2024/12 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Ready to go – VAUBAN” 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET / Patching will lead to time-delayed incidents / Retain access to staff email after they leave / Is the user the actual Goliath? / City ISAC Services published / First meeting of Cyber Resilient Regions Community on the 26th of June 2023
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
- Weekly [TLP:RED] for Publicly Elected Officials: Ensure that any AI systems used in the administration are appropriately and formally audited by independent third parties.
- Weekly [TLP:RED] for Essential Services Managers: Forbid the use of AI chat features to avoid inadvertent GDPR infringement you will be held liable for.
- Weekly [TLP:RED] for IT Leaders: Any patches can trigger incidents with significant time-delays. Make sure you have thoroughly mapped services over at least an 18-month time-period.
| Summary |
Hi everyone and hope you are well – three cities joining on Friday morning and especially welcomed one younger lady colleague from one of the cities – maybe a good idea to share our activities with those new in role as well since it might be a good way to help accelerate knowledge creation and their networking?
After doing a webcam tour of snow falling in one city and 28+ degrees being expected in another (wow – seems like middle of summer here in Germany by the way), we discussed the challenges of keeping Exchange server estates patched (especially when they are older versions) and coupled with that the common experience that patching leads to many other outages in legacy systems etc where the protocols do not work with newer patched Exchange. Remember though that these outages are not always immediately apparent – in one situation I have had the failure of an interface due to patching only became visible during the operation of an ANNUAL business process. In the end we laughed realising that most users just want their email and printing to work…
The above then led on to users commonly using their email for document archiving and the importance of retaining access to the email accounts of colleagues that leave the organization (remember you need to get this permission in writing / have an updated IT usage policy). Remember that user behaviour will never follow all policies (i.e., online storage of documents or data classification).
We also reminded ourselves that not all citizens have access to e-government services and got the following insight from Bing Chat:
“**6 percent** of Germans between the ages of **16 and 74** have never used the internet, which amounts to approximately **3.8 million people**. Interestingly, the proportion of “offliners” increases with age: **21 percent** of **65 to 74-year-olds**, **8 percent** of **55 to 64-year-olds**, and only **3 percent** of those under the age of 55 choose to forgo the world wide web¹. Life without the internet can be challenging, especially considering how much daily life has become intertwined with online services, from digital vaccine certificates to booking doctor’s appointments¹. Comparatively, Germany’s situation aligns with the rest of the European Union, where an average of **8 percent** of the population reported not using the internet last year. However, there are significant variations among EU member states, with countries like Ireland, Scandinavia, the Netherlands, and Luxembourg having fewer offliners (less than 5 percent), while Greece, Bulgaria, and Portugal have higher percentages of non-internet users¹.
Source: Conversation with Bing, 06/04/2024
(1) 3,8 million Germans have never used the internet – IamExpat in Germany. https://www.iamexpat.de/expat-info/german-expat-news/38-million-germans-have-never-used-internet.
(2) More than a third of Germans struggle with Internet problems. https://www.de-cix.net/en/about-de-cix/media/press-releases/new-de-cix-survey-more-than-a-third-of-germans-struggle-with-internet-problems-almost-daily.
(3) E-commerce trends in 2021: this is how Germans shop online – Bitkom. https://www.bitkom.org/EN/List-and-detailpages/Press/E-Commerce-Trends-2021.”
Finally, a thought, our logo aims to emphasize that the battle of administrations against the cyber threat is like David against Goliath, maybe it is also the story of cyber security (David) against user behaviour (Goliath)? :
Cheers
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat about how cyber secure smart cities are. The AI responded as per below and “security by design” is probably worth revisiting in most of our digital efforts:
**Smart cities**, with their interconnected infrastructure and reliance on digital technologies, face unique **cybersecurity risks**. Let’s explore some of these challenges:
1. **Man-in-the-Middle Attacks**:
– In such attacks, hackers breach, interrupt, or spoof communications between two systems.
– For instance, in Israel, hackers targeted a commercial irrigation system, remotely turning the water supply on and off. A similar attack on a wastewater system could have severe consequences⁵.
2. **Device Hijacking**:
– With millions of devices operating within smart cities, attackers aim to hijack devices to assume control.
– Users may not even notice their compromised devices.
– Exploiting one device can lead to attacks on other networked devices. For example, a cybercriminal could exploit smart meters to launch ransomware attacks or siphon energy without payment⁵.
3. **Data Theft**:
– Smart cities collect vast amounts of data from surveillance cameras, traffic signals, parking meters, and connected devices.
– Cyberattackers can misuse personal information for fraudulent transactions and identity theft if devices are inadequately secured⁵.
4. **Distributed Denial-of-Service (DDoS) Attacks**:
– These attacks have increased significantly, disrupting infrastructure services and potentially causing financial losses and exposure of citizens’ private data⁶.
5. **Permanent Denial-of-Service (PDoS)**:
– Also known as “phlashing,” PDoS attacks aim for long-lasting damage by rendering devices permanently inoperable⁶.
6. **Complex Cyberattacks**:
– Smart cities face intricate cyber threats, including attacks on critical infrastructures, communication systems, and emergency systems⁷.
To mitigate these risks, smart city leaders must prioritize cybersecurity principles throughout governance, design, and operations. Ensuring secure planning, proactive supply chain risk management, and operational resilience is crucial for building resilient and safe smart cities⁴⁶.
Source: Conversation with Bing, 05/04/2024
(1) What Are the Cybersecurity Risks for Smart Cities?. https://www.idb.org/what-are-the-cybersecurity-risks-for-smart-cities/.
(2) Cybersecurity Best Practices for Smart Cities – CISA. https://www.cisa.gov/sites/default/files/2023-04/cybersecurity-best-practices-for-smart-cities_508.pdf.
(3) Cybersecurity Risk Assessment in Smart City Infrastructures. https://www.mdpi.com/2075-1702/9/4/78.
(4) Cybersecurity Best Practices for Smart Cities | CISA. https://www.cisa.gov/resources-tools/resources/cybersecurity-best-practices-smart-cities.
(5) Making smart cities cybersecure | Deloitte Insights. https://www2.deloitte.com/us/en/insights/focus/smart-city/making-smart-cities-cyber-secure.html.
(6) Secure Smart Cities – National Cybersecurity Center. https://cyber-center.org/ssc/.
(7) Engineers Keep Smart City Systems Secure From Cyber Attacks. https://climate-change.ieee.org/news/smart-city-security/.
(8) Cybersecurity Risk Assessment in Smart City Infrastructures. https://mdpi-res.com/d_attachment/machines/machines-09-00078/article_deploy/machines-09-00078-v2.pdf?version=1617940348.
| In the News |
- CISA Publishes New Webpage Dedicated to Providing Resources for High-Risk Communities: CISA published a new dedicated High-Risk Communities webpage comprised of cybersecurity resources to support civil society communities at heighted risk of digital security threats, including cyber hygiene guidance, a repository of local cyber volunteer programs, and free or discounted tools and services. See https://www.cisa.gov/news-events/alerts/2024/04/02/cisa-publishes-new-webpage-dedicated-providing-resources-high-risk-communities.
- Singapore Sets High Bar in Cybersecurity Preparedness: While Singaporean organizations have adopted the majority of their government’s cybersecurity recommendations, they aren’t immune: More than eight in 10 experienced a cybersecurity incident over the course of the year. See https://www.darkreading.com/cybersecurity-analytics/singapore-sets-high-bar-in-cybersecurity-preparedness.
- Torre Pacheco City Council victim of a ransomware attack. See https://blog.elhacker.net/2024/04/murcia-ayuntamiento-de-torre-pacheco-victima-ransomware-lockbit.html.
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.
| Project “DAVID” (Member Funded) |
No update. #Sigh… still waiting for the final MOU from our Big 5 partner and will publish details as soon as that is formally signed. Two work packages being planned:
- Work Package 1: NIS 2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards the NIS3. However, it is important to note that the outcome should not be used as a gap analysis of the assessor’s current security posture.
- Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, shape the understanding of joint-cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for the Defence in Depth to close respective gaps. Collected raw data will be given to the I4C+ for further analysis .
| Project “VAUBAN” – 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET. |
Ready to go for Monday / tomorrow and the link to connect is https://giorgioprister.my.webex.com/giorgioprister.my/j.php?MTID=mbca8b515933715492e1ffef143d855d8. Please feel free to forward in your networks. Please reach out if you are interested in actively supporting the event. See also https://isac4cities.eu/join-the-battle-for-the-golden-ticket-webinar-about-managing-it-security-april-8-2-to-4-pm-cet.
The basic storyline is:
“A city has just been notified of a pending breach due to third parties having access to the Golden Ticket. The city launches a WebEx with chat to get help from its peers. THIS is the WebEx.
- What does our example city want to do?
- What do our co-moderating cities recommend?
- What do YOU think / recommend?
- What does the hacker think?”
| Project “Regions4Cyber” |
Remember that ECSO launched its Cyber Resilient Regions Community on the 26th of June 2023. The first community meeting is planned for Wednesday 10 April from 3 pm – 4 pm CET. This community is a closed and safe space for Local and regional Authorities (LRAs) CISO’s or similar roles, Managing Directors and other cybersecurity/security or IT specialists to engage in cooperation, best practice exchange, networking, and capacity building to address their cybersecurity resilience. This community is run together with ECSO partners Regione Toscana, Major Cities of Europe (https://majorcities.eu/) and ISAC4Cities (https://isac4cities.eu/). If you are representing a REGION, please contact me and I will forward the invite.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/