2024/7 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: VAUBAN Virtual Tabletop Monday April 8th 2pm-4pm CET / Host third parties on-site / Make sure you have personal liability insurance / Building Management Systems are a common weak spot

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Provide third parties with space in your offices to increase availability and response speeds.
  • Weekly [TLP:RED] for Essential Services Managers: Report movers & leavers asap to HR and in parallel to IT to ensure access rights are removed as quickly as possible. Remove them yourselves for legacy systems if possible.
  • Weekly [TLP:RED] for IT Leaders: Make sure you have personal liability insurance for your role.
Summary

Hi everyone and hope you are well – two cities and one region joined again this week, and we started off our discussion with the joys one member is having with being audited by a national ministry and the professional move of another member to a more audit-related function in their organisation. As you know, audits can be powerful tools to highlight security remediations and support related funding requests. Maybe a service for our own network in future as well?

The discussion on audits then got us into stories on how security breaches can lead to personal liability of CIOs/CISOs and the corresponding need to have personal liability insurance just in case – one member CIO has a €5m insurance for this sort of situation – paid for by the local administration of course. The local administration of a member was recently fined €100k for a GDPR breach related to retaining email logs for more than the 7 days permitted by new legislation, for example – it is currently unclear whether the local administration will seek recourse from the member who is CIO…

On the insurance side we also heard from another member that their city had moved away from formally insuring itself against a variety of threats since the cost was just too high – instead they are self-insuring, thereby accepting that in the case of an event they will simply need to shift budgets. Not sure if this is the best answer, so how about at least taking the annual cost of a cyber insurance policy and making sure it is invested in cyber security measures instead?

Another point we investigated was the role of building management IT systems in our security concepts – typically these are not run by IT but fall under the responsibility of facility services, who by default may have less sensitivity to cyber security. This might especially be an issue since the business can usually quite easily install IT solutions there without meeting the stringent security requirements of the main networks – segmentation is of course one answer, but we should be aware that the building management systems might host some quite critical services (e.g., access controls to server rooms) – yes, yet another area we need to include in our thinking.

Finally, we discussed the value of having vendor technicians on-site as much as possible – ideally embedded in the organisation – and the important role they can play by continually supporting staff in various questions. One member encouraged vendor technicians to move from their home offices onto their sites for example.

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about whether Building Management Systems are cyber secure. The AI explained that:

“Building Management Systems (BMS) play a crucial role in controlling and optimizing various aspects of building operations, including heating, ventilation, air conditioning (HVAC), lighting, security, and more. However, as these systems become increasingly connected to the internet, they face significant **cybersecurity challenges**. Let’s explore some key points:

1. **Vulnerabilities and Attack Surface**:

  • BMS often utilize **insecure protocols** and legacy systems without adequate security controls.
  • The **internet connectivity** introduced by IoT devices expands the attack surface for cybercriminals.
  • Many organizations struggle to gain visibility into the extensive variety of BMS in use, making it difficult to protect them effectively¹.

2. **Challenges Faced by BMS**:

  • **Legacy Systems**: BMS commonly rely on outdated technology, making them susceptible to exploitation.
  • **Lack of Security Controls**: Inadequate security measures expose BMS to cyber threats.
  • **Visibility Issues**: Organizations find it challenging to monitor and secure all BMS components¹.

3. **Mitigating BMS Cyber Risks**:

  • **Robust Cybersecurity Measures**: Regular software updates, secure network architectures, and employee training are essential.
  • **Password Security**: Replace default or weak passwords with strong ones.
  • **Network Access Control**: Lock down network access to the controller level.
  • **Remote Connectivity**: Use a Virtual Private Network (VPN) for secure remote access⁴⁷.

4. **Frameworks and Standards**:

  • The **ISA/IEC 62443 standard** provides guidelines for implementing cybersecurity in industrial automation systems, including BMS.
  • The **NIST Cybersecurity Framework** offers risk management guidelines across various industries, including building automation².

In summary, while BMS enhance operational efficiency, organizations must prioritize cybersecurity to safeguard critical assets and systems within smart buildings¹.”

Source: Conversation with Bing, 18/02/2024

(1) The Power of Building Management System (BMS) Cybersecurity. https://claroty.com/blog/the-power-of-building-management-system-bms-cybersecurity.

(2) Cybersecurity for Building Management Systems. https://www.agsprotect.com/blog/cybersecurity-building-management.

(3) Use Building Management Systems checklist to prevent cybercrime. https://blog.se.com/buildings/building-management/2021/07/29/checklist-to-help-secure-your-building-management-systems-and-to-prevent-cybercrime/.

(4) Why building management system cybersecurity is critical [Q&A] – BetaNews. https://betanews.com/2023/11/24/why-building-management-system-cybersecurity-is-critical-qa/.

(5) Building Management Systems: The cyber security blind spot. https://www.computerweekly.com/ehandbook/Building-Management-Systems-The-cyber-security-blind-spot.

(6) Secure Building Management Systems from Cybersecurity Threats. https://www.nozominetworks.com/blog/securing-building-management-systems-from-cybersecurity-threats.

(7) Use Case: Building Management Systems (BMS) | Tenable. https://www.tenable.com/solution-briefs/use-case-cyber-security-for-your-building-management-systems-bms.

(8) A Guide to Building Management System Cybersecurity – Nozomi Networks. https://www.nozominetworks.com/resources/solving-cybersecurity-for-building-management-systems.

In the News
City ISAC Services (Member Funded)

No update. The agreement with our hosting organisation Major Cities Europe has been finalised. Key themes are benchmarking NIS2/CIS Controls as the basis for robust risk management through Defence-In-Depth solutions and enabled through awareness building. As soon as final formal steps are completed, we can move forward with a formal offering to members.

Project “DAVID” (Member Funded)

In Germany we have a saying that good things come to those who wait… in this case our Big 5 partner has finally gotten their act together, and next week we will be finalising the way forward on a joint engagement focused on the NIS2 Directive (identifying weak spots in the directive and providing a strategic outlook including strategy recommendations for the expected NIS3 directive), plus an assessment of Defence in Depth across our member community. If you are a local administration and interested in participating, please let me know.

Project “VAUBAN”

** Change in Date – Monday April 8th 2pm-4pm CET **

Pleased to announce the EU City ISAC I4C+ and Major Cities Europe present the 2024 VAUBAN interactive cyber simulation “The Battle for the Golden Ticket”. Draft text below and meeting invite attached.

“The Battle for the Golden Ticket”

The EU City ISAC I4C+, hosted by Major Cities Europe, will be holding the virtual version of its 2024 VAUBAN Tabletop Exercise on Monday 8 April 2024 from 2 pm to 4 pm CET.

The “Golden Ticket” gives administrator level access to all key IT systems of an organisation (including infrastructure). A person with the “Golden Ticket” can “turn off” any IT asset, and / or prevent anyone from accessing them. A threat actor with a “Golden Ticket” is a nightmare to any organisation.

Guided by two local administrations and supported by cyber experts and white-hat hackers, we will jointly and interactively go through the story of the frantic fight of the Blue Team of a regional administration to prevent the confirmed initial breach by a professional Red Team from reaching the “Golden Ticket” (elevated privileges on all core systems), and the harrowing experience of local administrations faced with the potential shutdown of core financial services. At the end, participants will also explore how peer collaboration might have made this scenario less threatening, how principles of asymmetric warfare can help us identify pragmatic preventative actions, and why advances in Artificial Intelligence are making “Goliath” even more powerful…

The agenda of the event (120′) is:

1. Introduction (10′).
2. Act 1: The Alert – Notification of the potential breach and the decision whether to go offline or not (20′).
3. Act 2: The Shut-Down – How to go offline and what essential services are impacted (20′).
4. Act 3: The Crisis – How to maintain impacted essential services offline (20′).
5. Act 4: The Recovery – Managing the challenges of returning to online services (20′).
6. Lessons Learned and How Peer Collaboration can help (20′).
7. Wrap-Up (10′).

Registration is open to any individuals interested in cyber security for local administrations. The event should be of particular interest to elected public officials, managers of essential services for regional and local administrations, as well as IT (Security) leaders.

Key learning points will include understanding how easily such a breach can happen, how damaging such a breach can be, and how we can prepare for when this happens – because it is not a question of “whether” this will happen, but “when”, and those least prepared are usually the first to be impacted.

Project “Regions4Cyber”

The ECSO’s Cyber Resilient Regions Community (CRR) has now been officially launched. It is a new initiative that aims to build a European community of Local and Regional Authorities (LRAs) that want to increase their digital resilience. It will bring LRAs’ Chief Information Security Officers (CISOs) and related roles, as well as IT or security specialists with cybersecurity responsibilities, into a community that aims to increase LRAs’ cybersecurity resilience. This community has been developed in cooperation with Regione Toscana, Major Cities of Europe (https://majorcities.eu/) and ISAC4Cities (https://isac4cities.eu/). A Signal group has been created, and the respective representatives of LRAs will be contacted to join the group. Afterwards, an initial survey will be shared with the community to map the cybersecurity services of European LRAs and assess their needs. With the start of the community, a first meeting will be held in March or April to introduce the members to each other, hold a first webinar, and discuss the calendar of the community’s activities. Please let me know if you would like to learn more.

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/