Author: Elijah Pichler
DMS Operational Architecture Overview
A typical Dynamic Message Sign (DMS) deployment consists of a centralized Traffic Management Center (TMC), field-based sign controllers, a communications layer, and central control software. These components interact through NTCIP 1203, which defines the objects and messaging structure for controlling and monitoring DMS devices.
The TMC serves as the central authority for issuing commands, monitoring device status, and managing message operations. It communicates with field controllers using Simple Network Management Protocol (SNMP)-based protocols, where NTCIP 1203 object definitions (such as message tables, control modes, and status indicators) are exchanged through structured queries and commands.
The field controller is responsible for interpreting NTCIP 1203 objects and executing commands on the sign. It manages message display logic, including message activation, prioritization, and status reporting. While the controller communicates externally using NTCIP, its interface with the physical sign housing (e.g., pixel modules and power systems) is internal and not governed by NTCIP standards.
The communications layer connects the TMC to field devices and creates the most critical operational and cybersecurity boundary. Communication paths include central system-to-controller interactions, typically over IP-based networks, and local access via maintenance laptops. Local interfaces, while necessary for maintenance, introduce significant risk if not properly secured.
Central software, often part of an Advanced Traffic Management System (ATMS), provides the operator interface for message control and system monitoring. This software must support NTCIP-compliant operations, configurable polling of device status, and secure SNMPv3 communication sessions.
Operator’s Responsibilities and System Requirements
Access Control Recommendarions for DMS Security
Operators are responsible for enforcing strict access control policies to ensure that only authorized users can perform sensitive DMS operations. Administrators should have full configuration privileges, while operators should be limited to message creation and activation functions. All access should follow the principle of least privilege. Below outlines the applicable NIST SP 800-53 security controls operators should implement to enforce these access restrictions.
AC-2 Account Management
- The DMS owner/operator should establish role-based accounts aligned to operational functions and restrict access based on job title or operational role. Accounts must be provisioned, modified, and removed in accordance with the Account Management Policy, with Security Admins, domain admins, and HR notified within 24 hours of any changes. Vendor and contractor accounts should be uniquely identifiable and limited strictly to authorized maintenance activities.
AC-5 Separation of Duties
- The DMS owner/operator shall enforce separation of duties by maintaining distinct roles for message creation and scheduling, system configuration, access administration, and audit monitoring. System operators who approve messages, system admins who configure hardware, and security personnel who monitor access logs should operate independently to prevent unauthorized modifications to displayed traffic information.
AC-6(1) Least Privilege | Authorize Access to Security Functions
- The DMS owner/operator should define and restrict access to security functions, including user account management, controller configuration, firmware updates, audit log access, and network settings, based on authenticated role. Local Administrators, Remote Administrators, Field Technicians, and Vendors should only be authorized to perform functions explicitly assigned to their role, such as device setup and diagnostics, firmware verification, and loading organization-approved images.
Network Segmentation for Dynamic Message Signs
Network segmentation is required to isolate DMS devices from enterprise IT systems and external networks. Firewalls and access control lists (ACLs) must restrict communication so that only authorized TMC systems can interact with field controllers. Agencies should eliminate public exposure of DMS devices. Below outlines the applicable NIST SP 800-53 security controls operators should implement to develop a segmented network.
AC-4 Information Flow Enforcement
- The DMS owner/operator should define and enforce information flow control policies by restricting communications between the DMS control software, sign controllers, and connected networks to authorized IP addresses, ports, protocols, and encrypted tunnels.
SC-7(21) Boundary Protection | Isolation of System Components
- The DMS owner/operator should define and implement network segmentation requirements that isolate field-deployed DMS controllers and pixel boards from other field devices. Teams should configure boundary protection mechanisms to block unauthorized lateral communications within the field environment.
Securing Remote and Local DMS Connections
DMS devices must securely support both remote and local message control. Remotely, the system must process only valid NTCIP 1203-compliant messages and enforce proper authentication and authorization. For portable or locally accessed DMS devices, a secured mechanism must be in place to authenticate users and prevent unauthorized overrides when connected to central systems. Below outlines the applicable NIST SP 800-53 security controls operators should implement to secure connections made to the DMS.
CA-9 Internal System Connections
- The DMS owner/operator should document all authorized internal connections, including DMS controllers, central management software at the TMC, and authorized maintenance interfaces. The owner should capture the purpose, permitted protocols, security requirements, and responsible authority for each. The DMS owner/operator should review connections at least annually. Teams should reauthorize or remove connections during device setup, network reconfiguration, security incidents, or when operations no longer require them.
AC-17 Remote Access | Monitoring and Control
- The DMS owner/operator should establish procedures to monitor and control remote access sessions to the DMS control environment, including logging of session establishment, authentication events, privilege escalation, and session termination.
Secure Firmware Updates and Lifecycle Management
Secure software update procedures must be implemented to ensure that firmware updates are controlled, validated, and consistently applied across all devices. In addition, operators must maintain a complete asset inventory that includes device configurations, firmware versions, and network information. Below outlines the applicable NIST SP 800-53 security controls operators should implement to develop secure update procedures and maintain asset inventory.
CM-11 User-installed Software
- The DMS owner/operator should establish and enforce software and firmware installation policies within the DMS control environment. Only authorized roles should have permission to install software to prevent unauthorized or unapproved applications from entering the system.
MA-3(6) Maintenance Tools | Software Updates and Patches
- The DMS owner/operator should maintain a documented process for applying firmware updates, patches, and software revisions to DMS devices, validating each update for authenticity and integrity through digital signature verification or checksum validation prior to installation. Teams should test updates in a controlled or pilot environment whenever possible. In addition, teams should coordinate and document all maintenance actions to minimize disruption to roadway operations.
Key Takeaways
NTCIP 1203 provides a standardized framework for DMS control, but secure and reliable operation depends on proper implementation. Transportation agencies should adopt SNMPv3 to protect communications and prevent unauthorized access. Most operational failures are the result of weak access controls, poor configuration management, and insufficient monitoring. By enforcing strong security practices and aligning them with operational requirements, agencies can significantly improve both the reliability and security of their DMS deployments.