Featured innovations of STOP-IT

STOP-IT tools validated at Oslo VAV (Norway) and Berliner Wasserbetriebe (Germany)

The STOP-IT project is slowly coming to an end and so are the demonstration activities of the STOP-IT tools at the Frontrunner water utilities. The two frontrunners Oslo VAV in Norway and Berliner Wasserbetriebe in Germany now have published factsheets with the results of the implementation of STOP-IT tools they have tested at their facilities.

Oslo VAV was interested in a set of tools that can provide a system of defense against cyber and physical threats on their water supply system on all levels, from strategical and tactical planning to operations. Tested were the Risk Analysis and Evaluation Toolkit, Network Traffic Sensors and Analysers, Cyber Threat Sharing Service, Computer Vision Tool, Real-Time Anomaly Detector, Cross Layer Security Information and Event Management, Reasoning Engine and the Enhanced Visualisation Interface for water utilities.

Harald Rishovd from Oslo VAV comes to the following conclusion: “By adopting a comprehensive set of tools developed within STOP-IT, our team has benefitted from both, the selected tools by themselves as well as the connection and interaction between them. Thanks to all the partners involved in the project, our organization has successfully demonstrated the selected tools and therefore accomplished our objectives related to a more secure and resilient cyber-physical infrastructure.”

Read about the results and validated tools from Oslo VAV here:

In order to improve the resilience of their supply system, Berliner Wasserbetriebe (BWB) also has tested some of the STOP-IT tools: The Fault Tree Editor, Scenario Planner tool, Cyber-physical threats Stress-Testing Platform, Human Presence Detector using WiFi signals, Real-time sensor data protection, Network Traffic Sensors and Analysers and the Public Warning Notification System.

Fereshte Sedehizade from BWB is happy with the outcomes of the project: “Berliner Wasserbetriebe has been working on improving the resilience of its water supply for a long time. Therefore, many tools for physical and cyber security are already in use. However, the big additional advantage of STOP-IT is that all project tools are linked together in the STOP-IT platform, where they are feeding their outputs to each other and ultimately are working as one large integrated tool.”

Read about the results and validated tools from Berliner Wasserbetriebe here:  

STOP-IT tools validated at Aigües de Barcelona in Spain and Mekorot in Israel

The STOP-IT project is slowly coming to an end and so are the demonstration activities of the STOP-IT tools at the Frontrunner water utilities. The two frontrunners Aigües de Barcelona in Spain and Mekorot in Israel now have published a factsheet with the results of the implementation of STOP-IT tools they have tested at their facilities.

Tools tested at Aigües de Barcelona were the Water Quality Sensor Placement tool, the Asset vulnerability Assessment Tool, the InfraRisk-CP tool, the Risk Analysis and Evaluation Toolkit and the Fault-tolerant Control Strategies for Physical Anomalies affecting the SCADA system.

Meritxell Minoves from Aigües de Barcelona is content with how their collaboration with the STOP-IT project turned out: “The technological solutions developed in STOP-IT have met the original goals of the project and, thanks to all the colleagues, we have been able to proof them to be useful tools to manage risks in real situations and in all the aspects needed by the water industry. Moreover, the project has brought experiences and a different vision to our team and there has been a fruitful exchange between all the technology providers and water related organizations that have had a role during these four years.”

Read about the results and validated tools from Aigües de Barcelona here:

Mekorot and other water companies often are targets of physical- and/or cyber-attacks. In order to improve their resilience as a water supply company they have applied several STOP-IT tools for testing: The Jammer Detector, the Network Traffic Sensors and Analyzers, the Smart-Locks, the Fine-grain cyber access control tool and the Real-Time Anomaly Detector.

Relly Bar-On from Mekorot was satisfied with the STOP-IT collaboration as well: “STOP-IT was a major step for Mekorot to increase its resilience by demonstrating a set of tools for cyber and physical protection. The project took place in an era of increasing cyber-attacks on water facilities in Israel, emphasizing the importance of projects like STOP-IT even more. The knowledge share that was done in the project and the exposure to innovative technologies accelerated the implementation of additional cyber tools and added more layers to the risk-management methodology that Mekorot follows.”

Read about the results and validated tools from Mekorot here:

STOP-IT tools to detect a cyber attack

Real-Time Anomaly Detector (RTAD)

Real time anomaly detection on cyber-physical infrastructures using machine learning and signature-based detection of abnormal behaviours within the network. It provides an additional layer of security by detecting potential threats from the logs of the system. The tool is composed of three main components: a security Big Data platform, machine learning algorithms, and signature-based rules. You will find more information about the RTAD under Key Exploitable Results here.

The Real Time Anomaly Detector

The Real Time Anomaly Detector

Cross Layer Security Information and Event Management (XL-SIEM)

This tool receives events coming from different sources to generate correlated alarms that indicate the risk level, and detailed information about the event (description, IP source and destination, Port source and destination, Protocols). The tool can perform automatic countermeasures or generate tickets for further investigation. It provides enhanced capabilities to address storage limitations, correlation, performance and visualization issues, enabling a reduced reaction time. It is part of the STOP-IT platform. You will find more information about the XL-SIEM under Key Exploitable Results here.

XL-SIEM High Level Architecture

XL-SIEM High Level Architecture

Network Traffic Sensors and Analysers (NTSA)

It incorporates five categories of sensors able to identify different malicious patterns such as TTL-based attacks, brute force attacks, DNS answer attacks, time-based attacks, and domain-based attacks. The Network Traffic Sensors and Analysers go one step beyond of traditional anomaly detection systems based on pattern and regular expressions analysis, by using well-known machine learning mechanisms: One-class Support Vector Machine (One-class SVM) to identify abnormal behaviour in the traffic capture based on a multi-featured approach that restricts the analysis to a modelled IP address and extended in terms of samples (valid and invalid ones). Read more about NTSA here.

NTSA Architecture

NTSA Architecture

STOP-IT toolbox for protection against cyber threats

The toolbox of technologies for securing IT and SCADA systems contains real-time fault diagnosis tools of anomalies affecting integrated sensors/actuators and assets operated by SCADA systems; IT communication analysis systems to ensure security using established network protection rules and traffic monitoring; and blockchain schemes, applied to protect the integrity of the data generated during critical infrastructure operation (logs, sensor data, etc.), both against intentional attacks or malfunction. The accompanying PDF report supports the use of the developed tools, describing their technical requirements, installation procedures and usage instructions.

This video gives an overview of different STOP-IT tools and shows the developed functionalities:

STOP-IT toolbox for protection against physical threats

STOP-IT developed a toolbox of technologies for securing critical water infrastructure assets from physical threats. It contains a set of novel tools, such as smart locking mechanisms, computer vision and sensor-based tools and authorization and intrusion detection technologies. The supporting PDF document provides a detailed technological description of these tools, setup instructions, examples of the tools usage and results, contact information for the developers of each tool as well as a short discussion about relevant privacy and security concerns.

The Cyber Threat Sharing System

The cyber threat sharing system is collecting sources of existing threats from relevant feeds, structures the information and sends out personalized alerts. This service ensures the mitigation of threats to critical infrastructure and enhances the coordination, establishing exchange methods to prevent, reduce, mitigate and recover from existing threats. It also allows coordination to deal with those threats in a global approach.

The Public Warning Notification System (PWNS)

STOP-IT has developed a Public Warning Notification System (PWNS) with two main functionalities: detect and report incidents and inform users and citizens.

The PWNS processes data, alerts and detected incidents from external sources and reports them to the STOP-IT core platform. At this initial stage the incident has to be validated by a human operator in most cases. Once this is done, the anomaly is notified to the system that, by cross-checking with other incident-related data from different sources, can identify the risk situation. This assessment then will be sent to the visualisation interface for water utilities, which starts a response plan with actions to be executed. These are based on different parameters set by water operators and can include both corrective and mitigation measures. The system also sends the information and instructions to follow to the users and citizens using the most appropriate channels, i.e. email, SMS, mobile app notifications, etc.

Water agencies, regulators, municipalities and environmental agencies can benefit from this Public Warning Notification System. The tool is publicly available and open source. At this stage however, the system uses OneMind, the proprietary solution of Worldsensing, as visualisation interface. The STOP-IT solution for the user interface is currently being developed by RISA within the project.

The system operation can be seen in this video.

Find the PWNS here: https://stop-it-project.eu/results/public-warning-notification-system/

The Risk Identification Database (RIDB)

The Risk Identification Database (RIDB) is an organized collection of data, which includes the identification of threats, risk sources, risk factors, causal relations and the description of risk events.


The purpose of the RIDB is to identify risk events, related to physical and cyber threats that can occur in water distribution systems and utilities, their locations, and causes. The RIDB therefore is a source of information to identify and select potential risk events to be further elaborated and/or combined into risk scenarios to be analysed and treated by applying STOP-IT solutions and security considerations.

For whom is the RIDB useful and why?

All water utilities need to consider the effects of the most risky cyber and physical events in their facilities. The RIDB is a repository of cyber-physical threats identifying the majority of the most risky threats provided by water operators, civil engineers, head of operations, IoT engineers, system engineers, etc. In that sense, RIDB is a data source included in several tools applied in risk analysis also developed in STOP-IT project such as PSA Explorer, InfraRisk and others (see figure).

The RIDB is available for public access here.

Meklock – the clever smart lock system

As a protection measure against physical threats, STOP-IT partners Mekorot and Aplicatzia developed Meklock, a smart lock system that is useful for any company that maintains and operates facilities with multiple buildings, entrances and cabinets with large quantities of expensive equipment, vulnerable to break-ins and sabotage.

Meklock is an innovative access-control mobile app with a sophisticated management system that interacts with electronic locks. With the help of the system it is possible to track entry of authorized users or enable or disable remote privileges for opening and locking doors. It does not require the implementation of wired or wireless infrastructure and therefore reduces maintenance costs. It increases the safety, is user friendly and flexible, offers navigation to facilities and works with a standalone system, among other things.

The Meklock system is ready to use. In case of interest, please contact Gil Groskop (Groskop@MEKOROT.CO.IL).