2024/6 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: VAUBAN Virtual Tabletop Monday April 8th 2pm-4pm CET / The “Carnival” Network Segment / Don’t Trust your Toothbrush / AI recommends Public Safety as our Top Priority

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Publicly share stories on the cyber security successes of your administration.
  • Weekly [TLP:RED] for Essential Services Managers: Encourage the use of secure online services for file transfers with external organisations.
  • Weekly [TLP:RED] for IT Leaders: Place non-standard IT assets (i.e., iPads for senior leaders) in their own network segments.
Summary

Hi everyone and hope you are well – two cities and one region joining this week as carnival season launches across the world – may well be a driver of phishing scams and remember that not all of your staff is always there -> colleagues returning from breaks may well still have phishing emails in their inboxes that were not cleared out. In particular you missed a discussion around how payment of staff & suppliers is the second highest priority in service recovery (after ensuring people safety) and how senior leaders are often jealous of leaders in other administrations having “cooler” IT assets than they do, i.e., others have iPads and they “only” have Android provider solutions… This may lead to “shame” and hiding their own devices? A real issue in many organisations and not something we can prevent – oh well, so we give them what they want, make sure it is secure and put them in their own network segment (let us call it the “Carnival Segment”?)

(Image generated by Bing Chat on 10 February 2024)

Another member then shared the slides of a short cyber awareness session they were holding as a reminder for their department. The “attention getter” was “Three million malware-infected smart toothbrushes used in Swiss DDoS attacks.” (see https://www.axios.com/2024/02/09/toothbrush-cyberattack-viral-fact-check) and proceeded to emphasise the importance of reporting potential phishing emails (hope you have a relevant icon in your email solution), being extra sensitive to external emails, clicking slower and perhaps making sure that all emails show a preview of the first few lines. The session was designed for a maximum of 10 minutes and mainly intended to refresh the awareness of colleagues (well, earlier this year a major phishing campaign was in fact mastered due to hundreds of “aware” colleagues reporting potentially threatening emails they were receiving!).

We got back to carnival planning then with a reminder that in one member’s administration the Chinese citizens were celebrating their New Year as well – some great processions planned it seems. The amazing thing about carnival is that these fantastic events are all realized by volunteers who are typically not paid for their passionate contributions (over most of the year in fact). Creating similar conditions around cyber in local administrations is what we are exploring – all suggestions welcome!

Cheers

Oliver

PS The EU Council of ISACs (EU-CI) held its monthly meeting on Wednesday (ISACs from Aviation, Health, Automobile, Rail, Hospitality, Energy among others). Working on our communication and collaboration strategy plus intensifying our relationships with the European Cybersecurity Competence Centre and Network (ECCC – https://cybersecurity-centre.europa.eu/index_en) – there have also been some staff changes there and in the DG that we need to catch up on. Lots of “national” efforts underway while the sectoral ISAC activities seem to be seen from this perspective as well unfortunately. ENISA continues to encourage and support the sectoral ISAC activities we are bundling in the EU-CI.

Insights from Chatbots

I was curious about the opinion of Bing Chat about the most critical services of a local administration. The AI explained that “local administrations provide **critical services** that are essential for the well-being and functioning of a community.” The top ranked service returned was “Public Safety and Law Enforcement” (Local police departments ensure public safety by preventing crime, responding to emergencies, and maintaining order. Fire departments handle fire prevention, firefighting, and emergency medical services). Remember that ambulance services are typically aligned to healthcare services which are normally run by “regional” administrations. This has me reflecting on our priorities in cyber defence – currently we are very internally focused along the lines of GDPR protection and maintaining payment capabilities for example. Sensing there needs to be a conversation about priorities….

In the News
City ISAC Services (Member Funded)

The agreement with our hosting organisation Major Cities Europe has been finalised. Key themes are benchmarking NIS2/CIS Controls as the basis for robust risk management through Defence-In-Depth solutions and enabled through awareness building. As soon as final formal steps are completed we can move forward with a formal offering to members.

Project “DAVID” (Member Funded)

No updates. Continuing to plan a virtual open space event to roughly outline the possible cooperation requirements for municipalities in the event of a security incident. In a subsequent step, the catalogue of requirements would have to be developed and the requirements for such services would have to be defined through administrative assistance or inter-municipal cooperation processes. The virtual event would then be followed up by an in-person workshop, so that ideally by the end of 2024 not only the requirements have been defined and the implementation clarified, but also a “light” exercise has taken place to test the concept. This effort will be led by a local administration with the support of a third-party public-private-partnership IT service/infrastructure provider.

Project “VAUBAN”

** Change in Date – Monday April 8th 2pm-4pm CET **

Pleased to announce the EU City ISAC I4C+ and Major Cities Europe present the 2024 VAUBAN interactive cyber simulation “The Battle for the Golden Ticket”. Draft text below and meeting invite attached.

“The Battle for the Golden Ticket”

The EU City ISAC I4C+, hosted by Major Cities Europe, will be holding the virtual version of its 2024 VAUBAN Tabletop Exercise on Monday 8 April 2024 from 2 pm to 4 pm CET.

The “Golden Ticket” gives administrator level access to all key IT systems of an organisation (including infrastructure). A person with the “Golden Ticket” can “turn off” any IT asset, and / or prevent anyone from accessing them. A threat actor with a “Golden Ticket” is a nightmare to any organisation.

Guided by two local administrations and supported by cyber experts and white hackers, we will jointly and interactively go through the story of the frantic fight of the Blue Team of a regional administration to prevent the confirmed initial breach of a professional Red Team from reaching the “Golden Ticket” (elevated privileges on all core systems) and the harrowing experience of local administrations faced by the potential shutdown of core financial services. At the end, participants will also explore how peer collaboration might have made this scenario less threatening, how principles of asymmetric warfare can help us identify pragmatic preventative actions, and why advances in Artificial Intelligence are making “Goliath” even more powerful…

The agenda of the event (120′) is:

1. Introduction (10′).

2. Act 1: The Alert – Notification of the potential breach and the decision whether to go offline or not (20′).

3. Act 2: The Shut-Down – How to go offline and what essential services are impacted (20′).

4. Act 3: The Crisis – How to maintain impacted essential services offline (20′).

5. Act 4: The Recovery – Managing the challenges of returning to online services (20′).

6. Lessons Learned and How Peer Collaboration can help (20′).

7. Wrap-Up (10′).

Registration is open to any individuals interested in cyber security for local administrations. The event should be of particular interest to elected public officials, managers of essential services for regional and local administrations, as well as IT (Security) leaders.

Key learning points will include understanding how easily such a breach can happen, how damaging such a breach can be, and how we can prepare for when this happens – because it is not “whether” this will happen, but “when”, and those least prepared are usually the first to be impacted.

Project “Regions4Cyber”

The survey is being revised slightly to align with some other activities of ECCR and ECS – we should be able to re-share and launch initial personal interviews in a week or so.

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
