2024/31 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Key Incident Scenarios to Agree / Integrate with Strategic Roadmap of Administration / Maintain your own Backups / Remember Cyber Awareness Month


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: Ensure your strategic roadmap has a cyber component.
  • Weekly [TLP:RED] for Essential Services Managers: Maintain your own backups on different servers.
  • Weekly [TLP:RED] for IT Leaders: Ongoing network scanning for files containing passwords is a must.

Summary

Hi everyone, I hope you are doing well. Four cities / regions joined from Bulgaria, Croatia, Estonia, and Ireland on Friday morning (plus colleagues from ENISA) and enjoyed a colleague sharing how they are working through the national association of municipalities to diffuse the cyber theme to the hundreds of smaller public administrations (like the way last week we heard about a region implementing SOCs for these organisations as well). Cyber is an integral part of the work of such associations and by default should also be an integral part of the strategic roadmaps these administrations should have in any case – THAT is where cyber needs to be “embedded” for sustainable success.

One colleague then shared some stories around how they were detailing the “Comply-Secure-Contain” approach with key incident scenarios to secure themselves against, i.e., Standard Ransomware Attack, Data Exfiltration Attack with Ransomware as Cover, Data Exfiltration Attack with Accidental Change of Data, Overwrite Wiper Attack, and Encryption Wiper Attack. Specifically, each scenario is being agreed with senior leadership and then detailed as per the example below to set the foundation for longer term planning:

Standard Ransomware Attack: A threat-actor gains access to GAD and conducts a standard ransomware attack with payment demand.

  1. An email phishing campaign occurs. Automated tooling quickly identifies the phishing campaign and blocks it. Some emails are however delivered before the block occurs.
     • Control: Preventative – User awareness
     • Treatment: Mitigate – Invest to increase detection / reaction speed of automated tooling
     • Investment request to improve tooling
  2. One email with an attachment containing malware is clicked through by a user (a known repeat offender). A malware loader is installed and executes, providing the threat-actor access to the command line.
     • Control: Preventative – Repeat offender training
  3. Malware loader installation and execution is not identified by the Defence in Depth / SOC because the attackers gain access to the administrator credentials, which were left on the user’s machine during its build, and use the credentials to turn off the security tooling.
     • Control: Preventative – Build process compliance monitoring
     • Control: Changing third party IT supplier admin passwords after build
  4. The attackers browse the shared file-stores and identify a file exported as a backup to a personal password vault solution. The file contains the password to a user administration tool, which provides access to domain administration credentials.
     • Control: Detective – Network file scanning
  5. The attackers use the domain account to place an encryption module in a system share and detonate it (using PowerShell).
     • Control: Detective – Network file scanning
  6. The threat actor presents a payment demand with sample files as evidence of breach.
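The detective control named in the scenario (network file scanning for files containing passwords, which is also this week's message to IT leaders) is cheap to automate. The script below is an added example written for this update; it is not code from the City ISAC, any member city or any vendor. It walks a file share, flags files whose names look like password-vault exports or whose contents carry password-style assignments or a vault CSV header row, and builds its own constructed sample share so it runs offline. The file-name and content patterns are assumptions and should be extended for the vault products and configuration formats actually in use.

```python
from __future__ import annotations

import os
import re
import tempfile

# File-name patterns that typically indicate an exported password vault.
# Assumption: a short illustrative list; extend it for the vault products in use.
VAULT_NAME_PATTERNS = [
    re.compile(r"\.kdbx?$", re.IGNORECASE),  # KeePass database files
    re.compile(r"(password|passwd|pwd|vault|credential)s?.*\.(csv|txt|xml|json)$",
               re.IGNORECASE),
]

# Content patterns: "password = ..." style assignments, and the header row of
# a typical vault CSV export ("title,username,password,url"). Also assumptions.
CONTENT_PATTERNS = [
    re.compile(r"^\s*(password|passwd|pwd|secret)\s*[:=]\s*\S+",
               re.IGNORECASE | re.MULTILINE),
    re.compile(r"^[^\n]*\busername\b[^\n]*\bpassword\b",
               re.IGNORECASE | re.MULTILINE),
]

MAX_BYTES = 1_000_000  # inspect only the first MiB of each file


def classify_file(path: str) -> list[str]:
    """Return the reasons (if any) why this file looks like it holds credentials."""
    reasons: list[str] = []
    name = os.path.basename(path)
    for pat in VAULT_NAME_PATTERNS:
        if pat.search(name):
            reasons.append(f"file name matches /{pat.pattern}/")
            break
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_BYTES)
    except OSError:
        return reasons  # unreadable file: report the name match only
    if b"\x00" in head[:4096]:
        return reasons  # binary file: the text heuristics do not apply
    text = head.decode("utf-8", errors="replace")
    for pat in CONTENT_PATTERNS:
        if pat.search(text):
            reasons.append(f"content matches /{pat.pattern}/")
            break
    return reasons


def scan_share(root: str) -> dict[str, list[str]]:
    """Walk a share and map each flagged file (path relative to root,
    '/'-separated) to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_share() -> str:
    """Create a throwaway directory holding constructed sample files: a vault
    export, a build note with an embedded password, and a harmless document."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "finance/Passwords export.csv":
            "title,username,password,url\n"
            "user admin tool,svc-admin,REDACTED-SAMPLE,https://example.invalid\n",
        "it/build-notes.txt":
            "Workstation build, step 3\npassword = change-me-after-build\n",
        "hr/minutes.txt":
            "Minutes of the team meeting.\nNothing sensitive here.\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()  # replace with the real share root in production
    for rel_path, why in sorted(scan_share(share).items()):
        print(f"{rel_path}: {'; '.join(why)}")
```

Point it at a real share root instead of the sample one and feed the findings to the SOC as a scheduled job. Note that a hit on a workstation build note with an embedded administrator password is the same root cause the build compliance control in step 3 is meant to catch, so the two controls reinforce each other.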

The important thing is that the agreement of the “Comply-Secure-Contain” approach with key incident scenarios develops greater understanding for the efforts needed to maintain basic cyber hygiene over a longer period. Sponsor buy-in should never be underestimated, please – it takes a lot of work to get it, but it enables and protects your efforts. If you want to learn more about the approach and design your own, we can help build this – just reach out.

The above then got us into a little frustrating discussion about whether such approaches can work within public administrations whereby it remains unclear to me why a structured plan with solid sponsor buy-in seems so difficult to put in place; it is certainly working for many organisations and simply throwing up our hands in despair does not help. What is clear though is that such changes need a “wave” of energy, and such is typically enabled through a relevant project and typically that also needs some external resources with new energy. Our ISAC is there to provide such momentum and external reference point for sponsors – it does not always need to be one of the Big 5 consulting firms. These sorts of plans need endorsement through the City ISAC and then by default through the EU Council of ISACs plus alignment with ENISA.

Finally, a colleague shared preparations for a local tabletop exercise later this year and explained how they were leveraging the support of local consultancies to ensure it is conducted in the local language. We also reminded our ENISA colleagues of how critical this local language support is and that perhaps key documents should be made available in the key EU languages in any case?

Remember also that it is Cybersecurity Awareness Month and CISA has yet again launched some very helpful activities / tools (see https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit) with the aim of reinforcing the four key behaviours:

This week I asked AI to create an image of Plato’s cave allegory related to cybersecurity 😊 AI came up with:

Cheers, 

Oliver

Insights from AI

I was curious about the opinion of Microsoft CoPilot about what the strategic roadmap for public administrations should be. The AI responded as per below:

“The strategic roadmap for public administrations typically involves several key components aimed at improving efficiency, transparency, and service delivery. Here are some of the main elements:

1. **Strategic Planning**: This involves setting clear, long-term goals and objectives. Public administrations often use strategic planning to align their resources and efforts with their mission and vision².

2. **Public Administration Reform (PAR)**: This includes initiatives to modernize administrative processes, improve governance, and enhance public service delivery. Effective PAR requires strong leadership, clear division of responsibilities, and collaboration between government institutions and stakeholders¹.

3. **Financial Sustainability**: Ensuring that reforms and initiatives are financially sustainable is crucial. This involves careful budgeting, financial planning, and securing necessary funding⁴.

4. **Accountability and Transparency**: Implementing mechanisms to ensure accountability and transparency in public administration helps build public trust. This can include regular audits, performance evaluations, and open data initiatives¹.

5. **Innovation and Technology**: Leveraging technology to improve public services is a key aspect of modern public administration. This can include digital transformation initiatives, e-governance, and the use of data analytics to inform decision-making².

6. **Continuous Improvement**: Public administrations should adopt a culture of continuous improvement, regularly assessing and refining their strategies and processes to better meet the needs of the public².

These components form a comprehensive approach to strategic management in public administration, helping to create more effective, efficient, and responsive government institutions.

Source: Conversation with Copilot, 23/09/2024

(1) Strategic Management in Public Administration | Oxford Research …. https://oxfordre.com/politics/abstract/10.1093/acrefore/9780190228637.001.0001/acrefore-9780190228637-e-1396.

(2) Strategic Framework of Public Administration Reform. https://par-portal.sigmaweb.org/areas/1/.

(3) Strategic framework of public administration reform – OECD. https://www.sigmaweb.org/ourexpertise/strategic-framework-public-administration-reform.htm.

(4) Strategic framework of public administration reform – OECD. https://www.sigmaweb.org/byexpertise/strategicframeworkofpublicadministrationreform/2/index.htm.

(5) Public administration of the future – Europa. https://reform-support.ec.europa.eu/system/files/2023-05/FlagshipTSI2024_PublicAdministrationFuture.pdf.

(6) undefined. https://doi.org/10.1093/acrefore/9780190228637.013.1396.

(7) en.wikipedia.org. https://en.wikipedia.org/wiki/Public_administration.”           

In the News
  • No specific update this week

City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered. Please do review and consider reaching out to include such in your activities and budgets.

One of the services we offer is custom design and endorsement of long-term plans for cyber security embedded in the strategic roadmap of your administration along with a coherent investment plan. Maybe something to reflect on as you begin shaping the 2025 budgets?

Project “PHALANX” – 2024 Multi-ISAC Tabletop

No specific updates: You might remember that our City ISAC is a founding member of the EU Council of ISACs where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help. The context will be “The City of Fantasia operates, subscribes to and manages services for its 600k citizens in the sectors of: Public Administration (Operate), Energy (Manage), Transport (Manage), Healthcare (Manage), Drinking Water (Manage), Wastewater (Manage), Emergency Services (Manage), Digital Infrastructure (Subscribe), and ICT Service Management (Subscribe). The City has a regional airport, an industrial harbour and three major industrial production sites (chemicals, automotive, and battery).” -> then a professional actor appears with a thunder run strategy to make citizen life very uncomfortable!


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
