PRAETORIAN: A Framework for the Protection of Critical Infrastructures from advanced Combined Cyber and Physical Threats
Lazaros Papadopoulos, Antonios Karteris, Dimitrios Soudris ({lpapadop,akarteris,dsoudris}@microlab.ntua.gr), National Technical University of Athens, Greece
Eva Muñoz-Navarro, Juan José Hernández-Montesinos ({emunoz,jhernandez}.etraid@grupoetra.com), ETRA Investigación y Desarrollo, Spain
Stephane Paul, Nicolas Museux ({stephane.paul,nicolas.museux}@thalesgroup.com), THALES Research and Technology, France
Sandra König, Manuel Egger, Stefan Schauer ({sandra.koenig,manuel.egger,stefan.schauer}@ait.ac.at), Austrian Institute of Technology
Javier Hingant Gómez (jahingme@upvnet.upv.es), Universitat Politècnica de València, Spain
Tamara Hadjina (tamara.hadjina@koncar.hr), Koncar Digital, Croatia

ABSTRACT
Combined cyber and physical attacks on Critical Infrastructures (CIs) have disastrous consequences for economies and for social well-being. Protection and resilience of CIs under combined attacks is challenging due to their complexity, their reliance on ICT systems and the interdependences between different types of CIs. The PRAETORIAN framework was designed to address these challenges by integrating components responsible for detecting both cyber and physical threats. Additionally, it forecasts how combined attacks will evolve and their cascading effects on interdependent CIs. The PRAETORIAN framework was demonstrated in a realistic scenario at Zagreb airport, combining physical and cyber attacks.

CCS CONCEPTS
• Security and privacy → Intrusion/anomaly detection and malware mitigation; Systems security.

KEYWORDS
Physical threats, Cyber threats, Critical Infrastructure Protection, Decision Support System, Security

ACM Reference Format:
Lazaros Papadopoulos, Antonios Karteris, Dimitrios Soudris, Eva Muñoz-Navarro, Juan José Hernández-Montesinos, Stephane Paul, Nicolas Museux, Sandra König, Manuel Egger, Stefan Schauer, Javier Hingant Gómez, and Tamara Hadjina. 2023. PRAETORIAN: A Framework for the Protection of Critical Infrastructures from advanced Combined Cyber and Physical Threats. In The 18th International Conference on Availability, Reliability and Security (ARES 2023), August 29–September 01, 2023, Benevento, Italy. ACM, New York, NY, USA, 6 pages. https://doi.org/10.1145/3600160.3605030

This work is licensed under a Creative Commons Attribution International 4.0 License.
ARES 2023, August 29–September 01, 2023, Benevento, Italy
© 2023 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0772-8/23/08.
https://doi.org/10.1145/3600160.3605030

1 INTRODUCTION
Combined cyber and physical attacks on Critical Infrastructures (CIs) have a major impact, not only on the owners and operators of these CIs, but also on their customers and suppliers. People in the vicinity of the attacked CIs, as well as neighboring and interrelated CIs, are also affected, leading to widespread and often massive damage in various sectors of the economy and in social well-being.

There are many reasons why combined cyber and physical attacks on CIs are expected to become more common. To mention just a few: there is a proliferation of industrial control system malware, while industry and CIs increasingly rely on ICT systems. Additionally, industrial control system networks are notoriously difficult to secure, while cyber criminals have a proven business model. The impact of a coordinated physical attack, a deliberate (cyber) disruption of critical automation systems, a natural hazard or even a combined scenario including several kinds of attacks can have disastrous consequences for the economy and for social well-being in general.

Therefore, there is a need for methodologies and tools that meet the needs of CI operators in addressing the security challenges of combined attacks. These tools should extend the capabilities of typical legacy security systems for detecting various types of threats and enable a successful coordinated response to attacks. Also, they should be effective against combined attacks including both physical and cyber threats. Finally, since no CI exists and operates in isolation, the cascading effects of an attack on a single CI to others should be identified and addressed. There are several state-of-the-art frameworks which are designed to support CI operators in the anticipation and the mitigation of a combined physical and cyber attack. However, most of them are tailored to specific types of CIs, such as healthcare [1], transportation [8][2], or telecommunications [3].

The PRAETORIAN framework was designed to address the above challenges [9]. It was developed in the context of the PRAETORIAN H2020 EU-funded project. The framework targets CI operators and is an integrated toolset that allows cooperative communication and effective preventive and mitigation actions among interrelated CIs, before and during emergencies. In contrast to other frameworks, PRAETORIAN was designed to be more flexible and scalable, with features that allow it to be adapted to different types of CIs.

This paper is an overview of the PRAETORIAN system. It describes each PRAETORIAN component and the data flow between them. Also, it explains how each component can be used by the operator and its added value in the detection and mitigation of combined (i.e. cyber and physical) attacks.

The rest of the paper is organized as follows: Section 2 describes each PRAETORIAN component: the cyber, the physical and the hybrid situation awareness, and the coordinated response. Section 3 explains how PRAETORIAN was demonstrated in a realistic scenario combining cyber and physical attacks on an airport and a medical laboratory. Finally, in Section 4 we draw conclusions.

2 THE PRAETORIAN FRAMEWORK
Figure 1 shows the main components of the PRAETORIAN framework:
• The Physical Situation Awareness system (PSA) receives and processes information from sensors and other IoT devices, such as object tracking devices and UAVs, and generates alarms when intrusion or hostile activity is detected in the physical domain of a CI.
• The Cyber Situation Awareness system (CSA) is responsible for detecting threats in the cyber domain of the CIs. It relies on novel tools, such as the Cyber Forecaster Engine, which complement existing well-established cyber-security technologies.
• The Hybrid Situation Awareness system (HSA) analyzes events, predicts how attacks will evolve and calculates the cascading effects of attacks within the same CI and between different CIs.
• The Coordinated Response system (CR) integrates information from all other components, generates security incidents which trigger relevant notifications, and recommends mitigation actions. Finally, it integrates various tools to further support effective response, enable efficient information sharing with first responders, increase situation awareness based on social media and support the interaction with drone neutralization systems.

Figure 1: Overview of the PRAETORIAN framework

Figure 1 also highlights the flow of information between the aforementioned components. The HSA receives events and alerts generated by the PSA and CSA. The CR receives alerts from all components and generates relevant security incidents and proper notifications to operators and first responders, while it recommends mitigation actions.

The PRAETORIAN framework back-end is based on the InterOperability Platform (IOP), a database in which the generated data are stored and retrieved. It serves as a data sharing infrastructure for all PRAETORIAN components. It offers a variety of connectivity methods, including a RESTful Application Programming Interface (API), the Datagram Delivery Protocol (DDP) [4] and the Advanced Message Queuing Protocol (AMQP) [6]. On the front-end side, the main PRAETORIAN HMI is the CR. However, each component (i.e. PSA, CSA and HSA) provides a user-friendly HMI, tailored to the needs of CI operators.

The following subsections give a detailed description of each PRAETORIAN component, focusing on the features and the added value that each one provides compared to typical legacy systems.

2.1 Physical Situation Awareness
The role of the Physical Situation Awareness system (PSA) is to collect and display information gathered from the physical domain, and particularly from the various sensors installed in the area of the CI under study.

The PSA stores and retrieves data from the IOP through the DDP. The main front-end is the PSA HMI, which consists of the following sections:
• Map, which is the central PSA HMI and shows the earth globe with the different items (assets, agents, etc.) placed on it (Figure 2). It provides many features which allow CI operators to improve situation awareness with regard to the physical domain of CIs.
• Scenes, which are used to define the areas of CIs on the map.
• Cameras, which allows operators to watch and manage the camera streams.
• Chat (i.e. a chat application integrated in the PSA), which enables bidirectional communication between different teams, as well as the exchange of files, such as videos.

Figure 2 shows an example of the PSA map view for a port CI. Sensors in the area of the port are represented as icons on the map. They are green by default. However, they can be configured so that their color changes depending on the measured value. As an example, a sound sensor may change color when the sound of a drone is detected (this is the case for the sound sensor shown in orange in Figure 2).

On the PSA HMI, CI operators can watch real-time sensor measurements and video streams. Unmanned vehicles are also visible on the map. They are shown as 3D models and they leave a trail on the map when they move. Additionally, the PSA integrates the IDEMIA Augmented Vision Platform [5]. Examples of its capabilities are the automatic detection of potential physical threats, such as intrusion detection and suspicious behavior, as well as face recognition and object classification.

The PSA map HMI displays ongoing security incidents. In the context of PRAETORIAN, incidents are defined as events which may require immediate action by CI operators (e.g. smoke/fire or unauthorized drone detection). By clicking on an incident located on the map, operators can view its details. For example, when the incident is the detection of an unauthorized drone, clicking on it will show the live video stream of the camera that has detected it.

Finally, the PSA supports the creation of Emergency Population Warning System (EPWS) EU alerts. Operators can select an area around the incident. After selecting a message from existing templates, the operator can optionally edit the message and send it to the cell phones of the population in the area. As shown in Figure 3, a colored grid on the map indicates the number of cell phones in the area, which can be used to provide a rough estimate of the number of people and their distribution in the area of the incident.

Figure 2: An instance of the PSA map view. The monitored values of each sensor are shown in real time.

Figure 3: An example of an EPWS alert sent through the PRAETORIAN PSA

2.2 Cyber Situation Awareness
The main goals of the CSA component are (i) to improve the cyber situation awareness of the CI operator and (ii) to forward cyber events to the HSA and enable their correlation with physical events for the prediction of cascading effects.

The CSA was designed to address limitations of existing Security Information and Event Management (SIEM) tools. Its main innovative element is its forecasting feature: it is capable of forecasting the end goal of an attacker based on the first detected activities of that attacker.

For this purpose, the CSA relies on Digital Twins and simulators mimicking the cyber domain of CIs, on Cyber Assessment Tools (CAT) to simulate additional legitimate traffic, launch attacks and collect cybersecurity logs, and on the Cyber Forecaster Engine (CFE) to forecast the end goal of the attacker.

The CFE addresses shortcomings of cybersecurity sensors and SIEM tools, such as the fact that SIEM tools rely only on CI-agnostic Indicators of Compromise (IoC), without any relation to business or operational impact. Thus, they lead either to false-positive cyber alarms or to late cyber-security incident generation. Additionally, stealthy Advanced Persistent Threats (APT), which develop over weeks or months, may be detected only too late, due to the lack of information transmission between operators working on different shifts.

The CFE addresses these limitations as follows. It relies on CI-specific IoCs, which are based on a risk assessment report for the particular CI. Additionally, it stores cyber events in memory, without time limitations, for as long as they are valid. An event-pattern recognition engine (ERE) uses these observables and, based on a set of rules, recognises the attack activities. A Hypothetical Reasoning Engine (HRE) predicts the possible next steps of the attacker, generates alerts based on the risk assessment report and provides explainable predictions to the CI operators.
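To make the ERE/HRE idea concrete, the following is an added example written for this overview; it is not PRAETORIAN's CFE code. The IoC rules, the two attack paths, the host addresses (an assumed laboratory OT segment 10.20.5.0/24 with a freezer PLC at 10.20.5.10) and the log events are all constructed. The sketch keeps observed activities in memory with no time window, so stages seen on different shifts still correlate, recognises activities from CI-specific rules, and ranks candidate end goals by how much of each attack path has already been observed, returning the evidence behind each forecast so the prediction is explainable:

```python
"""Toy cyber forecaster: event-pattern recognition plus end-goal ranking.

Added example, not PRAETORIAN code. Rules, attack paths and events below
are constructed for a hypothetical laboratory network.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# CI-specific IoC rules: (attack activity, predicate over one parsed event).
# In the CFE these derive from the CI's risk assessment report; here the
# laboratory OT segment is assumed to be 10.20.5.0/24 and the freezer PLC
# 10.20.5.10 (Modbus, TCP/502).
IOC_RULES = [
    ("recon",     lambda e: e["type"] == "portscan" and e["dst"].startswith("10.20.")),
    ("phish",     lambda e: e["type"] == "mail" and e["attachment"].endswith(".docm")),
    ("foothold",  lambda e: e["type"] == "process" and e["name"] == "powershell.exe"
                            and "-enc" in e["cmd"]),
    ("lateral",   lambda e: e["type"] == "auth" and e["service"] == "smb"
                            and e["src"] != e["dst"]),
    ("ot_access", lambda e: e["type"] == "conn" and e["dst"] == "10.20.5.10"
                            and e["dport"] == 502),
    ("exfil",     lambda e: e["type"] == "conn" and e["bytes_out"] > 50_000_000),
]

# Attack paths: ordered activities leading to an attacker end goal (constructed).
ATTACK_PATHS = {
    "freezer_sabotage":  ["recon", "phish", "foothold", "lateral", "ot_access"],
    "sample_data_theft": ["phish", "foothold", "lateral", "exfil"],
}


@dataclass
class Forecast:
    goal: str
    progress: float           # fraction of the path's activities observed
    next_step: str | None     # first activity on the path not yet observed
    evidence: list[str]       # event ids backing the observed activities


class CyberForecaster:
    def __init__(self, rules, paths, alert_threshold=0.5):
        self.rules = rules
        self.paths = paths
        self.alert_threshold = alert_threshold
        # Observed activities are kept for as long as the attack is open, with
        # no time window: a stage seen during one shift still counts days later.
        self.observed: dict[str, list[str]] = defaultdict(list)

    def ingest(self, event: dict) -> list[str]:
        """ERE step: map one event to the activities its IoCs evidence."""
        matched = []
        for activity, predicate in self.rules:
            try:
                hit = predicate(event)
            except KeyError:
                hit = False           # rule refers to a field this event lacks
            if hit:
                self.observed[activity].append(event["id"])
                matched.append(activity)
        return matched

    def forecast(self) -> list[Forecast]:
        """HRE step: rank end goals by the observed share of their attack path."""
        result = []
        for goal, path in self.paths.items():
            seen = [a for a in path if a in self.observed]
            unseen = [a for a in path if a not in self.observed]
            evidence = [eid for a in seen for eid in self.observed[a]]
            result.append(Forecast(goal, len(seen) / len(path),
                                   unseen[0] if unseen else None, evidence))
        return sorted(result, key=lambda f: f.progress, reverse=True)

    def alerts(self) -> list[Forecast]:
        """Goals that have progressed far enough to warrant an alert."""
        return [f for f in self.forecast() if f.progress >= self.alert_threshold]


# Constructed events, deliberately spread over several days and shifts.
SAMPLE_EVENTS = [
    {"id": "e1", "day": 1, "type": "mail", "attachment": "results.docm",
     "src": "ext", "dst": "lab-ws-07"},
    {"id": "e2", "day": 1, "type": "process", "host": "lab-ws-07",
     "name": "powershell.exe", "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAo"},
    {"id": "e3", "day": 4, "type": "auth", "service": "smb",
     "src": "10.20.1.7", "dst": "10.20.1.20"},
    {"id": "e4", "day": 6, "type": "portscan",
     "src": "10.20.1.20", "dst": "10.20.5.0/24"},
]


def run_demo() -> CyberForecaster:
    cfe = CyberForecaster(IOC_RULES, ATTACK_PATHS)
    for event in SAMPLE_EVENTS:
        cfe.ingest(event)
    for f in cfe.alerts():
        print(f"{f.goal}: {f.progress:.0%} observed, next expected step "
              f"{f.next_step}, evidence {f.evidence}")
    return cfe


if __name__ == "__main__":
    run_demo()
```

With the four constructed events, both goals pass the alert threshold: freezer sabotage at 80% with the OT access to the PLC as the predicted next step, data theft at 75% with exfiltration next. The six-day spread between the phishing mail and the port scan is the point: a window-based SIEM correlation would have dropped the early stages before the later ones arrived.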
These alerts are forwarded to the HSA and CR for calculating cascading effects, generating security incidents and notifications, and recommending mitigation actions.

The CSA HMI provides various visualization options to represent assets, alarms, detections and attack goals, as predicted by the CFE. An example is shown in Figure 4. Other visualizations include tree map, radial, force graph, etc. Some examples are shown in Figure 5. Additionally, it provides a timeline representation of attacks, showing the relation between the detections and the corresponding alerts.

Figure 4: An example of the CSA HMI. Assets, detections, alerts and attack goals are shown with different colors.

Figure 5: Alternative CSA representations. Different colors are used to distinguish between the primary and secondary assets, as well as the end goal of the attacker.

2.3 Hybrid Situation Awareness
The main goal of the PRAETORIAN Hybrid Situation Awareness (HSA) component is to provide CI operators with accurate forecasts of the potential cyber and physical consequences at the facilities, given any kind of physical or cyber alert detected by the PSA and the CSA respectively. It calculates the cascading effects of attacks on CIs, both within the particular CI and on interrelated CIs.

The main components of the HSA are the following:
• A Generic Digital Twin (GDT)
• A Threat Propagation Engine (TPE)
• The Hybrid Situation Awareness HMI

Figure 6: Schematic illustration of the overall concept of the Generic Digital Twin

Figure 7: An example of TPE output, as displayed on the HSA HMI. The different colors indicate the state of each asset or CI (i.e. the degree by which it is affected).

Figure 8: The rules interface of the DSS. The rules determine under which condition an event generated in the PSA, CSA or HSA will trigger the generation of a security incident. Additionally, they determine when the DSS will trigger another module (e.g. the drone neutralization module, when an "unauthorized drone detected" type of incident is created).

The GDT is an abstract representation of the entire network of CIs. It includes the cyber and the physical digital twin of the CI, but also inter-domain knowledge. Figure 6 shows how information from the physical and the cyber digital twins is incorporated in the GDT. Not every physical or cyber asset, nor every characteristic of each asset, is represented in the GDT. Instead, the GDT includes the most relevant ones, as well as those that describe similar concepts among different types of CIs. Thus, the GDT adapts to the specific characteristics of the different types of CIs and their internal and external interdependencies, in order to be able to model the operational states of every critical asset. Dependencies between cyber and physical components are added where relevant for the analysis, e.g., encrypted data is connected to a server.

The GDT consists of a graph-based representation. The nodes represent the critical entities of the CIs, as modelled in the individual digital twins, and the edges represent the dependencies among these assets. Each asset has a state, representing (i) Functionality (normal, reduced, not working), (ii) Availability (normal, interrupted, not available) or (iii) Damage (no, some, failure), depending on the type of asset.

The granularity of the models is configurable: models can be created within a CI, to calculate cascading effects between assets of the particular CI, as well as between different CIs, for calculating the cascading effects between them. Also, the system can be decentralized or centralized: for example, in some countries 112 may act as a central authority, which may be responsible for informing the affected CIs about, for example, calculated cascading effects. Depending on protocols and legislation, in other cases one CI may directly inform another CI about the cascading effects of ongoing incidents.

The state may change due to a cyber or physical event, as detected by the PSA or the CSA respectively (e.g., fire, cyber-attack, etc.). When the state of a node changes, a notification is sent to each adjacent node. Then, the adjacent nodes may themselves react to the incoming notification. They may change their state and, in turn, inform their own adjacent nodes. Thus, the GDT models the cascading effects within a CI and between different interconnected CIs.
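The notification-and-reaction mechanism just described is easy to get wrong (a node that re-notifies on every message, or one that is allowed to recover mid-simulation, will not terminate), so here is an added example of it, written for this overview and not the HSA's own GDT/TPE implementation. It collapses the three state axes into the functionality axis (normal, reduced, not working) and assumes two edge coupling strengths, "hard" (the dependent follows its provider) and "soft" (the dependent degrades one level less, e.g. because it has a UPS or generator); the coupling strengths, the asset names and the dependencies spanning a grid, an airport and a laboratory are this example's constructions, not GDT features. States only ever worsen during one simulation, which is what guarantees the worklist empties:

```python
"""Toy Generic Digital Twin with a threat-propagation walk over it.

Added example, not PRAETORIAN code. Assets, dependencies and the
"hard"/"soft" coupling are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# One state axis (functionality); availability and damage work the same way.
LEVELS = ["normal", "reduced", "not_working"]


@dataclass
class Asset:
    name: str
    ci: str
    domain: str               # "cyber" or "physical"
    state: str = "normal"


@dataclass
class Step:
    asset: str
    old: str
    new: str
    cause: str                # what notified this node


class GenericDigitalTwin:
    def __init__(self):
        self.assets: dict[str, Asset] = {}
        # provider -> [(dependent, coupling)]; "hard": dependent follows the
        # provider's state, "soft": dependent degrades one level less.
        self.dependents: dict[str, list[tuple[str, str]]] = defaultdict(list)

    def add_asset(self, name: str, ci: str, domain: str) -> None:
        self.assets[name] = Asset(name, ci, domain)

    def add_dependency(self, dependent: str, provider: str, coupling: str = "hard") -> None:
        self.dependents[provider].append((dependent, coupling))

    @staticmethod
    def induced_state(provider_state: str, coupling: str) -> str:
        level = LEVELS.index(provider_state)
        if coupling == "soft":
            level = max(0, level - 1)
        return LEVELS[level]

    def propagate(self, asset: str, new_state: str, cause: str) -> list[Step]:
        """TPE-style simulation: apply one alert and follow the notifications
        through the dependency graph until no node changes state."""
        trace: list[Step] = []
        queue = deque([(asset, new_state, cause)])
        while queue:
            name, state, why = queue.popleft()
            node = self.assets[name]
            if LEVELS.index(state) <= LEVELS.index(node.state):
                continue                      # not worse than now: no reaction
            trace.append(Step(name, node.state, state, why))
            node.state = state
            for dep, coupling in self.dependents[name]:
                queue.append((dep, self.induced_state(state, coupling), f"{name} {state}"))
        return trace

    def affected(self) -> dict[str, list[str]]:
        """Per-CI summary, the information a 112 authority or a peer CI would be sent."""
        out: dict[str, list[str]] = defaultdict(list)
        for a in self.assets.values():
            if a.state != "normal":
                out[a.ci].append(f"{a.name}={a.state}")
        return dict(out)


def build_demo_twin() -> GenericDigitalTwin:
    gdt = GenericDigitalTwin()
    for name, ci, domain in [
        ("transformer", "grid", "physical"), ("feeder_a", "grid", "physical"),
        ("runway_lighting", "airport", "physical"), ("baggage_system", "airport", "physical"),
        ("flight_ops", "airport", "physical"),
        ("lab_servers", "lab", "cyber"), ("sample_db", "lab", "cyber"),
    ]:
        gdt.add_asset(name, ci, domain)
    gdt.add_dependency("feeder_a", "transformer")
    gdt.add_dependency("runway_lighting", "feeder_a")
    gdt.add_dependency("baggage_system", "feeder_a", "soft")   # assumed UPS-backed
    gdt.add_dependency("flight_ops", "runway_lighting")
    gdt.add_dependency("lab_servers", "feeder_a", "soft")      # assumed generator-backed
    gdt.add_dependency("sample_db", "lab_servers")            # encrypted data on a server
    return gdt


def run_demo() -> tuple[GenericDigitalTwin, list[Step]]:
    gdt = build_demo_twin()
    trace = gdt.propagate("transformer", "not_working", "PSA alert: fire at substation")
    for s in trace:
        print(f"{s.asset}: {s.old} -> {s.new} (cause: {s.cause})")
    print(gdt.affected())
    return gdt, trace


if __name__ == "__main__":
    run_demo()
```

A physical alert on the grid transformer cascades into both other CIs: runway lighting and flight operations fail outright, the UPS-backed baggage system and the generator-backed lab servers only degrade, and the degradation of the servers reaches the sample database through the cyber-to-physical edge. A later cyber alert that takes the lab servers down entirely re-propagates only the part of the graph that worsens.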
Based on the GDT, the Threat Propagation Engine (TPE) describes the direct and indirect consequences of alerts generated by the PSA and the CSA over time. In particular, for each alert forwarded to the HSA, the TPE is triggered and a set of interdependent threat propagation simulations is run. The simulation results are used to estimate the potential consequences of the threat on the overall network of interconnected CIs. The output of the TPE is a prediction of the propagation of the cascading effects, which is displayed on the HSA HMI.

The HSA HMI displays the predicted cascading effects, as calculated by the TPE simulations, on a map (Figure 7). A graph-based representation is used, in which each node corresponds to a cyber or physical asset of a CI and each link corresponds to an interdependency. Different colors in each node indicate the corresponding impact of the threat (i.e., the degree by which the asset was affected). Other features of the HMI include historical information of simulations for past alerts, filtering options, and step-by-step display of the simulation results.

2.4 Coordinated Response
The main CR module is the Decision Support System (DSS). It acts as a hub, as it collects all alerts and events generated by the PSA, CSA and HSA. Through a set of predefined rules, a sample of which can be seen in Figure 8, the DSS generates events (i.e. information potentially useful to operators) and security incidents (i.e. information that may require immediate action by operators). Once an incident is created, the responsible operators can be notified in a variety of ways, including email, SMS or a chat application, all of which are configurable through the notifiers page of the DSS. Finally, in order to assist the operators in taking the appropriate actions once an incident is generated, the DSS offers a configurable list of recommended mitigation actions that the CI operator can take. The mitigation actions proposed by the PRAETORIAN DSS were obtained through interviews with CI security operators.

Aside from the DSS, the PRAETORIAN system provides more options for effective communication between operators and first responders, through the Information Sharing & Communication with FRs (ISC-FR) module. It relies on the theoretical concept of attribute trees in order to gather all of the information available on the PRAETORIAN platform and discern the parts that are relevant for each type of first responder, for a particular incident type. Subsequently, the module uses the chat application as a channel for bidirectional communication. More details about the ISC-FR module can be found in [7].

Figure 9: A tool for security threat detection in social media. The text of the post is displayed. The keywords and the crawling rules are highlighted in red and yellow, respectively, to provide explainable identifications.

Finally, the CR system offers connectivity with Twitter through the Social Media Security Threat Detection (SMSTD) and Integration with Social Media (IWSM) modules. The SMSTD utilizes text crawling techniques in order to monitor the entirety of the global Twitter stream and discern tweets that are potentially critical to the security of the CI, including tweets that mention data leaks, new vulnerabilities and cyber attacks. A screenshot with an identified tweet indicating a security threat is shown in Figure 9. The module is customizable to the requirements of the type of CI, as it prioritizes posts which are potentially more relevant to the particular CI. The latter module (IWSM) offers a number of tweet templates that allow the CI operators to generate messages for the public and share them on the social media platform with the press of a button. Finally, a third module provides a real-time feed of Twitter posts by the public during a crisis. The tool relies on machine learning techniques and identifies relevant, informative-only tweets which can enhance the operator's situational awareness during a crisis. More details about this module can be found in [7].
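The rule-driven hub the DSS description above outlines (events in, a rule deciding between "event" and "security incident", notifiers fanned out, another module triggered, mitigation actions attached) is shown here as an added example written for this overview; it is not PRAETORIAN's DSS and the rules interface in Figure 8 is not reproduced. The rule set, the notifier and module names, the "first matching rule wins" ordering and the sample events are all constructed; notifiers and the drone neutralization module are stand-ins that return a receipt string instead of sending anything, so the block runs offline. The point it makes is the one that bites in practice: rule order matters, so the specific "unauthorized drone" rule must precede the generic "drone detected is only an event" rule, and a below-threshold CFE forecast must stay an event rather than page the duty officer:

```python
"""Toy Decision Support System: rules turn component events into events or
security incidents, fan out notifications and trigger other modules.

Added example, not PRAETORIAN's DSS. Rules, notifier and module names and
the sample events are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Event:
    source: str        # "PSA", "CSA" or "HSA"
    kind: str
    attrs: dict


@dataclass
class Incident:
    kind: str
    event: Event
    recommended: list[str]                          # mitigation actions offered
    notified: list[str] = field(default_factory=list)
    triggered: list[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]
    incident_kind: str | None                       # None: informative event only
    notify: list[str] = field(default_factory=list)    # notifier names
    trigger: list[str] = field(default_factory=list)   # module names
    actions: list[str] = field(default_factory=list)


class DecisionSupportSystem:
    def __init__(self, rules, notifiers, modules):
        self.rules = rules            # evaluated in order; first match wins
        self.notifiers = notifiers    # name -> callable(Incident) -> receipt
        self.modules = modules        # name -> callable(Incident) -> receipt
        self.events: list[Event] = []
        self.incidents: list[Incident] = []

    def handle(self, event: Event) -> Incident | None:
        self.events.append(event)
        for rule in self.rules:
            if not rule.match(event):
                continue
            if rule.incident_kind is None:
                return None           # kept for operators, no action required
            inc = Incident(rule.incident_kind, event, list(rule.actions))
            inc.notified = [self.notifiers[n](inc) for n in rule.notify]
            inc.triggered = [self.modules[m](inc) for m in rule.trigger]
            self.incidents.append(inc)
            return inc
        return None                   # unmatched: stays a plain event


# Constructed rule set; ordering is significant (specific before generic).
RULES = [
    Rule("unauthorized drone",
         lambda e: e.source == "PSA" and e.kind == "drone_detected"
                   and not e.attrs.get("authorized", False),
         "unauthorized drone detected", notify=["sms", "chat"],
         trigger=["drone_neutralization"],
         actions=["Confirm on the detecting camera stream", "Alert airside security",
                  "Prepare an EPWS alert for the area"]),
    Rule("authorized drone",
         lambda e: e.source == "PSA" and e.kind == "drone_detected", None),
    Rule("intrusion",
         lambda e: e.source == "PSA" and e.kind == "intrusion",
         "intrusion", notify=["email", "chat"],
         actions=["Dispatch a guard to the zone", "Check sample storage inventory"]),
    Rule("attack goal forecast",
         lambda e: e.source == "CSA" and e.kind == "attack_goal_forecast"
                   and e.attrs.get("progress", 0) >= 0.5,
         "cyber attack in progress", notify=["email", "sms"],
         actions=["Isolate the affected primary assets", "Block the predicted next step"]),
    Rule("low-confidence forecast",
         lambda e: e.source == "CSA" and e.kind == "attack_goal_forecast", None),
    Rule("cross-CI cascade",
         lambda e: e.source == "HSA" and e.kind == "cascading_effects"
                   and bool(e.attrs.get("other_cis")),
         "cross-CI cascading effect", notify=["email"],
         actions=["Inform the affected CIs, directly or via the 112 authority"]),
]

# Stand-ins that return a receipt string instead of sending or acting.
NOTIFIERS = {
    "email": lambda inc: f"email:security-ops:{inc.kind}",
    "sms":   lambda inc: f"sms:duty-officer:{inc.kind}",
    "chat":  lambda inc: f"chat:#incidents:{inc.kind}",
}
MODULES = {
    "drone_neutralization": lambda inc: f"neutralize:{inc.event.attrs['track_id']}",
}

SAMPLE_EVENTS = [
    Event("PSA", "drone_detected", {"track_id": "trk-17", "authorized": False}),
    Event("PSA", "drone_detected", {"track_id": "trk-18", "authorized": True}),
    Event("CSA", "attack_goal_forecast", {"goal": "freezer_sabotage", "progress": 0.8}),
    Event("HSA", "cascading_effects", {"origin": "lab", "other_cis": ["airport"]}),
]


def run_demo() -> tuple[DecisionSupportSystem, list[Incident | None]]:
    dss = DecisionSupportSystem(RULES, NOTIFIERS, MODULES)
    results = [dss.handle(e) for e in SAMPLE_EVENTS]
    for inc in dss.incidents:
        print(inc.kind, inc.notified, inc.triggered, inc.recommended)
    return dss, results


if __name__ == "__main__":
    run_demo()
```

Of the four constructed events, three become incidents and the authorized drone stays an event; the unauthorized drone is the only one that triggers a module. Swapping the first two rules would silently downgrade every drone detection to an event, which is the kind of regression a rules interface like the one in Figure 8 needs to guard against.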
3 DEMONSTRATION
The first pilot demonstration of the PRAETORIAN system took place at Zagreb airport in Croatia. It was based on a cross-border scenario involving both the Medical University of Graz in Austria and the airport of Zagreb. The scenario was based on a physical and cyber attack involving bio-terrorism and drone attacks. Around 100 people joined the event either in person or online. The video recording of the demonstration is available on the PRAETORIAN YouTube channel (https://www.youtube.com/watch?v=dBsY-emLehw). During the live demo, all the PRAETORIAN framework components were used by operators of both the laboratory and the airport.

Table 1 summarizes the steps of the demonstration scenario and describes how the operators use the PRAETORIAN tools to address the attack. In particular, the attack consists of an intrusion in the laboratory of the Medical University of Graz, followed by a cyber attack. Then, the terrorist performs an attack at Zagreb airport using a drone armed with a bio-weapon created from the stolen sample. The PRAETORIAN system is used in this scenario (i) to detect the intrusion and predict its cascading effects, (ii) to detect the cyber attack and calculate the final goal of the attacker, (iii) to detect the drone and trigger its neutralization, (iv) to alert the population in various ways and (v) to communicate with the first responders (the Croatian Mountain Rescue Service, in this particular scenario).

Table 1: Summary of demonstration scenario execution

Step 1: An intruder enters the medical laboratory and steals a sample.
  Tools involved: The video analysis platform of the PSA detects the intruder. The operator gets notified about the intrusion incident in the DSS. HSA: the operator sees the cascading effects, i.e. the other CIs affected and the authorities involved. The operator is notified about the cascading effects in the DSS.

Step 2: A cyber attack at the laboratory with a malware.
  Tools involved: CSA: the operator sees the cyber detections and alerts, the primary assets affected and the final goal of the attacker. DSS: a cyber incident is created and the operator gets notified.

Step 3: A terrorist attacks the airport with a drone.
  Tools involved: PSA: the operator sees the location on the map in real time. DSS: the operator is notified about the drone and the DSS triggers its neutralization.

Step 4: Informing the public.
  Tools involved: EPWS: the airport operator sends EU alerts. Integration with social media: the operator posts a message on Twitter about the incident.

Step 5: Involvement of First Responders.
  Tools involved: ISC-FR: the operator dispatches to the FRs information including the location of the neutralized drone and the estimate of the number of people in the area (provided by the EPWS). The communication channel is a chat session: a group including the operator and the First Responders, to enable bidirectional communication.

4 CONCLUSIONS
The PRAETORIAN framework is a significant contribution to addressing the challenges of CI protection from combined cyber and physical attacks. It provides an advanced toolset which can be customized to the requirements of each particular type of CI. It focuses strongly on the prediction of the cascading effects of attacks and on the impact of these effects on interdependent CIs. Finally, it provides user-friendly interfaces for effective use by CI operators.

ACKNOWLEDGMENTS
This work has received funding from the EU H2020 research and innovation programme under grant agreement No 101021274 (PRAETORIAN, https://praetorian-h2020.eu/).

REFERENCES
[1] Elisabetta Biasin. 2020. Healthcare critical infrastructures protection and cybersecurity in the EU: regulatory challenges and opportunities. In Proceedings of the 1st European Cluster for Securing Critical Infrastructures (ECSCI) Virtual Workshop.
[2] Marie-Hélène Bonneau, Laura Petersen, Grigore Havarneanu, and Stephen Crabbe. 2022. SAFETY4RAILS EU project: Protecting railway and metro infrastructure against combined cyber-physical attacks. In World Congress on Railway Research (WCRR) 2022.
[3] Mirjam Fehling-Kaschek, Katja Faist, Natalie Miller, Jörg Finger, Ivo Häring, Marco Carli, Federica Battisti, Rodoula Makri, Giuseppe Celozzi, Giuseppe Amato, et al. 2019. A systematic tabular approach for risk and resilience assessment and improvement in the telecommunication industry. In Proceedings of the 29th European Safety and Reliability Conference (ESREL 2019). Hannover, Germany. 22–26.
[4] Karen Frisa and Steven Waldbusser. 1995. AppleTalk Management Information Base II. RFC 1742. https://doi.org/10.17487/RFC1742
[5] IDEMIA. 2021. Augmented Vision Platform. https://www.idemia.com/wp-content/uploads/2021/01/augmented-vision-platform-idemia-brochure-202102.pdf
[6] ISO/IEC 19464:2014. 2014. Information technology – Advanced Message Queuing Protocol (AMQP) v1.0 specification. Standard. International Organization for Standardization, Geneva, CH.
[7] Antonios Karteris, Georgios Tzanos, Lazaros Papadopoulos, Konstantinos Demestichas, Dimitrios Soudris, Juliette Pauline Philibert, and Carlos López Gómez. 2022. A Methodology for enhancing Emergency Situational Awareness through Social Media. In Proceedings of the 17th International Conference on Availability, Reliability and Security. 1–7.
[8] Corinna Köpke, Louis König, Katja Faist, Mirjam Fehling-Kaschek, Jörg Finger, Alexander Stolz, Kelly Burke, Eftichia Georgiou, Vasiliki Mantzana, I. Chosiotis, et al. n.d. Security and resilience for airport infrastructure. In Proceedings of the 30th European Safety and Reliability Conference and the 15th Probabilistic Safety Assessment and Management Conference. 1191–1198.
[9] PRAETORIAN. 2021. Horizon2020 Project. https://praetorian-h2020.eu/
