controller. It reads the actual operation, the OID and the value, and enforces which commands are allowed to reach which device. Protection sits in the network path, so it does not depend on the controller’s own authentication, which is exactly the layer these incidents defeated.
An out-of-policy SET, a command from an unexpected source, or a wrong community string becomes an attempt to investigate, surfaced to the operator with full context, with a human in the decision before the change takes effect.
Reads the Operation
Decodes the SET, the OID, and the value carried inside the SNMP payload, not just the source and destination port.
Enforces Policy Inline
Compares the command against which sources may change which OIDs on which device, at wire speed, before the device acts.
Keeps a Human in the Loop
Out-of-policy attempts are surfaced to the operator with context. The operator decides before the change takes effect.
The decision has to stay with the operator.
An unverified change to a live signal is not only a security event. It is a reliability and safety event that the traveling public feels at the intersection. Placing integrity on the command path keeps that decision where it belongs, with the operator, and keeps the record of every attempt for the people who need it.
NTCIP command integrity – common questions
Verifying that an NTCIP-over-SNMP command sent to a field device is authorized for that operation before the device acts on it, rather than trusting any routable source.
A firewall decides whether a connection is allowed. PacketViper inspects the command carried inside an allowed connection and enforces policy on the operation itself.
No. Protection is inline on the network path and does not depend on the controller’s own authentication or firmware.
Explore the platform
Agentless Signal Controller Protection
Non-intrusive, agentless, inline protection for legacy field controllers that cannot run security agents, scoped to the device.
Learn moreNTCIP Traffic Protection
Command-level monitoring, detection, prevention, notification, and audit evidence for NTCIP-managed field devices.
Learn moreTraffic Control Systems
Security built for ITS, NTCIP, and SCADA-connected traffic controllers, with enforcement that fits inside a roadside cabinet.
Learn moreVerify the command before it becomes a change.
See command-level enforcement against real NTCIP traffic, scoped to your field devices.