2024/42 Weekly Update from the MCE SIG NEW: NO CALLS 27 Dec & 3 Jan / Is the EU too fragmented for effective deployment of NIS2? / ISAC Baseline participation growing / Default IP blocking can be an effective security measure – How fast does an unloaded swallow fly? / Does Father Christmas have a cyber security department to keep gifts safe? (Now hiring?)

** For Back Issues see https://isac4cities.eu/blog **

No calls on 27 December and 3 January – Christmas Break!

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 11): The best crisis centre coordinators are ex-military with combat experience; get one.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 11): Developing citizen solutions on nationally / regionally provided cloud services (i.e., PowerApps, Sharepoint, PowerBI) is often the most effective way to improve processes – let IT (security) guide you though.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 11): A “potential” compromise treated seriously is probably the fastest way to get all IT assets patched up to date…
Summary

Hi everyone, I hope you are doing well. Belgium, Bulgaria, Croatia, Italy and Ireland joined this Friday morning, plus our friends from ENISA.

Our initial discussion was around the experiences of friends of a colleague who had some professional electrical work completed in their home. It turned out to be a disaster and they had to spend a few weeks without electricity in their new house… Investigation then revealed that the work had not been done as professionally as promised / expected, even though the supplier appeared to know what they were doing. For me a clear reminder that just because an organisation CLAIMS something does not mean the individuals then implementing it are able to meet those claims. Sound familiar? The key point is that while we must ensure that supplier organisations meet criteria, it all boils down to the individuals performing the work – build the relationship with those individuals and show presence during the work – it helps.

ENISA shared a survey about public administrations that they are running, asking national stakeholders for insights into the implementation of cybersecurity rules within the public administration sector across different governance levels. The input is intended to help ENISA better understand the structures, definitions, and scope of public administration entities in the context of the NIS2 Directive. The survey seeks to address the following key questions: 1. Supervision of Cybersecurity Rules / 2. Definitions of Public Administration Entities / and 3. Risk-Based Assessment for Public Administrations. While we are not sharing the specific survey link here (since we are not the target group of respondents), a pointer: a core question is “What is the definition of a public administration entity of central / regional / local government?”, which leads to a question on which NACE codes are relevant for public administrations (see also https://ec.europa.eu/eurostat/web/products-manuals-and-guidelines/-/ks-ra-07-015). A lot of effort is going into trying to improve the design and reach of directives – the EU really is a very colourful space in this respect. As each member state implements the NIS2 Directive, different approaches become visible – i.e., for Belgium see https://atwork.safeonweb.be/tools-resources/nis-2-quickstart-guide, for Italy see https://www.acn.gov.it/portale/documents/20119/564002/Linee+guida+ACN+rafforzamento+resilienza.pdf/d143d555-eeb0-766b-8e50-46f5f3012bd9?t=1732087369622. In Belgium they also created a new framework that is a mix of cybersecurity frameworks (NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443).
It would be really interesting to run a small research project to extend https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping to capturing / assessing / comparing how the various EU member states are localising the NIS2 Directive – we agreed that the “core” remains NIST/CIS18, but then wrapped into a nationalisation approach with multiple tweaks. Key message – if you do CIS18 you are meeting higher level standards (we have one region that has been doing this for years and I believe has been very successful at optimising its resource needs to meet all the audit / compliance requirements).

On an operational side we shared experiences using Darktrace and agreed that it really is a powerful / helpful solution assuming it is implemented widely enough. Not the cheapest of course, however one of the expert solutions that deserves its own place in our Defence in Depth frameworks. I do wonder whether solutions like these could be purchased by groups of public administrations across a variety of EU member states.

Finally, we reflected a little on how to reduce the amount of IT services the “business” is buying outside of IT (since this by default presents a security issue). SaaS services can typically be bought directly via credit cards, and hence one colleague shared their approach: any such IPs are blocked by default, which then triggers the “business” to request unblocking, which in turn triggers our security review processes. May not sound easy and the setup does take time, however in the end it seems a robust way forward. If we do get such notifications / requests we might reflect on the infamous bridge crossing scene in Monty Python's Holy Grail movie (snip) – wait until the swallow question 😊 Image of the gatekeeper (IT Security?) below:

WEEKLY SURVEY: Last week, we began a weekly series of simple surveys based on CIS 18 (the 18 CIS Critical Security Controls, see https://www.cisecurity.org/controls/cis-controls-list) – only one response received so we will need to re-evaluate the approach here. Maybe not the best thing to be doing – “fail fast” after a single attempt? Hmmm…

BENCHLEARNING: The ISAC Baseline project now includes three EU member states, and we look forward to expanding in 2025 – three other nations showing interest and as NIS2 rolls out / downwards it can provide a huge benefit in pragmatically meeting requirements by learning how others are doing that successfully. Note that the biggest challenge to benchlearning is https://en.wikipedia.org/wiki/Cognitive_bias – have a read and reflect on what is preventing you from learning from the best?

Cheers, 

Oliver

Insights from AI

Considering the approaching festivities, I asked CoPilot “does Father Christmas produce cyber secure gifts?” The AI responded:

“Ah, the magical realm of Father Christmas! While he’s known for delivering joy and wonder, the cybersecurity of his gifts might be another story.

In the spirit of fun, let’s imagine: if Father Christmas were to ensure his gifts were cyber secure, he’d probably have a team of elves specializing in cybersecurity, implementing measures like:

Strong Passwords: Every smart toy or gadget would come with strong, unique passwords.

Software Updates: Devices would be pre-configured to automatically update their software to protect against vulnerabilities.

Encryption: Data transmitted by any tech gift would be encrypted to safeguard privacy.

Parental Controls: All children’s devices would have robust parental control settings to ensure safe usage.

Education: There’d be an adorable, elf-animated instructional video teaching kids (and adults) about staying safe online.

While the reality is that ensuring cybersecurity falls on manufacturers and users, it’s a fun thought to imagine Santa’s North Pole workshop keeping up with the latest in cyber hygiene.”    

In the News

  •   No specific updates this week

City ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

Project Cyber Securing Public Administrations  “CySec4PA” – DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02

We have decided not to pursue this proposal further since we have not been able to find an alternative Lead Proposer. Keeping an eye on future calls and will keep everyone updated.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
