2024/13 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: CIS18 Compliance precedes NIS2 Compliance / VAUBAN”  2024 “Battle for the Golden Ticket” with over 60 Participants / CRR Community Webinar on Cyber Skills 22 April 14:30-16:00 / On Prem more secure since we can scan? / Cyber Security Communities of Practice are critical / Arnhem Rail Station shows Adult Videos

** No Call Next Week **

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities of Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Offerings for NIS2 compliance audits are exploding and you will fail. Become CIS18 compliant first.
  • Weekly [TLP:RED] for Essential Services Managers: Need to delay a digital project – ask for the results of the penetration test.
  • Weekly [TLP:RED] for IT Leaders: When your mayor recommends a supplier, add them to the bottom of your shortlist.
Summary

Hi everyone and hope you are well – five cities and one region joining on Friday morning and especially happy to welcome back a city colleague who had been unable to attend due to conflicting meetings – Yes, we missed him!

Started off with a (funny? sad?) story of a colleague who had held a longer meeting on NIS2 with their national security department and was told that they could not provide “out of office hours” support. #sigh… they hold multiple security roles (especially when it comes to crisis communication and decision making) that need 24x7x365 points of contact right?

We then learned there is a hype of NIS2 compliance audit offerings by third parties (sort of like the early days of GDPR) and reflected that the result of any audit will definitely be a “fail”, so the question becomes more one of having a plan than anything else. In this respect, some work we did last year came up with a pretty straightforward solution we as an ISAC can support implementing as well -> List your services, prioritize them by (a) GDPR relevance and (b) operated, map the IT services supporting the selection, do CIS18 on the IT services, create a risk register and then a (multi-year) remediation plan / budget based on that. Any NIS2 audit (or national equivalent) will probably include some unique questions, however with this approach you have all bases covered. As usual, we are available to help resource / structure this effort if you like – just reach out.

We then shared notes on a recent discussion on helping to improve active directory security and reminded ourselves of Purple Knight (see https://medium.com/@jshake/pingcastle-vs-purple-knight-active-directory-security-b818fa7fc36d) – great to learn that one city picked up the recommendation from another and is now using it successfully/actively.

We then got back to the perennial challenge of matching tender requirements with vendor offers / specifications and reminded ourselves that it is up to us to ensure that vendors are matching the tender requirements EXACTLY -> this is what the job of vendor managers is, and don't forget that as we outsource more and more (versus operating on premise) we must get a lot better at this role.

Another interesting point was the story of a colleague who bought on-premise software (that ended up with hundreds of vulnerabilities showing in the relevant preparatory scans) and then wondered whether the SaaS / cloud offering of that software was any better – we don't think so, and at least an on-premise installation lets us see and remediate the vulnerabilities ourselves.

Last week there was also the first meeting of the joint regional cyber security effort led by ECSO. Four regions joined for the kick-off. Lots of interesting questions were shared and above all perhaps the reflection that while regions and cities may be different politically (i.e., see the NUTS region classifications), they may share many similar services depending on size, for example. If you are a city or regional administration and would like to learn more, please contact me and I will forward the invitations.

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about how cyber security communities of practice can help protect our citizens. The AI responded as per below:

“**Cyber Security Communities of Practice** play a crucial role in safeguarding citizens by promoting awareness, knowledge sharing, and collaboration in the field of cybersecurity. Here’s how they contribute to citizen protection:

1. **Raising Awareness**:

   – Communities of practice organize workshops, webinars, and training sessions to educate citizens about cyber threats, safe online practices, and risk mitigation.

   – By disseminating information, they empower individuals to recognize phishing attempts, secure their devices, and protect personal data.

2. **Best Practices Sharing**:

   – These communities facilitate the exchange of best practices among practitioners. By learning from each other’s experiences, members can implement effective security measures.

   – Citizens benefit from these shared insights, as organizations and individuals adopt proven strategies to enhance their cybersecurity posture.

3. **Collaboration and Threat Intelligence**:

   – Communities foster collaboration between government agencies, private companies, and individuals.

   – By sharing threat intelligence, they enhance early detection and response to cyber incidents. This collective effort helps prevent attacks that could harm citizens.

4. **Capacity Building**:

   – Communities provide training and skill development opportunities. This ensures that cybersecurity professionals stay up-to-date with the latest threats and technologies.

   – Well-trained practitioners can better protect citizens by securing critical infrastructure, networks, and services.

5. **Advocacy and Policy Influence**:

   – These communities advocate for stronger cybersecurity policies and regulations.

   – By influencing policy decisions, they contribute to a safer digital environment for citizens.

In summary, Cyber Security Communities of Practice contribute to citizen protection by raising awareness, sharing knowledge, fostering collaboration, and advocating for robust cybersecurity measures. ¹²³⁴⁵.

Source: Conversation with Bing, 13/04/2024

(1) RAISING AWARENESS OF CYBERSECURITY – ENISA. https://www.enisa.europa.eu/publications/raising-awareness-of-cybersecurity/@@download/fullReport.

(2) New EU Cybersecurity Strategy and new rules to make physical and …. https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_20_2391/IP_20_2391_EN.pdf.

(3) Strengthening cybersecurity across the EU: The Cyber Citizen Initiative. https://cybersecurity-centre.europa.eu/news/strengthening-cybersecurity-across-eu-cyber-citizen-initiative-2023-11-09_en.

(4) The Importance of Civil Society in the World of Cybersecurity. https://globalcyberalliance.org/the-importance-of-civil-society-in-the-world-of-cybersecurity/.

(5) Cyber Citizen Initiative | Digital Skills and Jobs Platform. https://digital-skills-jobs.europa.eu/en/inspiration/resources/cyber-citizen-initiative.”

Here is the image it generated for me:

In the News
City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.

The first joint effort we will be tackling is with our colleagues from I-Trust: I-Trust works with assessments of security compliance and digitalization in both the private and the public sector. The results are collected in the I-Trust enablor platform, which is developed for efficient collection and processing of data into benchmarks. I-Trust is an official CIS Controls Supporter and provides a wide range of best practice recommendations for cyber security. See https://i-trust.dk/en/. We will be looking to run a webinar to learn more about the work they are doing with public administrations to benchmark their cyber security efforts and then learn more from participants about the value of doing so. A special offer for joining these efforts will be made to our members.

Project “DAVID” (Member Funded)

Still no update. #Sigh… still waiting for the final MOU from our Big 5 partner and will publish details as soon as that is formally signed. Two work packages being planned:

  • Work Package 1: NIS 2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards the NIS3. However, it is important to note that the outcome should not be used as a gap analysis of the assessor’s current security posture.
  • Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, shape the understanding of joint cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for the Defence in Depth to close respective gaps. Collected raw data will be given to the I4C+ for further analysis.
Project “VAUBAN” – 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET.

We had a great event (https://isac4cities.eu/join-the-battle-for-the-golden-ticket-webinar-about-managing-it-security-april-8-2-to-4-pm-cet) with 60 participants overall (and 50 participants staying over 100 minutes). Thank you again to the colleagues from Potsdam, Prato and Gent for co-moderating! Now looking for an opportunity to run this event face-to-face, so please let me know of any relevant conferences we might be able to approach.

Below a small follow-up from the Potsdam colleagues regarding the decision they made to disconnect their data centre from the Internet you might find interesting (note this is the unedited text from a Google Translate from German to English):

“We had a very difficult time making the decision to separate the systems from the Internet. The evaluation afterwards is correspondingly simple and we also ask ourselves whether it was so necessary and expedient. However, the situation at the time also plays a role.

As a municipality, we operate our own data center and are responsible for citizens’ data. At that time we had no SOC and no EDR/XDR.

The decision to switch off should always be made based on risk.

We had to decide between the following risks:

a) Disconnect system. As a result, the system is checked, hardened, patched and put back into operation. Estimated costs in the lower seven-digit amount / 3-month term / restriction in business processes (damage without costs/loss of business processes).

b) Do not disconnect the system. System is/is compromised and we have to rebuild everything from scratch. Estimated costs over 30 million / 24 months duration / restriction in business processes (damage without costs/loss of business processes)

In both cases, the costs of business processes, legal costs and potential data protection penalties are not included.

What remains is the assessment of the probability of occurrence. Due to the LKA’s advice, this went from high to very high for both cases. If I weigh up both risks against each other, from my point of view the decision in a) was logical and I would still vote for it today.”

Project “Regions4Cyber”

Subject: [Webinar] Skills for cybersecurity: from basic cyber hygiene to advanced capabilities. A challenge for citizens, businesses and Public Administrations – 22nd April, 14:30-16:00 

Dear European Local and Regional Authorities, ECSO would like to invite you to participate in its “Skills for cybersecurity: from basic cyber hygiene to advanced capabilities. A challenge for citizens, businesses and Public Administrations” Webinar, taking place on the 22nd of April, from 14:30 to 16:00. This webinar is organised in the framework of the European Year of Skills.

The webinar is part of the Cyber Resilient Regions Community (CRR) initiative run by ECSO with Tuscany Region, Major Cities of Europe and EU City ISAC I4C+. The session focuses on cybersecurity skills with a look at challenges and opportunities and the involvement of a broad EU audience.

The webinar will be an open debate with presentations from ECSO on its Road2Cyber Platform followed by regional initiatives from the Tuscany and Brittany regions focusing on how the territories are advancing at different levels from basic cyber hygiene to advanced skills. Then, we will proceed to an open panel discussion with the presenters and the audience.

The Cyber Resilient Regions Community (CRR) initiative aims to build a European community of Local and Regional Authorities (LRAs) that have a desire to increase their digital resilience. It will engage LRAs' Chief Information Security Officers (CISOs) and related roles, and IT or security specialists that have cybersecurity responsibilities, into a community that aims to increase LRAs' cybersecurity resilience. Surveys, events, chats with experts and peers are among the activities promoted within the CRR initiative.

If you are interested in joining, please register at the following link: https://events.teams.microsoft.com/event/0ba49be5-0ac2-4d35-b4d1-d54115634b3b@07daeece-77f0-4a62-882f-a7a4ce502054. This webinar is open access, so if you know other organisations that would be interested in joining, do not hesitate to share this link.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  