Abstract
With the entry into force of the new CER Directive, critical entities must focus on resilience. New tools will soon be demanded by Critical Infrastructure operators, and innovative technologies will make the difference for the adoption of key measures: carrying out risk assessments, taking technical and organizational measures to enhance resilience, and notifying incidents. The H2020 PRAETORIAN project enables the security stakeholders of the CIs in Europe to manage the life cycle of security threats, from forecast, assessment and prevention to detection, response, and mitigation, in a collaborative manner with the security teams from related CIs, whether or not those CIs are in the same sector. PRAETORIAN supports the decision-making process of CI operators to prevent major damage to the installations, neighboring population, and the environment, while allowing a fast recovery after incidents. This means a significant move toward a resilience-based framework, going beyond the purely protection-based approach required by the former regulation.
Keywords
- Resilience
- Critical infrastructure
- Situation awareness
- Cascading effects
- Coordinated response
- Information sharing
Regulation and the PRAETORIAN Solution: An Overview
The new CER Directive [1] constitutes a considerable change as compared to the ECI Directive 2008/114/EC [2] since critical entities will have to meet specific obligations aimed at enhancing their resilience. Moreover, a wider sectoral scope will allow Member States and critical entities to better address interdependencies and potential cascading effects of an incident. European critical entities are more interconnected and interdependent, which makes them stronger and more efficient but also more vulnerable in case of an incident.
As requested by the CER Directive, critical entities will need to carry out risk assessments on their own, take technical and organizational measures to enhance their resilience, and notify incidents. New tools will soon be demanded by Critical Infrastructure (CI) operators, and innovative technologies will be needed to enable the adoption of these measures. The CER Directive is complemented by the NIS2 Directive [3], together forming an updated and comprehensive legal framework to strengthen both the physical and cyber resilience of critical infrastructure.
The goal of the H2020 PRAETORIAN project (https://praetorian-h2020.eu/) is to enable the security stakeholders of the CIs in Europe to manage the life cycle of security threats, from forecast, assessment and prevention to detection, response, and mitigation, in a collaborative manner with the security teams from related CIs, whether or not those CIs are in the same sector. PRAETORIAN proposes a toolset that:
- (a) Makes use of data obtained from relevant legacy security systems of the CIs.
- (b) Introduces novel sensors and innovative data analysis.
- (c) Builds a model of the ecosystem of CIs.
- (d) Improves the channels and quality of communication among stakeholders.
- (e) Combines the emergency plans of those CIs.
The combination of these functionalities will support the decision-making process of CI operators to prevent major damages to the installations, neighboring population, and the environment while allowing a fast recovery after incidents.
The PRAETORIAN Framework
The PRAETORIAN toolset consists of four innovative products, which intend to provide the security managers with the capacity to protect the CIs from physical, cyber, and combined (physical and cyber) attacks. The Cyber Situation Awareness (CSA) system can recognize patterns within the network and generate corresponding events. The Physical Situation Awareness (PSA) system can be integrated with existing sensors and legacy systems in the CI to collect meaningful data and combine them with information received from newly developed modules that implement drone detection and video analytics. Both the CSA and the PSA generate an alarm when cyber/physical threats are detected. The Hybrid Situation Awareness (HSA) system uses a digital twin of the related CIs to correlate the received alarms and estimate the cascading effects on own and related CIs. This information is processed in the Coordinated Response (CR) system which suggests an effective response to the threat, allowing notifications and information sharing through multiple channels.
Figure 13.1 highlights the flow of information between the aforementioned components. The HSA receives events and alerts generated by the PSA and CSA. The CR receives alerts from all components and generates relevant security incidents and proper notifications to operators and first responders, while it recommends mitigation actions.
The framework for developing this solution is largely based on the idea of interoperability of systems and components (which also allows focusing on scalability and replicability), therefore the PRAETORIAN back end relies on the Interoperability Platform (IOP) that interconnects all the elements, allowing: (i) the exchange of information between all the systems and modules, (ii) the storage of information, and (iii) avoiding the duplication of data between modules, the replication of changes, and possible inconsistencies. In this way, data is provided for the entire platform that can be processed and retrieved to offer useful and usable information for all its users, and therefore serving as a data-sharing infrastructure for all PRAETORIAN components.
The IOP offers a variety of connectivity methods, including a RESTful Application Programming Interface (API), the Datagram Delivery Protocol (DDP), and the Advanced Message Queuing Protocol (AMQP). As for the front end, the main PRAETORIAN Human Machine Interface (HMI) is the CR. However, each of the other systems (i.e., PSA, CSA, and HSA) provides its own user-friendly HMI, tailored to the needs of CI operators.
The following subsections describe the PRAETORIAN components, focusing on the features and the added value that they provide compared to the typical legacy systems. A detailed description of the modules and subcomponents of each system can be found in [4].
Creating Situation Awareness
Three PRAETORIAN systems have been developed to create Situation Awareness: the Physical Situation Awareness (PSA) System, the Cyber Situation Awareness (CSA) System, and the Hybrid Situation Awareness (HSA).
The PSA system focuses on the monitoring and control of critical areas. It receives and processes information from sensors and detection systems, such as the Video Analytics and Anomaly Behavior tools for intrusion detection and threat identification, and the Drone Detection system. It detects possible physical threats, generates the corresponding detection events that can be analyzed by the operator, and offers both real-time information and an incident history for later analysis. Moreover, the PSA forwards alarms to the HSA to enable their correlation with the cyber events for the prediction of cascading effects.
The PSA HMI is the graphical interface that provides the user with the sought-after situational awareness, giving a real, precise, and up-to-date view of the status of the asset to be protected. The tool is capable of displaying 3D models so that the operator has a clear idea of the exact location of each element. In buildings, for example, the sensors are represented at the height at which they are installed.
Figure 13.2 shows an example of the PSA map view. The icons represent the location of sensors, cameras, and agents. The operator can, at any moment, retrieve information on measurements in real time, or get access to the streaming or recordings from cameras. Furthermore, unmanned vehicles are also represented in the map using 3D models, colored in green if they are assets in the CI, or in red if they are not recognized as part of the system.
The CSA system aims to improve the cyber situation awareness of the CI operator and to forward cyber events to the HSA to enable their correlation with the physical events for the prediction of cascading effects. The CSA has been implemented based on the development of Cybersecurity Digital Twins (CDT), which mimic some Critical Infrastructure’s Operational Technology (OT) and Information Technology (IT) systems. The CDTs are designed so as not to interfere with the CI’s real operational systems during the verification, validation, and demonstration activities. Cyber Assessment Tools (CAT) are used to simulate additional legitimate traffic, launch attacks, and collect cybersecurity logs. Finally, a Cyber Forecaster Engine (CFE) can forecast the end goal of the attacker.
The CSA HMI provides various visualization options to represent assets, alarms, detections, and attack goals, as predicted by the CFE. Figure 13.3 shows a timeline representation of attacks, showing the relation between the detections and the corresponding alerts. The timeline visualization integrates the time dimension in the overall cyber perspective and allows aggregating, in the same view, primary assets, supporting assets, detections, and alerts. In this kind of visualization, the operator can identify which detections triggered which alerts, when detections and alerts were spawned, and how long they lasted during their life cycle. Primary assets are usually information or business processes, while supporting assets can be hardware, software, and human resources [5].
Finally, the Hybrid Situation Awareness (HSA) system provides CI operators with accurate forecasts of potential cyber and physical consequences at the facilities, given any kind of physical or cyber alert detected by the PSA and the CSA respectively. Figure 13.4 reflects that the physical and cyber domains cannot be understood and treated independently, since attacks on either dimension may also have significant consequences in the other one. Moreover, the HSA is able to calculate and show not only the cascading effects of attacks on a particular CI, but also on interrelated CIs.
The HSA back end includes two systems, the Generic Digital Twin (GDT) that models the relevant CI assets with their inter/intrarelationships and the Threat Propagation Engine (TPE) that simulates the consequences of incoming alerts including cascading effects.
The GDT consists of a graph-based representation in which the nodes represent the critical assets of the CIs and the edges represent the dependencies among these assets. Each asset has a state which may change due to a physical or cyber event, as detected by the PSA or the CSA respectively (e.g., fire, cyberattack). When the state of a node changes, a notification is sent to each adjacent node, which may itself react to the incoming notification and change its state, and, in turn, inform its own adjacent nodes. GDT models can be created within a CI, to calculate cascading effects between assets of that particular CI, as well as between different CIs, to calculate the cascading effects between them.
Based on the GDT, the Threat Propagation Engine (TPE) describes the direct and indirect consequences of alerts generated by the PSA and the CSA, over time. In particular, for each alert forwarded to the HSA, the TPE is triggered and a set of interdependent threat propagation simulations is run. The simulation results are used to estimate the potential consequences of the threat on the overall network of interconnected CIs. The output of the TPE is a prediction of the propagation of the cascading effects, which is displayed on the HSA HMI.
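The following is an added illustration, not code from the PRAETORIAN project, of the GDT and TPE behaviour described above: assets are nodes, dependencies are directed edges, and a state change is pushed hop by hop to adjacent nodes, which may change state and notify their own neighbours. The asset names, the numeric impact scale, the per-edge weights and the stop threshold are all assumptions made for this example; the real GDT/TPE models are described in [4].

```python
"""Added example (not the project's own code): a minimal Generic Digital
Twin as a dependency graph plus a breadth-first Threat Propagation Engine.
All asset names, weights and the impact arithmetic are assumptions."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass
class Asset:
    name: str      # e.g. "port:scada" (constructed label)
    ci: str        # owning critical infrastructure, e.g. "port"
    domain: str    # "cyber" or "physical"
    impact: float = 0.0  # assumed scale: 0.0 = unaffected, 1.0 = fully affected


class GenericDigitalTwin:
    """Nodes are CI assets; an edge provider -> dependent carries a weight in
    (0, 1]: the fraction of the provider's impact the dependent inherits.
    Edges may cross CI boundaries, which is how cross-CI cascades appear."""

    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}
        self.dependents: dict[str, list[tuple[str, float]]] = {}

    def add_asset(self, name: str, ci: str, domain: str) -> None:
        self.assets[name] = Asset(name, ci, domain)
        self.dependents.setdefault(name, [])

    def add_dependency(self, dependent: str, provider: str, weight: float) -> None:
        if not 0.0 < weight <= 1.0:
            raise ValueError("weight must be in (0, 1]")
        self.dependents.setdefault(provider, []).append((dependent, weight))


class ThreatPropagationEngine:
    """Step 0 is the alerted asset, step n the assets reached after n hops.
    A node re-notifies its dependents only when its impact rises by more than
    `threshold`; with weights <= 1 this guarantees termination even when the
    dependency graph contains cycles."""

    def __init__(self, twin: GenericDigitalTwin, threshold: float = 0.05) -> None:
        self.twin = twin
        self.threshold = threshold

    def simulate(self, alerted_asset: str, severity: float, max_steps: int = 10):
        for asset in self.twin.assets.values():
            asset.impact = 0.0
        self.twin.assets[alerted_asset].impact = severity
        timeline = [(0, alerted_asset, severity)]   # (step, asset, impact)
        frontier = deque([(alerted_asset, 0)])
        while frontier:
            name, step = frontier.popleft()
            if step >= max_steps:
                continue
            source = self.twin.assets[name]
            for dep_name, weight in self.twin.dependents.get(name, []):
                target = self.twin.assets[dep_name]
                inherited = round(source.impact * weight, 6)
                if inherited - target.impact > self.threshold:
                    target.impact = inherited          # state change ...
                    timeline.append((step + 1, dep_name, inherited))
                    frontier.append((dep_name, step + 1))  # ... notifies neighbours
        return timeline

    def impact_by_ci(self) -> dict[str, dict[str, float]]:
        """Per-CI view of affected assets, as an HSA HMI would colour them."""
        summary: dict[str, dict[str, float]] = {}
        for asset in self.twin.assets.values():
            if asset.impact > 0.0:
                summary.setdefault(asset.ci, {})[asset.name] = asset.impact
        return summary


def build_sample_twin() -> GenericDigitalTwin:
    """Constructed three-CI model: a grid substation feeds a port's SCADA and
    a hospital's power feed (the hospital has backup generators, hence 0.5)."""
    twin = GenericDigitalTwin()
    twin.add_asset("grid:substation_a", "grid", "physical")
    twin.add_asset("port:scada", "port", "cyber")
    twin.add_asset("port:crane_ctrl", "port", "cyber")
    twin.add_asset("port:terminal_ops", "port", "physical")
    twin.add_asset("hospital:power_feed", "hospital", "physical")
    twin.add_asset("hospital:ehr", "hospital", "cyber")
    twin.add_dependency("port:scada", "grid:substation_a", 0.9)
    twin.add_dependency("hospital:power_feed", "grid:substation_a", 0.5)
    twin.add_dependency("port:crane_ctrl", "port:scada", 0.8)
    twin.add_dependency("port:terminal_ops", "port:scada", 0.3)
    twin.add_dependency("port:terminal_ops", "port:crane_ctrl", 1.0)
    twin.add_dependency("hospital:ehr", "hospital:power_feed", 0.6)
    return twin


def run_sample():
    """A physical alert (fire at the substation, severity 1.0) from the PSA."""
    tpe = ThreatPropagationEngine(build_sample_twin())
    timeline = tpe.simulate("grid:substation_a", severity=1.0)
    return timeline, tpe.impact_by_ci()


if __name__ == "__main__":
    for step, asset, impact in run_sample()[0]:
        print(f"t+{step}: {asset} impact={impact}")
```

Note that port:terminal_ops is reached twice: first weakly via the SCADA edge, then more strongly via crane control one hop later, so the engine raises its state a second time. That is the "indirect consequences over time" behaviour the TPE exposes to the operator, and it is why the display should be driven by the timeline rather than by a single final snapshot.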
The front end has two HMIs, designed to be reactive and show, in an autonomous manner, if new elements have been received (without user intervention) from the back end. One shows the cascading effects (HSA HMI) and the other one is the model of the CIs and the status of their assets (Synoptic Live Diagram, SLD HMI).
The HSA HMI shows on a map the predicted cascading effects, as calculated by the TPE simulations (Fig. 13.5). A graph-based representation is used, in which each node corresponds to a cyber or physical asset of a CI and each link corresponds to an interdependency. Different colors in each node indicate the corresponding impact of the threat (i.e., the degree to which the asset was affected). The SLD HMI, on the other hand, allows designing 3D diagrams and linking their elements with the data in the back end, as well as monitoring the status of that data in near real time (Fig. 13.6).
Providing Coordinated Response
The main CR module is the Decision Support System (DSS). It acts as a hub, as it collects all alerts and events generated by the PSA, CSA, and HSA. Through a set of predefined rules, the DSS generates events (i.e., information potentially useful to operators) and security incidents (i.e., information that may require immediate action by operators), as can be seen in Fig. 13.7.
The rules determine under which condition an event generated in the PSA, CSA or HSA will trigger the generation of a security incident, or when the DSS will trigger another module (e.g., in case of a mitigation action).
The DSS allows the CI operator to get real-time information about an incident and decide on a possible mitigation action. If the proper rule is configured in the system, the mitigation action can be launched automatically, saving time and ensuring a rapid response. This is the case, for example, for drone detection and the corresponding countermeasures: both systems have been integrated in PRAETORIAN. Any incident originating in the cyber domain, the physical domain, or a combination of both, whether due to an out-of-range measurement or a suspicious detection, is captured by the DSS so that personnel are kept informed at all times. In addition, thanks to the HSA, the DSS can anticipate potentially affected assets and cascading effects and report them. The system aims, through configuration and prior knowledge, to anticipate any incident and report it as soon as possible.
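To make the rule-driven behaviour of the DSS concrete, here is an added example that is not the project's own implementation: a first-match rule table that classifies PSA/CSA/HSA alerts as informational events or security incidents and, where a rule says so, triggers a mitigation module automatically (the drone detection to countermeasure case described above). The alert fields, severity scale, rule names and module names are constructed for illustration.

```python
"""Added example (not the PRAETORIAN DSS): a small first-match rule engine
turning alerts into events or incidents. All field names, the 1..5 severity
scale and the module names are assumptions made for this illustration."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    source: str    # "PSA", "CSA" or "HSA"
    kind: str      # e.g. "drone_detected", "malware", "cascade_forecast"
    severity: int  # assumed scale: 1 (informational) .. 5 (critical)
    asset: str


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Alert], bool]
    outcome: str                      # "event" (informational) or "incident" (needs action)
    mitigation: Optional[str] = None  # module to trigger automatically, if any


@dataclass
class DecisionSupportSystem:
    rules: List[Rule]
    events: List[Tuple[str, Alert]] = field(default_factory=list)
    incidents: List[Tuple[str, Alert]] = field(default_factory=list)
    triggered: List[Tuple[str, str]] = field(default_factory=list)  # (module, asset)

    def ingest(self, alert: Alert) -> str:
        """Apply the first matching rule and return its name. An alert that
        matches no rule is still recorded as an event, so nothing is silently
        dropped from the operator's view."""
        for rule in self.rules:
            if rule.matches(alert):
                if rule.outcome == "incident":
                    self.incidents.append((rule.name, alert))
                    if rule.mitigation:
                        self.triggered.append((rule.mitigation, alert.asset))
                else:
                    self.events.append((rule.name, alert))
                return rule.name
        self.events.append(("unmatched", alert))
        return "unmatched"


# Constructed rule set; order matters because the first match wins.
RULES = [
    Rule("psa-drone-auto-countermeasure",
         lambda a: a.source == "PSA" and a.kind == "drone_detected",
         "incident", mitigation="drone_countermeasure"),
    Rule("csa-high-severity",
         lambda a: a.source == "CSA" and a.severity >= 4, "incident"),
    Rule("hsa-cascade-forecast",
         lambda a: a.source == "HSA" and a.kind == "cascade_forecast" and a.severity >= 3,
         "incident"),
    Rule("low-severity-event", lambda a: a.severity <= 2, "event"),
]

# Constructed sample alerts as the three situation-awareness systems might emit them.
SAMPLE_ALERTS = [
    Alert("PSA", "drone_detected", 3, "port:north_quay"),
    Alert("CSA", "malware", 5, "port:scada"),
    Alert("CSA", "port_scan", 2, "port:hmi_workstation"),
    Alert("HSA", "cascade_forecast", 4, "hospital:power_feed"),
    Alert("PSA", "intrusion", 3, "grid:substation_a"),  # matches no rule
]


def run_sample():
    dss = DecisionSupportSystem(list(RULES))
    outcomes = [dss.ingest(alert) for alert in SAMPLE_ALERTS]
    return dss, outcomes


if __name__ == "__main__":
    dss, outcomes = run_sample()
    for alert, outcome in zip(SAMPLE_ALERTS, outcomes):
        print(f"{alert.source:>3} {alert.kind:<17} -> {outcome}")
    print("incidents:", len(dss.incidents), "events:", len(dss.events),
          "auto-mitigations:", dss.triggered)
```

Two properties matter operationally: an unmatched alert (the PSA intrusion above) still surfaces as an event rather than vanishing, and automatic mitigation is tied to an explicit rule rather than to severity alone, so an operator can see exactly which configuration caused a countermeasure to fire.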
Once an incident has been created in the system, other operators can be notified in a variety of ways, including email, SMS or through a chat application, all of which are configurable through the notifiers page of the DSS.
PRAETORIAN is able not only to detect possible threats from the physical and cyber domains and generate the corresponding incidents, but also to analyze “weak signals” from different sources. This is the case for the Social Media Security Threat Detection (SMSTD) module [6], which utilizes text crawling techniques in order to monitor the entirety of the global Twitter stream and discern tweets that are potentially critical to the security of the CI, including tweets that mention data leaks, new vulnerabilities, and cyberattacks.
Moreover, another module provides a real-time feed of Twitter posts by the public during a crisis. The tool relies on machine learning techniques and identifies relevant, informative-only tweets which can enhance the operator's situational awareness during a crisis.
Communicating and Sharing Information
The PRAETORIAN system provides several mechanisms for the effective communication between operators and first responders, through the Information Sharing & Communication with FRs (ISC-FR) module [6]. It gathers information available on the PRAETORIAN platform and discerns the parts that are relevant for each type of first responder, for a particular incident type.
PRAETORIAN also supports the creation of EU-Alerts [7] to notify the population near the CI in case of an incident. Through the Emergency Population Warning System (EPWS) tool, the CI operators can select an area around the incident. After selecting a message from existing templates, the operator can potentially edit the message and send it to the cell phones of the population in the area. As shown in Fig. 13.8, a colored grid on the map indicates the number of cell phones in the area, which can be used to provide a rough estimation of the number of people and their distribution in the area of the incident.
Finally, PRAETORIAN offers connectivity with Twitter through the Integration with Social Media (IWSM) modules [6]. It offers a number of tweet templates that allow CI operators to generate messages for the public and share them on the social media platform with the press of a button.
PRAETORIAN in the Context of Resilience of CIs
PRAETORIAN focuses on the interoperability of CIs’ legacy systems together with novel systems and sensors, aiming at improving the capability of CI security managers to prepare and apply in practice the Resilience Plan required by the CER Directive. This means taking technical, security, and organizational measures. Moreover, PRAETORIAN also allows the integration of additional information sources, such as signals from social media, agencies, or any other open sources. Social media is indeed a valuable source of information during emergency situations, since it can be used to further improve the situation awareness of first responders and rescue teams so they can act more effectively.
PRAETORIAN is also aligned with the Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure [8], which aims at maximizing and accelerating the work to protect critical infrastructure in three priority areas: preparedness, response, and international cooperation. Three of the four PRAETORIAN systems enhance situational awareness, on the one hand through threat detection and the creation of alarms, and on the other by correlating multiple signals in order to understand threat propagation (“preparedness”). The remaining system focuses on “response,” based on a Decision Support System that provides an automated reaction to the detected threat and promotes a unified response by the CIs that limits harm and the extent of damage while maintaining business continuity. The last aspect to consider is “international cooperation,” and in that sense PRAETORIAN has explored mechanisms that CI operators can use to share information about incidents. This is a relevant area, but also a difficult one to implement: while CI managers have to decide on the nature and quantity of the information to be shared, given its sensitivity, the new regulations promote cooperation among different actors (public sector, public-private entities). This can only be achieved when the process is envisaged as part of the strategy for enhancing the resilience of critical entities, which will have to be defined by Member States.
Conclusions
The PRAETORIAN framework is a significant contribution to addressing the challenges of CI protection from combined cyber and physical attacks. It provides an advanced toolset which can be customized to the requirements of each particular type of CI. It focuses strongly on the prediction of the cascading effects of attacks and on the impact of these effects on interdependent CIs. Finally, it provides user-friendly interfaces for effective use by the CI operators. The toolset is designed and developed to focus on the resilience of critical infrastructures, which is defined by the CER Directive as “a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from an incident.”
References
[1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER Directive).
[2] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
[3] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
[4] Papadopoulos, L., Karteris, A., Soudris, D., Muñoz-Navarro, E., Hernandez-Montesinos, J. J., Paul, S., Museux, N., Koenig, S., Egger, M., Schauer, S., Gómez, J. H., & Hadjina, T. (2023). PRAETORIAN: A framework for the protection of critical infrastructures from advanced combined cyber and physical threats. In Proceedings of the 18th International Conference on Availability, Reliability and Security (ARES '23). Association for Computing Machinery.
[5] ISO/IEC 27005:2022. Information security, cybersecurity and privacy protection – Guidance on managing information security risks.
[6] Karteris, A., Tzanos, G., Papadopoulos, L., Demestichas, K., Soudris, D., Philibert, J. P., & Gómez, C. L. (2022). A methodology for enhancing emergency situational awareness through social media. In Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES '22) (Article No. 130, pp. 1–7). Association for Computing Machinery.
[7] ETSI TS 102 900 V1.3.1 – Emergency Communications (EMTEL); European Public Warning System (EU-ALERT) using the Cell Broadcast Service.
[8] Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure. Document 15623/22 of the Council of the European Union.
Acknowledgments
PRAETORIAN has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No. 101021274.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2025 The Author(s)
Muñoz-Navarro, E., Hernández-Montesinos, J.J., Marqués-Moreno, A., Papadopoulos, L., Karteris, A., Demestichas, K. (2025). PRAETORIAN: From Protection to Resilience of Critical Infrastructures. In: Gkotsis, I., Kavallieros, D., Stoianov, N., Vrochidis, S., Diagourtas, D., Akhgar, B. (eds) Paradigms on Technology Development for Security Practitioners. Security Informatics and Law Enforcement. Springer, Cham. https://doi.org/10.1007/978-3-031-62083-6_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-62082-9
Online ISBN: 978-3-031-62083-6
eBook Packages: Physics and Astronomy (R0)