Misuse cases show how attackers can chain multiple threats to disrupt ITS operations. They help stakeholders understand realistic attack scenarios, identify impacted assets, and apply the right protections to strengthen their systems.
Misuse Case 1: Phishing Attack Leads to Loss of Monitoring Visibility
An attacker sends a phishing email to an employee working in a Traffic Management Center (TMC). The employee provides credentials that allow the attacker to gain access to the TMC’s IT environment. Once inside, the attacker performs lateral movement to reach the operational technology (OT) network that manages roadside monitoring devices such as Closed-Circuit Television (CCTV) cameras. The attacker issues commands that disable or disrupt these devices, resulting in a loss of video feeds. With monitoring visibility reduced, the TMC cannot effectively oversee traffic conditions or detect incidents in real time.
Harden roadside devices with secure configuration, password management, and audit logging to resist unauthorized shutdown.
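The audit logging called for above only helps if someone looks at the logs. The following Go program is an added example, not code from the original page or from any ITS vendor: it parses a small constructed audit log from roadside devices (the `key=value` line format, the host addresses and the device names are all made up for this example) and applies two detection rules that match the scenario, a disruptive command arriving from a host that is not the sanctioned OT management host, and a burst of disruptive commands inside a short window, which is what the mass loss of CCTV feeds looks like from the log side.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one parsed line of a roadside-device audit log.
type AuditEvent struct {
	Time   time.Time
	Device string // device that received the command, e.g. cctv-17
	Source string // host the command came from
	User   string // account that issued it
	Action string // heartbeat, disable, reboot, ...
}

// Alert is a finding produced by Detect; Kind is "unexpected-source" or "shutdown-burst".
type Alert struct {
	Kind, Device, Source, Detail string
}

// disruptive lists the actions that take a device out of service.
var disruptive = map[string]bool{"disable": true, "reboot": true, "stop-stream": true}

// sampleLog is a constructed audit log (not from the page or any real TMC). 10.20.0.5
// stands in for the sanctioned OT management host, 10.10.3.44 for an IT-side workstation.
var sampleLog = []string{
	"2024-05-01T10:00:00Z device=cctv-17 src=10.20.0.5 user=ops-tech action=heartbeat",
	"2024-05-01T10:02:13Z device=cctv-17 src=10.10.3.44 user=jdoe action=disable",
	"2024-05-01T10:02:20Z device=cctv-18 src=10.10.3.44 user=jdoe action=disable",
	"2024-05-01T10:02:27Z device=cctv-19 src=10.10.3.44 user=jdoe action=disable",
	"2024-05-01T10:15:00Z device=cctv-20 src=10.20.0.5 user=ops-tech action=reboot",
}

// ParseEvent parses the constructed "RFC3339-time key=value ..." line format.
func ParseEvent(line string) (AuditEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return AuditEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuditEvent{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := AuditEvent{Time: ts}
	slots := map[string]*string{"device": &ev.Device, "src": &ev.Source, "user": &ev.User, "action": &ev.Action}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return AuditEvent{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		if p, known := slots[k]; known {
			*p = v
		}
	}
	if ev.Device == "" || ev.Source == "" || ev.Action == "" {
		return AuditEvent{}, fmt.Errorf("missing device/src/action in %q", line)
	}
	return ev, nil
}

// Detect applies two rules to chronologically ordered audit lines: a disruptive
// action from a host outside allowedSources is flagged, and `burst` disruptive
// actions inside `window` are flagged once (the mass loss of feeds in the scenario).
func Detect(lines []string, allowedSources map[string]bool, window time.Duration, burst int) ([]Alert, error) {
	var alerts []Alert
	var recent []time.Time // disruptive-action timestamps still inside the window
	for _, line := range lines {
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		if !disruptive[ev.Action] {
			continue
		}
		if !allowedSources[ev.Source] {
			alerts = append(alerts, Alert{"unexpected-source", ev.Device, ev.Source, ev.Action + " by " + ev.User})
		}
		recent = append(recent, ev.Time)
		for ev.Time.Sub(recent[0]) > window {
			recent = recent[1:] // drop actions that have aged out of the window
		}
		if len(recent) == burst {
			alerts = append(alerts, Alert{"shutdown-burst", ev.Device, ev.Source, fmt.Sprintf("%d disruptive actions within %s", burst, window)})
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Detect(sampleLog, map[string]bool{"10.20.0.5": true}, 5*time.Minute, 3)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-17s %-8s from %-10s %s\n", a.Kind, a.Device, a.Source, a.Detail)
	}
}
```

On the sample log this raises three `unexpected-source` alerts (the three `disable` commands from the IT workstation) and one `shutdown-burst` alert when the third disable lands within five minutes of the first; the later reboot from the management host is not flagged by either rule. The first rule is the one that catches the lateral movement in the scenario, since it keys on where the command came from rather than on whether the credentials were valid.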
Misuse Case 2: Compromise of Remote Software Update Process
An attacker compromises the update process used to deliver software or firmware to ITS field devices. This could involve exploiting weak authentication on the update server, intercepting update files in transit, or inserting a malicious update through a compromised supplier. Once the malicious update is applied, the attacker gains persistent control over the device, allowing service disruption, data manipulation, or use of the device as a launch point for further attacks.
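The check a field device should make before applying any update, as an added example that is not from the original page or from any ITS vendor: the device holds a pinned vendor public key and accepts an image only if the vendor's Ed25519 signature verifies over the image digest and version, and only if the version is newer than the one installed. The signed header layout (big-endian version followed by the SHA-256 of the payload) is an assumption made for this example; the keys and firmware image are generated and constructed inside the program, and the code uses only Go's standard `crypto/ed25519`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what a field device receives: the firmware image, the version the
// vendor claims for it, and a signature over both (layout constructed here).
type Update struct {
	Version   uint32
	Payload   []byte
	Signature []byte // ed25519 signature over header(Version, Payload)
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// header binds the version number to the SHA-256 of the payload, so the
// signature covers both and any change to either invalidates it.
func header(version uint32, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	h := make([]byte, 4, 4+len(sum))
	binary.BigEndian.PutUint32(h, version)
	return append(h, sum[:]...)
}

// Sign runs off-device, inside the vendor's release process.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{Version: version, Payload: payload, Signature: ed25519.Sign(priv, header(version, payload))}
}

// Verify runs on the device before anything is written to flash. It trusts
// only the pinned key, not the update server or the transport, and refuses
// downgrades so a validly signed old image cannot be replayed.
func Verify(pinned ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pinned, header(u.Version, u.Payload), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed keys and image; a real device holds only the public key,
	// provisioned at manufacture, and never sees the private key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 1
	image := []byte("constructed firmware image, version 2")

	genuine := Sign(priv, 2, image)
	fmt.Println("genuine update:", Verify(pub, installed, genuine))

	// Modification in transit: one flipped byte in the payload.
	tampered := genuine
	tampered.Payload = append([]byte(nil), image...)
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered payload:", Verify(pub, installed, tampered))

	// An update server or supplier position without the real signing key cannot
	// produce an acceptable signature, however weak the server's own authentication.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong signing key:", Verify(pub, installed, Sign(otherPriv, 3, image)))

	// Replay of an older, correctly signed image.
	fmt.Println("rollback:", Verify(pub, installed, Sign(priv, 1, image)))
}
```

This covers the first two paths the text lists, weak authentication on the update server and interception in transit, because the device's trust rests on the pinned key rather than on the server or the channel. It does not by itself cover the third path, a compromised supplier: an image signed with the vendor's real key verifies, so that branch has to be addressed on the vendor side through custody of the signing key and control of what gets signed.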