{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T17:05:16Z","timestamp":1761930316757,"version":"build-2065373602"},"reference-count":35,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2023,3,1]],"date-time":"2023-03-01T00:00:00Z","timestamp":1677628800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100000780","name":"EU H2020 Research and Innovation Programme","doi-asserted-by":"publisher","award":["820954"],"award-info":[{"award-number":["820954"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>The security of IoT-based digital solutions is a critical concern in the adoption of Industry 4.0 technologies. These solutions are increasingly being used to support the interoperability of critical infrastructure, such as in the water and energy sectors, and their security is essential to ensure the continued reliability and integrity of these systems. However, as our research demonstrates, many digital solutions still lack basic security mechanisms and are vulnerable to attacks that can compromise their functionality. In this paper, we examine the security risks associated with IoT-based digital solutions for critical infrastructure in the water sector, and refer to a set of good practices for ensuring their security. In particular, we analyze the risks associated with digital solutions not directly connected with the IT system of a water utility. We show that they can still be leveraged by attackers to trick operators into making wrong operational decisions.<\/jats:p>","DOI":"10.3390\/jcp3010006","type":"journal-article","created":{"date-parts":[[2023,3,1]],"date-time":"2023-03-01T03:03:48Z","timestamp":1677639828000},"page":"76-94","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Water-Tight IoT\u2013Just Add Security"],"prefix":"10.3390","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4456-6279","authenticated-orcid":false,"given":"Guillaume","family":"Bour","sequence":"first","affiliation":[{"name":"SINTEF Digital, Strindvegen 4, 7034 Trondheim, Norway"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0710-5505","authenticated-orcid":false,"given":"Camillo","family":"Bosco","sequence":"additional","affiliation":[{"name":"SINTEF Community, B\u00f8rrestuveien 3B, 0314 Oslo, Norway"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2096-8591","authenticated-orcid":false,"given":"Rita","family":"Ugarelli","sequence":"additional","affiliation":[{"name":"SINTEF Community, B\u00f8rrestuveien 3B, 0314 Oslo, Norway"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7127-6694","authenticated-orcid":false,"given":"Martin Gilje","family":"Jaatun","sequence":"additional","affiliation":[{"name":"SINTEF Digital, Strindvegen 4, 7034 Trondheim, Norway"}]}],"member":"1968","published-online":{"date-parts":[[2023,3,1]]},"reference":[{"key":"ref_1","first-page":"130","article-title":"STOP-IT-Strategic, Tactical, Operational Protection of water Infrastructure against cyber-physical Threats","volume":"56","author":"Ugarelli","year":"2019","journal-title":"Phys. Cyber Saf. Crit. Water Infrastruct."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Soldatos, J., Pra\u00e7a, I., and Jovanovi\u0107, A. (2021). Cyber-Physical Threat Intelligence for Critical Infrastructures Security: Securing Critical Infrastructures in Air Transport, Water, Gas, Healthcare, Finance and Industry, Now Publishers.","DOI":"10.1561\/9781680838237"},{"key":"ref_3","unstructured":"Ostfeld, A., Salomons, E., Smeets, P., Makropolous, C., Bonet, E., Meseguer, J., M\u00e4lzer, H.J., Vollmer, F., and Ugarelli, R. (2018). STOP-IT D3.2 Risk Identification Database (RIDB), Zenodo."},{"key":"ref_4","unstructured":"Makropolous, C., Moraitis, G., Nikolopoulos, D., Karavokiros, G., Lykou, A., Tsoukalas, I., Morley, M., Castro Gama, M., Okstad, E., and Vatn, J. (2019). STOP-IT D4.2: Risk Analysis and Evaluation Toolkit (RAET), Zenodo."},{"key":"ref_5","unstructured":"M\u00e4lzer, H., Vollmer, F., and Corchero, A. (2019). STOP-IT D4.3 Risk Remediation Measures Database (RRMD), Zenodo."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"04020061","DOI":"10.1061\/(ASCE)EE.1943-7870.0001722","article-title":"Cyber-physical stress-testing platform for water distribution networks","volume":"146","author":"Nikolopoulos","year":"2020","journal-title":"J. Environ. Eng."},{"key":"ref_7","unstructured":"Ahmadi, M., Ugarelli, R., Gr\u00f8tan, T.O., Raspati, G., Selseth, I., Makropoulos, C., Nikolopoulos, D., Moraitis, G., Karavokiros, G., and Bouziotas, D. (2019). STOP-IT D4.4: Cyber\u2013Physical Threats Stress\u2013Testing Platform, Zenodo."},{"key":"ref_8","unstructured":"Schwarzm\u00fcller, H., Vennesland, A., Haro, P.H., and Bour, G. (2021). D4.1: Interoperable and Secure Flow of Information\u2014Cyber-physical Sphere and Interoperability Aspects in the Utilities Regarding the DWC Solutions, Zenodo. Technical Report D4.1; Digital Water City."},{"key":"ref_9","unstructured":"(2023, February 06). Directive 2006\/7\/EC of the European Parliament and of the Council of 15 February 2006 Concerning the Management of Bathing Water Quality and Repealing Directive 76\/160\/EEC. Available online: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=celex%3A32006L0007."},{"key":"ref_10","unstructured":"City, D.W. (2023, February 06). Sensors for Real-Time In Situ E. coli and Enterococci Measurements. Available online: https:\/\/www.digital-water.city\/solution\/sensors-for-real-time-in-situ-e-coli-and-enterococci-measurements\/."},{"key":"ref_11","unstructured":"City, D.W. (2023, February 06). Mobile Application for Asset Management of Drinking Water Wells. Available online: https:\/\/www.digital-water.city\/solution\/mobile-application-for-asset-management-of-drinking-water-wells\/."},{"key":"ref_12","unstructured":"(2023, February 06). What You Need To Know About the SolarWinds Supply-Chain Attack | SANS Institute. Available online: https:\/\/www.sans.org\/blog\/what-you-need-to-know-about-the-solarwinds-supply-chain-attack\/."},{"key":"ref_13","unstructured":"(2023, February 06). European Banking Authority Hit by Microsoft Exchange hack-BBC News. Available online: https:\/\/www.bbc.com\/news\/technology-56321567."},{"key":"ref_14","unstructured":"Fouche, G. (2021). Norway\u2019s parliament hit by new hack attack. Reuters, Available online: https:\/\/www.reuters.com\/world\/europe\/norways-parliament-hit-by-new-hack-attack-2021-03-10\/."},{"key":"ref_15","unstructured":"(2023, February 06). A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages; Section: Article. Available online: https:\/\/thehackernews.com\/2022\/03\/a-threat-actor-dubbed-red-lili-has-been.html."},{"key":"ref_16","unstructured":"(2023, February 06). Governments Need to Reassess Security Infrastructures|Orange Business Services. Available online: https:\/\/www.orange-business.com\/en\/magazine\/new-generation-critical-infrastructures-secure."},{"key":"ref_17","unstructured":"(2023, February 06). Clear the \u201cAir Gap\u201d Myth to Evade Cyber Threats\u2014Securing Critical Infrastructure in the Digital World. Available online: https:\/\/www.nokia.com\/thought-leadership\/articles\/critical-infrastructure-enterprise-security\/."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Kambourakis, G., Kolias, C., and Stavrou, A. (2017, January 23\u201325). The Mirai botnet and the IoT Zombie Armies. Proceedings of the MILCOM 2017\u20142017 IEEE Military Communications Conference (MILCOM), Baltimore, MD, USA.","DOI":"10.1109\/MILCOM.2017.8170867"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Weingart, S.H. (2000, January 17\u201318). Physical Security Devices for Computer Subsystems: A Survey of Attacks and Defences. Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, CHES \u201900, Worcester, MA, USA.","DOI":"10.1007\/3-540-44499-8_24"},{"key":"ref_20","unstructured":"Microsoft (2023, February 06). Ten Immutable Laws of Security (Version 2.0); The Mirai Botnet and the IoT Zombie Armies. Available online: https:\/\/learn.microsoft.com\/en-us\/security\/compass\/ten-laws-of-security."},{"key":"ref_21","unstructured":"ISECOM (2023, February 06). OSSTMM. The Open Source Security Testing Methodology Manual. Available online: https:\/\/www.isecom.org\/OSSTMM.3.pdf."},{"key":"ref_22","unstructured":"Bour, G.N. (2019). Security Analysis of the Pacemaker Home Monitoring Unit: A BlackBox Approach. [Master\u2019s Thesis, NTNU (Norwegian University of Science and Technology)]."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"602","DOI":"10.1016\/j.jhydrol.2015.01.063","article-title":"Relationships between rainfall and Combined Sewer Overflow (CSO) occurrences","volume":"523","author":"Mailhot","year":"2015","journal-title":"J. Hydrol."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"117","DOI":"10.2166\/wst.1993.0293","article-title":"Urban drainage-impacts on receiving water quality","volume":"27","author":"House","year":"1993","journal-title":"Water Sci. Technol."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"706","DOI":"10.1899\/04-028.1","article-title":"The urban stream syndrome: Current knowledge and the search for a cure","volume":"24","author":"Walsh","year":"2005","journal-title":"J. N. Am. Benthol. Soc."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"893","DOI":"10.1016\/j.watres.2010.09.024","article-title":"Impact of an intense combined sewer overflow event on the microbiological water quality of the Seine River","volume":"45","author":"Passerat","year":"2011","journal-title":"Water Res."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"1836","DOI":"10.1139\/f2011-096","article-title":"Wastewater release and its impacts on Canadian waters","volume":"68","author":"Holeton","year":"2011","journal-title":"Can. J. Fish. Aquat. Sci."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"4370","DOI":"10.1016\/j.watres.2013.04.030","article-title":"Temporal variability of combined sewer overflow contaminants: Evaluation of wastewater micropollutants as tracers of fecal contamination","volume":"47","author":"Dorner","year":"2013","journal-title":"Water Res."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"555","DOI":"10.2166\/wst.2009.376","article-title":"Separate and combined sewer systems: A long-term modelling approach","volume":"60","author":"Mannina","year":"2009","journal-title":"Water Sci. Technol."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"04014073","DOI":"10.1061\/(ASCE)WR.1943-5452.0000468","article-title":"Climate change impact on combined sewer overflows","volume":"141","author":"Fortier","year":"2015","journal-title":"J. Water Resour. Plan. Manag."},{"key":"ref_31","unstructured":"Bour, G. (2023, February 06). IoT Security Checklist. Available online: https:\/\/www.sintef.no\/en\/projects\/2022\/ragnarok\/outcomes\/."},{"key":"ref_32","unstructured":"(2023, February 06). Baseline Security Recommendations for IoT. Available online: https:\/\/www.enisa.europa.eu\/publications\/baseline-security-recommendations-for-iot."},{"key":"ref_33","unstructured":"(2023, February 06). OWASP Application Security Verification Standard|OWASP Foundation. Available online: https:\/\/owasp.org\/www-project-application-security-verification-standard\/."},{"key":"ref_34","unstructured":"(2023, February 06). ISO 31000:2018(en), Risk Management\u2014Guidelines. Available online: https:\/\/www.iso.org\/standard\/65694.html."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Bosco, C., Raspati, G.S., Tefera, K., Rishovd, H., and Ugarelli, R. (2022). Protection of Water Distribution Networks against Cyber and Physical Threats: The STOP-IT Approach Demonstrated in a Case Study. Water, 14.","DOI":"10.3390\/w14233895"}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/3\/1\/6\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T18:44:56Z","timestamp":1760121896000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/3\/1\/6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,1]]},"references-count":35,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,3]]}},"alternative-id":["jcp3010006"],"URL":"https:\/\/doi.org\/10.3390\/jcp3010006","relation":{},"ISSN":["2624-800X"],"issn-type":[{"type":"electronic","value":"2624-800X"}],"subject":[],"published":{"date-parts":[[2023,3,1]]}}}