Security Analysis: Penetration Testing and Vulnerability Assessment
SHIELD-IoT is a joint initiative between ODINS, a leading Spanish SME in IoT solutions for smart cities, and LEGITEC, a certified cybersecurity company with over 20 years of experience in penetration testing. The project aims to strengthen the cybersecurity of critical and essential infrastructure in Spain, addressing real-world environments ranging from smart buildings and urban irrigation systems to industrial, healthcare, and academic services.
Unlike traditional lab-based approaches, SHIELD-IoT conducts its assessments directly on operational infrastructures, identifying vulnerabilities under real-world use conditions. This approach enables the detection of risks in IoT devices, SCADA platforms, cloud services, mobile applications, and network components, covering the entire device-to-cloud continuum.
Project objectives
The main objective of SHIELD-IoT is to improve the cybersecurity resilience and maturity of entities classified as Critical, Essential, or Important under NIS2, CRA, and CER regulations. To achieve this, the project will:
- Perform at least 12 penetration tests and vulnerability assessments on real IoT and IIoT deployments.
- Define testing scopes in collaboration with participating entities.
- Apply recognized methodologies such as PTES, OWASP, MITRE ATT&CK and NIST 800-115.
- Offer prioritized remediation strategies and mitigation plans.
- Transfer knowledge to end users through training sessions and practical documentation.
- Contribute to the European ecosystem with open source tools, hardening guides and replicable practices.
Strategic sectors
The consortium has direct access to critical and essential infrastructure in Spain, including:
- Public transport: Murcia tram.
- Agri-food: Buitrago Group and RIVERSA (smart irrigation with 5G/6G).
- Health: HospitalMC, with healthcare systems managed by SCADA.
- Industry and energy: Iberchem (chemical production), Konery (energy control), MASORANGE (telecommunications and 5G).
- Building and public services: TProtege (building automation), MurciaCity and UMU (digital services), PuntosVuela (digital inclusion centers).
- Inclusive technology: NaviLens (mobile accessibility applications).
Each assessment will generate detailed reports outlining detected vulnerabilities and recommended actions, ensuring compliance with current European regulations. Furthermore, advanced techniques such as firmware reverse engineering, fuzz testing of network services, exploitation of insecure cloud integrations, and social engineering simulations will be applied.
With this combination of experience in IoT, cybersecurity and European projects, SHIELD-IoT not only strengthens the participating entities, but also provides replicable methodologies, tools and knowledge for the entire sector, consolidating the position of ODINS and LEGITEC as benchmarks in innovation and applied cybersecurity.
The SHIELD-IoT subproject is funded by the open call of the European project CYSSDE (Cybersecurity Deployment Preparedness Support, Capacity & Capabilities), promoted by LSEC and the European Union’s Digital Europe Programme, under grant agreement No. 101158471.












