Historically, critical water infrastructures have operated with limited digitalization, relying on legacy protocols designed without intrinsic security. The rapid integration of advanced IoT telemetry into Operational Technology (OT) networks has dissolved traditional air gaps, exposing these facilities to severe cyber–physical threats. Concurrently, regulatory frameworks such as the European NIS2 Directive and the Cyber Resilience Act (CRA) now strictly mandate robust risk monitoring for essential entities. To address these challenges, this study develops a non-intrusive, hybrid Intrusion Detection System (IDS) tailored for converged IT/OT environments. Engineered upon the Snort 3 multi-threaded engine, the architecture captures both North–South and East–West traffic. A defense-in-depth rule set was constructed using threat intelligence (MITRE ATT&CK, CISA KEV) to perform Deep Packet Inspection (DPI) across legacy industrial protocols (Modbus, S7Comm, CIP) and IoT application layers (MQTT, HTTP). Experimental validation against high-volume synthetic packet captures (exceeding 170,000 packets) replicating specific manufacturer vulnerabilities (CVEs) demonstrated an improvement in the detection rate from a 0% baseline to 100%. Crucially, the system demonstrated high scalability and minimal computational overhead, processing high-volume traffic streams with zero dropped packets. This contextualized signature approach provides the deterministic security required to ensure operational continuity and regulatory compliance in modern water infrastructures.
Rodríguez et al. studied this question.
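To make the contextualized-signature idea concrete, here is an added illustration that is not the paper's own code or Snort rule set: a minimal Modbus/TCP inspector that parses the MBAP header and flags state-changing function codes issued by hosts outside an engineering allowlist. The host addresses, allowlist and frames are constructed for the example; in the deployment described above, the Snort 3 Modbus inspector would perform this parsing.

```python
# Added example (not from the paper): Modbus/TCP deep-packet-inspection check
# that alerts on write function codes from hosts outside a constructed allowlist.
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state; read codes are not alerted on.
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}

# Constructed allowlist: the only host permitted to issue write commands.
ENGINEERING_HOSTS = {"10.0.20.5"}

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes  # Modbus/TCP: 7-byte MBAP header followed by the PDU

def parse_modbus(payload: bytes):
    """Return (unit_id, function_code) from an MBAP-framed PDU, or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; the length field counts unit id + PDU, i.e. all bytes
    # after the first six, so a mismatch means a truncated or forged frame.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def inspect(packets):
    """Return alert strings for malformed frames and unauthorized write requests."""
    alerts = []
    for p in packets:
        parsed = parse_modbus(p.payload)
        if parsed is None:
            alerts.append(f"malformed Modbus frame from {p.src}")
            continue
        unit, func = parsed
        if func in WRITE_FUNCS and p.src not in ENGINEERING_HOSTS:
            alerts.append(f"{WRITE_FUNCS[func]} to unit {unit} on {p.dst} "
                          f"from unauthorized {p.src}")
    return alerts

# Constructed sample traffic: read, authorized write, rogue write, bad length field.
SAMPLE = [
    Packet("10.0.30.7", "10.0.10.1", bytes.fromhex("0001000000060103000A0002")),
    Packet("10.0.20.5", "10.0.10.1", bytes.fromhex("00020000000601050001FF00")),
    Packet("10.0.30.9", "10.0.10.1", bytes.fromhex("00030000000601050001FF00")),
    Packet("10.0.30.9", "10.0.10.1", bytes.fromhex("0004000000FF0105")),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print("ALERT:", alert)
```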