Author: Elijah Pichler
DMS Operational Architecture Overview
A typical Dynamic Message Sign (DMS) deployment consists of a centralized Traffic Management Center (TMC), field-based sign controllers, a communications layer, and central control software. These components interact primarily through NTCIP 1203, which defines the standardized objects and messaging structure used to control and monitor DMS devices.
The TMC serves as the central authority for issuing commands, monitoring device status, and managing message operations. It communicates with field controllers using Simple Network Management Protocol (SNMP)-based protocols, where NTCIP 1203 object definitions (such as message tables, control modes, and status indicators) are exchanged through structured queries and commands.
The field controller is responsible for interpreting NTCIP 1203 objects and executing commands on the sign. It manages message display logic, including message activation, prioritization, and status reporting. While the controller communicates externally using NTCIP, its interface with the physical sign housing (e.g., pixel modules and power systems) is internal and not governed by NTCIP standards.
The communications layer connects the TMC to field devices and represents the most critical operational and cybersecurity boundary. Communication paths include central system-to-controller interactions, typically over IP-based networks, and local access via maintenance laptops. Local interfaces, while necessary for maintenance, introduce significant risk if not properly secured.
Central software, often part of an Advanced Traffic Management System (ATMS), provides the operator interface for message control and system monitoring. This software must support NTCIP-compliant operations, configurable polling of device status, and secure SNMPv3 communication sessions.
Operator’s Responsibilities and System Requirements
Access Control Polices
Operators are responsible for enforcing strict access control policies to ensure that only authorized users can perform sensitive DMS operations. Administrators should have full configuration privileges, while operators should be limited to message creation and activation functions. All access should follow the principle of least privilege. Below outlines the applicable NIST SP 800-53 security controls operators should implement to enforce these access restrictions.
AC-2 Account Management
- The DMS owner/operator should establish role-based accounts aligned to operational functions and restrict access based on job title or operational role. Accounts must be provisioned, modified, and removed in accordance with the Account Management Policy, with Security Admins, domain admins, and HR notified within 24 hours of any changes. Vendor and contractor accounts should be uniquely identifiable and limited strictly to authorized maintenance activities.
AC-5 Separation of Duties
- The DMS owner/operator shall enforce separation of duties by maintaining distinct roles for message creation and scheduling, system configuration, access administration, and audit monitoring. System operators who approve messages, system admins who configure hardware, and security personnel who monitor access logs should operate independently to prevent unauthorized modifications to displayed traffic information.
AC-6(1) Least Privilege | Authorize Access to Security Functions
- The DMS owner/operator should define and restrict access to security functions, including user account management, controller configuration, firmware updates, audit log access, and network settings, based on authenticated role. Local Administrators, Remote Administrators, Field Technicians, and Vendors should only be authorized to perform functions explicitly assigned to their role, such as device setup and diagnostics, firmware verification, and loading organization-approved images.
Network Segmentation
Network segmentation is required to isolate DMS devices from enterprise IT systems and external networks. Firewalls and access control lists (ACLs) must restrict communication so that only authorized TMC systems can interact with field controllers. Public exposure of DMS devices should be eliminated. Below outlines the applicable NIST SP 800-53 security controls operators should implement to develop a segmented network.
AC-4 Information Flow Enforcement
- The DMS owner/operator should define and enforce information flow control policies by restricting communications between the DMS control software, sign controllers, and connected networks to authorized IP addresses, ports, protocols, and encrypted tunnels.
SC-7(21) Boundary Protection | Isolation of System Components
- The DMS owner/operator should define and implement segmentation requirements to isolate field-deployed DMS controllers and pixel boards from other field devices, ensuring boundary protection mechanisms are configured to restrict unauthorized lateral communications within the field environment.
Secured Remote and Local Connection
DMS devices must securely support both remote and local message control. Remotely, the system must process only valid NTCIP 1203-compliant messages and enforce proper authentication and authorization. For portable or locally accessed DMS devices, a secured mechanism must be in place to authenticate users and prevent unauthorized overrides when connected to central systems. Below outlines the applicable NIST SP 800-53 security controls operators should implement to secure connections made to the DMS.
CA-9 Internal System Connections
- The DMS owner/operator should document all authorized internal connections, including DMS controllers, central management software at the TMC, and authorized maintenance interfaces. The owner should capture the purpose, permitted protocols, security requirements, and responsible authority for each. Connections should be reviewed at least annually and reauthorized or removed upon device setup, network reconfiguration, detection of a security incident, or when no longer operationally required.
AC-17 Remote Access | Monitoring and Control
- The DMS owner/operator should establish procedures to monitor and control remote access sessions to the DMS control environment, including logging of session establishment, authentication events, privilege escalation, and session termination.
Secure Software Updates and Lifecycle Management
Secure software update procedures must be implemented to ensure that firmware updates are controlled, validated, and consistently applied across all devices. In addition, operators must maintain a complete asset inventory that includes device configurations, firmware versions, and network information. Below outlines the applicable NIST SP 800-53 security controls operators should implement to develop secure update procedures and maintain asset inventory.
CM-11 User-installed Software
- The DMS owner/operator should establish and enforce policies governing software and firmware installation within the DMS control environment, restricting installation privileges to explicitly authorized roles to prevent unauthorized or unvetted software from being introduced into the system.
MA-3(6) Maintenance Tools | Software Updates and Patches
- The DMS owner/operator should maintain a documented process for applying firmware updates, patches, and software revisions to DMS devices, validating each update for authenticity and integrity through digital signature verification or checksum validation prior to installation. Updates should be tested in a controlled or pilot environment where feasible, and all maintenance actions should be coordinated and documented to minimize disruption to operational messaging and roadway safety.
Key Takeaways
NTCIP 1203 provides a standardized framework for DMS control, but secure and reliable operation depends on proper implementation. The adoption of SNMPv3 is essential to protect communications and prevent unauthorized access. Most operational failures are the result of weak access controls, poor configuration management, and insufficient monitoring. By enforcing strong security practices and aligning them with operational requirements, agencies can significantly improve both the reliability and security of their DMS deployments.