2024/22 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Do your IoT solutions comply with the Laws of Robotics? / IT Security is only the “Executive” function / Controls are key – and you need three

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: Officially champion security measures – IT is only your executive.
  • Weekly [TLP:RED] for Essential Services Managers: Ensure you can initiate disciplinary action for policy breaches.
  • Weekly [TLP:RED] for IT Leaders: Do not act as “proxy” for business – act as their “executive”.

Summary

Hi everyone and hope you are well – five cities joined from Belgium, Croatia, Estonia, Ireland and Italy on Friday morning, and it seems some of our nations are currently subject to massive cyber attacks, especially in healthcare, telecoms, finance and government ministries. The main driver appears to be public statements by elected officials related to international affairs, which are causing the targeted nations to redirect some of their hacking resources. Personally I do find the healthcare focus to be especially repulsive, however it does seem that “ethics” are no longer a relevant theme in conflict – do the https://en.wikipedia.org/wiki/Geneva_Conventions apply in cyber warfare?

As we swapped incident stories one especially sticks in my memory – in one hospital the automated trolleys began moving independently! We are unsure whether this was due to losing contact with the central control system (and hence executing the default local programs for such a case, i.e., something like “return to charging station”) or something else. The point though is that control was lost over them… This should be a fundamental concern for any IoT based solution – what happens when we lose central control?

The above then got us into discussions on the perennial challenge of password security, with one example where an admin password in a critical legacy system was a single character only. The organisation decided this was acceptable since users had to first pass GAD security to get to that application; however, let us be honest, this is simply not acceptable. This then brought us to the issue of controls and that in the end we need THREE for every (CIS18 or similar) security line item, namely (a) a control in the form of a policy, i.e., minimum password requirements, (b) a control monitoring for policy compliance, and (c) a control enforcing remediation of any compliance breaches. Remember that controls prevent a situation from getting worse, while treatments actually reduce the impact of the control failure.

Implementing a control is something that IT/Security does as the “proxy” for the business, and as proxies we are often subject to significant push-back from users. The moment we can solicit business leadership on the controls though, that push-back will be significantly reduced. We must make sure that senior business leadership champions our controls and that IT/Security is only the “executive”. Enforcing controls becomes impossible the moment users do not face disciplinary action for non-compliance, and that is only possible if business leadership makes it their own agenda.

We wrapped up with a discussion raised by one member about whether it is better to have one complex password that remains unchanged versus permitting weaker passwords that change regularly. The truth is probably somewhere in between, and MFA can help extend the time windows between mandatory password changes. In the end, however, we need to reflect on why we are trying to avoid complex passwords, MFA and short intervals between changes (since this is a largely automated process). Are we reluctant because we are worried about user reactions? Again, perhaps evidence that security is a social phenomenon?
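As an added illustration (not part of the weekly update), here is a Python sketch of the three controls for a single password line item: the policy, a monitor comparing audited systems with it, and a remediation step that turns every breach into an enforced action. It also encodes the point above that MFA can extend the rotation window. The policy values, field names and system records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """Control (a): the written policy, i.e. the minimum password requirements."""
    min_length: int = 14
    max_age_days_with_mfa: int = 365     # MFA lets the rotation window grow
    max_age_days_without_mfa: int = 90

@dataclass(frozen=True)
class SystemRecord:
    """Constructed audit snapshot of one system's configured settings."""
    name: str
    configured_min_length: int
    mfa_enforced: bool
    oldest_admin_password_age_days: int
    behind_gateway: bool  # users must pass a gateway first; NOT an exemption

def monitor(policy: PasswordPolicy, records: list[SystemRecord]) -> list[dict]:
    """Control (b): compare every system with the policy and report each breach.
    behind_gateway is deliberately ignored: a gateway does not excuse a weak admin password."""
    findings = []
    for r in records:
        if r.configured_min_length < policy.min_length:
            findings.append({"system": r.name, "issue": "min_length",
                             "actual": r.configured_min_length, "required": policy.min_length})
        max_age = (policy.max_age_days_with_mfa if r.mfa_enforced
                   else policy.max_age_days_without_mfa)
        if r.oldest_admin_password_age_days > max_age:
            findings.append({"system": r.name, "issue": "max_age",
                             "actual": r.oldest_admin_password_age_days, "required": max_age})
    return findings

def remediate(findings: list[dict]) -> list[str]:
    """Control (c): every finding maps to an enforced action, never to a waiver."""
    actions = []
    for f in findings:
        if f["issue"] == "min_length":
            actions.append(f"{f['system']}: raise configured minimum length to "
                           f"{f['required']} and force a reset of all admin passwords")
        else:  # max_age
            actions.append(f"{f['system']}: force rotation of admin passwords older "
                           f"than {f['required']} days ({f['actual']} days found)")
    return actions

SAMPLE_SYSTEMS = [  # constructed data; the first mirrors the one-character admin password case
    SystemRecord("legacy-billing", 1, False, 400, True),
    SystemRecord("hr-portal", 14, True, 200, False),
    SystemRecord("gis-server", 14, False, 120, False),
]
```

Running `remediate(monitor(PasswordPolicy(), SAMPLE_SYSTEMS))` yields three actions: two for the legacy system (length and age) and one rotation for the non-MFA server whose passwords passed 90 days, while the MFA-protected portal at 200 days is still compliant.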

The image below is Copilot's attempt to create a picture of the Three Laws of Robotics (https://en.wikipedia.org/wiki/Three_Laws_of_Robotics).

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about the relationship between IoT and the Laws of Robotics. The AI responded as per below:

“The relationship between the Internet of Things (IoT) and Asimov’s Laws of Robotics lies in the ethical and operational principles that guide the behavior of autonomous systems. Here are some key points:

1. **Safety and Harm Prevention**: Asimov’s First Law states that a robot may not harm a human or allow a human to come to harm. Similarly, IoT devices, especially those in critical applications like healthcare or autonomous vehicles, must be designed to prioritize user safety and prevent harm.

2. **Obedience and Control**: The Second Law requires robots to obey human orders unless it conflicts with the First Law. IoT devices often follow commands from users or central systems, but they must also have safeguards to prevent actions that could cause harm.

3. **Self-Preservation**: The Third Law emphasizes a robot’s need to protect its own existence as long as it doesn’t conflict with the first two laws. IoT devices need to maintain their functionality and security to continue providing services without causing harm or becoming compromised.

4. **Ethical Considerations**: Asimov’s Zeroth Law, which prioritizes humanity’s welfare, can be extended to IoT systems. These devices should be designed with ethical considerations to ensure they contribute positively to society and do not pose broader risks.

In essence, while IoT devices are not robots in the traditional sense, the principles behind Asimov’s Laws can guide their development and deployment to ensure they operate safely, ethically, and effectively¹²³.

Source: Conversation with Copilot, 08/07/2024

(1) Three laws of robotics | Definition, Isaac Asimov, & Facts. https://www.britannica.com/topic/Three-Laws-of-Robotics.

(2) Three Laws of Robotics – Wikipedia. https://en.wikipedia.org/wiki/Three_Laws_of_Robotics.

(3) Asimov’s laws of robotics: implications for information technology-Part …. https://cse.buffalo.edu/~rapaport/Papers/Papers.by.Others/clarke-asimov-1.pdf.

(4) Asimov’s Three Laws of Robotics, Applied to AI – Psychology Today. https://www.psychologytoday.com/ie/blog/the-digital-self/202310/asimovs-three-laws-of-robotics-applied-to-ai.

(5) A retrospective of Isaac Asimov at 102 and his Three Laws – Science | AAAS. https://www.science.org/doi/pdf/10.1126/scirobotics.adg3178.”

In the News

City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water, etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help.

After a few discussions we are going to explore an initial scenario where the task of the Red Team is to gain access to the disaster recovery solution for critical services operated by a local administration and to then inject a malware loader into that.

We were delayed in convening the RED TEAM planning activity and will launch that shortly – if you are interested in joining, please let me know.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
