Regulation and the PRAETORIAN Solution: An Overview

The new CER Directive [1] constitutes a considerable change as compared to the ECI Directive 2008/114/EC [2] since critical entities will have to meet specific obligations aimed at enhancing their resilience. Moreover, a wider sectoral scope will allow Member States and critical entities to better address interdependencies and potential cascading effects of an incident. European critical entities are more interconnected and interdependent, which makes them stronger and more efficient but also more vulnerable in case of an incident.

As requested by the CER Directive, critical entities will need to carry out risk assessments on their own, take technical and organizational measures to enhance their resilience, and notify incidents. New tools will soon be demanded by Critical Infrastructure (CI) operators, and innovative technologies allowing the adoption of these measures will have to be used. The CER Directive is complemented by the NIS2 Directive [3], thus becoming an updated and comprehensive legal framework to strengthen both the physical and cyber-resilience of critical infrastructure.

The goal of the H2020 PRAETORIAN project (https://praetorian-h2020.eu/) is to enable the security stakeholders of the CIs in Europe to manage the life cycle of security threats, from forecast, assessment and prevention to detection, response, and mitigation, in a collaborative manner with the security teams from related CIs, whether or not those CIs belong to the same sector. PRAETORIAN proposes a toolset that:

(a) Makes use of data obtained from relevant legacy security systems of the CIs.
(b) Introduces novel sensors and innovative data analysis.
(c) Builds a model of the ecosystem of CIs.
(d) Improves the channels and quality of communication among stakeholders.
(e) Combines the emergency plans of those CIs.

The combination of these functionalities will support the decision-making process of CI operators to prevent major damages to the installations, neighboring population, and the environment while allowing a fast recovery after incidents.

The PRAETORIAN Framework

The PRAETORIAN toolset consists of four innovative products, which intend to provide the security managers with the capacity to protect the CIs from physical, cyber, and combined (physical and cyber) attacks. The Cyber Situation Awareness (CSA) system can recognize patterns within the network and generate corresponding events. The Physical Situation Awareness (PSA) system can be integrated with existing sensors and legacy systems in the CI to collect meaningful data and combine them with information received from newly developed modules that implement drone detection and video analytics. Both the CSA and the PSA generate an alarm when cyber/physical threats are detected. The Hybrid Situation Awareness (HSA) system uses a digital twin of the related CIs to correlate the received alarms and estimate the cascading effects on own and related CIs. This information is processed in the Coordinated Response (CR) system which suggests an effective response to the threat, allowing notifications and information sharing through multiple channels.

Figure 13.1 highlights the flow of information between the aforementioned components. The HSA receives events and alerts generated by the PSA and CSA. The CR receives alerts from all components and generates relevant security incidents and proper notifications to operators and first responders, while it recommends mitigation actions.

Fig. 13.1 PRAETORIAN platform. Block diagram with four components (Cyber Situation Awareness, Physical Situation Awareness, Hybrid Situation Awareness, and Coordinated Response); all blocks are connected to the Coordinated Response.

The framework for developing this solution is largely based on the idea of interoperability of systems and components (which also allows focusing on scalability and replicability), therefore the PRAETORIAN back end relies on the Interoperability Platform (IOP) that interconnects all the elements, allowing: (i) the exchange of information between all the systems and modules, (ii) the storage of information, and (iii) avoiding the duplication of data between modules, the replication of changes, and possible inconsistencies. In this way, data is provided for the entire platform that can be processed and retrieved to offer useful and usable information for all its users, and therefore serving as a data-sharing infrastructure for all PRAETORIAN components.

The IOP offers a variety of connectivity methods, including RESTful Application Programming Interface (API), Datagram Delivery Protocol (DDP), and Advanced Message Queuing Protocol (AMQP). Regarding the front end, the main PRAETORIAN Human Machine Interface (HMI) is the CR. However, each of the other systems (i.e., PSA, CSA, and HSA) provides its own user-friendly HMI, tailored to the needs of CI operators.

The following subsections describe the PRAETORIAN components, focusing on the features and the added value that they provide compared to the typical legacy systems. A detailed description of the modules and subcomponents of each system can be found in [4].

Creating Situation Awareness

Three PRAETORIAN systems have been developed to create Situation Awareness: the Physical Situation Awareness (PSA) System, the Cyber Situation Awareness (CSA) System, and the Hybrid Situation Awareness (HSA).

The PSA system focuses on the monitoring and control of critical areas. It receives and processes information from sensors and detection systems, such as the Video Analytics and Anomaly Behavior tools for intrusion detection and threat identification, and the Drone Detection system. It detects possible physical threats, generates the corresponding detection events that can be analyzed by the operator, and offers both real-time information and an incident history for later analysis. Moreover, the PSA forwards alarms to the HSA to enable their correlation with the cyber events for the prediction of cascading effects.

The PSA HMI is the graphical interface providing the user with the sought-after situational awareness, allowing the operator to know the status of the asset to be protected in a realistic, precise, and up-to-date way. The tool is capable of displaying 3D models so that the operator has a clear idea of the exact location of each element. In buildings, for example, the sensors are represented at their actual height.

Figure 13.2 shows an example of the PSA map view. The icons represent the location of sensors, cameras, and agents. The operator can, at any moment, retrieve real-time measurements or access the streaming or recordings from cameras. Furthermore, unmanned vehicles are also represented on the map using 3D models, colored green if they are assets of the CI, or red if they are not recognized as part of the system.

Fig. 13.2 The PSA map view. A 3D map showing a surveillance drone, cameras, and several agents.

The CSA system aims to improve the cyber situation awareness of the CI operator and to forward cyber events to the HSA to enable their correlation with the physical events for the prediction of cascading effects. The CSA has been implemented based on the development of Cybersecurity Digital Twins (CDT), which mimic some Critical Infrastructure’s Operational Technology (OT) and Information Technology (IT) systems. The CDTs are designed so as not to interfere with the CI’s real operational systems during the verification, validation, and demonstration activities. Cyber Assessment Tools (CAT) are used to simulate additional legitimate traffic, launch attacks, and collect cybersecurity logs. Finally, a Cyber Forecaster Engine (CFE) can forecast the end goal of the attacker.

The CSA HMI provides various visualization options to represent assets, alarms, detections, and attack goals, as predicted by the CFE. Figure 13.3 shows a timeline representation of attacks, showing the relation between the detections and the corresponding alerts. The timeline visualization integrates the time dimension in the overall cyber perspective and allows for aggregating, in the same view, primary assets, supporting assets, detections, and alerts. In this kind of visualization, the operator can identify which detections triggered which alerts, when both detections and alerts appeared, and how long they lasted over their life cycle. Primary assets are usually information or business processes, while supporting assets can be hardware, software, and human resources [5].

Fig. 13.3 CSA HMI: visualization of timeline. Screenshot of the CSA HMI timeline listing attack techniques such as phishing, exploitation for client execution, account discovery, video capture, exfiltration over web service, supply chain compromise, BITS jobs, protocol, and data manipulation.

Finally, the Hybrid Situation Awareness (HSA) system provides CI operators with accurate forecasts of potential cyber and physical consequences at the facilities, given any kind of physical or cyber alert detected by the PSA and the CSA, respectively. Figure 13.4 reflects that the physical and cyber domains cannot be understood and treated independently, since an attack on either dimension may also have significant consequences in the other. Moreover, the HSA is able to calculate and show the cascading effects of attacks not only on a particular CI, but also on interrelated CIs.

Fig. 13.4 Physical and cyber domains interdependency. Diagram of the HSA system with three layers (cyber, hybrid, and physical domains); the hybrid and physical domains are fully connected. (Source: PRAETORIAN D5.3 “HSA system Development and Functional Validation Report”)

The HSA back end includes two systems: the Generic Digital Twin (GDT), which models the relevant CI assets with their inter- and intra-relationships, and the Threat Propagation Engine (TPE), which simulates the consequences of incoming alerts, including cascading effects.

The GDT consists of a graph-based representation in which the nodes represent the critical assets of the CIs and the edges represent the dependencies among these assets. Each asset has a state which may change due to a physical or cyber event (e.g., fire, cyberattack), as detected by the PSA or the CSA, respectively. When the state of a node changes, a notification is sent to each adjacent node, which may itself react to the incoming notification, change its state, and, in turn, inform its own adjacent nodes. GDT models can be created within a CI, to calculate cascading effects between assets of that particular CI, as well as across different CIs, to calculate the cascading effects between them.

Based on the GDT, the Threat Propagation Engine (TPE) describes the direct and indirect consequences of alerts generated by the PSA and the CSA, over time. In particular, for each alert forwarded to the HSA, the TPE is triggered and a set of interdependent threat propagation simulations is run. The simulation results are used to estimate the potential consequences of the threat on the overall network of interconnected CIs. The output of the TPE is a prediction of the propagation of the cascading effects, which is displayed on the HSA HMI.
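The following is an added example, not PRAETORIAN's own GDT or TPE code: a toy dependency graph in the spirit of the GDT description above, with the neighbour-notification propagation described for the HSA carried out over it. Asset names, dependency weights, the 0.1 propagation threshold and the colour bands are constructed assumptions; the point is to show how a single alert on one asset fans out across a CI and into a dependent CI, and why a cut-off is needed for the propagation to terminate.

```python
"""Added example (not PRAETORIAN code): a toy Generic Digital Twin (GDT)
and threat propagation over it. Assets, weights and thresholds are
constructed for illustration."""
from collections import deque

# Edge (src, dst, weight): dst depends on src; weight (0..1) is the fraction
# of src's impact that reaches dst. Constructed sample spanning two CIs.
GDT_EDGES = [
    ("plant.scada", "plant.turbine", 0.95),
    ("plant.scada", "port.substation", 0.6),   # cross-CI link: plant -> port
    ("port.substation", "port.crane_control", 0.9),
    ("port.substation", "port.lighting", 0.8),
    ("port.crane_control", "port.terminal_ops", 0.7),
    ("port.lighting", "port.terminal_ops", 0.3),
    ("port.terminal_ops", "region.road_traffic", 0.5),
]


def build_graph(edges):
    """Adjacency list: node -> [(dependent, weight), ...]."""
    graph = {}
    for src, dst, w in edges:
        graph.setdefault(src, []).append((dst, w))
        graph.setdefault(dst, [])
    return graph


def propagate(graph, initial, threshold=0.1):
    """Breadth-first notification. A node whose impact changes informs its
    dependents; each dependent keeps max(current, impact * weight) and
    notifies onward only if it actually changed. Impacts below `threshold`
    are dropped, so the loop terminates even on cyclic graphs (weights <= 1)."""
    impact = {node: 0.0 for node in graph}
    queue = deque()
    for node, level in initial.items():
        impact[node] = level
        queue.append(node)
    while queue:
        node = queue.popleft()
        for dep, w in graph[node]:
            new_level = impact[node] * w
            if new_level >= threshold and new_level > impact[dep]:
                impact[dep] = new_level
                queue.append(dep)
    return impact


def impact_band(level):
    """Colour band as an HMI might show it (constructed cut-offs)."""
    if level >= 0.7:
        return "red"
    if level >= 0.4:
        return "orange"
    if level >= 0.1:
        return "yellow"
    return "green"


def simulate(alert_asset, severity, edges=GDT_EDGES, threshold=0.1):
    """One TPE-style run: alert on `alert_asset` with impact `severity` (0..1).
    Returns {asset: (impact rounded to 3 places, band)} for affected assets."""
    graph = build_graph(edges)
    impact = propagate(graph, {alert_asset: severity}, threshold)
    return {n: (round(v, 3), impact_band(v)) for n, v in impact.items() if v > 0}


if __name__ == "__main__":
    for asset, (level, band) in sorted(simulate("plant.scada", 1.0).items()):
        print(f"{asset:24s} {level:5.3f} {band}")
```

With a full-severity alert on the plant SCADA, the example reports the port substation at 0.6 and the road traffic node at 0.189 (the larger of the two paths into terminal operations is kept). A 0.5 alert on the port lighting alone never reaches the road traffic node because the delivered impact (0.075) falls under the cut-off.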

The front end has two HMIs, designed to be reactive, i.e., to display new elements received from the back end without user intervention. One shows the cascading effects (HSA HMI) and the other shows the model of the CIs and the status of their assets (Synoptic Live Diagram, SLD HMI).

The HSA HMI shows on a map the predicted cascading effects, as calculated by the TPE simulations (Fig. 13.5). A graph-based representation is used, in which each node corresponds to a cyber or physical asset of a CI and each link corresponds to an interdependency. Different colors in each node indicate the corresponding impact of the threat (i.e., the degree to which the asset was affected). The SLD HMI, on the other hand, allows the design of 3D diagrams and the linking of their elements with the data in the back end, as well as monitoring the status of the data in near real time (Fig. 13.6).

Fig. 13.5 PRAETORIAN HSA HMI: cascading effects visualization. Aerial map view of the HSA HMI representing an emergency management system with several critical infrastructures; the emergency system is centralized.

Fig. 13.6 Cascading effects displayed by the Synoptic Live Diagram. 3D block diagram showing the power plant and port area connected to regional authorities.

Providing Coordinated Response

The main CR module is the Decision Support System (DSS). It acts as a hub, as it collects all alerts and events generated by the PSA, CSA, and HSA. Through a set of predefined rules, the DSS generates events (i.e., information potentially useful to operators) and security incidents (i.e., information that may require immediate action by operators), as can be seen in Fig. 13.7.

Fig. 13.7 The PRAETORIAN DSS interface. Screenshot of a table with the columns level, label, type, system, description, open, category, created, and options.

The rules determine under which condition an event generated in the PSA, CSA or HSA will trigger the generation of a security incident, or when the DSS will trigger another module (e.g., in case of a mitigation action).

The DSS allows the CI operator to get real-time information about an incident and decide on a possible mitigation action. If the proper rule is configured in the system, the mitigation action may be launched automatically, thus saving time and ensuring a rapid response. This is the case, for example, for drone detection and the corresponding countermeasures: both systems have been integrated in PRAETORIAN. Any incident originating in the cyber domain, the physical domain, or a combination of the two, due to an anomalous reading or a suspicious detection, is captured by the DSS in order to keep the personnel informed at all times. Furthermore, thanks to the HSA, the DSS can anticipate possibly affected assets and cascading effects and report them. The system aims, through configuration and prior knowledge, to anticipate any incident and report it as soon as possible.

Once an incident has been created in the system, other operators can be notified in a variety of ways, including email, SMS or through a chat application, all of which are configurable through the notifiers page of the DSS.
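The following is an added example, not PRAETORIAN's DSS code: a minimal rule-driven decision support loop in the spirit of the three paragraphs above. Alerts from the PSA, CSA and HSA are matched against predefined rules; each rule decides whether the alert becomes an event or a security incident, may name a module to trigger (the drone countermeasure case), and incidents are handed to configurable notifiers. The alert fields, rule names, the countermeasure hook and the notifier are constructed assumptions.

```python
"""Added example (not PRAETORIAN code): a rule-driven Decision Support
System. Alert schema, rules, mitigation hook and notifier are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Alert:
    system: str      # "PSA", "CSA" or "HSA" (constructed values)
    kind: str        # e.g. "drone_detected", "malware_detected", "cascade_forecast"
    severity: int    # 1 (low) .. 5 (critical)
    asset: str
    details: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    match: Callable[[Alert], bool]
    outcome: str                      # "event" (informational) or "incident" (needs action)
    mitigation: Optional[str] = None  # module to trigger automatically, if any


# Constructed rule set: first matching rule wins, so specific rules come first.
RULES: List[Rule] = [
    Rule("unknown-drone",
         lambda a: a.system == "PSA" and a.kind == "drone_detected"
         and not a.details.get("friendly", False),
         "incident", mitigation="drone_countermeasure"),
    Rule("known-drone",
         lambda a: a.system == "PSA" and a.kind == "drone_detected"
         and a.details.get("friendly", False),
         "event"),
    Rule("cyber-critical", lambda a: a.system == "CSA" and a.severity >= 4, "incident"),
    Rule("cascade-forecast",
         lambda a: a.system == "HSA" and a.kind == "cascade_forecast", "incident"),
]


class DecisionSupportSystem:
    def __init__(self, rules: List[Rule],
                 mitigations: Dict[str, Callable[[Alert], str]],
                 notifiers: List[Callable[[dict], None]]):
        self.rules = rules
        self.mitigations = mitigations   # module name -> action; returns a log line
        self.notifiers = notifiers       # called for every incident (email, SMS, chat ...)
        self.events: List[dict] = []
        self.incidents: List[dict] = []
        self.actions: List[str] = []

    def ingest(self, alert: Alert) -> Optional[str]:
        """Route one alert; returns the name of the rule applied (None if unmatched).
        Unmatched alerts are still kept as events so nothing is silently dropped."""
        for rule in self.rules:
            if rule.match(alert):
                record = {"rule": rule.name, "system": alert.system,
                          "asset": alert.asset, "severity": alert.severity}
                if rule.outcome == "incident":
                    self.incidents.append(record)
                    for notify in self.notifiers:
                        notify(record)
                else:
                    self.events.append(record)
                if rule.mitigation and rule.mitigation in self.mitigations:
                    self.actions.append(self.mitigations[rule.mitigation](alert))
                return rule.name
        self.events.append({"rule": None, "system": alert.system,
                            "asset": alert.asset, "severity": alert.severity})
        return None


def run_sample() -> DecisionSupportSystem:
    """Feed a constructed batch of alerts through the DSS and return it."""
    sent: List[str] = []
    dss = DecisionSupportSystem(
        RULES,
        {"drone_countermeasure": lambda a: f"countermeasure dispatched to {a.asset}"},
        [lambda rec: sent.append(f"notify: {rec['rule']} at {rec['asset']}")],
    )
    for alert in [
        Alert("PSA", "drone_detected", 3, "port.gate", {"friendly": False}),
        Alert("PSA", "drone_detected", 1, "port.yard", {"friendly": True}),
        Alert("CSA", "port_scan", 2, "plant.hmi01"),        # unmatched -> plain event
        Alert("HSA", "cascade_forecast", 4, "port.substation"),
    ]:
        dss.ingest(alert)
    dss.sent = sent  # keep the notifier output for inspection
    return dss


if __name__ == "__main__":
    d = run_sample()
    print("incidents:", d.incidents)
    print("events:", d.events)
    print("actions:", d.actions, "notifications:", d.sent)
```

Rule order matters: the two drone rules differ only in the `friendly` flag, and putting the "incident" rule first means a missing flag defaults to the safer outcome. The low-severity CSA alert matches no rule and is recorded as a plain event, which is the behaviour an operator would want when tuning rules.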

PRAETORIAN is able not only to detect possible threats from the physical and cyber domains and generate the corresponding incidents, but also to analyze “weak signals” from different sources. This is the case for the Social Media Security Threat Detection (SMSTD) module [6], which utilizes text crawling techniques in order to monitor the entirety of the global Twitter stream and discern tweets that are potentially critical to the security of the CI, including tweets that mention data leaks, new vulnerabilities, and cyberattacks.

Moreover, another module provides a real-time feed of Twitter posts by the public during a crisis. The tool relies on machine learning techniques and identifies relevant, informative-only tweets, which can enhance the operator’s situational awareness during a crisis.

Communicating and Sharing Information

The PRAETORIAN system provides several mechanisms for the effective communication between operators and first responders, through the Information Sharing & Communication with FRs (ISC-FR) module [6]. It gathers information available on the PRAETORIAN platform and discerns the parts that are relevant for each type of first responder, for a particular incident type.

PRAETORIAN also supports the creation of EU-Alerts [7] to notify the population near the CI in case of an incident. Through the Emergency Population Warning System (EPWS) tool, the CI operators can select an area around the incident. After selecting a message from existing templates, the operator can potentially edit the message and send it to the cell phones of the population in the area. As shown in Fig. 13.8, a colored grid on the map indicates the number of cell phones in the area, which can be used to provide a rough estimation of the number of people and their distribution in the area of the incident.

Fig. 13.8 EPWS tool and generation of EU-Alert. 3D view of the EPWS tool with an alert containing category, message, initial count, and area fragment.

Finally, PRAETORIAN offers connectivity with Twitter through the Integration with Social Media (IWSM) modules [6]. It offers a number of tweet templates that allow CI operators to generate messages for the public and share them on the social media platform with the press of a button.

PRAETORIAN in the Context of Resilience of CIs

PRAETORIAN focuses on the interoperability of CIs’ legacy systems together with novel systems and sensors, aiming at improving the capability of CI security managers to prepare and apply in practice the Resilience Plan requested by the CER Directive. This means taking technical, security, and organizational measures. Moreover, PRAETORIAN also allows the integration of additional information sources, such as signals from social media, agencies, or any other open sources. Social media is indeed a valuable source of information during emergency situations, since it can be used to further improve the situation awareness of First Responders and rescue teams so they can act more effectively.

PRAETORIAN is also aligned with the Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure [8], which aims at maximizing and accelerating the work to protect critical infrastructure in three priority areas: preparedness, response, and international cooperation. Three of the four PRAETORIAN systems enhance situational awareness, by means of threat detection and creation of alarms on the one hand, and by correlating multiple signals in order to understand the threat propagation on the other (“preparedness”). The remaining system focuses on the “response,” based on a Decision Support System providing automated reaction to the detected threat and promoting a unified response by the CIs that limits harm and the extent of damage and maintains business continuity. The last aspect to consider is “international cooperation,” and in that sense PRAETORIAN has explored mechanisms that can be used by CI operators to share information about incidents. This is a relevant but difficult area to implement: while CI managers have to decide on the nature and quantity of the information to be shared, given its sensitivity, the new regulations promote cooperation among different actors (public sector, public-private entities). This can only be achieved when this process is envisaged as part of the strategy for enhancing the resilience of critical entities, which will have to be defined by Member States.

Conclusions

The PRAETORIAN framework is a significant contribution to addressing the challenges of CI protection from combined cyber and physical attacks. It provides an advanced toolset which can be customized to the requirements of each particular type of CI. It places particular emphasis on the prediction of the cascading effects of attacks and on the impact of these effects on interdependent CIs. Finally, it provides user-friendly interfaces for effective use by the CI operators. The toolset is designed and developed to focus on the resilience of critical infrastructures, which is defined by the CER Directive as “a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from an incident.”