Detecting a Complex Attack Scenario in an Airport: The

PRAETORIAN Framework
Stefan Schauer Tamara Hadjina Melita Damjanovic
Stefan.Schauer@ait.ac.at tamara.hadjina@koncar.hr mdamjanovic@zag.aero
AIT Austrian institute of Technology KONCAR Digital Zagreb Airport
Vienna, Austria Zagreb, Croatia Zagreb, Croatia

Eva Maria Muñoz Navarro Javier Hingant Gómez Lazaros Papadopoulos

Juan Jose Hernandez jahingme@upvnet.upv.es lpapadop@microlab.ntua.gr
Montesinos Universitat Politecnica de Valencia National Technical University of
emunoz.etraid@grupoetra.com Valencia, Spain Athens
jhernandez.etraid@grupoetra.com Athens, Greece
ETRA I+D
Valencia, Spain

ABSTRACT
In this paper, we describe the functioning of the PRAETORIAN
Framework, an integrated platform to identify complex threats
across the physical and cyber domains of Critical Infrastructures
(CIs). Therefore, the framework combines a physical and a cyber
situation awareness solution into an innovative Hybrid Situation
Awareness tool to detect the different stages of a complex threat.
Further, the framework supports the decision makers and emer-
gency organizations with a Coordinated Response tool to align and
plan the activities for reducing or preventing the effects of an attack.
All aspects are described according to a real-life use case that has
been tested at the Zagreb airport.
CCS CONCEPTS
• Security and privacy; • Information systems → Decision
support systems; • Hardware → Safety critical systems; •
Computer systems organization;
KEYWORDS
Critical Infrastructure Protection, Hybrid Situation Awareness, Cas-
cading Effects, Complex Attack Scenarios, Decision Support
ACM Reference Format:
Stefan Schauer, Tamara Hadjina, Melita Damjanovic, Eva Maria Muñoz
Navarro, Juan Jose Hernandez Montesinos, Javier Hingant Gómez, and Lazaros
Papadopoulos. 2023. Detecting a Complex Attack Scenario in an Airport:
The PRAETORIAN Framework . In The 18th International Conference on
Availability, Reliability and Security (ARES 2023), August 29–September 01,
2023, Benevento, Italy. ACM, New York, NY, USA, 7 pages. https://doi.org/
10.1145/3600160.3605095
This work is licensed under a Creative Commons Attribution-Share Alike
International 4.0 License.
ARES 2023, August 29–September 01, 2023, Benevento, Italy
© 2023 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0772-8/23/08.
https://doi.org/10.1145/3600160.3605095
1 INTRODUCTION
Due to the increasing complexity of the different services that
are required by a society over the last two decades, the critical
infrastructures (CIs) providing these services have developed into
a highly complex and strongly interrelated network. With recent
incidents such as the SolarWinds hack in late 2020 [6, 10] or the
attack on the Colonial pipeline [1], the interdependencies among
CIs have become more visible and prominent. Further, the wide-
ranging effects these incidents could have on the society, such as the
partial shutdown of the Irish healthcare system after a ransomware
attack [3, 5] or shortage of medication or computer chips due to
the (still ongoing) interruptions of global supply chains [8, 9] have
shown the importance of a well-functioning and resilient interplay
between the CIs. Particularly in metropolitan areas, where CIs
from different sectors operate in a geographically narrow space to
provide essential services for thousands or millions of people, the
uninterrupted and failure-free operation of those CIs is vital.
The ongoing EU H2020 project PRAETORIAN is focusing on cap-
turing these interdependencies among CIs in a structured way and
providing a holistic picture on the interplay between the physical
and cyber assets of these CIs. The goal is to enable the CI operators
and security officers to identify complex attack scenarios early on
by bringing together information from the cyber and the physi-
cal domain, provided by a Cyber Situation Awareness (CSA) and
Physical Situation Awareness (PSA) system, respectively, into a
Hybrid Situation Awareness (HSA) solution. A Decision Support
System (DSS) building on such an integrated view provides the
necessary inputs to the CI operators to increase the effectiveness
of their measures to either prevent or counter such complex at-
tacks. The technology has been and is going to be validated and
demonstrated in several use cases, i.e., in Croatia (March 2023 and
June 2023), France (May 2023) and Spain (July 2023). In this paper,
we will present results from the first demonstration, which took
place at the Zagreb airport in Croatia in March 2023. We show how
the different tools (CSA, PSA, HSA and DSS) integrated into the
PRAETORIAN framework work together to not only identify a
complex attack scenario but also to support the CI operators and
security officers in selecting the best countermeasures.
ARES 2023, August 29–September 01, 2023, Benevento, Italy
The following Section 2 summarizes the main aspects of the
PRAETORIAN framework and briefly explains the ideas behind
the tools applied in the demonstration. Section 3 describes the
details of the complex attack scenario, which combines physical
and cyber attack vectors, and Section 4 highlights, in which steps
the individual tools of the PRAETORIAN framework are applied and
how they can be used to detect the attacks. Section 5 summarizes
the main results of the demonstration as well as the benefits for the
individual CI operators. Section 6 concludes the paper and provides
an outlook on the following steps in the project and beyond.
2 OVERVIEW ON THE PRAETORIAN
FRAMEWORK
The main goal of the PRAETORIAN project is to enable the security
stakeholders of European CIs to manage the lifecycle of security
threats, from forecast, assessment and prevention to detection, re-
sponse and mitigation, in a collaborative manner with the security
teams from related CIs, being the CIs in the same sector or not.
To achieve that, PRAETORIAN proposes a toolset that makes use
of data obtained from relevant legacy security systems of the CIs,
introduces novel sensors and innovative data analysis, and it builds
a model of the ecosystem of the CIs. Further, the toolset improves
the channels and quality of communication among stakeholders
and combines the emergency plans of those CIs. The combination
of these functionalities supports the decision-making process of
the CI operators to prevent major damages to the installations,
neighbouring population and the environment, while allowing a
fast recovery after incidents.
The PRAETORIAN framework consists of four main systems:
a Physical Situation Awareness (PSA) system, a Cyber Situation
Awareness (CSA) system, a Hybrid Situation Awareness (HSA)
system and a Coordinated Response (CR) system. Each system
comprises several modules:
• The CSA system is a system capable of preventing and detect-
ing stealthy cyber threats and anticipating problems to avoid
or limit them, if possible. It is realized by two main modules:
the Cyber Forecaster Engine (CFE) and the Cybersecurity
Assessment Lab (CAL), along with a human-machine inter-
face (HMI) that includes new visualization paradigms for the
cyber space.
• The PSA system collects data from the CIs’ legacy systems as
well as from the new sensors (e.g., sound sensors, video/IR
cameras, presence sensors, . . . ) introduced in the project. It
provides features such as dynamic location of resources and
assets, security perimeter control, real time inspection of
surveillance videos through a Video Analytics (VA) module
and a Drone Detection (DD) module to eliminate threats
stemming from drones.
• The HSA system receives alarms from both cyber and physi-
cal domains (through the CSA and PSA) and correlates them
to calculate the potential propagation of threats among the
systems of all CIs. It is supported by a Generic Digital Twin
(GDT) [7], which models the most relevant assets of the in-
dividual CIs as well as the relationships among them and
reflects the potential consequences or effects of the detected
threat over a single CI as well as over its related ones.
Schauer et al.
• The HSA system receives alarms from both cyber and physi-
cal domains (through the CSA and PSA) and correlates them
to calculate the potential propagation of threats among the
systems of all CIs. It is supported by a Generic Digital Twin
(GDT) [7], which models the most relevant assets of the in-
dividual CIs as well as the relationships among them and
reflects the potential consequences or effects of the detected
threat over a single CI as well as over its related ones.
• The CR system [4] is able to process the information coming
from the other three core components, i.e., CSA, PSA and
HSA, to enable a more effective response to complex threats.
A Decision Support System (DSS) orchestrates the emer-
gency plans of the CIs involved in the project by providing
response(s) to detected threats in an automated manner. Sec-
ondly, an Emergency Population Warning System (EPWS)
implements the EU-ALERT service functionality [2] relying
on special notifications to mobile phones geolocated in a
specific area. Moreover, a First Responders (FRs) information
sharing technology component creates a communication
channel through which the FRs and rescue teams will be
contacted in case of an incident and, at the same time, a
component for Integration With Social Media (IWSM) moni-
tors social media channels to identify posts relevant to an
incident. Finally, the Drone Neutralization (DN) module is
one of the mitigation actions implemented, which provides
technological foundation for countering Unmanned Aerial
Vehicle (UAVs).
The PRAETORIAN framework strongly relies on the idea of inter-
operability of systems and components (and is also focusing on
further scalability and replicability). Therefore, a key module is the
Interoperability Platform (IOP), which interconnects all the above-
mentioned modules of the PRAETORIAN framework, enabling the
exchange of information between all modules, the replication of
changes and possible inconsistencies as well as storing information
and avoiding duplication of data between modules, thus providing
data for the whole platform.
3 CROATIAN PILOT USE CASE
The Croatian pilot use case was developed in a cooperation between
Medical University of Graz and Zagreb Airport as CI operators and
the technical partners developing the PRAETORIAN framework so-
lutions. The use case shows how the PRAETORIAN framework can
support CI operators in case of a coordinated cyber-physical attack
on two interconnected CIs sharing the PRAETORIAN framework.
The attack starts at the Medical University of Graz, where their
Biosafety Level (BSL) 3 laboratory is targeted by a group of terrorists.
In preparation of the attack, they find the laboratory blueprints on
the dark web and obtain a copy of an employee’s ID card as well as
the entrance code using social engineering. One of the terrorists
uses this information to enter the laboratory and steal a hazardous
bio-sample from the high-secure refrigerator. Further, the terrorist
inserts a malicious USB into the laboratory computer with the aim
to destroy any evidence of his presence. Then, the adversary is
joined by another terrorist and both drive to Zagreb airport, as
it is the biggest airport in the region and their could create most
damage there. In the meantime, when a legitimate user logs in to
Detecting a Complex Attack Scenario in an Airport: The PRAETORIAN Framework ARES 2023, August 29–September 01, 2023, Benevento, Italy

the laboratory computer, the malware on the malicious USB stick

is launched and the laboratory database containing the evidence of
the theft is destroyed.
At the Zagreb airport, a corrupted airport employee is collabo-
rating with the terrorists and disables the check-in systems, which
soon creates a big crowd at the airport. At the same time, the at-
tackers approach the airport carrying the hazardous bio-sample.
One of them enters the check in area with the aim to release the
bio-sample in the large crowd of people; the other intends to fly a
drone towards the airport which also contains the bio-sample to
contaminate the airport.
The described scenario was jointly designed by the CI operators
and the technical partners to match the operators’ most recent
interests in terms of complex attack strategies and the framework’s
capabilities to show combined cyber-physical attacks. It played out Figure 2: Alert on the incorrect safety procedure captured by
in the real CI environments of the BSL 3 laboratory in Graz and the PSA.
the Zagreb airport. The part at the BSL 3 laboratory was filmed
as there are higher security requirements there and way between From the perspective of the cyber domain, the CSA is tracking
Graz and Zagreb is too long for driving for Graz to Zagreb during the activities of the terrorist in the BSL 3 laboratory and detects
the day of the demo. The operators of both CIs interacted with the several events (cf. Figure 6). Therefore, the CSA needs to have a
PRAETORIAN framework and were alerted by the events in their detailed overview on the primary assets (PAs) and supporting assets
respective CI (see Section 4). The complex attack scenario was fully (SAs) of a CI. The PAs represent an abstract concept of a system
played as described above to demonstrate all the capabilities of or a behavior, e.g., the “access control” or the “CCTV” system, that
the developed toolset, even though the attack could have been effi- is required for a CI to work properly. The SAs are the genuine
ciently prevented and countered at several points during the attack cyber (or cyber-physical) systems (servers, switches, cameras, etc.)
due to the information provided by the PRAETORIAN framework. that support the PAs to provide their service. Figure 1 shows a
relationship between the primary assets in the inner circle and
4 APPLICATION OF THE PRAETORIAN their respective supporting assets on the outer one.
FRAMEWORK
When the attack started at the laboratory in Graz, the terrorist
did not fully perform the correct safety procedure to access the
BSL 3 laboratory. Based on video analytics and motion capturing,
the PSA was able to detect this incorrect behaviour and raised an
alarm. In detail, the person was not wearing yellow clothes and was
behaving suspiciously; this was detected by the VA module of the
PSA. Moreover, the terrorist opened a fridge to steal some samples,
which triggered a temperature sensor in the fridge. The sensor
detected a rise in the temperature and generated a new alarm in the
PSA. Once the alarms were included in the system, the laboratory
operator was able to access the video recordings related to them.

Figure 3: Illustration of the PAs and SAs in the use case sce-
nario and the relations among them.

As part of the CSA, the Cyber Forecasting Engine (CFE), is fed

with data coming from different PAs and SAs (mostly sensors) and
provides two different types of data: “detections” and “alerts”. The
Figure 1: Terrorist opening the fridge, captured by the VA. detections are events that are happening in a system but do not
ARES 2023, August 29–September 01, 2023, Benevento, Italy
represent an immediate danger to it. Each detection is related to at
least one SA. When several detections are obtained, the CFE is able
to forecast the next step of the cyber-attack and raises an alert with
the target of the attack, i.e., the PA that is most probably going to
be affected.
In the context of the use case scenario, when the attacker plugs
the USB tool into the laboratory computer, the detection “Upload
Tool” is happening in the CFE (cf. Figure 4). Further, after the mali-
cious tool is uploaded to the system, this causes the detection “Mali-
cious File” (cf. Figure 4). When the malware execution is scheduled
for later execution, this is indicated by the detection “Cron” (cf.
Figure 4). At this moment, the CFE has identified this sequence of
events as a malicious activity and raises an alert, indicating that
something is wrong in the system of the laboratory.
Figure 4: Detections (yellow triangles) and alerts (red triangle)
within the CSA during the Croatian pilot.
The three lines in Figure 4 that connect the alert (red triangle)
with the three previous detections (yellow triangles) indicate the
reasoning process of the CFE. The alert contains information of the
current target, i.e., the Laboratory Information System, which is a
PA. The main goal of the attack is to delete the whole database to
hide the fact that the virus was stolen. However, the CSA alerted
the security officers about the malicious file and malware execution
detection and also predicted that the final step of the attack could be
data destruction. This gave security officers enough time to prevent
further propagation of the attack. As already mentioned above, for
reasons of continuity of the pilot use case, it was assumed that the
attack did progress as intended by the terrorist group.
The second stage of the attack in which the terrorists operate
at the Zagreb airport was captured live on site at the airport. In
detail, the video analytics triggered an alert detecting the loitering
behaviour of a person in the check-in area. Due to the captured
facial image of the terrorist at the BSL 3 lab, the VA could perform
face recognition and identified the loitering person as the same
person that stole the bio-sample in the BSL 3 laboratory some hours
ago. Consequently, a new alert is generated by the PSA. These alerts
automatically generated the corresponding incidents in the DSS.
As a consequence, the security staff at the airport was notified and
was able to find the attacker.
As soon as an alert is triggered either by the CSA or the PSA, the
Hybrid Situational Awareness (HSA) system comes into play. Its
Schauer et al.
Figure 5: Terrorist at the check-in area, captured by VA (left)
and identified by face recognition (right).
Figure 6: Alert on the loitering person captured by the PSA.
main purpose is to forecast the probable consequences a potential
on-going attack (indicated by an alert) can have both on a particular
CI and on the CIs interrelated with it. As part of the HSA, the
Threat Propagation Engine (TPE) runs a simulation on the potential
cascading effects of the attack.
Thus, once the unauthorized access to the changing cabin of the
laboratory is detected by the PSA, an alert is forwarded in real-
time to the HSA. Its Threat Propagation Engine (TPE) then carries
out a set of interdependent simulations to estimate in advance the
potential impact the detected critical event might have on the assets
within all CIs that are connected to the PRAETORIAN system. To
this end, a Generic Digital Twin (GDT) has been developed for this
specific use case (cf. Figure 7), in which both the relevant cyber
and physical assets of the involved CIs are modelled together with
their intra- and inter-dependencies (between those belonging to a
single CI or to different CIs respectively). Each of the simulations
consists in a correlation of the triggering alert with all prior events
in combination with the current state of each of the assets.
The outcome of the TPE encompasses the worst and most likely
scenarios resulting from the aggregation of the performed simula-
tions. This is sent to the Human-Machine Interface (HMI) of the
HSA representing the cascading effects of the individual threats.
Detecting a Complex Attack Scenario in an Airport: The PRAETORIAN Framework
Figure 7: Simplified depiction of the GDT in the Croatian
pilot.
This HMI follows a well-known and user-friendly graph-based ap-
proach to visualize in a georeferenced manner the cascading effects
over a GIS map. Color and size codes have been applied to both
the nodes (affected assets) and the edges (assets’ dependencies) to
further support the operator’s situational awareness of the overall
cyber, physical and hybrid domain.
Figure 8: Cascading effects of unauthorized access alert.
As shown in Figure 8, the HSA revealed the intrusion of the
attacker in the laboratory to be a critical event that may impact in
the first stage the critical assets of the BSL 3 laboratory. In addition
to that, the HSA indicates that the attack could also affect other
interdependent CIs in distant regions, such as the Zagreb airport
(which, in this use case, is connected via some competent authorities
in Vienna to the BSL 3 lab).
When the attacker accessed the BSL 3 laboratory but did not
follow the procedures, the PSA alert is also forwarded to the DSS,
which generates a relevant incident of type “Procedure BSL-3 was
not performed” (cf. Figure 9). The DSS is configured such that the
ARES 2023, August 29–September 01, 2023, Benevento, Italy
operator of the BSL 3 laboratory receives a corresponding noti-
fication by email at the time the incident is created, including a
video showing the attacker’s actions. The email also contains a
recommendation for the operator to access the DSS for more details
about the incident. Furthermore, the DSS displays other security
incidents as well, including the “Unallowed person in the changing
Cabin” and “Possible data destruction”, which are triggered by HSA
and CSA events, respectively. The operator get notified about these
incidents as well through the DSS.
Figure 9: List of incidents at the Zagreb airport.
In the Zagreb airport, the airport operator also accesses the
incidents page of the DSS to obtain details about the HSA incident
related to the cascading effects of the attack on the BSL 3 laboratory
and to learn how that can affect also the airport. Later on, the
operator also gets notified about the incident at the gate area, i.e.,
the face recognition indicating that the person loitering inside the
area of the airport is the same person as the terrorist in the BSL 3
laboratory. Additionally, the operator also gets informed about the
fact that a drone is flying in the vicinity of the airport.
Figure 10: Screenshot from the EPWS indicating the number
of cell phones in the area that can be informed about an
event.
With the help of the EPWS in the PRAETORIAN framework,
the operator selects the area around the airport and sends an EU
alert to the cell phones of the people in that area. He also uses
the IWSM functionality to send a relevant post to the CI’s Twitter
account about the incident in a semi-automatic way. Finally, the
operator uses the FR’s information sharing functionality to notify
the Croatian Mountain and Rescue Service Team about the incident,
sending the location of the drone and weather forecasting in the
area. The additional chat functionality can be used as a communica-
tion channel and enables fast bi-directional information exchange
between the operator and the team of first responders.
ARES 2023, August 29–September 01, 2023, Benevento, Italy
5 MAIN RESULTS FROM THE PILOT
The individual tools of the PRAETORIAN framework performed
according to the expectation of the project partners as well as
the participants and contributed to create an enhanced situational
awareness for the operators. In terms of countering and preventing
the different threats (physical and cyber), the HSA had a crucial
role as a central connection point between the involved CIs. It
enabled the operators at the Zagreb airport to connect the events
from the BSL 3 laboratory in Graz to the current situation at the
airport. The DSS served as a central dashboard where the operators
received initial information relevant for their CI and it highlighted
to them where they could retrieve additional information from the
CSA, the PSA or the HSA. Finally, the operators were successful in
sharing the relevant information with the public and the FR team to
realize a quick and coordinated response to the threats. The FR team
responded to their call and performed an efficient search mission
which resulted in finding and locating the neutralized rogue drone.
An important benefit of the pilot demonstration represented the
participation of the employees of both the Medical University of
Graz and the Zagreb airport as real time operators of the platform.
This provided the chance to evaluate how people from the physical
and the cyber security team of the respective CIs are handling the
PRAETORIAN framework. Therefore, the operators were trained
to use the PRAETORIAN framework prior to the demonstration
to make them familiar with the graphical user interface and the
interactions with the different modules. Their smooth performance
indicated that the PRAETORIAN framework can be used by agnostic
users with the right amount of training and support.
The attack scenario was designed based on the CI operators’
recent requirements and interests towards complex cyber-physical
attacks and to showcase the different capabilities of the PRAE-
TORIAN framework. Although this is not the ideal case, it was
sufficient to demonstrate the PRAETORIAN framework’s general
functionalities to the CI operators. A more objective approach to
test the framework’s capabilities would be to have the attack strat-
egy designed by one team (e.g., experts from the CI operators)
and to have the defensive strategy designed by another team (e.g.,
experts from the technical partners). In that way, the assessment
would be more objective as the PRAETORIAN framework would
have to show how it works against a wider range of possible attack
vectors. However, this was not the intention for this demonstration
but will be discussed in the future.
Finally, the demonstration was attended by around 40 people
on site and an additional 60 people following the demonstration
online. This provided a good setting to make the functioning of
the PRAETORIAN framework visible to a large group of potential
stakeholders and to showcase the support it can provide. Addi-
tionally, a questionnaire has been distributed among the online
and on-site participants to capture their impressions and feedback.
However, the results of this questionnaire are not available, yet.
A video summarizing the demonstration and providing detailed
insights is accessible through the project’s YouTube channel.
6 CONCLUSION AND OUTLOOK
CIs are more and more facing complex attacks that consist of com-
bined physical and cyber attack vectors. With the PRAETORIAN
Schauer et al.
framework, CI operators have a set of tools at hand that allow them
to obtain a holistic overview on the physical and cyber domain and
thus identify complex attacks in the hybrid domain. We showed
how the PRAETORIAN framework can be applied in a real-life use
case scenario, where terrorists steal a hazardous bio-sample from
a BSL 3 laboratory in Graz to use it as a bio-weapon at a distant
airport in Zagreb. Since both CIs are connected in the PRAETO-
RIAN framework, they are notified about potential cascading effects
that can harm some of their individual critical assets. Further, we
showed how the DSS helps the operators of both CIs in finding suit-
able counter measures for the detected attacks and also allows the
operators to warn the public in the vicinity of the CI, if necessary.
As the PRAETORIAN project is in its final phase, we still have
three more demonstrations scheduled, in France (May 2023), Croa-
tia (June 2023) and Spain (July 2023), with different attack scenarios
in each of them. These demonstrations will be used to train more
physical and cyber security personnel on the PRAETORIAN frame-
work and to get additional feedback on its usability and applicability
in the respective CIs. Although the attack scenarios are different in
all of the demonstrations, the general setup is similar to make the
experience for the users and the participants comparable. All par-
ticipants will be filling out a questionnaire to collect their feedback
and impressions on each demonstration; this information will be
used to further improve the handling and the user experience of
the PRAETORIAN framework.
ACKNOWLEDGMENTS
This work has been funded as part of the PRAETORIAN project
by the European Union’s Horizon 2020 Research and Innovation
Programme under Grant Agreement nº 101021274.
REFERENCES
[1] Christopher Bing and Stephanie Kelly. 2021. Cyber attack shuts down U.S. fuel
pipeline ‘jugular,’ Biden briefed. https://www.reuters.com/technology/colonial-
pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
[2] ETSI. 2019. ETSI TS 102 900: Emergency Communications (EMTEL); European
Public Warning System (EU-ALERT) using the Cell Broadcast Service. Technical
Report TS 102 900. ETSI, Sophia Antipolis Cedex, France. https://www.etsi.org/
deliver/etsi_ts/102900_102999/102900/01.03.01_60/ts_102900v010301p.pdf
[3] Padraic Halpin and Conor Humphries. 2021. Irish health service hit by ‘very
sophisticated’ ransomware attack. https://www.reuters.com/technology/irish-
health-service-hit-by-ransomware-attack-vaccine-rollout-unaffected-2021-
05-14/
[4] Antonios Karteris, Georgios Tzanos, Lazaros Papadopoulos, Konstantinos De-
mestichas, Dimitrios Soudris, Juliette Pauline Philibert, and Carlos López Gómez.
2022. A Methodology for enhancing Emergency Situational Awareness through
Social Media. In Proceedings of the 17th International Conference on Availability,
Reliability and Security (ARES ’22). Association for Computing Machinery, New
York, NY, USA, 1–7. https://doi.org/10.1145/3538969.3544418
[5] Tadgh McNally. 2021. HSE hackers were in health service’s computer system for
eight weeks before cyber attack. https://www.thejournal.ie/hse-hack-report-
5626054-Dec2021/
[6] Sean Peisert, Bruce Schneier, Hamed Okhravi, Fabio Massacci, Terry Benzel, Carl
Landwehr, Mohammad Mannan, Jelena Mirkovic, Atul Prakash, and James Bret
Michael. 2021. Perspectives on the SolarWinds Incident. IEEE Security & Privacy
Magazine 19, 2 (2021), 7–13. https://doi.org/10.1109/MSEC.2021.3051235
[7] Stefan Schauer, Martin Latzenhofer, Sandra König, Sebastian Chlup, and
Christoph Schmittner. 2022. Application of a Generic Digital Twin for Risk
and Resilience Assessment in Critical Infrastructures. In Proceedings of the 32nd
European Safety and Reliability Conference (ESREL 2022) 28th August – 1st Sep-
tember 2022, Dublin, Ireland. RESEARCH PUBLISHING, SINGAPORE, Dublin,
Ireland, S21–01–195. https://doi.org/10.3850/978-981-18-5183-4_S21-01-195-cd
[8] Sam Shead. 2021. The global chip shortage is starting to have major real-world
consequences. https://www.cnbc.com/2021/05/07/chip-shortage-is-starting-to-
have-major-real-world-consequences.html
Detecting a Complex Attack Scenario in an Airport: The PRAETORIAN Framework ARES 2023, August 29–September 01, 2023, Benevento, Italy

[9] World Economic Forum. 2023. Why are there medicine shortages and [10] Kim Zetter. 2020. SolarWinds Hack Infected Critical Infrastructure, Including
what is the solution? https://www.weforum.org/agenda/2023/02/why-is- Power Industry. https://theintercept.com/2020/12/24/solarwinds-hack-power-
world-experiencing-medicine-shortages-and-how-can-the-generics-industry- infrastructure/
address-supply-challenges/