2024/23 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Risk Bowties are powerful tools / Your own “murks” is healthier / Cyber Exercise at EU ISACs Summit 2024 confirmed / Benefits of Benchmarking against Peers / Gen AI for reduced data gathering effort?
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: Overestimating project costs funds critical daily work.
- Weekly [TLP:RED] for Essential Services Managers: An imperfect “citizen” solution is better for mental health than an imperfect “supplier” solution.
- Weekly [TLP:RED] for IT Leaders: Patch network devices with 24-hour delay to see effect in other organisations first.
| Summary |
Hi everyone and hope you are well – four cities joined from Bulgaria, Estonia, Ireland and Italy on Friday morning and it seems no one was directly impacted by the recent CrowdStrike incident. Two colleagues joined us from their official vacations – having a good conversation is always worth the effort! Indeed, our to-do lists never get shorter and I will admit to also sometimes using vacation days (or weekend mornings) to catch up on things that need to get done. Some colleagues also have no-one else to pick up the phone when the official security ministries / organisations call to inform them of a potential threat – “Solo mio”… The image below is Co-Pilot’s attempt to create a picture of us individual artists…

This then got us thinking about how “Do It Yourself” for many solutions at least gives us the comfort of knowing that it is our own fault if something goes wrong (versus paying premium money for third parties to provide flawed solutions). One colleague from Germany calls these imperfect solutions “murks”, and your own “murks” is often more tolerable than the “murks” of suppliers. Personally, I get less annoyed by imperfect solutions I implemented myself – and hey, any solution is going to be imperfect – so take care of your mental health and try to “do it yourself” as much as possible.
We also looked at the cyber security bowtie of one colleague – just google this for some basic examples – and reflected on its role of connecting business and IT contexts. The basic structure from left to right is (a) the root causes of incidents, e.g., a phishing attack, leading to (b) a security event, e.g., a ransomware situation, that then has (c) a business impact, e.g., inability to deliver e-government services. Preventative controls sit to the left of the security event, detective/remediating controls sit to the right of it, and directive controls underlie the whole picture. For this colleague it is proving to be highly effective as the framework for implementing controls and simple enough to create the business ownership needed to ensure the controls are doing what they are supposed to do. On a side note, you may be interested to hear that regarding password policies (a directive control), one colleague is rolling out Windows Hello and migrating staff to a policy where the password only changes once per year; service accounts will also change with the same frequency. All service accounts have VERY long, complex passwords, and user passwords will be complex and a minimum of 15 characters, supported by a ban list. Designing bowties is an art and we have many TLP:RED examples to share in personal conversations if you are interested. Let me know if you are interested in a small session to review your own controls framework from the bowtie perspective – a very powerful approach.
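To make the left-to-right structure concrete, here is an added Python sketch of a bowtie as a data structure with the three control kinds the paragraph names. It is not the colleague's bowtie or any tool the group uses; the top event, threats, consequences and control names are constructed for illustration, and the three coverage checks (uncovered paths, controls drawn on the wrong side, controls with no business owner) are the questions such a review session would ask of any bowtie.

```python
"""Bowtie as a checkable model: threats -> top event -> consequences, controls on each path.

Added example with constructed sample data; not a real city's bowtie.
"""
from dataclasses import dataclass, field

PREVENTIVE = "preventive"                # left of the top event: stops a threat from triggering it
REACTIVE = "detective/remediating"       # right of the top event: detects and limits the business impact
DIRECTIVE = "directive"                  # underlies the diagram: policies that steer behaviour


@dataclass(frozen=True)
class Control:
    name: str
    kind: str          # PREVENTIVE, REACTIVE or DIRECTIVE
    owner: str = ""    # business owner accountable that the control works; "" means unassigned


@dataclass
class Bowtie:
    top_event: str
    threats: dict = field(default_factory=dict)       # threat -> [controls on that path]
    consequences: dict = field(default_factory=dict)  # consequence -> [controls on that path]
    directive: list = field(default_factory=list)     # directives under the whole diagram

    def uncovered_paths(self) -> dict:
        """Paths that lack a control of the kind their side of the bowtie needs."""
        gaps = {"threats": [], "consequences": []}
        for threat, controls in self.threats.items():
            if not any(c.kind == PREVENTIVE for c in controls):
                gaps["threats"].append(threat)
        for consequence, controls in self.consequences.items():
            if not any(c.kind == REACTIVE for c in controls):
                gaps["consequences"].append(consequence)
        return gaps

    def misplaced_controls(self) -> list:
        """Controls drawn on the wrong side, e.g. a detective control on a threat path."""
        wrong = []
        for threat, controls in self.threats.items():
            wrong += [f"{c.name} ({c.kind}) on threat path '{threat}'"
                      for c in controls if c.kind != PREVENTIVE]
        for consequence, controls in self.consequences.items():
            wrong += [f"{c.name} ({c.kind}) on consequence path '{consequence}'"
                      for c in controls if c.kind != REACTIVE]
        return wrong

    def ownerless_controls(self) -> list:
        """Controls nobody owns: these are the ones that silently stop working."""
        path_controls = [c for cs in list(self.threats.values()) + list(self.consequences.values()) for c in cs]
        return sorted({c.name for c in path_controls + self.directive if not c.owner})

    def render(self) -> str:
        """Plain-text left-to-right view: threats | top event | consequences, directives underneath."""
        lines = [f"TOP EVENT: {self.top_event}"]
        for threat, cs in self.threats.items():
            lines.append(f"  {threat}  --[{', '.join(c.name for c in cs) or 'NO CONTROL'}]-->  *")
        for consequence, cs in self.consequences.items():
            lines.append(f"  *  --[{', '.join(c.name for c in cs) or 'NO CONTROL'}]-->  {consequence}")
        lines.append("  underlying directives: " + (", ".join(c.name for c in self.directive) or "none"))
        return "\n".join(lines)


def example_bowtie() -> Bowtie:
    """Constructed ransomware bowtie for an e-government service (illustrative names only)."""
    return Bowtie(
        top_event="ransomware on the e-government platform",
        threats={
            "phishing e-mail": [Control("mail filtering", PREVENTIVE, "IT operations"),
                                Control("staff awareness training", PREVENTIVE, "HR")],
            # wrong kind of control on this path, and therefore also an uncovered path
            "exploited unpatched network device": [Control("SIEM alert on new admin login", REACTIVE, "SOC")],
            "stolen credentials": [Control("Windows Hello / MFA", PREVENTIVE, "IT operations")],
        },
        consequences={
            "e-government services unavailable": [Control("offline backups and restore test", REACTIVE, "service owner")],
            "citizen data exfiltrated": [],   # nothing on the right-hand side yet
        },
        directive=[
            Control("password policy: 15+ characters, ban list, yearly rotation", DIRECTIVE, "CISO"),
            Control("patch network devices after a 24-hour observation delay", DIRECTIVE),  # no owner assigned
        ],
    )


if __name__ == "__main__":
    bt = example_bowtie()
    print(bt.render())
    print("uncovered:", bt.uncovered_paths())
    print("misplaced:", bt.misplaced_controls())
    print("ownerless:", bt.ownerless_controls())
```

The three checks are what turns a diagram into a controls framework: every threat path needs something preventive on it, every consequence path something detective or remediating, and every control needs a named business owner, otherwise nobody notices when it stops doing what it is supposed to do.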
Good news shared was also that we are now confirmed to be participating at the EU ISACs Summit 2024 at ENISA premises on 17-18 October (https://www.enisa.europa.eu/events/eu-isacs-summit-2024/eu-isacs-summit-2024), where our cyber exercise is also confirmed. Key representatives of EU ISACs will meet in person and exchange knowledge and information on their activities, successes and challenges, as well as have an opportunity to meet with ENISA staff and learn about ENISA’s work. A representative of the European Commission and one from the European Cybersecurity Competence Centre will also attend the meeting.
Finally, we reminded ourselves of the [Cyber Resilient Regions Community] European Local and Regional Authorities Cybersecurity Community Meeting on Monday 29 July at 11 am CET. Open to all public administrations so please let me know if you are missing the invite and I will forward. The meeting will be led by Gianluca Vannuccini, CIO of Tuscany Region.
Before I forget, what we did not discuss is one activity of a member to implement GenAI to run structured risk review sessions to improve quality of data gathered while reducing manual effort. Further use to investigate for potential data patterns and key systemic risks is also planned.
Cheers
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat about what a risk bow tie is. The AI responded as per below:
“A risk bow tie is a visual tool used in risk management to help identify, analyze, and manage risks. The diagram is shaped like a bow tie, creating a clear differentiation between proactive and reactive risk management. Here’s a brief overview of the components of a risk bow tie:
1. **Hazard**: The starting point of the bow tie, representing something that has the potential to cause harm.
2. **Top Event**: The moment when control over the hazard is lost, but no damage has occurred yet.
3. **Threats**: Factors that can cause the top event to occur.
4. **Consequences**: The potential outcomes if the top event happens.
5. **Barriers**: Measures in place to prevent the top event from occurring (proactive) or to mitigate the consequences if it does occur (reactive).
The power of a bow tie diagram is that it provides an overview of multiple plausible scenarios in a single picture, making it easier to understand and communicate risks¹²³⁴⁵⁶.
Source: Conversation with Copilot, 27/07/2024
(1) The bowtie method – Barrier Based Risk Management Knowledge base …. https://www.wolterskluwer.com/en/solutions/enablon/bowtie/expert-insights/barrier-based-risk-management-knowledge-base/the-bowtie-method.
(2) BowTie: a visual tool to keep an overview of risk management practices. https://www.gov.uk/government/news/bowtie-a-visual-tool-to-keep-an-overview-of-risk-management-practices.
(3) Bow Tie Methodology for Assessing Risks & Identifying Controls. https://bing.com/search?q=risk+bow+tie.
(4) Bow Tie Method of Risk Assessment – Tracker Networks. https://www.trackernetworks.com/risk-bow-tie-enterprise-risk-management.
(5) Why use a bowtie as a risk management tool | Wolters Kluwer. https://www.wolterskluwer.com/en/expert-insights/bowtie-as-a-risk-management-tool.
(6) Basic Principles of a Bow Tie Analysis – Protecht – The Protecht Group. https://www.protechtgroup.com/en-au/blog/basic-principles-bow-tie-analysis.
(7) en.wikipedia.org. https://en.wikipedia.org/wiki/Bow_tie.”
| In the News |
- Tuscany Region, in collaboration with ECSO, is organising a Networking & Brainstorming Event titled “European Regions & the progressive uptake of AI: what skills to protect and empower citizens?”. The event will take place in RT’s headquarters in Brussels on the 18th of September. The event aims at involving experts, stakeholders and practitioners to explore means of protecting and empowering citizen and territories when facing new threats coming from AI, with a look at public policies and strategies. They are looking for expert speakers who could join the round table in person, to bring the experience of their regions or organisations on topics linked to AI. Please let me know if you are interested and I will share more details / make introductions.
- ‘Serious hacker attack’ forces Frankfurt university to shut down IT systems https://therecord.media/serious-hacker-attack-shutdown-frankfurt
- New Cyber Calls out: https://ec.europa.eu/info/funding-tenders/opportunities/docs/2021-2027/digital/wp-call/2024/call-fiche_digital-eccc-2024-deploy-cyber-07_en.pdf
- Attack on Frankfurt University of Applied Sciences https://www.hessenschau.de/panorama/hacker-attacke-auf-frankfurter-university-of-applied-sciences-v1,uas-frankfurt-hacker-100.html
- Greece’s Land Registry agency breached in wave of 400 cyberattacks https://www.bleepingcomputer.com/news/security/greeces-land-registry-agency-breached-in-wave-of-400-cyberattacks/
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.
In our socialising of the I-Trust/Enablor benchmarking offer we are slowly moving ahead with various presentations and discussions. Most of the colleagues already follow and are accredited against various standards for their cyber security needs (e.g., the UK government-recommended Cyber Essentials Plus framework (About Cyber Essentials – NCSC.GOV.UK) and IASME), as well as a number of other assessments such as the NCSC CAF (Cyber Assessment Framework – NCSC.GOV.UK). The main concern is that you can have too much of a good thing: any additional baselining or benchmarking would really need to come at the expense of stopping something else, and risks duplicating compliance work in a number of areas – the requests for extensive further cyber-related information for cyber security insurance being one example. We do however see that comparing assessments between public administrations can be a very helpful learning experience, and for an effective conversation a common standard (like CIS18 etc.) with relevant reporting should be used. So yes, additional effort, but well worth it to “sharpen the axe”.
| Project “VAUBAN” – 2024 Multi-ISAC Tabletop |
You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help.
After a few discussions we are going to explore an initial scenario where the task of the Red Team is to gain access to the disaster recovery solution for critical services operated by a local administration and to then inject a malware loader into that.
We were delayed in convening the RED TEAM planning activity and will launch that shortly – if you are interested in joining, please let me know.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe. Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/