How NIL Trained Caltrans to Secure California’s Highways with Cisco Cyber Vision

California Department of Transportation (Caltrans) operates 12 districts, thousands of traffic devices, and one of the world’s busiest highway systems. But the network connecting these devices was invisible. Within months of deploying Cisco Cyber Vision, the organization discovered unauthorized devices, forgotten protocols, and hidden entry points that attackers could exploit. NIL Learning then trained the Caltrans team to interpret this data, distinguish real threats from noise, and respond with confidence.

California Department of Transportation (Caltrans) manages one of the world’s most complex transportation ecosystems that include Freeway and Expressway system, plus public transportation networks including Amtrak California.
With 12 operational districts, live traffic management centers, and thousands of connected road assets (from traffic signal controllers and ramp meters to dynamic message signs and pedestrian push buttons). Caltrans manages everything that keeps California moving.

Understand the Difference: IT vs. OT

Before diving into the solution, it’s critical to understand why standard security fails in industrial environments.

Information Technology (IT) is centered on data: databases, applications, email, files. It moves information from a center to a receiver. Think of it as the brain of the organization.

Operational Technology (OT) is centered on the physical world: motors, robotic arms, traffic signals, sensors, and control systems. It doesn’t just process information; it makes things happen.

In transportation, OT moves millions of people safely every day. You cannot protect what you cannot understand, and you cannot understand OT with IT tools.

THE CHALLENGE

When uptime is the only metric that matters

Industrial networks like those in transportation face a unique risk profile that traditional IT security tools simply cannot address:

The NIS2 reality check

For European organizations, the stakes just got higher. The EU NIS2 Directive (enforced October 18, 2024) mandates cybersecurity readiness across 350,000+ organizations, including energy, transport, manufacturing, and digital infrastructure sectors.
Penalties are severe:

  • Essential Entities: Up to €10 million or 2% of annual global turnover.
  • Important Entities: Up to €7 million or 1.4% of annual global turnover.
  • Management liability, suspension of certifications, and mandatory 24-hour incident reporting.

The message is clear: compliance is no longer optional, and ignorance is not a defense.

THE SOLUTION

From blind trust to total visibility:
the 4-step journey to industrial network security

NIL, as part of the Conscia Group and a leading Cisco partner, architects OT security transformations following a proven methodology:

Step 1: Build a security foundation
Define the IT/OT boundary with Cisco Secure Firewall, establishing an industrial DMZ that segments enterprise networks from operational zones without disrupting production.

Step 2: Gain visibility & device posture
Deploy Cisco Cyber Vision sensors throughout the network to turn the network itself into a security sensor.

Step 3: Segment network into zones of trust
Using Cisco ISE, enforce micro-segmentation within the OT environment, isolating zones based on the Purdue model (Cell, Area, Control) to contain threats.

Step 4: Integrated incident investigation
Feed OT security events into Cisco XDR for unified threat investigation and orchestrated response across IT and OT environments.

How Cisco Cyber Vision works

Cyber Vision sensors are deployed at two critical vantage points:

  • At the edge: Monitoring East-West traffic between OT devices
  • At aggregation: Monitoring North-South traffic crossing the IT/OT boundary

These sensors collect industrial network traffic passively (and query devices actively when needed), decode industrial protocols using Deep Packet Inspection to extract meaningful metadata, and send lightweight metadata to the Cyber Vision Center for analysis and visualization.

How Cisco Cyber Vision Works

Cyber Vision sensors are deployed at two critical vantage points:

  • At the edge: Monitoring East-West traffic between OT devices
  • At aggregation: Monitoring North-South traffic crossing the IT/OT boundary

These sensors collect industrial network traffic passively (and query devices actively when needed), decode industrial protocols using Deep Packet Inspection to extract meaningful metadata, and send lightweight metadata to the Cyber Vision Center for analysis and visualization.

The Caltrans Architecture: From Field to State

For Caltrans, NIL designed a multi-layered visibility architecture:

  1. Edge sensors at traffic controller cabinets, count stations, and camera aggregators capturing the East-West traffic between field elements that IT firewalls never see.
  2. District Cyber Vision Centers converting raw metadata into actionable intelligence for each of the 12 districts.
  3. Global Cyber Vision Center installed at Sacramento HQ, correlating threats across all districts so no blind spot becomes a systemic failure.

Once the sensors were live, Caltrans’ hidden world surfaced immediately. Cyber Vision inventoried every signal controller, camera, and message sign, but more importantly, it exposed the unknowns: unauthorized devices, forgotten systems still active on the network, and protocols communicating that no one had documented.

By implementing Cisco Cyber Vision with NIL’s industrial security expertise, organizations achieve:

NIL Learning: training built from real OT deployments

The 4-step methodology above isn’t just theoretical. Our Cisco-certified instructors (including CCSI and CCIE engineers) train your team on the actual traffic patterns, failure modes, and compliance scenarios they will face in day-to-day operation.

We teach your team to:

  • Decode industrial protocols (Modbus, DNP3, BACnet) that standard IT tools mislabel.
  • Interpret OT anomalies under pressure.
  • Build defensible compliance documentation that satisfies NIS2 incident reporting.
  • Operate in production environments where uptime is non-negotiable and a false positive can cost more than a missed alert.

NIS2

Compliance Context For European Organizations

While Caltrans operates in the U.S., European organizations face similar OT risks under the EU NIS2 Directive (enforced October 18, 2024). NIS2 mandates cybersecurity readiness across 350,000+ organizations, with penalties up to €10 million or 2% of annual turnover for Essential Entities.

The directive requires risk analysis, incident reporting, and technical controls, but it audits capability, not just equipment.

A tool without trained operators creates a false sense of compliance.

Take the next step
NIS2 compliance deadlines are active. OT threats are evolving. The organizations that will pass audits aren’t just the ones with the right tools, instead, they’re the ones with teams who know how to use them.
NIL Learning has trained Cisco professionals for over 30 years. Our Cisco Cyber Vision and OT Security courses don’t just teach features, they teach your engineers to recognize industrial protocols, interpret OT anomalies, and respond to threats in environments where uptime is non-negotiable.

Train your team before the incident trains you.

See Robert Lesar present this case study live and explore the technical architecture in detail.

Watch the full webinar: Cisco Cyber Vision in Action — How to Secure Your OT Network