This work is supported by the EU-H2020 RESISTO project, which has received funding from the European Union’s Horizon 2020 Research and Innovation programme under Grant Agreement No. 786409 (http://www.resistoproject.eu/).

This work is published under the terms of a non-commercial Creative Commons license (CC BY-NC), which permits use, distribution and reproduction in any medium, provided the original work is properly cited. The license enables reusers to distribute, remix, adapt, and build upon the material in any medium or format for noncommercial purposes only, and only so long as attribution is given to the creator. Further terms may be seen at: Link to the terms of the CC BY-NC license

Nowadays, the threats against Critical Infrastructures are becoming more sophisticated, imposing the use of equally modern detection measures. The aspects involved are important both for direct physical threats and for physical threats that enable malicious impact in the cyber domain. The Chapter begins with an overview of the current situation in Critical Infrastructures in terms of detecting physical threats, attacks, or hazards and continues by introducing modern detection techniques covering a wider range of threats. These range from sensor systems for airborne threats and audio and visual analytics to the use of the wireless networks themselves as sensing systems, by exploiting their networking features.

The most common impression when discussing physical security in critical infrastructures (CI) in general terms is that of dealing mainly with the protection of building sites and internal equipment from theft, vandalism, natural disasters (e.g., floods, earthquakes), manmade catastrophes, and accidental damage (e.g., electrical surges, heavy rains, and lightning) or unintentionally destructive acts. In this context, physical security requires solid building construction, suitable emergency preparedness and procedures, reliable power supplies, adequate climate control, and appropriate protection from intruders. In order for building sites to be safeguarded in a way that minimizes the risk of resource theft and destruction, decision-makers must also be concerned about regulations governing equipment placement and use, product handling, and relationships with outside contractors and agencies [1].

However, physical security is often an afterthought when it comes to information security. Although physical security has both technical and administrative elements, it is frequently overlooked because most organizations focus on “technology-oriented security countermeasures” to prevent hacking attacks [2, 3]. Hacking into network systems is not the only way that sensitive information can be stolen or used against its owner. Physical security must be implemented correctly to prevent attackers from gaining physical access, causing physical damage and consequently endangering information systems. In this context, cyber threats, apart from direct attacks, can also result from physical security breaches (“cyber-physical threats”). Because the physical element of security is so often disregarded, hardware damage or vandalism may occur while an organization is concentrating on its administrative and technical controls, and as a result such security breaches may not be discovered right away [4].

Physical security is often thought of as only controlling personnel access to facilities; however, it is essential to achieving data center availability goals. Physical security professionals are mainly concerned with the physical entrance of a building and with the damage a potential intruder may cause. As new technologies such as biometric verification and remote management of security data become more widely available, traditional card-and-guard security is being supplanted by security systems that can identify and track human activity in and around the data center. The challenges of implementing physical security are greater now than in previous decades: laptops, tablets, and smartphones can all store sensitive data that can be lost or stolen. CI organizations are obliged to safeguard personnel, information, equipment, IT infrastructure, data, facilities, systems, and company assets (and all information and software contained therein). Thus, before investing in equipment, they must carefully evaluate their specific security needs and determine the most appropriate and cost-effective security measures for their facility [5].

A brief overview of the current physical security solutions, mechanisms, and sensors for protecting CI assets is given in this Section. Usually, the most sophisticated physical security mechanisms are implemented for the protection of central buildings and headquarters. In most cases, integrated unified security systems are implemented, addressing mainly visual inspection and access control and following a predefined plan.

The first step in a security plan is to identify the areas, rooms, and entry points that need different rules of access. Different levels of security are then employed, with progressively stricter access methods, to achieve added protection. In this way, an inner area is protected both by its own access methods and by those of the areas that enclose it. In addition, any breach of an outer area can be met with another access challenge at a perimeter further in. This can be applied to areas with concentric boundaries (e.g., site or building perimeter, computer area, and computer rooms along with equipment racks) or with side-by-side boundaries (e.g., visitor areas, offices, utility rooms) [5].

Thus, the strategies used to protect the organization’s assets need a layered approach. It is harder for attackers to reach their objective when multiple layers must be bypassed to access a resource. Various access levels and the separation of the building into zones are then employed, depending on the foreseen physical threats and the type of area to be protected, so as to prevent unauthorized people from entering the site or using equipment. The main physical security mechanisms, along with the related sensors or components currently used in each case, are described in the following:

Access control takes place at main entrances (input/output), especially for personnel and vehicles, and in internal or other critical areas (e.g., data center). For the organization’s staff and visitors, various methods may be used involving personal identities, entrance cards, and, in the most sophisticated cases, biometrics and related measures. For critical or high security areas, simultaneous monitoring by visual surveillance and closed circuits (CCTV) usually takes place, along with checks of incoming/outgoing people, recording of activities, tamper alarms, etc. Usually, guests must be accompanied, while entrance may be allowed only to predefined, program-based areas. In almost all cases, CCTV and access control systems are interconnected. Depending on the desired security level, special measures include detection of explosives, chemicals, or even of weapons and metal objects. Intercommunication of the entrance checkpoints with the control room usually takes place, while silent panic buttons are also available at all positions.

Concerning entrance cards, a large variety exists on the market, including personal cards with data and photo, limited-validity cards for visitors/suppliers, smart cards with an onboard processor, magnetic stripe cards (with a simple magnetic strip of identifying data) or magnetic spot cards (barium ferrite cards), bar-code cards, and infrared shadow ones. The types of interaction with the relevant card readers may be swipe, insert, flat contact, or even no contact, as with proximity cards or proximity tokens. Apart from their ability to be reprogrammed, the above types of cards differ considerably in their resistance to counterfeiting: magnetic stripe and bar-code cards carry a static identifier that can be read and duplicated with inexpensive equipment, whereas smart cards with an onboard processor can authenticate themselves to the reader cryptographically and are far harder to clone. All types allow access to be restricted to permitted areas (floors) per employee. The programming process may be separate for visitors and vendors, while an escort mode may also be used in certain cases in conjunction with anti-passback mode.
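The anti-passback and escort modes mentioned above are easy to state but are often implemented loosely. The following is an added example written for this edit (it is not code from the chapter, the RESISTO project, or any vendor's access control system) showing the two rules as a small controller model. Card identifiers, zone names, and the exact rule set are assumptions made for illustration. Each card holder is tracked per zone; a second entry without an intervening exit is refused (hard anti-passback), an exit without a recorded entry is refused and logged, and a visitor badge is accepted only when an escort-capable badge is already recorded inside the same zone.

```python
from dataclasses import dataclass, field


@dataclass
class Card:
    holder: str
    role: str                 # "employee" or "visitor" (assumed roles)
    zones: frozenset          # zones the card is programmed for
    can_escort: bool = False  # may vouch for a visitor at a reader


@dataclass
class AccessController:
    cards: dict                                  # card_id -> Card
    inside: dict = field(default_factory=dict)   # card_id -> set of zones currently occupied
    log: list = field(default_factory=list)

    def _deny(self, card_id, reason):
        self.log.append(("DENY", card_id, reason))
        return False

    def enter(self, card_id, zone, escort_id=None):
        card = self.cards.get(card_id)
        if card is None:
            return self._deny(card_id, "unknown card")
        if zone not in card.zones:
            return self._deny(card_id, "not programmed for " + zone)
        occupied = self.inside.setdefault(card_id, set())
        if zone in occupied:
            # The card is already recorded inside: it was passed back over the
            # barrier or its holder tailgated out. Hard anti-passback refuses it.
            return self._deny(card_id, "anti-passback: already inside " + zone)
        if card.role == "visitor":
            escort = self.cards.get(escort_id)
            if escort is None or not escort.can_escort:
                return self._deny(card_id, "escort mode: escort badge required")
            if zone not in self.inside.get(escort_id, set()):
                return self._deny(card_id, "escort mode: escort not inside " + zone)
        occupied.add(zone)
        self.log.append(("ENTER", card_id, zone))
        return True

    def exit(self, card_id, zone):
        occupied = self.inside.setdefault(card_id, set())
        if zone not in occupied:
            # An exit reader sees a card that never entered: refuse and log it.
            return self._deny(card_id, "anti-passback: exit without entry from " + zone)
        occupied.discard(zone)
        self.log.append(("EXIT", card_id, zone))
        return True


def demo():
    """Constructed scenario: one employee badge (escort-capable) and one visitor badge."""
    ctl = AccessController(cards={
        "E1": Card("employee A", "employee", frozenset({"lobby", "datacenter"}), can_escort=True),
        "V1": Card("visitor B", "visitor", frozenset({"lobby"})),
    })
    results = [
        ctl.enter("V1", "lobby"),                        # visitor without escort -> denied
        ctl.enter("E1", "lobby"),                        # employee enters outer zone
        ctl.enter("V1", "lobby", escort_id="E1"),        # escort present in zone -> allowed
        ctl.enter("V1", "datacenter", escort_id="E1"),   # not programmed for inner zone -> denied
        ctl.enter("E1", "datacenter"),                   # nested zone, first entry -> allowed
        ctl.enter("E1", "lobby"),                        # card passed back at lobby reader -> denied
        ctl.exit("E1", "datacenter"),                    # normal exit
        ctl.exit("V1", "datacenter"),                    # exit without entry -> denied
        ctl.exit("E1", "lobby"),                         # normal exit
        ctl.enter("E1", "lobby"),                        # re-entry after exit -> allowed
    ]
    return ctl, results


if __name__ == "__main__":
    ctl, results = demo()
    for entry in ctl.log:
        print(entry)
```

The denied attempts are the ones worth forwarding to the security management system: an "already inside" denial at an entry reader is exactly the event that indicates a card has been handed back or a door was tailgated, and a cluster of them at one reader is a better alarm than any single one.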

Keypads and coded locks are also in wide use. They are reliable and very user-friendly, but their security is limited by the sharable and guessable nature of the personal access codes (PAC) or personal identification numbers (PIN) on which they rely.

The most sophisticated tools are biometric sensors, which are used mostly for verification of a claimed identity rather than for identification of a person. Biometric scanning techniques and relevant sensors have been developed for several human features: fingerprint scanners, iris pattern, face biometric models, retina pattern, handwriting, and voice recognition systems. Biometric devices are generally reliable. The main sources of unreliability for biometrics are the possibility that a legitimate user fails to be recognized (“false rejection”) and erroneous recognition, either by confusing one user with another or by accepting an impostor as a legitimate user (“false acceptance”); the corresponding false rejection and false acceptance rates move in opposite directions as the decision threshold is tuned, so a device cannot minimize both at once. Nowadays, a wide range of biometric devices exists on the market, used either stand-alone or in combination with other measures such as smart cards, which is highly likely to become mainstream. The main considerations when choosing a biometric technique are the equipment cost, the failure rates, and user acceptance, especially where specific conditions apply (e.g., distance from the sensors, lighting, etc.).
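The false rejection and false acceptance trade-off is best seen on a score distribution. The following added example (written for this edit, not code from the chapter or from any biometric vendor) computes the false acceptance rate (FAR) and false rejection rate (FRR) of a verifier that accepts when the matching score reaches a threshold, finds the equal error point, and picks the threshold that keeps FAR under a target. The genuine and impostor score lists are constructed sample data, not measurements.

```python
# Constructed matching scores in [0, 1]: higher means "more like the enrolled template".
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.62, 0.55, 0.48]   # legitimate users
IMPOSTOR = [0.10, 0.18, 0.25, 0.31, 0.40, 0.44, 0.52, 0.58, 0.66, 0.72]  # other people / spoofs


def far_frr(genuine, impostor, threshold):
    """Error rates when the device accepts any score >= threshold.
    FRR: share of legitimate attempts rejected; FAR: share of impostor attempts accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def _candidate_thresholds(genuine, impostor):
    # Every observed score is a candidate; the rates only change at these points.
    return sorted(set(genuine) | set(impostor))


def equal_error_point(genuine, impostor):
    """Threshold where FAR and FRR are closest (the equal error rate, EER),
    the usual single-number comparison between biometric devices."""
    best = None
    for t in _candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]          # (threshold, far, frr)


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, i.e. the most
    user-friendly setting that still meets a high-security acceptance target."""
    for t in _candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def error_table(genuine, impostor):
    """(threshold, FAR, FRR) for every candidate threshold, for plotting or review."""
    return [(t,) + far_frr(genuine, impostor, t) for t in _candidate_thresholds(genuine, impostor)]


if __name__ == "__main__":
    for row in error_table(GENUINE, IMPOSTOR):
        print("threshold %.2f  FAR %.1f  FRR %.1f" % row)
    print("EER point:", equal_error_point(GENUINE, IMPOSTOR))
    print("FAR <= 0:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

On this sample the equal error point is a threshold of 0.62 with FAR = FRR = 0.2, while forcing FAR to zero pushes the threshold to 0.75 and rejects 40% of legitimate attempts; that is the user-acceptance cost the text refers to, and why a high-security door usually pairs the biometric with a card rather than tightening the threshold alone.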

In parking areas and at all entrances, gardens, or facilities that vehicles may access, checking is performed by reading the vehicles’ plates with high-definition surveillance cameras (vehicle plate recognition system). Recording of the surrounding area and parking management systems can also be applied, using license plate databases of employees and access control procedures for transporters/carriers.

Explosives detectors can also be used alongside access control in high security areas or at the entrances. Different detection systems (e.g., gates) for explosives and hidden objects (e.g., weapons) are applied, with units capable of detecting such material or metal within hand luggage or carried by visitors, highlighting the material with color. Advanced detectors can be employed guaranteeing minimum detection time, while interconnection with the operator’s security system provides remote control and silent alarm capabilities.

In demanding situations, sophisticated methods such as perimeter defense are also applied. These include both internal (headquarters or main buildings) and external cases (outer area perimeter) incorporating a variety of sensors and combined detection/protection systems.

Building perimeter: This refers mostly to the major buildings of the infrastructure and the headquarters. The building perimeter usually includes a combination of the following measures: access control on inputs/outputs of the building and of sensitive critical areas, surveillance and tracing of interior violations, motion detectors and magnetic contacts, webcams around the building, tamper alarms, and even glass (window) breaking detection.

Outer perimeter: On the other hand, the outer perimeter defense may cover the whole infrastructure area by employing full monitoring and tracking of the point of violation, camera and siren alerts, visual surveillance of the perimeter, enhanced lighting in dark areas and hidden (i.e., infrared) illumination, along with electronic fencing systems.

The sensing systems that are usually employed in these detection and protection mechanisms against physical threats include the following:

Access control systems: With biometrics or card readers as already described earlier.

Optical (Camera-based) surveillance systems: These include the following sensors:

  • High-definition IP cameras for outdoor use: capable of day/night operation, wide-zone (e.g., 10 m) coverage, and motion detection, enabling parallel monitoring (in control rooms or checkpoints) with automatic recording and alarms;

  • Optical surveillance with high-resolution cameras: Megapixel cameras are deployed around the building, supervising all surroundings. They offer the ability to analyze individual images from a single camera, resulting in up to 10 times (and more) larger coverage than a simple camera, with multiple digital extended zoom;

  • Panoramic surveillance of the environment: Pan, tilt, and zoom (PTZ) cameras are installed on the roof, featuring a high resolution of 520 TV lines, high sensitivity below 1 lux, and powerful zoom (×35 or more). Their control can be overridden from the control room, and they interface with the perimeter tamper detection system.

Apart from the high-resolution cameras and access control system interconnections, the perimeter lighting can also be provided through infrared (IR)/invisible lighting elements. The camera-based surveillance systems can also accommodate vehicle license plate recognition, are often combined with silent panic buttons or with an electronic fencing system, and support the intercommunication of the entrance checkpoints with the control room.

Intrusion detection systems: Intrusion detection sensors cover all glazed surfaces at the ground and lowest floors. The functionalities include the surveillance of openings (doors, windows) and sliding doors, while the relevant sensors include magnetic contacts, motion detectors, and glass-break detectors, among others.

Electronic fencing systems: These are more sophisticated and more expensive solutions which incorporate invisible, underground (buried) sensing cables. The fencing systems create an invisible detection field that is not affected by vegetation or the natural environment. The detection range varies, with usual widths of around 3 m and an accuracy of less than 1 m. A graphic online representation can be displayed at the central control, and the fence can be activated partially or totally or interfaced with CCTV.

Associated operation procedures: The above sensing and detection systems are usually combined with the associated operating procedures of the CI’s security staff. Security guard patrols follow specific route and time planning based on patrol scenarios, cross-checked with CCTV and intrusion detection systems. Evacuation plans are also practiced, involving specific measures such as automated exit counting units and similar.

The above detection and sensing systems are administered stand-alone or within unified security management systems (SMS), either outsourced to specialized companies, managed in-house by each operator, or both. The SMS often involve central control rooms and are designed to be compatible with international security standards and the organizations’ procedures, providing functionalities such as integration with IT applications and TCP/IP LAN networks, client-server remote monitoring, encryption and integrity protection of network data, double routes or dual flows, checks against internal and external blacklists, and the provision of reports ranging from simple to complex. However, it should be noted that the SMS, although orchestrating the sensors and surveillance mechanisms, usually only flags faults by raising alarms, while the handling and resolution of faults and alarms is managed by the operator.

It is clear that the abovementioned physical security aspects affect all types of CIs, which in turn also make use of telecom infrastructures. Therefore, large interdependencies with the telecom CIs arise for delivering data or notifications to the SMS, and these notifications may not arrive if the telecom infrastructure is breached. Security equipment deployed on site can have different levels of integration with the telecommunication system; much of it relies on the site LAN and local networks via Ethernet or via WiFi. This, however, exposes it to any attack on the telecom infrastructure and its availability.

For the telecom CIs, the issues of both physical and cyber threats are of major importance since they greatly affect one another. Nevertheless, although cyber threats are given the major attention, which is reasonable since data security is a primary factor and they are usually handled by the telecom provider’s Network Operation Centre (NOC), the physical security threats in telecom CIs do not receive equal attention. Usually, the most sophisticated physical security mechanisms, as described earlier, are implemented for the security of the central telecommunication buildings and headquarters, where a large number of the telecom organization’s personnel is employed and present on a day-to-day basis, along with the core of the telecom assets (e.g., NOCs and main backhaul fiber optic terminals).

Although the above hierarchy is considered reasonable due to the critical units involved, it should be noted that this is not the case for all the telecom assets that a telecom provider possesses. Telecom pillars, antenna parks, or even fiber optic terminals in remote and rural areas are not given the same security treatment as large central telecom buildings, since it is more expensive. Sophisticated security methods are rarely observed in decentralized structures; the situation is even more critical for assets such as antenna parks or facilities on remote islands or in mountainous regions. There, security guards may be employed, while ordinary wire fencing is the main protection measure.

On the other hand, cost is one of the most important parameters, since the investment in advanced security mechanisms for the many remote assets could turn out to be high, limiting cost-effectiveness, without even considering the time and effort needed for the relevant implementations. Thus, it is most common for major telecom organizations to invest in disaster or redundancy centers, back-up infrastructure and networks, and failover techniques for the main services, facilitating management from a central station to the relevant checkpoints all over the country. In general, redundancy networks, disaster centers, or failover capabilities are common, and almost obligatory, for all types of CIs, tackling not only issues associated with physical intrusion but also potential losses due to overloads or natural disasters such as floods, lightning, and earthquakes.

It should be highlighted, though, that despite the control operations offered, the main functionality pursued by current security systems, mechanisms, and sensors, apart from detection, is deterrence. Thus, the principles governing the basic procedures of the usual physical security plans are detection, deterrence, response, and recovery/re-evaluation. As mentioned earlier, in current CI security systems, detection is seen mostly as the physical detection of an intruder attempting to illegally access premises and facilities. To this end, the overall security measures and sensing systems employed mainly address personnel identification and access control and are thus mainly meant for deterrence purposes. The deterrence principle is implemented through the organization’s policy, operating procedures, and controls, and similarly, the response principle is mostly addressed by the guard staff through the same procedures. Recovery and re-evaluation mainly affect the operational actions of the security staff.

However, the procedures used amount to a rather limited implementation of these principles rather than a holistic treatment of them. Additionally, the use of all the above security mechanisms depends on their cost, which is regarded as an important factor. Limitations and weaknesses can be noticed in most current cases: for example, reluctance to employ the newest commercial models, possibly for cost reasons, may result in inefficient access management or poor integration of ambient information. Furthermore, in the case of in-house managed security systems, best practices are difficult to follow, resulting in limited protection of entry/exit points or even limited scalability, maintaining only minimum coverage of the surroundings (e.g., only the main building).

Moreover, the newest trends in physical security, such as pattern recognition and machine learning techniques, are rarely employed to classify persons, vehicles, and other objects moving within the controlled area and to extract profiles and relevant semantic information for event processing and further analysis with correlation platforms. Current processes often require a large effort from the operator and the security personnel, who monitor a huge number of sensors on a day-to-day basis.

Another important issue that needs to be taken into account is that, due to the increase in malicious actions nowadays and the large number of services provided, the threats to modern CIs involve considerably more complex aspects than ordinary physical security systems can handle. Furthermore, all kinds of issues endangering CI facilities, including airborne threats, are on the table for that matter and need to be confronted. As malicious acts and terrorism threats become more advanced and sophisticated, it seems that current approaches should be enhanced with more flexible solutions that integrate more advanced mechanisms along with an increased degree of resilience assessment. Additionally, the impact that physical threats may have on cyber aspects (cyber-physical threats) seems often to be disregarded or dealt with separately, and this is especially important for the telecom CIs. Presently, physical intrusion is not only meant for theft or to cause physical damage but rather to enable hazards and damage in the cyber domain of a CI, e.g., to install dormant malicious software or to enable hacking actions. In this respect, modern and novel techniques are needed to address cyber-physical threats, along with holistic solutions that provide suitable correlation of physical and cyber events.

In the previous Sections, an overview of the current security and protection sensors and mechanisms against physical threats in CIs was given, and the gaps in their implementation were identified. As discussed, the increased security requirements nowadays imply the employment of new approaches and solutions. In this context, modern innovative sensing mechanisms are presented for the detection of physical and cyber-physical threats. The presentation focuses on the functionalities of various platforms of active and passive sensors for direct detection (e.g., physical intrusion, airborne threats, etc.), along with wireless networks acting themselves as sensing units. All these techniques are implemented within the framework of the EU H2020 RESISTO project [6].

Video and audio sensors are widely used in surveillance operations and the protection of critical infrastructures. However, the emerging sophisticated types of threats impose the demand for added intelligence, resulting in integrated audio and video analytics tools. In this context, intelligent algorithms are applied to audio and video streams for the real-time detection of events and the early identification of illicit activity. Pattern recognition and machine learning techniques are used to extract acoustic events (e.g., gunshot, screaming, glass breaking) or to classify persons, vehicles, and other objects that are moving within the controlled area of the infrastructure.

A smart surveillance system consisting of video sensors (cameras), embedded or other computational units, and video analytics algorithms constitutes the Video Analytics Component (VAC). Video segments of interest are generated (upon the detection of an alert) and stored for further use and for notification of the security personnel. Various types of CCTV cameras (e.g., a fixed outdoor IP-based CCTV camera and a PTZ camera) can be used to provide a seamless image of the area of interest, supporting pan, tilt, and zoom operations so that the camera can be moved to a desired location.

Highly sensitive microphones, such as omnidirectional and array microphones (microphones operating in tandem), can be used as well for the Audio Analytics Component (AAC). The omnidirectional type is meant for acoustic event detection, while the array is meant to locate the source of the sound event. Both types can be attached to an embedded PC (e.g., Raspberry Pi 3), where the first level of detection algorithms is executed. Beyond acoustic event detection, the audio analytics are enhanced with intelligent algorithms capable of localizing the source of the detected event (estimating the position of the acoustic source). This feature is used as an input for steering the video sensors (e.g., a PTZ camera) so that they are pointed at the source of the acoustic event. The whole tool is developed by Aditess Ltd, Cyprus, within the framework of the RESISTO project.

In this way, the added intelligence transforms the sensors into an integrated audio/video-based surveillance system; each component can also be used stand-alone or be integrated as a sub-system into a holistic integrated platform. The added value of this integration between audio and visual sensors lies in the ability to provide the security operator with a real-time picture of the field where the event occurred, through a generated video clip and an alert notification. Furthermore, cross-correlations of audio and video analysis results are developed in order to provide more accurate and precise alerts. This intelligent process reduces the effort of the operator, who would otherwise monitor a huge number of sensors on a 24/7 basis. Additionally, the early detection of events and the ability to extract semantic information (e.g., type and location of event, illegal access to a restricted area) can provide useful data to event processing and correlation platforms for further analysis.

Drones and mini Unmanned Aerial Vehicles (mini-UAV systems) are an emerging concept worldwide which, at relatively low cost, are used in a variety of applications, from commercial to surveillance ones. Apart from existing commercial platforms, customized platforms can be designed, such as multirotor, helicopter, and fixed-wing types, like those developed by Aditess Ltd, Cyprus, within the framework of the RESISTO project.

These UAV platforms can be optimized for certain surveillance and inspection needs with various payloads, such as lightweight miniature cameras and electro-optic sensors (e.g., daylight, IR, thermal cameras), GPS modules, and chemical sensors, as well as intelligent web-based software for the coordination of UAV platforms and sensor setup in order to fulfill the security requirements. This configuration includes the selection of the appropriate platform and payload, along with the communication with the ground control station (GCS), based on several criteria including the mission analysis (path, time, covered distance, range), communication (air to ground and ground to infrastructure using LTE/4G or a physical network if applicable), and risk metrics, among others.

The mini-UAV systems can also enable navigation in controlled civilian airspace according to the relevant aviation standards and certification requirements as they become applicable, addressing homeland security applications and flight operations. Especially for rural and remote areas, friendly drones and UAVs can enhance the video surveillance system with aerial images and be used to evaluate the emerging anti-drone technologies.

The rapidly proliferating use of unmanned devices in many aspects of commercial and everyday life has brought about new and emerging challenges. In many cases, such as regulating air traffic and security, early detection of such objects is crucial. Furthermore, drones and UAVs can be used maliciously as human-driven physical threats against civilian critical infrastructures, imposing the need for relevant detection measures. In this respect, especially for civilian CI cases, the focus is given specifically to detecting airborne threats such as UAVs and drones flying at rather short ranges from the targeted CI. The aim is to be able to use low-cost sensors that can provide early warnings of an airborne threat and potential intrusion to a central security platform.

In light of the emerging use of unmanned devices, UAVs or drones are nowadays more and more considered as potential human-driven physical threats. Anomalies and airborne threats to CIs, or to specific telecom ones (e.g., remote antenna parks and/or telecom pillars on high rooftops), are mainly monitored through visual methods (i.e., cameras); the threat has to be in rather close proximity to be detected, which leaves less time for reaction. Counter-UAV technology has already seen extensive use and a continuously growing interest. Main challenges include detection effectiveness, false negatives/positives, distinguishing legitimate from illegitimate drone use, the legal framework, and the lack of standards [7].

The specific airborne threat detection system, developed by the Institute of Communication and Computer Systems (ICCS), Greece, within the framework of the RESISTO project, is a set of tools designed and developed to detect the presence of UAVs as airborne threats and to provide alarm signals. The system consists of active and passive sensors, namely radar and acoustic sensors, respectively [8]. These components can be used either separately or in combination. The detectors are a small, lightweight continuous wave Doppler radar combined with acoustic sensors, such as an array of high-sensitivity microphones, for the reception of signals emitted by such UAV platforms. Those signals may lie in the microwave/RF region (e.g., remote controls) or in the sound/acoustic frequency region (e.g., drone propulsion). Hence, the focus is on exploiting the combined imprint of UAVs as captured by the microphone and radar systems.

A Doppler radar uses the Doppler effect to derive velocity data about moving objects at a distance. An accurate measurement of the original transmitted frequency and the reflected return frequency (echo) determines the Doppler frequency shift, which is a direct indication of the target’s speed, i.e., the radial component of the target’s velocity relative to the radar. The measured speed is the rate of change of the target’s range (radial distance) and therefore depends on the target’s angle relative to the radar’s line of sight; a CW Doppler radar by itself does not measure the range. The Doppler CW radar is able to detect and track fast-moving targets, providing good visibility in harsh conditions (dusk, rain, or snow). In contrast to optical or infrared systems, Doppler radars detect small-sized objects more reliably in the (optimal) 3 GHz to 30 GHz frequency band, with adequate sensing ranges. However, it should be noted that the radar’s detection capability depends on the target’s Radar Cross Section (RCS: the effective aperture of the target) and on the ability to distinguish between small objects and the clutter that the sensor also picks up, especially for objects with low RCS such as drones [9]. Generally, the RCS reflects the degree to which the target can be detected and depends on a variety of parameters such as the relative position of the target with respect to the radar, the frequency of operation along with the relative incident and scattering angles, and, most importantly, the target characteristics, namely its aperture/profile, its material, and its dimensions relative to the wavelength. Low RCS makes detection within cluttered environments very demanding, with trade-offs between false alarm rates and detection probabilities [10]. In this respect, the low RCS of airborne objects such as UAVs and drones is tackled with advanced signal processing and the combined use of other sensors, such as the acoustic ones.
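The quantities in the preceding paragraph can be put into numbers. The following added example (written for this edit, not code from the chapter or the ICCS system) collects the two-way Doppler relation of a monostatic CW radar, the fourth-root dependence of detection range on RCS from the radar equation, and the spread that a spinning rotor adds around the airframe's Doppler line (micro-Doppler), which is the effect behind the remark later in the text that the radar still sees a hovering drone through its propellers. The carrier frequency, rotor speed, and propeller size in the scenario are assumptions chosen for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def doppler_shift_hz(radial_velocity_mps, carrier_hz):
    """Two-way Doppler shift of a monostatic CW radar: f_d = 2 * v_r * f_0 / c.
    v_r > 0 means the target closes on the radar and gives a positive shift."""
    return 2.0 * radial_velocity_mps * carrier_hz / C


def radial_velocity_mps(doppler_hz, carrier_hz):
    """Inverse relation: the radial speed the radar reports from a measured shift."""
    return doppler_hz * C / (2.0 * carrier_hz)


def propeller_tip_speed_mps(rpm, blade_radius_m):
    """Linear speed of a blade tip, v = omega * r."""
    return 2.0 * math.pi * blade_radius_m * rpm / 60.0


def rotor_micro_doppler_spread_hz(rpm, blade_radius_m, carrier_hz):
    """Blade tips alternately approach and recede, so a rotor smears the echo
    over +/- f_d(tip speed) around the airframe's own Doppler line. The spread
    is present even when the airframe hovers (v_r = 0)."""
    return doppler_shift_hz(propeller_tip_speed_mps(rpm, blade_radius_m), carrier_hz)


def detection_range_scale(rcs_reference_m2, rcs_target_m2):
    """Radar-equation scaling: R_max is proportional to RCS ** (1/4), all else equal.
    A 100x smaller RCS costs a factor of about 3.2 in range, not 100."""
    return (rcs_target_m2 / rcs_reference_m2) ** 0.25


def sphere_rcs_m2(radius_m):
    """Optical-region RCS of a conducting sphere (radius much larger than the wavelength):
    equal to its projected area."""
    return math.pi * radius_m ** 2


def drone_scenario():
    """Constructed scenario: 10 GHz (X-band) CW radar, quadcopter closing at 10 m/s,
    5-inch propellers (0.0635 m blade radius) at 6000 rpm. Assumed values."""
    f0 = 10e9
    body = doppler_shift_hz(10.0, f0)
    rotor = rotor_micro_doppler_spread_hz(6000, 0.0635, f0)
    return {
        "body_doppler_hz": body,               # about 667 Hz
        "rotor_spread_hz": rotor,              # about +/- 2.66 kHz around the body line
        "range_vs_1m2_reference": detection_range_scale(1.0, 0.01),  # drone-sized RCS, ~0.32
    }


if __name__ == "__main__":
    for key, value in drone_scenario().items():
        print(key, round(value, 2))
```

Two practical consequences follow from the numbers: a drone's micro-Doppler spread is wide compared with the body line and persists at hover, so it is a usable discriminator against birds and static clutter, and a one-hundredfold RCS penalty relative to a 1 m² reference target shortens the detection range by only a factor of about three, which is why small radars remain useful at the short ranges the text targets.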

The acoustic sensors used in the present system are a set of high sensitivity dynamic microphones forming an array. Acoustic sensors have many advantages, including non-line-of-sight operation, omni-directionality, passiveness, low cost, and low power, and can play a key role in situational awareness, since they do not depend on the target's size but on its acoustic signature, i.e., the sound of the motors and propellers. Nevertheless, acoustic sensing depends on the environmental conditions and the related sources of acoustic attenuation (e.g., temperature, wind speed and direction) and on the background noise at the site. Acoustic microphone arrays are used as a second sensor modality to detect broadband acoustic emissions from approaching targets, arranged either as linear arrays or as a cross of four microphones, the latter proving the most effective. By exploiting the target's strong emitted sound harmonics, mainly in the 20 Hz to 2 kHz range, moving targets can be detected and tracked regardless of their size [11].

Having captured the sound signal of the target, signal detection and processing methods can be applied: for example, time-domain cross correlation of the captured waveform against a previously recorded reference waveform of the target, in parallel with Harmonic Line Association (HLA) in the frequency domain, which groups the spectral lines of the signal into a harmonic series and estimates its fundamental. Advanced signal processing and machine learning techniques are applied to the radar and acoustic data, both in the time domain and in the frequency domain, to achieve detection and to estimate the target's angle of arrival and range/velocity. In terms of detection and tracking, the radar sensors detect the presence of a small unmanned aircraft by its radar signature (often employing algorithms to distinguish it from other small, low-flying objects, e.g., birds), while the acoustic sensors detect drones by recognizing the characteristic sounds produced by their motors. The system detects the target's movement when the drone approaches or moves away; even when the drone hovers and its body has no radial motion, a return is still obtained, because the radar picks up the fast movement of the propellers (their micro-Doppler signature). Neural network techniques are expected to improve the discrimination of low RCS targets and the overall performance.
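The two acoustic methods named above, as an added example that is not part of the ICCS system or the chapter: Harmonic Line Association over a constructed list of spectral lines (a rotor fundamental at 110 Hz with harmonics, 50 Hz mains hum and two unrelated tones, as a peak picker would hand them to the association stage), and normalised time-domain cross correlation of a constructed capture against a reference motor waveform. The harmonic amplitudes, the noise level, the 60 Hz to 400 Hz band assumed for small multirotor blade-pass fundamentals and the 0.7 correlation threshold are illustrative assumptions.

```python
import math
import random

# Constructed spectral lines (Hz, relative amplitude): a 110 Hz rotor series, 50 Hz hum
# and two unrelated tones. Illustrative values, not measurements.
DETECTED_LINES = [(50.0, 0.9), (110.0, 1.0), (220.0, 0.8), (331.0, 0.6), (440.0, 0.5),
                  (549.0, 0.4), (660.0, 0.3), (1000.0, 0.7), (1237.0, 0.2)]


def harmonic_line_association(lines, f_min=20.0, f_max=2000.0, max_harmonic=12,
                              tol=0.03, min_lines=3):
    """HLA: pick the fundamental f0 whose series k*f0 explains the most line energy.
    Score = energy of the associated lines x fraction of harmonic slots filled, so an
    octave-low candidate (f0/2) that fills only even slots loses to the true f0.
    Returns (f0, [(freq, amp, k), ...]) or (None, [])."""
    candidates = {f for f, _ in lines if f_min <= f <= f_max}
    candidates |= {f / 2.0 for f, _ in lines if f_min <= f / 2.0 <= f_max}  # missing-fundamental case
    best, best_score = (None, []), 0.0
    for f0 in sorted(candidates):
        assoc = []
        for f, a in lines:
            k = int(round(f / f0))
            if 1 <= k <= max_harmonic and abs(f - k * f0) <= tol * f0:
                assoc.append((f, a, k))
        if len(assoc) < min_lines:
            continue
        score = sum(a for _, a, _ in assoc) * len(assoc) / max(k for _, _, k in assoc)
        if score > best_score:
            best, best_score = (f0, assoc), score
    return best


def synth_motor(fs, n, f0, harmonics=6, noise_std=0.0, seed=0):
    """Constructed motor/propeller sound: harmonic series with 1/k amplitudes plus noise."""
    rng = random.Random(seed)
    return [sum(math.sin(2 * math.pi * k * f0 * i / fs) / k for k in range(1, harmonics + 1))
            + rng.gauss(0.0, noise_std) for i in range(n)]


def normalized_xcorr_peak(captured, template):
    """Slide the reference template over the capture; return (peak correlation, lag).
    Normalising by both energies makes 1.0 an exact match and stops loud noise scoring high."""
    n, m = len(captured), len(template)
    t_norm = math.sqrt(sum(v * v for v in template))
    best_r, best_lag = 0.0, None
    for lag in range(n - m + 1):
        seg = captured[lag:lag + m]
        s_norm = math.sqrt(sum(v * v for v in seg))
        if s_norm == 0.0:
            continue
        r = sum(a * b for a, b in zip(seg, template)) / (s_norm * t_norm)
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def classify(lines, captured, template, rotor_band=(60.0, 400.0), r_min=0.7):
    """Fuse both detectors: rotor-like harmonic series OR a strong template match.
    rotor_band and r_min are assumed operating parameters."""
    f0, assoc = harmonic_line_association(lines)
    hla_hit = f0 is not None and rotor_band[0] <= f0 <= rotor_band[1]
    r, lag = normalized_xcorr_peak(captured, template)
    return {"f0": f0, "harmonics": len(assoc), "xcorr": r, "lag": lag,
            "uav_like": hla_hit or r >= r_min}


def sample_capture(fs=8000.0, noise_std=0.3, seed=7):
    """Constructed capture: 300 samples of noise, the reference sound with noise, more noise."""
    template = synth_motor(fs, 400, 110.0)
    rng = random.Random(seed)
    capture = ([rng.gauss(0.0, noise_std) for _ in range(300)]
               + [t + rng.gauss(0.0, noise_std) for t in template]
               + [rng.gauss(0.0, noise_std) for _ in range(300)])
    return capture, template


if __name__ == "__main__":
    capture, template = sample_capture()
    print(classify(DETECTED_LINES, capture, template))
```

The HLA scoring is what keeps the 50 Hz hum and the 1000 Hz tone out of the series and rejects the 55 Hz octave-low candidate; the cross-correlation peak at lag 300 shows where the reference sound starts in the capture. A real deployment would feed the HLA fundamental and the correlation peak into the tracker together with the radar velocity rather than stopping at a boolean.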

Combinations of the two methods are beginning to emerge as integrated solutions for monitoring the airspace over critical infrastructures, aligning the results and the theoretical basis with modern system implementations and thereby advancing the state of the art towards a low-cost, low-power combination. Recent technology trends show that detecting low RCS moving targets can be made feasible by mixed techniques [12]: the emission of high-frequency waves (active methods) may be complemented by receiving the acoustic output of the target (passive methods) to accomplish detection. These emerge as a promising solution also in combination with visual methods (e.g., cameras) or electro-optical systems, which detect UAVs by their visual signature, and infrared (IR) systems, which detect them by their heat signature.

The whole system may act either stand-alone or as a plug-in module in a wider platform architecture, providing alerts and potential intrusion events corresponding to the presence of moving airborne threats. The use of multiple detection elements is intended to overcome the inherent limitations of each technology and to increase the probability of a successful detection, given that no individual method is entirely failproof. Therefore, the employed combination of active and passive sensors can additionally provide situational awareness and perimeter defense of CIs against low-flying threat aircraft.

Considering the emerging 5G telecom infrastructures, Internet of Things (IoT) networks are expected to expand in the near future and to dominate everyday life, with wireless networks and wireless sensor networks distributed over large areas and infrastructures. Thus, it is of great importance that these telecom facilities are capable of adequately tackling physical as well as cyber-physical threats. While sensing networks with advanced features are foreseen, it is reasonable for these networks to obtain additional security functionalities, so that they are capable of detecting and responding to risks and physical threats, whether human-driven or the consequence of natural disasters.

This notion presupposes certain added functionalities both in the hardware and in the software/firmware of these wireless networks, as current and future parts of CIs, so that they act by themselves as detecting systems. In the following, two examples of such applications are given, as developed in the framework of the RESISTO project by Integrasys SA, Spain, also involving features of the Guardtime KSI Blockchain (Guardtime, Estonia). These applications are RADIOFILTER and RANMONITOR, and they are briefly described below.

RADIOFILTER is a tool which offers detection, location, and reporting of WLAN-based threats and attacks against the protected assets of critical infrastructures.

The tool is based on a network of N distributed passive Secured Cyber Sensors, deployed at an infrastructure, which continuously scan the data-link traffic and relay this information to a central processing node (Central Node). This setup enables the system to monitor the data-link (layer 2) traffic parameters of 802.11 WLAN networks in order to detect, locate, and report 802.11 WLAN-based threat events. The events and the related information can be visualized through an external Web User Interface for stand-alone use. The integrity of the cyber sensors' firmware is handled by a firmware update server, which connects to an external Guardtime KSI server to obtain a KSI blockchain signature over the hash of each sensor firmware image; the signature serves as a cryptographic timestamp and is stored as the firmware security anchor of that image. Before a new firmware version is installed, it is checked against its anchor, so that an image that has been maliciously tampered with after signing is rejected. The anchor proves that the image is the one the update server signed at that time; protecting the build and signing path itself remains a separate prerequisite.
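The following is an added example of the anchor check, not RADIOFILTER's or Guardtime's own code: KSI signatures are hash-based and bind a document hash, through a Merkle aggregation tree, to a published root, so the generic mechanism the sensor relies on is a hash inclusion proof against a trusted root. The real KSI signature format, calendar and SDK are not reproduced here; the images, the update-server and sensor-side functions and the choice of SHA-256 with leaf/node domain separation are assumptions. The trusted root stands in for the anchor a sensor would hold in its secure element.

```python
import hashlib


def leaf_hash(data):
    """Hash of a firmware image; the 0x00 prefix separates leaves from inner nodes."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left, right):
    """Inner node; the 0x01 prefix stops a leaf from being mistaken for a node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(leaf_hashes):
    """Aggregate leaf hashes into a Merkle root; return (root, proofs), where proofs[i]
    is the sibling path [(sibling, side), ...] linking leaf i to the root."""
    level = list(leaf_hashes)
    members = [[i] for i in range(len(level))]   # leaves below each node at this level
    proofs = [[] for _ in level]
    while len(level) > 1:
        if len(level) % 2:                        # odd count: duplicate the last node
            level.append(level[-1])
            members.append([])
        nxt, nxt_members = [], []
        for j in range(0, len(level), 2):
            left, right = level[j], level[j + 1]
            for i in members[j]:
                proofs[i].append((right, "right"))
            for i in members[j + 1]:
                proofs[i].append((left, "left"))
            nxt.append(node_hash(left, right))
            nxt_members.append(members[j] + members[j + 1])
        level, members = nxt, nxt_members
    return level[0], proofs


def verify_inclusion(leaf, proof, trusted_root):
    """Recompute the path from the leaf to the root and compare with the trusted root."""
    h = leaf
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == trusted_root


# Constructed firmware images anchored in one aggregation round (placeholders, not real builds)
IMAGES = {
    "sensor-fw-1.2.0": b"RADIOFILTER cyber sensor firmware 1.2.0\x00" + bytes(range(64)),
    "sensor-fw-1.2.1": b"RADIOFILTER cyber sensor firmware 1.2.1\x00" + bytes(range(64, 128)),
    "ran-sensor-fw-0.9": b"RANMONITOR sensor firmware 0.9\x00" + bytes(range(128, 192)),
}


def publish_anchors(images):
    """Update-server side (assumed role): hash every image, aggregate, hand out one anchor each."""
    names = list(images)
    root, proofs = build_tree([leaf_hash(images[n]) for n in names])
    return root, {n: {"hash": leaf_hash(images[n]), "proof": proofs[i]}
                  for i, n in enumerate(names)}


def sensor_accepts_update(image, anchor, trusted_root):
    """Sensor side (assumed role): recompute the image hash and check it is bound to the root."""
    h = leaf_hash(image)
    return h == anchor["hash"] and verify_inclusion(h, anchor["proof"], trusted_root)


if __name__ == "__main__":
    root, anchors = publish_anchors(IMAGES)
    good = IMAGES["sensor-fw-1.2.1"]
    tampered = bytearray(good)
    tampered[10] ^= 0x01                          # a single flipped bit
    print("genuine :", sensor_accepts_update(good, anchors["sensor-fw-1.2.1"], root))
    print("tampered:", sensor_accepts_update(bytes(tampered), anchors["sensor-fw-1.2.1"], root))
```

Three failure cases matter for a sensor: an image altered after signing (hash no longer matches), an anchor issued for a different image (a downgrade or swap attempt), and a root the sensor does not trust (a forged aggregation). All three are rejected by the same two-line check.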

The RADIOFILTER application is suited to cases in which a CI operator needs to protect the inner part of a building where an 802.11 WLAN is installed against theft of confidential information and service disruption. In such a case, the operator's internal WLAN has to be protected from unauthorized devices brought into the site. Unauthorized devices are all access points, client devices, and connections other than those whitelisted by the CI operator; the whitelisted ones carry location and connectivity restrictions and are allowed inside the infrastructure (centralized, ad hoc, local, and internet access being granted per WLAN client). In other words, the WLAN accepts only a specific set of client devices, and any other device's connection is treated as an intrusion.

Following a site survey, the RADIOFILTER radio monitoring sensors are placed within the inner part of the building. Each monitoring cyber sensor is powered by a small single-board computer (e.g., a Raspberry Pi) and is able to monitor the IEEE 802.11b/g/n/ac WLAN technologies (2.4 GHz and 5 GHz bands). The sensor also includes a secure element used to encrypt and store critical data such as root certificates and firmware security anchors. The system collects the data captured by the cyber sensors from all access points, devices, and connections in the infrastructure; estimates the location of a specific access point or device with a fingerprinting method based on machine learning techniques; checks the infrastructure whitelist databases for event detection; and generates events whenever an unauthorized device attempts to connect.

In this way, various cases of unauthorized connections can be detected. For example, a non-whitelisted mobile phone with WLAN connectivity (Unauthorized Device Event Detection) or a non-whitelisted WLAN access point (Unauthorized Access Point Event Detection) may constitute a threat event. As soon as the mobile phone's WLAN interface or the access point starts transmitting, the event is detected, since the MAC address of the device (for an access point, its BSSID) is not in the relevant operator whitelist. The same happens when a non-whitelisted WLAN ad hoc connection is set up between authorized clients (Unauthorized Connection Event Detection). A new threat event message is then generated and displayed on the RADIOFILTER Web User Interface as a flashing indicator on the location map. Two practical caveats apply to any MAC-based whitelist: an attacker can clone a whitelisted MAC address, which is why the location estimate and the connectivity restrictions are checked as well, and modern phones randomize their MAC addresses, so authorized devices must be enrolled with the address they actually use on the operator's network to avoid false alarms.
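The three event types above, together with a location estimate, as an added example that is not RADIOFILTER's own code. The sensor reports, whitelists and radio-map fingerprints are constructed; the chapter does not specify the fingerprinting model, so a weighted k-nearest-neighbour lookup in RSSI space over N = 4 sensors stands in for it (an assumption), and "not heard" by a sensor is encoded as -100 dBm. The frame types are reduced to beacon, IBSS (ad hoc) beacon, probe and data, which is all the layer-2 information the three checks need.

```python
import math
from collections import defaultdict

SENSORS = ["s1", "s2", "s3", "s4"]  # N = 4 passive sensors (assumed deployment)

# Operator whitelists (constructed). A client's policy lists the connection modes it may use.
WHITELIST_APS = {"aa:bb:cc:00:00:01": {"ssid": "CI-OPS", "zone": "control-room"}}
WHITELIST_CLIENTS = {
    "10:20:30:40:50:01": {"modes": {"infra"}},
    "10:20:30:40:50:02": {"modes": {"infra"}},
}

# Radio map from the site survey (constructed): (x, y) in metres -> RSSI in dBm per sensor.
FINGERPRINTS = {
    (0.0, 0.0): [-40, -60, -70, -65],
    (10.0, 0.0): [-60, -40, -65, -70],
    (0.0, 8.0): [-70, -65, -40, -60],
    (10.0, 8.0): [-65, -70, -60, -40],
    (5.0, 4.0): [-55, -55, -55, -55],
}

# Constructed sensor reports: one dict per captured frame.
SAMPLE_OBSERVATIONS = [
    # rogue access point heard by all four sensors, loudest at s1
    *[{"sensor": s, "type": "beacon", "bssid": "de:ad:be:ef:00:01", "sta": None, "rssi": r}
      for s, r in zip(SENSORS, [-42, -58, -68, -66])],
    # unknown phone probing, loudest at s4
    *[{"sensor": s, "type": "probe", "bssid": None, "sta": "f0:0d:ca:fe:00:01", "rssi": r}
      for s, r in zip(SENSORS, [-64, -71, -59, -41])],
    # two whitelisted clients forming an ad hoc (IBSS) network
    {"sensor": "s2", "type": "ibss_beacon", "bssid": "02:11:22:33:44:55",
     "sta": "10:20:30:40:50:01", "rssi": -50},
    {"sensor": "s2", "type": "ibss_beacon", "bssid": "02:11:22:33:44:55",
     "sta": "10:20:30:40:50:02", "rssi": -52},
    # normal traffic: whitelisted client on the whitelisted AP
    {"sensor": "s1", "type": "data", "bssid": "aa:bb:cc:00:00:01",
     "sta": "10:20:30:40:50:01", "rssi": -45},
]


def knn_locate(rssi_vector, fingerprints=FINGERPRINTS, k=3):
    """Weighted k-nearest-neighbour fingerprint localisation in RSSI space."""
    ranked = sorted(fingerprints.items(),
                    key=lambda kv: math.dist(kv[1], rssi_vector))[:k]
    weights = [1.0 / (math.dist(v, rssi_vector) + 1e-6) for _, v in ranked]
    wsum = sum(weights)
    x = sum(w * p[0] for w, (p, _) in zip(weights, ranked)) / wsum
    y = sum(w * p[1] for w, (p, _) in zip(weights, ranked)) / wsum
    return x, y


def detect_events(observations):
    """Whitelist checks over layer-2 reports; one event per offending MAC, with a location."""
    rssi_by_mac = defaultdict(lambda: {s: [] for s in SENSORS})
    findings = {}
    for o in observations:
        mac = o["bssid"] if o["type"] == "beacon" else o["sta"]
        rssi_by_mac[mac][o["sensor"]].append(o["rssi"])
        if o["type"] == "beacon" and o["bssid"] not in WHITELIST_APS:
            findings[mac] = "Unauthorized Access Point"
        elif o["type"] == "ibss_beacon":
            allowed = WHITELIST_CLIENTS.get(mac, {}).get("modes", set())
            if "adhoc" not in allowed:           # ad hoc mode not granted to this client
                findings[mac] = "Unauthorized Connection"
        elif o["type"] in ("probe", "data") and mac not in WHITELIST_CLIENTS:
            findings[mac] = "Unauthorized Device"
    events = []
    for mac, kind in findings.items():
        vec = [sum(v) / len(v) if v else -100.0           # -100 dBm = not heard (assumption)
               for v in (rssi_by_mac[mac][s] for s in SENSORS)]
        events.append({"event": kind, "mac": mac, "location": knn_locate(vec)})
    return events


if __name__ == "__main__":
    for e in detect_events(SAMPLE_OBSERVATIONS):
        print(e)
```

The rogue AP is placed within a few metres of the (0, 0) survey point and the unknown phone near (10, 8), which is what lets an operator walk to the device rather than only learn that it exists; the whitelisted client talking to the whitelisted AP generates nothing.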

RANMONITOR offers detection and reporting of threats and attacks against the LTE Radio Access Network (RAN). The main RAN attacks that the tool is able to monitor are the following: full-band or partial interference, protocol-aware jamming, rogue base stations, IMSI catchers (International Mobile Subscriber Identity catchers), and poorly configured base stations.

The tool is based on one or several Radio-Cyber RAN Sensors, which can be deployed anywhere, passively scan the cellular radio spectrum as well as the downlink control channel information, and relay this information to a central processing node (Central Node). This setup enables the system to monitor the cell parameters and status of LTE RAN networks in order to detect, locate, and report threat and attack events, which can also be visualized through a Web User Interface for stand-alone use.

The RANMONITOR concept of operation is similar to RADIOFILTER's; however, the sensors are different, since they are built for LTE RANs. Each monitoring radio-cyber RAN sensor is powered by a standard computer module that performs the signal acquisition and processing, while the monitoring functions are carried out by a cellular radio modem and by a Software Defined Radio (SDR) platform able to scan all surrounding channels. The RANMONITOR tool is suitable for LTE mobile network operators that need to protect the availability of the service from any degradation in a set of cells located in a specific area, in other words, to protect the network users against attacks generated by, e.g., IMSI-catcher devices.

Following a survey that estimates the proper locations, the RAN sensors are placed accordingly and the general parameters of the system are configured, so that in operation a set of threat and attack events is detected by the tool. These threats include a jammer performing a protocol-aware jamming attack, an unintentional interferer causing full-band or partial interference, and rogue base stations.

In the case that an unauthorized LTE cell (rogue base station) comes up and starts broadcasting its physical-layer and system information (physical cell identity, carrier, PLMN, tracking area code, and cell identity), the RANMONITOR tool extracts the base station identification parameters and checks them against the mobile operator's network information, cell list, and cell map databases. An Unauthorized Cell Event is thus detected by the RANMONITOR tool, since this cell is not in the RAN cell list. The new event and its related information appear in the tool's event log table, and the rogue cell is also indicated on the RANMONITOR Web User Interface, including a visualization of the detected cells and bands at the moment of the intrusion. Because a rogue base station may clone the physical cell identity and carrier of a legitimate cell, the comparison should cover the full broadcast identity (PLMN, tracking area code, cell identity) rather than the physical cell identity alone; a known cell suddenly announcing a different tracking area code is itself a classic IMSI-catcher indicator, since it forces the phones in range to perform a tracking area update.
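An added example of the RANMONITOR-style checks, not the tool's own code: decoded cell identities are compared with a constructed operator cell list, and per-resource-block power scans are classified into the interference categories the chapter names. The cell list, the cell observations, the 10 MHz carrier (50 resource blocks), the -110 dBm quiet baseline, the 10 dB margin and the rule that elevation confined to the central six resource blocks (which carry the LTE synchronization signals and PBCH) indicates protocol-aware jamming are all assumptions of this example.

```python
N_RB = 50                                            # 10 MHz LTE carrier = 50 resource blocks (assumed)
SYNC_RBS = set(range(N_RB // 2 - 3, N_RB // 2 + 3))  # central 6 RBs carry PSS/SSS/PBCH

# Operator cell list (constructed): (EARFCN, PCI) -> identity the cell broadcasts in SIB1
CELL_LIST = {
    (1300, 101): {"plmn": "20201", "tac": 0x1234, "eci": 0x0A1B01},
    (1300, 102): {"plmn": "20201", "tac": 0x1234, "eci": 0x0A1B02},
    (6300, 250): {"plmn": "20201", "tac": 0x1235, "eci": 0x0A1C01},
}


def check_cell(obs, cell_list=CELL_LIST):
    """Compare one decoded cell with the operator cell list; return an event name or None."""
    known = cell_list.get((obs["earfcn"], obs["pci"]))
    if known is None:
        return "Unauthorized Cell"                    # PCI/EARFCN pair not in the RAN cell list
    if obs["plmn"] != known["plmn"] or obs["eci"] != known["eci"]:
        return "Cell Identity Mismatch"               # a known PCI reused by another transmitter
    if obs["tac"] != known["tac"]:
        return "Suspicious TAC"                       # new TAC forces a tracking-area update
    return None


def classify_interference(rb_power_dbm, baseline_dbm, margin_db=10.0, min_rbs=3):
    """Heuristic (assumption) over one spectrum scan: which RBs sit margin_db above the
    quiet baseline, and whether that pattern is broadband, sync-targeted, or partial."""
    elevated = {i for i, p in enumerate(rb_power_dbm) if p - baseline_dbm > margin_db}
    if len(elevated) < min_rbs:
        return None
    if len(elevated) >= 0.9 * len(rb_power_dbm):
        return "Full-band Interference"
    if elevated <= SYNC_RBS:
        return "Protocol-aware Jamming"               # only the sync/PBCH region is hit
    return "Partial Interference"


def monitor(cells, scans, baseline_dbm=-110.0):
    """Central-node pass over decoded cells and per-carrier scans; returns the event list."""
    events = []
    for c in cells:
        kind = check_cell(c)
        if kind:
            events.append({"event": kind, "earfcn": c["earfcn"], "pci": c["pci"]})
    for earfcn, rb_scan in scans.items():
        kind = classify_interference(rb_scan, baseline_dbm)
        if kind:
            events.append({"event": kind, "earfcn": earfcn})
    return events


def make_scan(elevated_rbs, level_dbm, baseline_dbm=-110.0):
    """Constructed per-RB power scan: baseline with a little ripple, elevated RBs at level_dbm."""
    return [level_dbm if i in elevated_rbs else baseline_dbm + (i % 3) for i in range(N_RB)]


SAMPLE_CELLS = [  # constructed decoded cells
    {"earfcn": 1300, "pci": 101, "plmn": "20201", "tac": 0x1234, "eci": 0x0A1B01},  # genuine
    {"earfcn": 1300, "pci": 333, "plmn": "20201", "tac": 0x1234, "eci": 0x0FFFFF},  # rogue cell
    {"earfcn": 1300, "pci": 102, "plmn": "20201", "tac": 0x9999, "eci": 0x0A1B02},  # TAC trick
]
SAMPLE_SCANS = {  # constructed scans, one per carrier
    1300: make_scan(set(), -110.0),                  # quiet
    1800: make_scan(set(range(N_RB)), -80.0),        # wideband interferer
    2850: make_scan(SYNC_RBS, -75.0),                # jammer on the sync/PBCH region
    6300: make_scan(set(range(10, 20)), -82.0),      # narrowband interferer
}


if __name__ == "__main__":
    for e in monitor(SAMPLE_CELLS, SAMPLE_SCANS):
        print(e)
```

The identity check deliberately runs in three stages: an unknown PCI/EARFCN pair is the plain rogue-cell case, a known pair with a different cell identity is a clone, and a matching cell that merely changed its tracking area code is the subtler IMSI-catcher pattern that a cell-list lookup alone would miss.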

The present chapter describes the status of the sensors and security measures currently used in critical infrastructures and, additionally, presents novel detection mechanisms that enhance detection, protection, and security against intrusions and modern, sophisticated physical threats. As shown, sensors and tools of various maturity levels are offered to fill the gaps in the physical security of existing CIs and to provide advanced features in the detection and protection processes, addressing current needs in confronting risks and attacks. The concept of employing wireless networks as sensing networks in their own right, by means of firmware methods, is also presented. The foreseen tools apply emerging technologies to address intrusion events in the light of present-day attacks and technology trends.

Apart from describing the detection systems, the aim of this chapter, as far as security is concerned, is also to prove the concept that new types of sensing systems for the detection of modern threats can be successfully integrated into an overall holistic platform that addresses the whole cycle of prevention, detection, protection, response, and mitigation in critical infrastructures, enhancing in the end their overall resilience.

[1] National Center for Education Statistics (IES/NCES), US Department of Education, https://nces.ed.gov/pubs98/safetech/chapter5.asp.
[2] S. Harris, "Physical and Environmental Security," in CISSP Exam Guide, 6th ed., pp. 427-502, USA: McGraw-Hill, 2013.
[3] D. Hutter, "Physical Security and why it is important," GIAC (GSEC) Gold Certification, SANS Institute InfoSec Reading Room, Copyright SANS Institute, 2016, https://resources.infosecinstitute.com/importance-physical-security-workplace/, https://www.sans.org/reading-room/…/physical/physical-security-important-37120.
[4] S. Oriyano, "Physical Security," in CEHv8: Certified Ethical Hacker Version 8 Study Guide, pp. 393-409, Indianapolis, IN, USA: Wiley, 2014.
[5] S. Niles, "Physical Security in Mission Critical Facilities," White Paper 82, rev. 2, APC White Papers, part of the Schneider Electric white paper library produced by Schneider Electric's Data Center Science Center, 2015, https://it-resource.schneider-electric.com/…/wp-82-physical-security-in-mission-critica.
[7] A. H. Michel, "Counter Drone Systems," Center for the Study of the Drone at Bard College, D. Gettinger (Ed.), February 20, 2018, http://dronecenter.bard.edu/counter-drone-systems/.
[8] Al. Kyritsis, R. Makri, M. Gargalakos and N. Uzunoglu, "Active and Passive Methods for the Detection of Drones and Small Airborne Objects," 4th International Conference on Operational Planning, Technological Innovations and Mathematical Applications (OPTIMA 2017), pp. 190-191, Hellenic Military Academy, Athens, Greece, 25-26 May 2017.
[9] M. Ritchie, F. Fioranelli, et al., "Micro-Drone RCS Analysis," 2015 IEEE Radar Conference, Johannesburg, pp. 452-456, October 2015.
[10] Y. Bar-Shalom, et al., "Tracking in a Cluttered Environment with Probabilistic Data Association," Automatica, vol. 11, pp. 451-460, 1975.
[11] T. Pham and L. Sim, "Acoustic detection and tracking of small, low-flying threat aircraft," 23rd Army Science Conf., Orlando, FL, 2002.
[12] W. Shi, G. Arabadjis, B. Bishop, P. Hill, R. Plasse and J. Yoder, "Detecting, Tracking, and Identifying Airborne Threats with Netted Sensor Fence," The MITRE Corporation, Bedford, Massachusetts, USA, in Sensor Fusion - Foundation and Applications, C. Thomas (Ed.), ISBN 978-953-307-446-7, InTech, 2011, available from http://www.intechopen.com/books/.