Mitigation of operational impacts on airports by early awareness of malicious events impacting linked critical infrastructures

This paper introduces security management as it is conducted at infrastructure installations and their corresponding technical assets. Malicious activities at those infrastructures lead to a loss of service provision or can even introduce cascading effects towards other connected infrastructures. If an infrastructure satisfies a significant societal need, it is considered a critical infrastructure. The cascading effects can cause secondary effects at the connected infrastructures, such as airports. Airport operations are central to long-distance societal mobility and even small disruptions have knock-on effects throughout the air transport network. The cascading effects that can affect the airport and that originate at linked infrastructures, and the real-time use of the corresponding information for airport management and collaborative decision-making purposes in an Airport Operations Center, are not well known. In what operational way can an Airport Operations Center make use of early awareness of and information about attacks on linked critical infrastructures? To what extent do attacks on separate, but interconnected critical infrastructures have an effect on the operations of an airport? By looking at the existing state of the art and ongoing projects in infrastructure security research, disaster and airport management, this paper conducts a gap identification. The identified weaknesses and limitations are already partially addressed by current research projects. What is still unknown is the necessary airport-centric security management view in order to answer the research question. As a consequence, this paper proposes ideas for future necessary airport-centric infrastructure security research.


Introduction
The motivation for this work was the question of what operational impact occurs at an airport if a connected Critical Infrastructure (CI) fails because it is the target of malicious activities, and how higher-level airport management would be involved in mitigating further cascading effects on airport operations. There are several CIs that an airport is connected to. These can be energy, water, banking and finance, space, data and cloud, communication, and transport to and from the airport, to name just a few.
CIs include a great variety of different organizations and installations. Aspects that elevate these entities to the level of a CI usually are reflected by the significance of the impact if they fail to operate; Moteff et al. (2003) explain this in detail. For this work it is sufficient to understand that CIs are organizations and facilities of major impor-type of targeted malicious act as early as possible in order to mitigate or in the best case entirely prevent such outcomes. Cyber related attacks, e.g. break-in and theft at crypto-currency brokers, can cause financial damage. If control systems of industrial companies or power plants are targeted, cyber-attacks can result in possibly wide-spread physical damage based on a non-physical attack. Another example of this kind could be a cyber manipulation of hub airline systems that impacts the check-in or the entire airline process chain, leaving thousands of passengers stranded. The number of cyber-attacks in the aviation domain has risen over the past years according to EUROCONTROL EATM-CERT and based on the independent 2022 analysis of KonBriefing. Going one step further, an attack on one CI may not only affect operations on the targeted CI, but may also impact interrelated CIs. One example for this could be a power plant failing to provide power to an airport or a hospital. This is the reason why recent EU Commission funded security research projects (e.g. PRAETORIAN and PRECINCT) aimed to fill a gap in security research by focusing on interrelated CIs of different domains. The general assumption seems to be that the consideration of possible cascading effects could optimize the way in which such effects can be handled. That is, knowledge about an ongoing attack at another CI as well as its potential consequences might enable a second, linked CI to adapt its response in some way.
Since an airport is a CI itself, the question arises in what way information about cascading effects at linked CIs would be used by the higher-level airport management within an Airport Operations Center (APOC) if it became available. A further question is how the usage of this information would differ from that of information about, e.g., expected weather-related impacts. Operational decision making in an APOC is related to the core problem of balancing available capacity against the demand of flights or corresponding handling activities, as has been explained in varying levels of detail by e.g. Ball et al. (2007) or as focused on by EUROCONTROL (2013) and Piekert et al. (2017b). Any security related event, either at the airport or coming as a cascading effect from other infrastructures (e.g. manipulation of a fuel pipeline from a refinery to the airport fuel tanks) or, as Polater (2018) has analyzed in his survey, coming from non-aviation related disasters, has the potential of influencing any of these demand-capacity balancing processes. Further, as climate change continues to develop, corresponding hazards pose threats to airport operations, as has been dissected by the Voskaki et al. (2023) survey with the strong suggestion to each airport operator to develop climate hazard risk mitigation plans. Similarly, it is assumed that security related risk mitigation plans exist at airports, possibly for each airport stakeholder organization. While climate impacts could be rather straightforward to identify, the security related assessment is understandably kept from public view so as not to pinpoint potential target angles.
Security at and within the airport today has to address physical and cyber aspects, and units such as the Security Control Center (SOC) are responsible for the procedures. While especially smart airports have to put further emphasis on cyber security (Koroniotis et al., 2020 provide an up-to-date view), all already deal with physical security related situations within the airport and their mitigation means. One example of such a situation is the detection of unattended luggage. Established procedures are already in place to resolve the potential threat, and cybersecurity tools can help to detect such situations earlier. Additionally, the impact of the threat (disruptions of the normal airport operations) is communicated to the APOC. Thereby, capacity constraints can be considered in the operational planning of each involved stakeholder, raising individual and mutual situation awareness. In this example, these are caused by the closure (of parts) of the terminal, which leads, for example, to passengers not being able to reach the gates. In the APOC, the planning for the affected flights is adjusted as a result, based on the demand capacity balancing approach mentioned above. While APOC operators are aware of events internal to the airport that might impact local operations, it is questionable whether this is also the case for impacts originating from external events related to CIs that an airport is connected to. The opposite direction has been the focus of research by, e.g., Sun et al. (2020) regarding impacts on cities due to airport outages or Sun and Wandelt (2021) regarding the impact on the ATM network. Following the Total Airport Management (TAM) notion of airside, landside and ground access, Xu et al. (2023) underline the need for collaborative, multimodal decision-making approaches in case of disruptions in either transport mode due to their interdependencies. This again leads back to the research question, since the multimodal transport nodes can be considered as linked CIs.
The following section will provide an overview of the state of the art in higher-level airport operational management in order to convey a more detailed idea of an APOC's manner of functioning and the different processes it is connected to and that it manages.

Total airport and performance based airport management
Airport management is required to operate an airport. Consequently, airport management has to deal with any event that the airport is subjected to, including any malicious activity on physical or cyber level. The degree of involvement in countering, mitigating or recovering after such an incident is probably different based on the event outcome and target.
Airport management has evolved over the past decade, especially for the big hub airports in Europe, driven by the need to optimally use existing capacity and to cope with future challenges of deeply interlinked operations. The topic has also been taken up in the international context and is included in various European research and development programs. One of these is SESAR, which is the technological pillar of the Single European Sky (SES). It aims to improve ATM by defining, developing, validating and deploying innovative technological and operational ATM solutions (Undertaking, 2015). Piekert et al. (2017a) explained in depth SESAR's approach for a harmonized European airport management development. Following the TAM philosophy (Eriksen & Meier, 2006; Günther et al., 2006), the management of big hubs will be organized on a higher level by the APOC, which will provide the Airport Operations Plan (AOP) and where decisions are taken in a collaborative manner between the stakeholder representatives with a longer lead time (e.g. one hour until the next day). On a physical level it houses stakeholder representatives of various operating entities, including e.g. airlines, the airport itself, air traffic control, security/border control and more (see Fig. 1). As such, though, the APOC does not directly interrelate to infrastructure or cyber-security measures taken in ad-hoc situations or on operational level, but its involvement is required to resume operations in the recovery phase after security related or critical events. Further, the APOC itself could be the target of a directed attack on either level, rendering it inoperative or, by manipulation of the provided AOP information, creating impacts in the connected organizations.
In case of events that threaten to impact the airport's overall performance (usually focused on flight operations and corresponding key metrics; Helm et al., 2015; Kosanke & Schultz, 2015), the APOC stakeholders jointly decide via suitable collaborative decision-making procedures and tool support (Papenfuss et al., 2017; Piekert et al., 2023; SESAR, 2020) on the best mitigation approach. Such events include weather-related events, capacity shortages due to staffing, construction work or equipment issues, breaches of security inside the terminal and on the apron area, left behind baggage or even accidents/incidents. This high-level decision taken in the APOC on how to operate the airport is then broken down in the individual stakeholder operation centers, down to the individual flight or process step. Depending on the types of events, tool support offers prediction capability. This capability can show the anticipated impact of adverse weather or disruptions of landside operations. This allows for a more homogeneous information and reliability level than just relying on personal experience of the different team members. Input to the predictions are operational data of the various processes coming from the different stakeholders, and all this data is stored in the AOP.
The management of small and medium type airports does not require such a sophisticated APOC infrastructure element, and predictions most often are based on the judgement of the experts who are in control of the operations during their shifts. Nevertheless, based on the airports' needs, collaborative decision making does happen between those airport stakeholders, with less complex tool support and with a "light" version of the AOP. Since airports are not isolated nodes in the air transport network, their (in-)direct dependency upon each other (sink and source of flight operations) is very obvious. The controlling entity that governs and regulates the traffic flows is the Network Manager (European Commission, 2011). In close collaboration with the national Air Navigation Service Providers (ANSPs) it issues and maintains flow predictions of the various aerial sectors or airport destinations and ensures their adherence. In this regard the airports and the ATM network build a dependency network of CIs on an ATM operational service level, not necessarily on a physical link level. ATM events at one airport may impact others, but possibly the effect can be anticipated sufficiently and predicted reliably by these actors. Physical attacks on an airport CI do not necessarily introduce cascading physical effects in other airports, but maybe on the ATM layer.
The following section will describe the state of the art regarding security research for and among CIs, as well as more recent research dealing with interconnected CIs. Gaps in this research are identified and the need for future research in the context of airports is discussed.

Research on security - state of the art
In this section, we will address the state of the art in security management research. In order to establish a general understanding of what the term security management entails, Fig. 2 illustrates a simplified chain of steps typically incorporated in security management systems (adapted from National Institute of Standards and Technology, 2023). First of all, sensors are required in order to detect events that are possibly related to an attack (e.g. cameras or cyber sensors). Secondly, the gained information about an ongoing or already occurred event on singular or multiple seemingly unrelated or linked elements needs to be analyzed according to criteria. Not all events detected by the sensors are malicious; they are considered so only if they fulfil previously defined criteria. In the case of a positive detection of non-authorized activity, responsible operators need to be informed in a meaningful way. This is then followed by a reaction or countermeasure and lastly, recovery and prevention. This last step is highly specific to each project and CI and is therefore not further addressed in this work.
A considerable number of research projects on European and national level have dealt with the protection of CIs (covering the above chain in different levels of intensity) and, judging from existing (European Commission, 2023a) and anticipated research calls, more are necessary. It is good practice for new research projects to consider previous project results in order to take over promising approaches. Predescu et al. (2023) conducted an analysis of the different approaches for security management systems used so far in previous security projects. Most of the analyzed projects addressed the entire attack and mitigation chain for e.g. a specific CI or business process chain. This includes the detection of an attack by sensors, the data correlation and analysis, the appropriate information provision to operators and possibly the support in countering this event. The knowledge and implementations based on these previous projects can be considered state of the art for this area. Other, no less important projects were conducted even in previous European Commission funded programs, e.g. the GAMMA (Global ATM Security Management) project or the security related projects in the SESAR (Single European Sky ATM Research) work program mentioned. These will be covered later in the section Security research in air traffic management. The domain categories that had been addressed by 21 of the 22 projects analyzed by Predescu et al. (2023) were:
• Port/Maritime
• SAURON (König et al., 2019),
• PIXEL (Široka et al., 2021),
• MITIGATE (Duzha et al., 2017), and
• ENSURESEC (Francaviglia et al., 2021),
• HYRIM (Busby et al., 2016), and
• PREVISION (Demestichas et al., 2020).

Main pillars of security management
The majority of the analyzed projects recognized the need to correlate externally sourced physical with cyber-attacks in a hybrid approach. The term hybrid only refers to the civil perspective in this work and refers to combined cyber and physical attacks. Four main pillars (see Fig. 3) of security management can be identified from the above projects, following the SAURON nomenclature:
• Physical Situational Awareness (PSA),
• Cyber Situational Awareness (CSA),
• Hybrid Situational Awareness (HSA), and
• Support Functionality (e.g. Emergency Population Warning Systems EPWS or Impact Propagation Simulation IPS or Decision Support Systems DSS).
The aforementioned projects addressed the four pillars according to their needs and focal areas. In general, each pillar (except the support functionality pillar) has either sensors and/or fusion/correlation as input, some sophisticated core functionality and varying human-machine interfaces (HMI).
Sensors are directly linked to situation awareness as they are the means of detection. Physical sensors can, e.g., include proximity, noise or smoke detectors or cameras. Cyber sensors can include, e.g., intrusion detection, anti-malware, firewalls, or customized survey scripts. In case information between physical and cyber events is correlated, this is referred to as a hybrid sensor.
Regarding data analysis and attack identification (i.e. the identification of meaningful events or the correlation of events), different projects have developed correlation functionalities. Examples are a Reasoning Engine (STOP-IT) or cyber-physical event correlators (e.g. RESISTO, SAURON, SATIE, FINSEC, InfraStress, 7SHIELD) that address intra-physical (PSA only), intra-cyber (CSA only) and/or hybrid (HSA) events. Simply put, what they have in common is the correlation of events happening at the same time or in timely sequence that could be related to an attack. The individual correlation approaches differ based on e.g. architecture, used sensor systems and asset models.
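The common idea described above, correlating events that occur together or in close sequence and classifying the result as PSA, CSA or HSA, can be sketched as follows. This is an added illustration, not code from STOP-IT, SAURON or any other cited project; the asset names, the five-minute window and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

DOMAINS = {"physical", "cyber"}


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since start of observation
    domain: str    # "physical" or "cyber"
    asset: str     # hypothetical asset identifier
    sensor: str    # sensor type that raised the event


# Constructed sample events; assets and timings are invented for illustration.
SAMPLE_EVENTS = [
    Event(50, "physical", "perimeter-gate-3", "camera"),
    Event(100, "physical", "server-room-b", "proximity"),
    Event(220, "cyber", "server-room-b", "intrusion-detection"),
    Event(400, "cyber", "server-room-b", "anti-malware"),
    Event(1000, "cyber", "baggage-system", "firewall"),
    Event(1100, "cyber", "baggage-system", "intrusion-detection"),
    Event(2000, "physical", "fuel-farm", "camera"),
    Event(2060, "physical", "fuel-farm", "smoke-detector"),
    Event(5000, "physical", "perimeter-gate-3", "proximity"),
]


def _close(asset, chain):
    """Turn a chain of events into one incident; a lone event is not correlated."""
    if len(chain) < 2:
        return []
    domains = {e.domain for e in chain}
    if domains == DOMAINS:
        pillar = "HSA"          # physical and cyber events on the same asset
    elif domains == {"physical"}:
        pillar = "PSA"          # intra-physical
    else:
        pillar = "CSA"          # intra-cyber
    return [{
        "asset": asset,
        "pillar": pillar,
        "start": chain[0].ts,
        "end": chain[-1].ts,
        "sensors": [e.sensor for e in chain],
    }]


def correlate(events, window=300):
    """Chain events on the same asset whose successive gaps are <= window seconds."""
    by_asset = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.domain not in DOMAINS:
            raise ValueError(f"unknown domain: {ev.domain!r}")
        by_asset[ev.asset].append(ev)

    incidents = []
    for asset, evs in by_asset.items():
        chain = [evs[0]]
        for ev in evs[1:]:
            if ev.ts - chain[-1].ts <= window:
                chain.append(ev)                 # still the same sequence
            else:
                incidents.extend(_close(asset, chain))
                chain = [ev]                     # gap too large: start a new sequence
        incidents.extend(_close(asset, chain))
    return sorted(incidents, key=lambda i: i["start"])


if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

The two camera and proximity events at the perimeter gate are more than a window apart and therefore stay uncorrelated, which is the case a real correlator would hand to its asset model rather than to a fixed time window.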
Once such events are identified, responsible operators are informed. The projects foresee different methods of displaying this information; these range from log excerpts by email to more complex and sophisticated HMIs, allowing dynamic interaction with the provided information.
Some projects take this further, acknowledging the fact that any detected attack might be the entry key to follow-up attacks on other assets of the same CI or possibly even act as a decoy. Based on modelling of the relationship of assets, their (inter-)dependencies and known relevance to operations as a whole, risk probability models make it possible to guesstimate possible follow-up targets as cascading effects. The functionality differs between the individual projects, but the overall approach is similar. From Risk Predictor (RESISTO), via Threat Propagation Engine (TPE; e.g. SAURON, HYRIM) to impact propagation tools (e.g. SATIE, SAFECARE, FORTRESS, MITIGATE, MEDUSA), such tools provide additional information about possible future consequences to the operators, allowing appropriate preparation, mitigation or counter-measures. SATIE proposed an ontology to harmonize understanding technically (e.g. attributes and structural elements in exchanged messages) for the correlation as well as the used vocabulary when interpreting the results (Canito et al., 2020); this helps to prevent misunderstandings when communicating across CI boundaries with other responsible operators.
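To make the propagation idea concrete, the following added sketch ranks likely follow-up targets over an asset dependency model and reports the lead time before each would be affected. It is not the implementation of the Risk Predictor, the TPE or any cited impact propagation tool; the dependency graph, propagation probabilities and delays are constructed assumptions, loosely following the fuel pipeline and power plant examples used in this paper.

```python
import heapq

# Constructed dependency model (assumption, not project data):
# supplier -> [(dependent asset, propagation probability, delay in minutes)]
DEPENDENCIES = {
    "refinery-pipeline": [("airport-fuel-tanks", 0.9, 240)],
    "airport-fuel-tanks": [("aircraft-refuelling", 0.8, 120)],
    "aircraft-refuelling": [("flight-departures", 0.7, 30)],
    "power-plant": [("airport-terminal-power", 0.6, 5), ("hospital", 0.5, 5)],
    "airport-terminal-power": [("check-in", 0.5, 10), ("baggage-handling", 0.9, 0)],
    "check-in": [("flight-departures", 0.6, 45)],
    "baggage-handling": [("flight-departures", 0.4, 60)],
}


def propagate(source, deps, min_probability=0.05):
    """Rank downstream assets by the probability of their most likely impact path.

    Probabilities multiply along a path and can only shrink, so a
    Dijkstra-style search that always expands the most probable asset
    first finds the most likely path to every reachable asset.
    """
    best = {source: (1.0, 0, [source])}      # asset -> (probability, delay, path)
    heap = [(-1.0, 0, source, [source])]     # max-heap via negated probability
    done = set()

    while heap:
        neg_p, delay, node, path = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for child, p_edge, d_edge in deps.get(node, []):
            p = -neg_p * p_edge
            if child in done or p < min_probability:
                continue                     # already settled, or too unlikely to report
            if child not in best or p > best[child][0]:
                new_path = path + [child]
                best[child] = (p, delay + d_edge, new_path)
                heapq.heappush(heap, (-p, delay + d_edge, child, new_path))

    ranked = [
        {
            "asset": asset,
            "probability": round(p, 3),
            "lead_time_min": delay,          # time until the impact arrives on this path
            "path": path,
        }
        for asset, (p, delay, path) in best.items()
        if asset != source
    ]
    return sorted(ranked, key=lambda r: (-r["probability"], r["lead_time_min"]))


if __name__ == "__main__":
    for target in propagate("refinery-pipeline", DEPENDENCIES):
        print(target)
```

The lead time attached to each target is what distinguishes this output from a plain alert: it is the window an operator would have for preparation or mitigation before the cascading effect arrives.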
The support functionality pillar is more diverse. It can include tools for e.g. disclosing information to the public, tools that provide decision support or integration of first responder teams. Some projects foresee an emergency population warning system (e.g. SAURON, STOP-IT) or suitable interfaces for transmitting information to the local/national authorities that are responsible for the information dissemination to the public based on the applicable regulations (e.g. distribution via first responders). Some provide decision support functionality (e.g. RESISTO, SAFECARE, 7SHIELD, SAFETY4RAILS) to operators, tapping into internal databases that contain, e.g., lessons learned from previous events, easily accessible crisis or emergency procedures, or guidance on the best choice for risk treatment. Sometimes the boundary between one of the awareness pillars and the transversal support functionality does not exist, as functionality is directly implemented into the former.

Intra- and inter-CI security management
Most of the analyzed projects focused on a specific type of CI or digital service and stayed more or less within the boundaries of that CI or directly connected systems, e.g. intra-industrial, intra-space, intra-port, intra-airport, intra-financial or intra-commercial systems or intra-healthcare related infrastructures. Some projects targeted the provision of enhanced cyber-crime fighting capabilities for Law Enforcement Agencies. Several projects introduced cross-CI supply-chain risk assessment methodologies (e.g. MEDUSA, MITIGATE or PIXEL). Predescu et al. (2023) state that, from the point of view of industrial suppliers and infrastructure operators, only SATIE focused on the airport critical infrastructure, while the others focused on non-airport critical infrastructure-specific solutions. A few projects looked beyond the addressed single CI's physical or IT boundary, not limited to a local or regional perspective. For example, SECUREGAS covered the value-chain from production to distribution with focus on the European gas network beyond regional CI influence and FINSEC addressed the cyber-physical security of the financial supply chain, while MITIGATE looked at the cyber security of the supply chain from a port-oriented point of view, stretching beyond the port CI.
Two projects addressed multiple CIs beyond regional aspects and, to a degree, their inter-dependencies or relationships. PRECINCT focusses on multimodal transport, energy, water, and ICT/telecoms with digital twins. The goal of PRECINCT is to supervise and control complex interdependent networks and cyber-physical systems of systems with distributed ownership and management structures. This project can be considered PRAETORIAN's sister project, as both started in parallel and ended in autumn 2023. The other project that extends its view beyond a single CI's boundary is FORTRESS. Crisis situations are difficult to overcome on their own, but things can easily turn for the worse and lead to higher magnitude consequences. The FORTRESS project aimed to gain a greater understanding of these cascading effects and provide stakeholders (crisis managers and infrastructure providers) with tools to cope better with these complex phenomena during possible crises across European borders. That incidents in CIs can develop into crises is self-explanatory; however, the cascading effects are a factor that can make events even worse.
SATIE (Georgiou et al., 2019) addressed interconnected CIs as external stakeholders to the airports' crisis management, where crises could be caused intentionally (e.g. by attacks). The interconnected CIs could participate in the AOC/APOC during the crisis response step. The recovery phase shall be used to stabilize operations, which could be seen as a step toward pre-tactical planning in the TAM/Performance-based airport management (done in the APOC), which in consequence impacts the ATM network.

Security research in air traffic management
In ATM and aviation in general, the need to consider security on another level started with the devastating 9-11 attacks in 2001. This changed air transportation forever; it also changed the way security is viewed and dealt with. Security began to receive increased attention and research was intensified to secure air transport. In contrast to the physical protection of CIs introduced above, a focus of the ATM related security research was the protection of ATM services. The organizations providing these services and their physical infrastructures are subject to the application of the above approaches.
The European 7th Framework Program (FP7; 2007-2013) project GAMMA looked at cyber security, communication navigation and surveillance security, physical infrastructure security and crisis management, all in the ATM domain. Detected events were sent to so-called Local GAMMA Security Operations Centers (LGSOCs) and correlated based on rules. Each LGSOC could send the information to the corresponding National GAMMA Security Management Platform (NGSMP). These NGSMPs are provided with advanced functions and additional control capabilities, which are not available at the local level. The NGSMP operators can share information with the European GAMMA Coordination Center (EGCC) (Montefusco et al., 2016). Schaper et al. (2017) indicate benefits of fusing local security data on national level as well as incident management on national level; nevertheless, there shall be the possibility to sanitize data before sharing. From our understanding, sanitization could include, e.g., removal of state or business confidential data.
As SESAR is the technological pillar of the SES, it is responsible for providing innovative solutions for ATM security as well. The European Commission has already established common rules in the field of civil aviation security aimed at protecting persons and goods from unlawful interference since 2002. This has been taken up by SESAR from its first program installment (SESAR 1, 2004-2016). However, the foundations to foster security as such in SESAR were laid only at the end of the first SESAR cycle, when the SESAR ATM Security Risk Assessment Methodology (SecRAM) was developed and postulated initially by one of the dedicated projects of SESAR.
This methodology was further improved by the SESAR cyber security task force in 2017 and developed to its current version 2.0 (Le Fevre et al., 2017). Projects being funded by SESAR 2020 (2016-2024) had to conduct a security risk assessment following the guidance of SecRAM 2.0 and take measures accordingly to assure a secure set up of their architecture and processes as well as operations. This ensured that all new developments followed a kind of security-by-design approach, which had to be considered even by already existing solutions in retrospect. This had the positive side-effect that all participants of SESAR 2020 received training on how security aspects have to be considered and are now sensitized to apply this for further developments. This so-called security culture will also be beneficial for the developments, innovations and deployments which will follow in the SESAR 3 multi-annual work program (2021-2031; SESAR 3 Joint Undertaking, 2022).
It is worth noting that the current Horizon Europe work program for civil security research (European Commission, 2023a) does not mention airports at all. The topic airport is included in the "Climate, Energy and Mobility" research program (European Commission, 2023b); however, this does not include security research aspects of linked CIs, and the SESAR 3 program is a sub program of this Horizon Europe program. The airport as a node in a network of linked CIs is not addressed in the SESAR 3 program. However, SESAR 3 still addresses the need to provide cyber-security to the aviation infrastructure as a CI, showing that previous and ongoing efforts are not closing all possible gaps.

Weaknesses or limitations of state of the art
Each of the aforementioned security research activities and projects has contributed greatly towards the goal of increasing the resilience and protection of CIs. Many of these addressed the challenge with unique approaches and built on previous research results. However, as research is a continuous activity in which knowledge is pushed beyond the boundaries of the state of the art, it can be understood that certain limitations may exist, as laid out by Predescu et al. (2023).
The current state of the art research has mostly considered the challenge of protecting the CIs only within the context defined by each type of infrastructure (e.g. communications, transportation or healthcare). This approach provides a good coverage of the threats posed to each individual CI, while also considering their specific industry particularities, therefore allowing an efficient development of associated threat mitigations and defense measures. Nevertheless, it can be argued that this approach is limited in some sense when threats posed by failures in protecting adjacent CIs are not considered. In current times, CIs are widely interconnected through the supply of critical services from one to another. The lack of consideration of cases in which the disruption of a critical service in one CI results in a cascading effect in another is a limit that needs to be overcome.
With respect to cascading effects caused by disruptions in interconnected CIs, the geographical context is also of high concern and not emphasized enough in the current state of the art, as very few research efforts have considered this aspect. CI protection and threat landscape definition should not be limited to geographical borders. When the CI is near a border region between countries, threats of cross-border nature should very much be taken into consideration. Further consideration should be given to events that impact critical infrastructures of any kind on a cross-border level. This matter can be considered a weakness and it should be taken into account more in future research activities and projects.
In the aviation sector, security research is well implemented regarding the protection of the individual Air Traffic Management related services. This includes e.g. the manipulation of essential data exchange or detection of malicious use of the voice radio channels in airport vicinities giving commands or confirmations that could develop into threat situations (Schaper et al., 2017). Whether such an occurrence leads to an operational impact on the airport, e.g. the extent of flight operations flow reduction, is yet unknown and hence, no automatic correlation and impact prediction exists. Only the knowledge of operational experts, which is highly specific to each airport, can answer this eventually. However, more frequently occurring security related events that happen at the airport introduce an operational impact that is well known to the airport management and the operation centers involved. These events comprise e.g. baggage left alone in the terminal, a passenger passing security control without being checked or some person appearing on the apron area without permission. In contrast, what is missing is the operational impact of attacks on CIs outside the airport that introduce cascading effects into the airport, e.g. if gas or fuel pipelines from refineries in the airport vicinity that refuel airport-based tanks are the target. It is apparent that at some time after these events occur the cascading effects will impact airport operations due to reduced refueling capacity or failure to refuel.
From the ATM network flow perspective, e.g. weather situations sometimes develop in such a dynamic way that operational predictions with sufficient lead time are not possible, and traffic partners (airlines flying to this particular airport) are forced to adapt and possibly take an aerial holding or land at an alternate destination airport and prepare follow-on steps. Depending on the sophistication of the employed airport management approach, mitigation and recovery might differ in effectiveness and efficiency. This could be similar for security related events and their impacts, where the time to prepare might not be sufficient to optimally adapt the operational plans and where the recovery needs to address these shortcomings.
The concept of TAM/PBAM (Performance Based Airport Management) is still rather new. Consequently, the APOC has to be considered as a new asset of the airport, included in all of the security risk plans. This means that a threat and risk assessment needs to be performed, focusing on all APOC services.

Most recent security research contributions
Previous security projects did important work in innovating security research. Nevertheless, Predescu et al. (2023) identified some gaps in the state of the art. For example, the recent PRAETORIAN project addressed interconnected CIs of a large set of heterogeneous sectors. This involves, for example, the transport, energy and healthcare sectors. The toolset is specific and scalable according to the needs of individual CIs. Still, the calculation of possible cascading effects also for interrelated CIs enables a unified, coordinated response, e.g. by enabling communication between CIs in the context of both national and cross-border attack scenarios.
For example, one potential attack scenario including an airport was developed within the project (PRAETORIAN, 2023) and involves the theft of a sample from a laboratory which is transported to an airport across the border. The attackers plan to spread the sample at the airport with the help of a drone and inside the terminal building. Without a support system providing information about this correlation, an operator at the airport would not be notified about the stolen sample before the attackers arrive at the airport, nor would the operator be aware that the airport has a link to the other CI. The information received includes video footage of one of the laboratory attackers, which enables the airport's video analytics tools to later recognize the attacker's face in the airport area.
To achieve this cross-CI visibility of ongoing events at other CIs, the aforementioned project integrated tools already developed in other research projects like the EPWS (from SAURON, STOP-IT), a DSS (from RESISTO, SAFECARE, 7SHIELD, SAFETY4RAILS), the Threat Propagation Engine (from SAURON, HYRIM) and Impact Propagation Tools (from SATIE, SAFECARE, FORTRESS, MITIGATE, MEDUSA). This integrated system was applied to a variety of different CIs and to a CI network and validated by an established scenario-based methodology (Stelkens-Kobsch et al., 2023).
To summarize, the PRAETORIAN project's contribution to the state of the art is a holistic approach that considers cascading effects for heterogeneous and geo-distributed interrelated/interconnected/linked CIs. Although the project addressed the airport as part of the CI network to be protected in one of the attack scenarios, the selected scenario is not taken to the point where possible operational impacts become visible. Further, the research suggestions about APOC inclusion in security-related events as reported by SATIE (Georgiou et al., 2019) were not taken on board by it. A reason for this seemed to be that the security orientation of the project did not foresee the need to include operational airport expertise beyond security representatives. The project helped to create the links between different CIs (e.g. by communication means), but what the airport will do with the information is still left open.

Conclusions and future research needs
Looking at the individual pieces, it is possible to state that there exists profound knowledge of security and security management when considering single CIs. Similarly, this has been developed for inter-CI relationships and even entire process chains in various domains. Further, threat impact prediction and escalation models and mechanisms for intra- and inter-CI aspects exist and have been shown by recent research projects.
On the airport and ATM side, the conducted research brought aspects of the security management research into this domain (ATM network and airport) and supports secure transport. ATM domain related predictions of operational problems exist to a large degree (e.g. weather impact or closure of runways due to maintenance, climate hazard or non-aviation disaster related influences). However, predictions of operational impacts based on security-related events exist only for a few typical and well-known intra-CI security events at the airport (e.g. security events inside the airport terminal). As complementary knowledge, future research could use the suggestions by Sun and Wandelt (2021) to address the cascading effects from the airport into the ATM network based on the node's importance and network functionality. Depending on the relevance, known security events and those beyond them (full picture approach) should be assessed regarding the network information needs and their operational utilization at other network nodes. As an example, it is easy to understand that power outages at a large hub airport due to power plant failures have a greater disruption potential than a road blockage near a small regional airport. Whether this information is helpful for other network nodes, however, needs to be assessed in subsequent research and was not the focus of our work.
Looking again at the research question "what operational impact at an airport happens if a connected Critical Infrastructure (CI) fails due to it being a target of malicious activities and how higher-level airport management would be involved to mitigate further cascading effects on airport operations", we can conclude from the above deduction that there is no operational impact prediction based on external threats coming from linked CIs outside the airport yet, although very high-level mitigation measures might exist in airports' undisclosed risk assessment and mitigation plans. The literature does not reveal whether airport operational experts have experienced such situations already and, if yes, whether they were sufficiently aware of the reasons why some connected CIs did not maintain their regular services. Without proper information and knowledge, they can only make assumptions about the potential impact on the CI and hence on airport operations, possibly guided by those risk mitigation plans. Based on this, it is apparent that no support systems for such situations exist yet either.
Independent of the above confirmed gaps, another central question that needs to be asked is: what makes an external threat event different in handling from an event that happens inside the inter-airport network or from an adverse weather-based event local to the airport? Will an external event's impact on airport operations be dealt with differently on the operational level by the APOC decision makers?
Once research has identified suitable models of cascading effects (e.g. what can induce effects at the airport), the models can be analyzed from an operational point of view. Once this is achieved, suitable operational prediction models can be derived. The literature already has some sophisticated solutions for the airline perspective, but the holistic airport view does not exist.
Further, existing predictions of operational impacts are not incorporated into support systems (e.g., providing all information in digital form or even decision support for the operators), nor are they available in a complete manner. New additions based on research output should be harmonized with and incorporated into then-existing solutions. Depending on the airport size and its needs, appropriate scaling needs to be conducted. Since bigger airports have more sophisticated tools available that provide management support, these predictions should be incorporated into these management tools. For smaller airports, suitable stand-alone solutions could be envisaged.
Taking the already developed ideas described above in a more specific direction, these ideas may be combined in an even more holistic approach than was done in recent security research projects and along the envisaged SATIE gap idea. It is imaginable to collect security information from different sources belonging to different CIs, classify it according to an ontology, correlate it, predict possible impacts (in detail within the CI, on a higher level of detail to other CIs) and share the information accordingly. Related open questions, especially when information is shared cross-border, concern e.g. data protection, legislation, internal policies (e.g. CI internal or national) as well as means of filtering and appropriate visualizations. One option might be that an operator responsible for the security at that CI has to categorize the information as an incident or an attack, which would trigger automatic sharing of that incident/attack information. Since an ontology is used, every recipient would be aware of the significance of transmitted messages. The operator of the receiving CI or some centralized distribution service may have to filter whether the received information is just nice to know or whether explicit actions should be triggered in response.
Tools for estimating cascading effects and impact propagation may not only be useful for other CIs but, in the airport domain, also for the APOC decision makers as a simple awareness mechanism of an ongoing threat or attack. The impacts that manifest at the airport need to be identified by the SOC in collaboration with affected operation centers and then the APOC decision makers need to be duly informed. For the planning of mitigation and recovery of operations, the APOC needs to conduct demand and capacity balancing correspondingly and then update the Airport Operations Plan (AOP) in an appropriate manner (see Fig. 4) and follow established information distribution flows.
In conclusion, a lot of unanswered questions remain. Do the APOC decision makers need the information about ongoing attacks at external CIs for situation awareness? How specific and detailed does the information need to be in order to be useful in an APOC? Or do the operators only want to get involved when the end of the impact is becoming visible, the recovery phase is about to start, and the best way to restart operations needs to be planned? Above we mainly discussed the instances in which the APOC might utilize information about security events for its own work. But what if the APOC itself is the CI asset under attack? How does this cascade into the ATM network and connected CIs? Sun and Wandelt (2021) do not entirely answer this, as maybe not an entire failure to provide operations occurs, but undetected fraudulent information exchange spoils the network. As was explained above, the information regarding malicious activities at linked CIs is currently available neither at the airport nor in the APOC. Therefore, it is not possible to achieve an early awareness of such events, and as a consequence this limits the mitigation means an APOC can take on operational impacts. All in all, it becomes evident that airport operations would benefit from research approaches that combine aspects of critical infrastructure security and airport operations beyond the current state of the art and literature.
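The sharing and filtering idea described above can be sketched as follows. This is an added illustration, not a tool from PRAETORIAN, SATIE or the authors; the ontology classes, category names, CI names and sample events are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical mini-ontology (constructed): event class -> dependent airport services.
AIRPORT_DEPENDENCIES = {
    "fuel_supply": ("refueling",),
    "power_supply": ("airfield_lighting", "terminal_operations"),
    "road_access": ("passenger_access",),
}
SHARED_CATEGORIES = {"incident", "attack"}  # operator categorization that triggers sharing


@dataclass(frozen=True)
class SecurityEvent:
    source_ci: str    # infrastructure where the event was observed
    event_class: str  # ontology class of the affected service
    category: str     # assigned by the security operator at the source CI
    summary: str


def share(events):
    """Sender side: only events categorized as incident or attack leave the CI."""
    return [e for e in events if e.category in SHARED_CATEGORIES]


def triage(event, linked_cis):
    """Receiver side: actionable only if the source is linked and a service depends on it."""
    services = AIRPORT_DEPENDENCIES.get(event.event_class, ())
    if event.source_ci in linked_cis and services:
        return "inform_apoc", services
    return "nice_to_know", ()


def process(events, linked_cis):
    """Run sharing and triage; return (source, decision, affected services) per shared event."""
    return [(e.source_ci, *triage(e, linked_cis)) for e in share(events)]


# Constructed sample events, loosely following the examples named in the text.
LINKED_CIS = {"refinery_A", "powerplant_B", "road_authority_D"}
SAMPLE_EVENTS = [
    SecurityEvent("refinery_A", "fuel_supply", "attack", "pipeline to airport tanks targeted"),
    SecurityEvent("powerplant_B", "power_supply", "observation", "unusual login attempts"),
    SecurityEvent("hospital_C", "healthcare", "incident", "ward network outage"),
    SecurityEvent("road_authority_D", "road_access", "incident", "access road blocked"),
]

if __name__ == "__main__":
    for source, decision, services in process(SAMPLE_EVENTS, LINKED_CIS):
        print(f"{source}: {decision} {list(services)}")
```

The uncategorized observation never leaves its CI, and the shared event from an unlinked CI reaches the airport only as information, which is the filtering step the paragraph leaves to the receiving operator or a central distribution service.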

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Fig. 4. Research needs for the exchange of security and operational impact messages.