Likelihood: LOW
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is low because exploitation is unconfirmed, the vulnerability is not on the CISA KEV list, and a successful attack requires network reachability to the affected Daktronics controllers, many of which are air-gapped or placed behind an industrial DMZ. If a controller is reachable from the internet or from a flat enterprise network, that barrier largely disappears and the likelihood rating should be revisited. Impact is high because manipulation of highway signage directly threatens public safety (traffic disruption, misdirection), exposes the operating organization to significant reputational and regulatory harm, and may be treated as interference with critical infrastructure under federal frameworks.
Treatment rationale: The public-safety consequences and regulatory visibility of critical-infrastructure signage make transferring or accepting this risk untenable. Mitigation is actionable and proportionate: segment the controllers from internet-reachable networks now, confirm the deployed controller models and firmware versions against the affected versions listed in ICSA-26-176-04, and apply the firmware updates that advisory references.
Third-Party / Supply-Chain Risk
Daktronics is the OEM supplying both the controller hardware and its firmware; operating organizations cannot fix the vulnerability themselves and depend on Daktronics to release and validate firmware updates. Per NIST SP 800-161, this is a hardware/firmware supplier dependency: if Daktronics delays the patch, or the organization has no contractual SLA for OT security updates, the exposure window is vendor-controlled. Organizations running Daktronics signage across multiple highway or venue deployments face aggregated supply-chain exposure if the same firmware version is deployed fleet-wide, so an inventory of controller models and firmware versions across the fleet is the first step in sizing that exposure.
Loss Exposure (illustrative)
Magnitude: High. Illustrative $500K–$5M per significant incident, driven primarily by emergency-response coordination, potential civil liability from traffic-safety events, regulatory inquiry costs, and remediation across a multi-site signage fleet.
Frequency: Illustrative. For an organization with internet-exposed Daktronics controllers, a meaningful manipulation event is plausible at low frequency, perhaps once in a 3–7 year horizon absent compensating controls; near zero for fully air-gapped deployments.
Annualized: Illustrative ALE of roughly $70K–$1.7M (the bounds are simply $500K spread over a 7-year interval and $5M over a 3-year interval), reflecting a low-frequency / high-magnitude event structure across exposed deployments; not defensible as a precise figure.
Basis: Loss magnitude is anchored to multi-site OT remediation costs, emergency public-safety response coordination, potential civil liability from traffic incidents attributable to manipulated signage, and regulatory engagement costs. Frequency is anchored to the absence of confirmed active exploitation, the absence of a CISA KEV listing, and the variability of OT network exposure across operators. The range spread reflects high uncertainty in both exposure breadth and the actual network accessibility of affected controllers.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If a successful manipulation event causes a traffic incident or public safety harm, public liability and errors-and-omissions policies held by the operating organization may be implicated — verify with broker and counsel.
• Organizations operating Daktronics signage under government or DOT contracts may face contractual obligations related to OT security incident notification or patch compliance timelines — verify with counsel.
• Critical infrastructure operators subject to CISA reporting frameworks (e.g., CIRCIA) may have incident-reporting obligations if exploitation is confirmed — verify with counsel.