Virginia Department of Transportation + Duo
Virginia Department of Transportation (VDOT) Northern Traffic Operations Center was working to strengthen security for its traffic management systems. Deploying Duo helped VDOT secure remote access to Cisco AnyConnect VPN and provided VDOT a solid win in their journey toward a security model based on zero-trust principles.
I’ve only had to contact Duo support two or three times over the last two years. In fact, Duo calls me to see how we’re doing more than I’ve ever called them.
Business Challenge
Just a few days before the U.S. presidential inauguration in 2017, the traffic management system in Washington, D.C. was breached. The ransomware hack targeted the city’s network of traffic-monitoring video cameras, disabling the majority of the camera network and resulting in traffic signals flashing yellow throughout the city. Terrible traffic jams ensued, bringing the entire city (including police and emergency vehicles) to a near standstill for two days. It also triggered an urgent U.S. Secret Service investigation into infrastructure security ahead of the inaugural events. Even though the perpetrators were eventually arrested, the breach served as a wake-up call to traffic management organizations like VDOT about the importance of securing their operations.
Technical Challenge
VDOT uses a custom transportation management application that integrates various data sources such as highway ramp meters, traffic video cameras and 911 emergency service dispatch feeds. It manages traffic signals and highway information message boards. It is also used to coordinate resources such as tow trucks, state police and fire/paramedics to respond to traffic emergencies.
Company personnel used Cisco AnyConnect VPN services to access the traffic management system from various locations. VDOT needed to implement a trusted user solution for various types of users, including field workers, contract programmers and administrators.
Like many organizations, VDOT operated their IT function with only a small team. It was imperative that the security solution they selected to address their needs would also be easy to deploy and manage in a way that would not overwhelm the IT staff.
The Solution
VDOT deployed Duo’s solution in 2017 to protect VPN access to their traffic management system. Deployment was completed in under one week, and the ongoing administration of the solution proved to be minimal. “Duo has made the installation and management highly intuitive,” said John Kornhiser, Northern Transportation Operations Center Manager of IT.
Secure Remote Access to Protect Against Remote Attacks
Duo has given VDOT confidence in the security of remote access to its critical traffic management system. Duo’s secure MFA addressed the threat of ransomware and other similar remote attacks by verifying the identity of users accessing their systems.
VDOT has been especially pleased with Duo’s ease of use and flexibility across all their user types and diverse set of devices. “You don’t have to be a technical person to grasp and use it,” Kornhiser said.
Very High Return on a Small Administration Investment
At VDOT, Duo has proven to be an extremely reliable and problem-free solution. According to Kornhiser, “I’ve only had to contact Duo support two or three times over the last two years. In fact, Duo calls me to see how we’re doing more than I have ever called them.” He continued, “What does the Duo solution do on a day-to-day basis after we got it running? It just works and doesn’t require us to intervene.”
Progress Toward Zero Trust
Implementing Duo provided VDOT a solid win in their journey toward a security model based on zero-trust principles. These zero-trust principles include establishing user trust, gaining visibility into users' devices, and establishing device trust for secure access from anywhere, for any application. According to Kornhiser, VDOT intends to continue this journey by extending Duo to work with additional VDOT systems, and by expanding the use of Duo’s device trust capabilities to identify and restrict access from devices with elevated risk.