Supply Chain & OT Risks in Major Highway Projects: Threat Modeling for Infrastructure Upgrades
Georgia’s $1.8B highway upgrade is an OT attack‑surface expansion. Map supply‑chain threats, lock OTA updates, and enforce segmentation now.
Hook: Your next highway project is an enterprise-class OT rollout — and attackers are already counting on it
Georgia’s newly proposed $1.8B I‑75 expansion is an infrastructure milestone — and, from a security perspective, a major expansion of an attack surface that includes roadside sensors, tolling systems, reversible‑lane controllers and SCADA/ITS integrations. If you are a security engineer, DevOps lead, or IT/OT administrator charged with delivering or protecting this program, your immediate problem is simple: large civil projects bring scores of third parties, temporary systems and new connected field devices that dramatically increase supply‑chain and operational technology (OT) risk.
Opportunity and risk are the same event: new lanes and roadway sensors will improve throughput and revenue — but without procurement controls, secure OTA processes and strict segmentation they will also create new pathways for compromise.
Why 2026 changes the calculus — trends you must plan for now
By 2026, federal and state transportation programs and vendors are shipping more intelligent sensors, edge compute, and over‑the‑air (OTA) update capabilities than ever before. Late‑2025 advisories from government and industry accelerated adoption of SBOMs and vendor security evidence for transportation systems. At the same time, attackers shifted from single‑device exploits to supply‑chain and integrator compromises that use legitimate update channels to persist inside critical infrastructure.
That means a highway upgrade like Georgia’s is not just civil engineering — it’s a multi‑year OT program that must be treated as an enterprise software and hardware supply‑chain risk management (SCRM) exercise.
Threat model: how a highway project expands your attack surface
Below is a prioritized, practical threat model tailored to large roadway upgrades that include tolling, reversible lanes, sensors and ITS/SCADA integration.
Primary assets (what you must protect)
- SCADA masters and control servers (traffic control, lane reversal automation)
- Field devices and RTUs (roadway sensors, vehicle detectors, cameras, VMS — variable message signs)
- Tolling and payment back‑office (PII, payment processors, reconciliation)
- Edge compute nodes and gateways (local analytics, AI/ML models)
- Communications channels (cellular, fiber, satellite, microwave links)
- Third‑party systems (vendor portals, OTA servers, contractor laptops)
High‑probability attack vectors
- Compromised vendor OTA channel — attackers push malicious firmware via a legitimate vendor update.
- Integrator/contractor access — temporary credentials and unsegmented remote access give lateral movement into OT.
- Counterfeit or tampered hardware — compromised modules or supply‑chain insertion during manufacture or transport.
- Misconfigured segmentation — ITS devices on the same VLAN as back‑office systems or payment networks.
- Unmonitored telemetry and telemetry spoofing — attackers manipulate sensor feeds to degrade situational awareness.
Case study (illustrative): I‑75 reversible lane control compromise scenario
Imagine temporary contractor devices are installed to manage lane signaling and toll collection. Those devices receive OTA firmware from a vendor that uses a shared signing key across customers. An attacker breaches the vendor’s CI/CD pipeline, signs a malicious image and rolls it out to multiple projects. The compromised field devices accept the firmware because the device only checks the signature chain — and the attacker can now trigger false lane reversals or disrupt tolling reconciliation, causing safety incidents and revenue loss.
This is not hypothetical: the industry has seen identical tactics applied against other critical infrastructure sectors where OTA and shared signing practices existed.
Procurement controls: reduce supply‑chain risk before the first ground‑break
Procurement is your primary lever to change vendor behavior and contractually enforce security. These are practical controls you must include in RFPs, contracts and purchase orders for the I‑75 program or any major highway upgrade.
Mandatory technical evidence and lifecycle requirements
- SBOM delivery and update cadence: require a machine‑readable SBOM for all software and firmware, updated with every release.
- Secure development lifecycle (SDL): require documentation of SDL practices (threat modeling, SAST/DAST, code review, pen testing).
- Signed builds and key separation: require unique device‑scoped signing keys, hardware root‑of‑trust support (TPM/TEE), and anti‑rollback protections.
- Vulnerability disclosure and patch SLA: explicit timelines for vulnerability triage, disclosure and patch deployment (e.g., initial response within 72 hours, mitigations within 14 days for critical CVEs).
Contractual and governance clauses
- Security audit and on‑site inspection rights: allow periodic audits and supply‑chain traceability checks.
- CI/CD transparency and source code escrow: escrow of source for critical components or proof of reproducible builds.
- Indemnity and liability: clear indemnification for supply‑chain compromises and costs related to incident response.
- Subcontractor controls: require the same security terms down the vendor chain; no unilateral subcontracting of critical components.
- Insurance and financial assurance: cyber insurance minimums and performance bonds tied to security deliverables.
Operational vetting
- Background checks for personnel with OT access.
- Minimum certification evidence (ISO 27001, SOC 2, NIST CSF mapping).
- Mandatory incident notification windows (e.g., 24 hours for suspected breach of any code signing or OTA infrastructure).
Segmentation strategies: design that limits blast radius
Effective segmentation is the single most powerful architectural control to prevent lateral movement from field devices to critical back‑office systems.
Practical segmentation blueprint for highway projects
- OT Zone (SCADA/Control): Hosts SCADA masters, PLC/RTU management consoles — strict inbound restrictions, no direct internet egress.
- Field Zone: Roadside sensors, cameras, and edge gateways. Allow only specific, authenticated outbound connections to vendor OTA servers or a controlled gateway.
- Tolling/Payments Zone: PCI‑DSS compliant network for payment processing, fully isolated from OT control plane via firewalls and application proxies.
- Vendor/Contractor DMZ: Short‑lived jump hosts with Just‑In‑Time (JIT) access, MFA, and session recording; no persistent VPNs that cross zones.
- Cloud/Analytics Zone: Data ingestion pipelines for telemetry; use one‑way data diodes or controlled API gateways to move sanitized telemetry from OT to the cloud.
Implementation details and hardening
- Network controls: firewalls with protocol filters, explicit allowlists, deep packet inspection for ICS protocols (DNP3, Modbus, IEC 60870).
- Microsegmentation: use host‑level controls (eBPF/iptables, SDN policies) to enforce least‑privilege flows between devices.
- Data diodes: for high‑assurance one‑way telemetry export from OT to analytics platforms.
- Gateway protocol translation: terminate field protocol traffic at hardened proxies that perform authentication, rate limits, and protocol validation.
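One way to make the zone blueprint above testable is to express it as a default-deny allowlist and run it over exported flow records. This is an added example, not code from the article or any real DOT deployment; the zone CIDRs, ports and flow lines are constructed for the demo.

```python
"""Default-deny zone policy check over constructed flow records. Zones follow the
blueprint in the text (OT, Field, Tolling, Vendor DMZ, Cloud); address ranges, ports
and log lines are constructed for the demo. Any flow not on the allowlist is a finding."""
import ipaddress

# Constructed zone-to-CIDR map; in practice this comes from the network design.
ZONES = {"ot": ipaddress.ip_network("10.10.0.0/24"),
         "field": ipaddress.ip_network("10.20.0.0/22"),
         "tolling": ipaddress.ip_network("10.30.0.0/24"),
         "dmz": ipaddress.ip_network("10.40.0.0/24"),
         "cloud": ipaddress.ip_network("10.50.0.0/24")}

# Explicit allowlist: (source zone, destination zone, protocol, destination port).
# Everything else, including Field -> Tolling and Field -> Internet, is denied.
ALLOW = {("ot", "field", "tcp", 502),     # Modbus/TCP from SCADA master to RTUs
         ("ot", "field", "tcp", 20000),   # DNP3 from SCADA master to RTUs
         ("field", "dmz", "tcp", 443),    # OTA pulls only via the controlled gateway
         ("dmz", "ot", "tcp", 22),        # JIT jump host into OT consoles
         ("ot", "cloud", "udp", 5140)}    # one-way telemetry export (diode/proxy)

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything outside the design is treated as untrusted

def evaluate(flow_lines):
    """Each line is 'src dst proto dport'; returns (line, verdict) for every denied flow."""
    findings = []
    for line in flow_lines:
        src, dst, proto, dport = line.split()
        key = (zone_of(src), zone_of(dst), proto, int(dport))
        if key not in ALLOW:
            findings.append((line, f"deny {key[0]}->{key[1]} {proto}/{dport}"))
    return findings

# Constructed sample flows, the kind a firewall or NDR export would contain.
SAMPLE_FLOWS = [
    "10.10.0.5 10.20.1.17 tcp 502",     # SCADA master polling an RTU: allowed
    "10.20.1.17 10.30.0.9 tcp 443",     # roadside sensor reaching tolling back office: denied
    "10.20.1.17 203.0.113.10 tcp 443",  # field device updating straight from the internet: denied
    "10.40.0.3 10.10.0.5 tcp 22",       # jump host to SCADA console: allowed
    "10.40.0.3 10.20.1.17 tcp 502",     # contractor host speaking Modbus directly to an RTU: denied
]
```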
Secure OTA and device lifecycle management
Roadway sensors and edge nodes will require ongoing updates. Secure the update pipeline with the following:
- End‑to‑end signing: cryptographic signatures validated by hardware root of trust on each device; maintain unique per‑device keys or per‑customer key contexts.
- Mutual TLS plus certificate pinning: for device‑to‑server authentication and to prevent man‑in‑the‑middle updates.
- Rollback protection and staged rollouts: enforce version checks and test updates on canary devices before broad deployment.
- Secure factory provisioning: device identity pre‑provisioned in secure element; avoid on‑site manual key injection when possible.
- Audit logging and attestations: devices should log update provenance and attestation results back to a central SIEM for forensic analysis.
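The following added example (not code from the article or from any vendor) contrasts the "signature only" acceptance from the I‑75 case study with the per‑device key context, anti‑rollback and canary‑cohort checks listed above. HMAC‑SHA256 stands in for the asymmetric signature a secure element would verify; all keys, device ids and the image are constructed.

```python
"""Firmware manifest acceptance on a field device: the weak 'signature only' check
versus a hardened check. HMAC-SHA256 stands in for the asymmetric signature a secure
element would verify; every key, id and image below is constructed for the demo."""
import hashlib
import hmac
import json

def sign(key: bytes, manifest: dict) -> bytes:
    # Canonical JSON so signer and verifier MAC identical bytes.
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def weak_accept(shared_vendor_key: bytes, manifest: dict, sig: bytes) -> bool:
    # Before: one vendor-wide key, no device binding, no version check. Whoever holds
    # that key (the vendor, or an attacker in its CI/CD) can push to every customer.
    return hmac.compare_digest(sign(shared_vendor_key, manifest), sig)

class HardenedDevice:
    def __init__(self, device_id: str, device_key: bytes, cohort: str):
        self.device_id, self.device_key, self.cohort = device_id, device_key, cohort
        self.version = 1  # monotonic counter; tamper-resistant storage in practice

    def accept(self, manifest: dict, sig: bytes, image: bytes) -> str:
        # Verify under this device's own key context before trusting any field.
        if not hmac.compare_digest(sign(self.device_key, manifest), sig):
            return "rejected: signature not valid for this device's key context"
        if manifest.get("device_id") != self.device_id:
            return "rejected: manifest targets a different device"
        if manifest.get("version", 0) <= self.version:
            return "rejected: anti-rollback (version is not newer)"
        if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
            return "rejected: image digest does not match manifest"
        if self.cohort not in manifest.get("cohorts", []):
            return "deferred: device is not in the current rollout cohort"
        self.version = manifest["version"]
        return "installed"

def demo() -> dict:
    image = b"lane-controller-fw-2.0"  # constructed stand-in for a firmware image
    key_017, key_042 = b"\x11" * 32, b"\x22" * 32  # constructed per-device keys
    manifest = {"device_id": "rtu-i75-017", "version": 2, "cohorts": ["canary"],
                "sha256": hashlib.sha256(image).hexdigest()}
    sig = sign(key_017, manifest)
    canary = HardenedDevice("rtu-i75-017", key_017, "canary")
    other = HardenedDevice("rtu-i75-042", key_042, "production")
    return {"canary_first": canary.accept(manifest, sig, image),
            "canary_replay": canary.accept(manifest, sig, image),  # same version again
            "other_device": other.accept(manifest, sig, image),    # foreign key context
            "weak_shared_key": weak_accept(key_017, manifest, sig)}  # installs anywhere
```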
Monitoring, detection and incident response
Prevention fails. You must detect and respond fast. For highway projects, detection needs to be OT‑aware and continuous.
Detection stack
- Network detection for ICS: signatures and behavioral rules for common ICS traffic (DNP3, Modbus) using specialized NDR tools.
- Telemetry baselining: ML models trained on pre‑deployment telemetry to detect anomalies in sensor patterns and control commands.
- Centralized logging: ingest device logs, gateway logs and OTA server logs into a SIEM with long‑term retention for compliance and forensic needs.
- Threat intelligence feeds: integrate SCRM feeds that highlight vendor or component compromises; subscribe to CISA advisories for real‑time alerts.
Response playbook essentials
- Predefine roles and escalation paths between DOT, vendor, CISA and law enforcement.
- Containment steps: isolate affected subnets and block outbound telemetry at the data diode or gateway if exfiltration is suspected.
- Forensic preservation: preserve firmware images, update logs and network captures, and coordinate chain‑of‑custody for evidence.
- Public communications: prepare pre‑approved messaging templates to minimize reputational damage when incidents affect safety or revenue.
Operational controls: people, process and temporary construction risks
Construction phases introduce unique operational risks: temporary networks, subcontractors, and transient credentials. Treat the construction lifecycle as a security phase in your program plan.
- Ephemeral credentials and JIT access: provision time‑limited access for contractors with automated revocation tied to task completion.
- Least privilege: role‑based access control (RBAC) for OT consoles and maintenance systems, augmented with attribute‑based access where appropriate.
- Physical security and asset tags: tamper‑evident seals and asset tracking for field units during storage and transport.
- Change control: all field configuration changes go through a change board with documented approvals and rollback plans.
Regulatory context and frameworks (practical mapping)
Use existing frameworks as procurement and audit checklists. In practice:
- Map your controls to NIST CSF for executive reporting and to NIST SP 800‑161 for supply‑chain risk management.
- Adopt SBOM requirements as a procurement standard (building on EO 14028 momentum) to ensure software transparency.
- Align OT architecture to NIST SP 800‑82 guidance for ICS security controls and zone/conduit planning.
2026 predictions: what to expect next and how to get ahead
- Mandated SBOMs and higher vendor accountability: more DOTs will require SBOMs and live vulnerability reporting for awarded contracts.
- Rise of managed OT security stacks: regional managed detection services for transportation infrastructure will proliferate as federal funding enables shared services.
- OTA hardening becomes a procurement differentiator: vendors who provide per‑device attestation and key separation will win more bids.
- AI in traffic management: edge AI for traffic prediction will increase the value of sensor streams — and the incentive for attackers to manipulate them.
Actionable checklist: rapid steps to reduce risk on I‑75 style projects
- Run a full asset inventory and assign owners for every device class before procurement awards.
- Embed SBOM, SDL and signing key requirements in RFPs and vendor contracts.
- Design network zones (OT, Field, Payments, Vendor DMZ, Cloud) and enforce them with firewalls and data diodes.
- Require per‑device identity and hardware attestation for all field devices; avoid single shared keys.
- Implement JIT access and recorded jump hosts for all vendor remote sessions during construction and operations.
- Deploy OT‑aware detection (NDR) and ingest telemetry into a SIEM with playbooks and incident escalation to CISA/state SOCs.
- Establish supply‑chain governance: audit rights, subcontractor flow‑downs, and breach notification within 24 hours.
- Test failover and rollback of OTA updates with a canary cohort prior to production rollout.
- Perform a third‑party security assessment and tabletop incident response exercise with vendors and DOT stakeholders.
Wrap: making infrastructure upgrades resilient — not just connected
Georgia’s $1.8B I‑75 plan is an inflection point — a rare chance to bake security into procurement, network design and device lifecycle from day zero. If you treat the program like an enterprise OT build rather than a set of isolated civil contracts, you can reduce supply‑chain risk, prevent malicious OTA misuse, and limit blast radius with disciplined segmentation.
Start with procurement controls and per‑device attestation, design strict OT/IT separation, and operationalize continuous detection and response. These measures are practical, auditable and increasingly required by funders and regulators in 2026.
Final takeaways
- Procurement is prevention: contractually enforce SBOMs, SDL and per‑device signing now.
- Segmentation is survival: design the network so a compromised sensor cannot reach the SCADA master or payment systems.
- OTA needs enterprise controls: cryptographic attestation, canaries and staged rollouts are non‑negotiable.
- Prepare to detect and respond: OT‑aware NDR, SIEM, playbooks and vendor coordination are mission critical.
Call to action
If you are responsible for delivering or securing a major highway project, the right next step is a focused threat‑modeling workshop that maps suppliers, temporary construction exposure, and OTA channels — and produces enforceable procurement clauses and a segmentation plan. Schedule a 90‑minute workshop with your OT and procurement teams to produce a prioritized remediation roadmap before contracts are signed. Don’t hand attackers your keys to the infrastructure — lock the lifecycle down on day one.