TLDR: Henrico County, USA, upgraded 115 isolated traffic signal controllers to a distributed NEMA TS2-compliant network using EDR-810 Series industrial secure routers. The EDR-810-VPN deployment provided VPN encryption and firewall protection across public ISP networks, enabling real-time signal monitoring across 140 intersections. Turbo Ring technology delivered <20ms failover recovery while maintaining IEC 62443 cybersecurity standards.
Overview: Distributed Traffic Management Requires Secure Network Infrastructure
Modern intelligent transportation systems (ITS) are transitioning from isolated signal controllers to distributed architectures in which traffic management centers (TMCs) remotely monitor signal timing in real time, enabling adaptive control, emergency vehicle prioritization, and congestion management.
However, interconnecting traffic signals over public networks introduces cybersecurity vulnerabilities. The National Transportation Communications for ITS Protocol (NTCIP) and NEMA TS2 standards require secure communications between field devices and central systems. Without proper encryption and network segmentation, traffic control networks become targets for unauthorized access, signal manipulation, or denial-of-service attacks that could disrupt traffic flow across entire metropolitan areas.
Henrico County faced this exact challenge: upgrading their legacy closed-loop system to a distributed architecture while ensuring communication reliability and cybersecurity compliance across public ISP networks.
Challenge: Legacy Infrastructure Meets Modern Connectivity Requirements
Henrico County's existing traffic control system consisted of 140 signalized intersections, but only 25 intersections had interconnected communications—leaving 115 intersections (82%) operating as isolated time-of-day controllers with no centralized oversight.
Network Architecture Limitations
| Requirement | Needed Specification | Challenge with Legacy System |
|---|---|---|
| Network Topology | Distributed TMC-to-controller communication | 82% of intersections isolated with no remote access |
| Communication Security | VPN encryption + firewall across public networks | ISP public network exposed field devices to unauthorized access |
| Failover Recovery | <30 seconds for ring topology | Standard STP recovery: 30-50 seconds |
| Standards Compliance | NEMA TS2 certification | Existing equipment lacked certification |
| Environmental Operation | -40°C to 75°C for roadside cabinets | Commercial routers limited to 0°C to 50°C |
Root Cause Analysis
The core technical obstacles included:
1. Public Network Exposure: Utilizing existing ISP infrastructure required modems, but public IP addressing created attack surfaces. Without VPN tunneling and stateful firewalls, signal controllers remained vulnerable.
2. Protocol Compatibility: Controllers needed to store time-of-day plans and transmit real-time status updates. This required multi-protocol support (Modbus TCP, NTCIP) with sufficient bandwidth for future video integration.
3. Network Redundancy Gaps: Single-point failures resulted in complete TMC communication loss. The county required ring topology with sub-30-second failover.
4. NEMA TS2 Compliance: The upgrade mandate specified NEMA TS2 compliance including environmental resilience, power redundancy, and standardized protocols.
Conventional routers lacked integrated security (VPN/firewall), environmental ratings (-40°C to 75°C), and NEMA TS2 certification for roadside deployment.
Solution: All-in-One Secure Router Architecture for Traffic Networks
Henrico County deployed EDR-810 Series industrial secure routers—specifically the EDR-810-VPN-2GSFP-T—in each roadside cabinet to enable secure, reliable communication between 140 traffic signal controllers and the central TMC.
Network Performance: Legacy System vs. EDR-810 Deployment
The migration from isolated controllers to a centralized VPN-secured network delivered measurable improvements:
| Metric | Previous (Isolated Controllers) | New (EDR-810 with VPN) | Delta |
|---|---|---|---|
| Interconnected Intersections | 25 of 140 (18%) | 140 of 140 (100%) | +460% |
| TMC-to-Controller Latency | N/A (no connection) | <50ms via VPN tunnel | Real-time enabled |
| Network Failover Recovery | N/A (isolated) | <20ms (Turbo Ring) | 99.9% faster than STP |
| Cybersecurity Coverage | 0 intersections secured | 140 with VPN + firewall | 100% protected |
| Remote Configuration Time | 4 hours on-site/intersection | 15 minutes remote access | -93.75% |
Why the Improvement Occurred: The EDR-810's all-in-one architecture eliminated separate VPN appliances and switches. Turbo Ring replaced standard STP, reducing failover from 30-50 seconds to <20 milliseconds.
Technical Implementation Details
Network Architecture: Each roadside cabinet contains 1x EDR-810-VPN-2GSFP-T with 8x 10/100BaseT(X) ports for traffic controller, CCTV, UPS, sensors, and 2x Gigabit SFP fiber ports for ring topology. VPN tunnels (20 Mbps) connect all 140 intersections to TMC over ISP networks.
Topology: Fiber ring interconnects all 140 intersections with Turbo Ring providing <20ms recovery if any link or EDR-810 fails.
Protocol Support: NTCIP (signal control), Modbus TCP (sensors/UPS), SNMP (device management).
Security Features Deployed:
| Security Layer | EDR-810 Implementation | Benefit |
|---|---|---|
| VPN Encryption | 10 concurrent IPsec VPN tunnels | Protects NTCIP/Modbus TCP traffic over public networks |
| Stateful Firewall | Configurable ACLs per port | Blocks unauthorized access to traffic controllers |
| NAT/PAT | Network Address Translation | Hides internal network topology |
| PacketGuard | Deep packet inspection for Modbus TCP | Detects and blocks malformed protocol packets |
| Secure Management | HTTPS/SSH access only | Prevents man-in-the-middle attacks |
Power & Environmental Specifications: Dual redundant DC power inputs (12-48 VDC), -40°C to 75°C operation (T-model), NEMA TS2 certified.
Scalability & Future Expansion
The EDR-810's 2x Gigabit SFP ports provide headroom for fiber ring expansion. The platform supports Turbo Ring and RSTP for interoperability, VLAN segmentation for network isolation, and MXview for centralized monitoring of all 140 routers.
Cybersecurity & Reliability: Protecting Critical Transportation Infrastructure
As traffic control systems interconnect with enterprise networks, cybersecurity becomes critical for preventing signal manipulation and ensuring operational continuity.
Security Implementation
| Security Layer | Implementation | Standard Alignment |
|---|---|---|
| Network Segmentation | VLAN isolation for traffic control vs. CCTV | NIST Cybersecurity Framework |
| Access Control | HTTPS/SSH, RADIUS authentication | Role-based access with audit logging |
| Device Hardening | Disabled unused services, changed defaults | NIST SP 800-53 baseline controls |
| Firmware Integrity | Digitally signed firmware updates | Prevents unauthorized code execution |
| Intrusion Prevention | PacketGuard inspects Modbus TCP packets | Blocks protocol manipulation attacks |
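
Both security tables above credit Modbus TCP deep packet inspection with blocking malformed packets and protocol manipulation. The Python sketch below is an added illustration of the kind of frame checks such inspection involves; it is not Moxa's PacketGuard implementation and not code from this deployment. The read-only allow-list policy and the names `inspect_request`, `build` and `SAMPLES` are assumptions made for the example.

```python
import struct

# Assumed policy for this example: the TMC only polls, so only read requests pass.
# Maps function code -> maximum quantity the Modbus specification allows per request.
ALLOWED_READS = {1: 2000, 2: 2000, 3: 125, 4: 125}
MBAP_LEN = 7    # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260   # largest Modbus TCP frame: 7-byte MBAP header + 253-byte PDU

def inspect_request(frame):
    """Return (allowed, reason) for one Modbus TCP request frame."""
    if len(frame) < MBAP_LEN + 1:
        return False, "truncated: no function code"
    if len(frame) > MAX_ADU:
        return False, "oversized ADU"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, "protocol id is not 0 (not Modbus)"
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return False, "length field does not match frame size"
    fc = frame[MBAP_LEN]
    if fc not in ALLOWED_READS:
        return False, f"function code {fc} not in allow-list"
    pdu = frame[MBAP_LEN:]
    if len(pdu) != 5:   # function code + start address (2) + quantity (2)
        return False, "read request PDU must be 5 bytes"
    _addr, qty = struct.unpack(">HH", pdu[1:])
    if not 1 <= qty <= ALLOWED_READS[fc]:
        return False, "quantity out of range"
    return True, "ok"

def build(fc, body, proto=0, length=None):
    """Construct a sample frame (test data only)."""
    pdu = bytes([fc]) + body
    n = len(pdu) + 1 if length is None else length
    return struct.pack(">HHHB", 1, proto, n, 1) + pdu

# Constructed sample frames, not captured traffic.
SAMPLES = {
    "read 10 holding registers": build(3, struct.pack(">HH", 0, 10)),
    "write single register": build(6, struct.pack(">HH", 0, 1)),
    "bad length field": build(3, struct.pack(">HH", 0, 10), length=200),
    "quantity 0": build(4, struct.pack(">HH", 0, 0)),
    "wrong protocol id": build(3, struct.pack(">HH", 0, 10), proto=5),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {inspect_request(frame)}")
```

Only the first sample passes; the write request is well-formed Modbus and is rejected purely by the assumed read-only policy, which is the distinction between syntax validation and function-code filtering.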
IEC 62443 Compliance Roadmap: The EDR-810 meets many IEC 62443-4-2 requirements (secure communications, access control, data integrity). Henrico County is evaluating additional hardening for future SL2/SL3 certification.
Reliability Specifications
The EDR-810-VPN-2GSFP-T operates in -40°C to 75°C with dual redundant power inputs (12-48 VDC). Turbo Ring topology provides automatic recovery if an EDR-810 or fiber link fails. MTBF exceeds 500,000 hours (57 years), and NEMA TS2 certification ensures compatibility with traffic controllers.
Related Products: Expanding Traffic Network Capabilities
EDS-2008-EL Series: Compact 8-port managed Ethernet switch for expanding port density in high-device-count cabinets. Supports Turbo Ring, VLAN segmentation, and SNMP management. Ideal for intersections with additional IP cameras, LED sign controllers, and environmental sensors. Features -40°C to 75°C operation and DIN-rail mounting for roadside cabinet installation.
MXview One Series: Centralized network management platform for monitoring all 140 EDR-810 routers from the TMC. Provides real-time topology visualization, automated firmware updates, SNMP trap management, and compliance reporting. The wireless add-on module extends management to future wireless ITS devices.
Conclusion
Henrico County's deployment of EDR-810 Series secure routers transformed 115 isolated traffic signals into a unified, VPN-secured network with real-time TMC oversight. The all-in-one VPN/firewall/router architecture eliminated the need for separate security appliances while meeting NEMA TS2 standards for transportation infrastructure.
As intelligent transportation systems evolve toward connected vehicle integration and adaptive traffic control, secure network infrastructure becomes foundational. Industrial-grade secure routers provide the cybersecurity and reliability required to protect critical transportation networks from emerging threats.
