2024/18 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Webinar “Accelerating NIS2 Compliance with Benchmarking and AI Support” – 15:00-16:30 CET – Monday, 3rd June 2024 / Run your services on free pilot licenses / Ensure pilot GDPR and Security compliance BEFORE launching / Do not change to make your vendors profitable / Make sure you backup to another cloud provider for DR
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He leads this effort on behalf of MCE and is the responsible contact person. I4C+ is recognized by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal, sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: You could run many services on temporary pilots based on free pilot licenses.
- Weekly [TLP:RED] for Essential Services Managers: Get GDPR compliance confirmation BEFORE you pilot.
- Weekly [TLP:RED] for IT Leaders: An isolated test environment with up-to-date security monitoring that allows third party pilot installs can be quite helpful.
| Summary |
Hi everyone, and I hope you are well. Three cities joined from Belgium, Estonia and Italy on Friday morning (plus the head of Major Cities Europe) to spend our hour learning more about a planned AI pilot at one of our member cities; the project manager took us through the experiences of setting up a free pilot in their testing environment.
The aim of the session was to learn more about the “real” story of the project (versus what various news releases were communicating), and we received an excellent brief on the effort. Simply put, this project is in the process of being set up to implement AI-enhanced edge computing devices in public buses to monitor traffic violations, with a planned extension to monitor the condition of infrastructure along the travel routes (e.g., fire hydrants, road surface). We learned a lot about the flanking efforts needed to resolve GDPR-related questions, the opportunities offered by edge computing to manage and evaluate the locally captured data, and explored what makes this “AI” in this sort of context (versus being simply some sort of enhanced image recognition system).
The pilot is planned to run initially in an isolated local sandpit environment, with only notifications containing minimum information being communicated to the central (micro-segmented) systems. There are questions around the future business model (i.e., revenue sharing partnerships based on penalty fees), and in the course of the discussion we learned that in some other cities the contracts will actually impose responsibilities on administrations to REDUCE traffic management measures (e.g., speed bumps) to enable appropriate revenue generation – highly questionable in our opinion for many reasons. Strange world, and lots of story sharing about how similar efforts are happening in other administrations. The future tendering requirements were of course also explored, with some interesting insights.
So, what does all of this have to do with cyber security? Well, this is a typical situation where innovative digital projects are being launched and cyber security requirements must be addressed at the outset to avoid running into major problems later down the road. Encouragingly, the project is reaching out to national authorities to gain permissions in various spaces (e.g., GDPR) for the pilot, while it is still open whether the (emergent) security requirements (e.g., for https://certification.enisa.europa.eu/index_en) will be met. Many questions are now popping up that will be critical to resolve before even piloting. Really positive was the ability to discuss the various experiences of the colleagues joining. Piloting thus becomes perhaps more of a learning experience, to then set up a NEW project properly (remember that tendering may actually exclude the piloting vendor). Before I forget – regarding the example described above – the vendor is US-based and it was unclear whether they would be storing any captured data on US-based servers, which is sort of a GDPR problem as we know.
Overall, a very interesting session and we look forward to further opportunities to learn more “real” stories – from a cyber perspective, the earlier we can get involved with “smart” / “digital” projects the better of course.
[Image: AI-generated illustration of a cyber secure sandpit for digital pilots]
Cheers
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat about why it is important for public administrations to have data processing agreements with all relevant subcontractors. The AI responded as per below:
“**Data processing agreements (DPAs)** play a crucial role in ensuring the responsible handling of personal data by public administrations and their subcontractors. Here’s why they are important:
1. **Legal Compliance**: DPAs are essential for complying with data protection laws, such as the **General Data Protection Regulation (GDPR)** in the European Union. These agreements establish the responsibilities, obligations, and liabilities of both the data processor (subcontractor) and the data controller (public administration) regarding data processing activities³. By having a DPA in place, public administrations demonstrate their commitment to safeguarding individuals’ privacy rights.
2. **Privacy Protection**: DPAs help protect the privacy of individuals whose data is being processed. They ensure that personal data is handled securely, transparently, and in accordance with legal requirements. Public administrations must be aware of the key principles of data protection, including informing individuals about data processing activities².
3. **Risk Mitigation**: DPAs define the roles and responsibilities of each party involved in data processing. By clarifying these aspects, DPAs reduce the risk of misunderstandings, breaches, or unauthorized data handling. When subcontractors understand their obligations, the likelihood of data mishandling decreases.
4. **Accountability**: DPAs promote accountability. Public administrations can demonstrate their commitment to responsible data management by having clear agreements in place. If a subcontractor fails to comply with the DPA, the public administration can take appropriate action, including imposing sanctions².
5. **Transparency**: DPAs enhance transparency by specifying how data will be processed, stored, and protected. When individuals request access to their data, public administrations can efficiently respond based on the agreed-upon terms.
In summary, DPAs are vital tools for ensuring legal compliance, protecting privacy, and maintaining trust in data processing practices within public administrations and their subcontractor relationships³. By adhering to these agreements, public administrators can uphold the integrity of their data management processes and better serve their constituents.
Source: Conversation with Bing, 22/05/2024
(1) Complete Guide for Data Processing Agreement (DPA). https://www.relyservices.com/blog/data-processing-agreement-guide .
(2) Public administrations and data protection – European Commission. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/public-administrations-and-data-protection_en.
(3) Taking data seriously: A call to public administrators – Policy Options. https://policyoptions.irpp.org/magazines/april-2022/taking-data-seriously-a-call-to-public-administrators/.
(4) Data Processing Agreement (DPA): Definition, Importance, and Key Components. https://www.usemultiplier.com/glossary/data-processing-agreement.
(5) What Is a DPA? Data Processing Agreements Explained – Termly. https://termly.io/resources/articles/data-processing-agreement/. ”
| In the News |
- “Unprecedented” Google Cloud event wipes out customer account and its backups https://arstechnica.com/gadgets/2024/05/google-cloud-accidentally-nukes-customer-account-causes-two-weeks-of-downtime/?utm_campaign=DAM&utm_medium=email&_hsenc=p2ANqtz-_XzChxboHkGr01D770EKJu9LcOlUZvDJ8HWvrR2uGHKd9SyC06h1OyHB2SFdyGw0W-yjEwEFcHX5NRG0KFU6jxl8NXSi1TQLw6ofYvmWcsi8lY3Eo&_hsmi=307860724&utm_content=307860724&utm_source=hs_email. Make sure you backup to another cloud provider!
- Microsoft to start enforcing Azure multi-factor authentication in July https://www.bleepingcomputer.com/news/microsoft/microsoft-will-start-enforcing-azure-multi-factor-authentication-MFA-in-july-2024/?utm_campaign=DAM&utm_medium=email&_hsenc=p2ANqtz-_BAYv3LlRV5NuX2Rt49w-iWVUfbl_Hjdyx0i6qeP_zyVqtLet_tv25uHkKoJqGT3vBDRBWDhdCVh3kIfCxD2GvXepl0aHcgByRGj5rfpEvxq6cV_w&_hsmi=307860724&utm_content=307860724&utm_source=hs_email.
- IBM Institute for Business Value released the report “Unify your fragmented security: Accelerate transformation with platformization. As cyberattacks increase, organizations need to build resilience with a platform-wide approach to scale efficiency and automation. A report in partnership with Palo Alto Networks.” https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/next-gen-platform-cybersecurity?utm_medium=Email&utm_source=Outbound&utm_content=IBVWW&utm_term=20MFX&utm_campaign=196365&utm_id=OutboundMK1ENCTA2&mkt_tok=Mjk4LVJTRS02NTAAAAGTNe6VuDvdYrzzAjoOt7W_h1us1eFX_4btPdltMd1En2rVJ_GBFZ3k69o26yUPLVjW4E76m2kftwD0j54rRkaZdA-w6bgtbpnutTT52aepmcMcVazw.
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.
One key service is about “Creating Intelligence” and related to (Joint) Cyber Awareness Building I – Shared Holistic View: With expert partners, we run intensive three-day workshops that enable your organisation to develop a profound understanding of the cybersecurity issues it faces. The goal of the workshops is to facilitate your organisation’s identification and description of its most critical assets and their cybersecurity vulnerabilities. We will enable you to develop a holistic picture of the cybersecurity situation and associated vulnerabilities, in your organisation, and help you to formulate actions to mitigate any potential downside effects.
We now also have a date/time for our webinar on “Accelerating NIS2 Compliance with Benchmarking and AI Support” – See https://isac4cities.eu/webinar-on-accelerating-nis2-compliance-with-benchmarking-and-ai-support-1500-1630-cet-monday-3rd-june-2024.
15:00-16:30 CET – Monday, 3rd June 2024
Language of the webinar: English
This webinar is organised by the EU City ISAC I4C+ and Major Cities Europe in association with the Danish cyber benchmarking company i-Trust, the US-based Public Technology Institute and the ECSO Cyber Resilient Regions Community.
The webinar focuses on helping local and regional public administrations to accelerate their journey to NIS2 compliance with the help of generally available AI solutions such as Microsoft Co-Pilot in combination with expert assessment questions that also allow for benchmarking across local and regional public administrations across the European Union.
The webinar will be an open debate building on a presentation of the Enablor benchmarking platform from i-Trust and how it is used in practice by a public administration on its path to NIS2 compliance, a demonstration of how Microsoft Co-Pilot can be used to effectively explore the assessment questions and an open panel discussion with the presenters and the audience.
The webinar will help public administrations master the growing challenge of achieving NIS2 compliance through benchmarking, simple AI, and peer-to-peer knowledge sharing.
The webinar is intended to inform publicly elected officials, essential service managers, and IT managers.
Programme
15:00 – 15:05 Welcoming remarks by the EU City ISAC I4C+
15:05 – 15:15 Enablor Platform Presentation (Klaus Kristensen / Kristian Asmussen – i-trust)
15:15 – 15:20 Q&A
15:20 – 15:30 The Enablor experience of the Municipality of Aabenraa, Region of Southern Denmark, Denmark (Thomas Majholt – Aabenraa)
15:30 – 15:35 Q&A
15:35 – 15:45 Using AI to accelerate NIS2 Compliance (Dr. Alan Shark – Public Technology Institute. Author of “AI – A Primer for State and Local Governments”)
15:45 – 15:50 Q&A
15:50 – 16:20 Panel discussion moderated by Dr. Oliver Schwabe (EU City ISAC I4C+)
16:20 – 16:30 Conclusions and next steps
| Project “VAUBAN” – 2024 Multi-ISAC Tabletop |
You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water, etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October, and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot on the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to help jointly. Stay tuned!
| Project “Regions4Cyber” |
No updates.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/