2025/15 Weekly Update from the EU ISAC for Cities & Regions: “Barista” to support our Friday Caffè Corretto conversations / EU-CI Meeting Brussels – ISACs are the sanity check for EU Regulations / Ready for eIDAS? / Friday calls 16 May and 23 May cancelled / ISAC Baseline (IBAS) Project continues – join us!
Note that the Friday sessions on 16 May and 23 May will need to be cancelled.
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.
Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 27): Use benchmarking to demonstrate you are not the worst administration in your region.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 27): Ensure all staff with admin rights on your applications receive regular cyber awareness training and use unique complex passwords on each application.
- Weekly [TLP:RED] for IT Leaders (Repeat # 27): Buy software towards the end of the supplier financial year to get the best rebates.
Ask Barista |
Barista is our new young AI friend and a small experiment in trying to understand where AI might be able to bring us REAL value. Early days yet and using publicly available AI tools to explore our direction of travel. Ideally, Barista will become our constant AI companion who we can chat with to become better in cyber – with a special focus on our diverse public administration colleagues. Barista is also always happy about “tips” 😊
We have started gathering a few real notifications from solutions like TrendMicro and Darktrace that colleagues are dealing with, and the first (obvious) insight is that without access to information about the assets in our administrations, we need to manually correlate to understand potential severity. The second (maybe less obvious) insight is that the severity assigned by the solution does not necessarily match the possible severity of impact on our services – just because a server might be breached does not mean it is critical; the question is what services might this impact (payroll?) and what the probability of this occurring is.
At the moment a simple question based on a TrendMicro notification for Barista might be “What is the best reaction to a Possible Cobalt Strike Connection alert?” which triggers an answer saying “Responding to a ‘Possible Cobalt Strike Connection’ alert requires a structured approach. First, verify the alert in the Workbench app, examining details and the observable graph. If valid, investigate network traffic and logs for IOCs like unusual IPs or file hashes. Isolate the affected system and block the connection. Correlate findings with threat intelligence feeds. Patch exploited vulnerabilities and strengthen security measures. Escalate to the incident response team or Trend Micro Support if needed. Document false positives.”
Based on this a follow-up question was “Is traffic blocking the best response to a Possible Cobalt Strike Connection alert?” and Barista suggested “Blocking traffic is a useful initial response to a potential Cobalt Strike connection, but insufficient alone. A comprehensive response requires identifying the connection’s source (infected device or compromised account), monitoring for lateral movement and unusual activity, implementing detection rules to prevent future occurrences, conducting forensic analysis to determine the attack’s scope, and strengthening network defenses. Patching vulnerabilities, updating configurations, and implementing robust security practices are crucial for long-term protection. In live scenarios, engaging cybersecurity experts is essential.”
While the above may reflect obvious actions for a colleague with basic skills in cyber, I wonder whether Barista could go beyond providing information to creating workflow tasks to ensure the actions are actually being completed? At least in my experience the challenge is less knowing what to do, it is getting these things done…. A next step might therefore be having Barista actually conduct certain tasks automatically for us. All depends on having access to detailed information about our assets and since we keep that private, Barista will need to be deployed in-house (or to a trusted secured external container only Barista can access) and learn over time.
Hmmmm…. What if Barista received the notification from the solution (i.e. TrendMicro), reviewed it against the asset list and previous notifications/actions, decided whether manual intervention was necessary and then generated the following tasks, routed them to the correct colleagues, and then checked to make sure they were done? The above would then suggest that we can help Barista by integrating him with our own SIEM?
Summary |
Hi everyone, friends from Belgium, Bulgaria, Ireland, and Italy joined this Friday morning and we spent most of our time hearing about the EU Council of ISAC meeting in Brussels that two of our colleagues attended. The key theme there was understanding how to shape information exchanges across the many ISACs in Europe and how to collaborate better with ENISA / DGs, since these have a top-down national focus while the ISACs by default are more horizontal across the sectors in Europe. The upcoming ENISA NIS2 blueprint will be interesting to follow in this respect since the ISACs appear to be the key bottom-up sense check of the more centrally orientated EU efforts.
We also discussed the difference between the commercially driven ISACs that are well funded by their members and the way public administrations continuously struggle with capturing sufficient public funding to support their activities. There is no doubt that the ISACs can share important information more quickly and effectively than any formal institutions, however we do have a lot of work ahead to create the legal foundation for doing so. Shared MISPs might be a good starting point (as we see from several running projects), yet there again it is necessary to develop a robust funding source for enabling the collaborative effort required.
Finally, we discussed the mandatory Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), adopted on 23 July 2014, which provides a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities (see https://ec.europa.eu/futurium/en/system/files/ged/eidas_regulation.pdf). The role of eIDAS as a pillar of protection against cyber threats, the challenges posed by increasing AI use by threat actors and stories of relevant actual cyber incidents need to be understood a lot better since these are directly applicable to the member states (no national implementation laws required).
Cheers,
Oliver
In the News |
- The ECSO Award Finals 2025 are just around the corner – and this time, we’re heading to The Hague on 21–22 May at the vibrant HSD Campus (Wilhelmina van Pruisenweg 104, 2595 AN Den Haag). In this event, some of the most promising European start-ups and scale-ups in cybersecurity will compete for the ECSO Startup Award, selected by a jury of investors from the ECSO INvest4Cyber community, and the ECSO CISO Choice Award, selected by a jury composed of European CISOs from the ECSO CISO Community. See https://forms.office.com/pages/responsepage.aspx?id=zu7aB_B3YkqIL6ekzlAgVNsi2W5t8T9LroJPdH6BJnxUQUQ0UkhCMVQ4Q0dLQVpHMFlTQTRKRlg3Qy4u&utm_source=ECSO+Award+Finals+20…+(Mass+Mailing+created+on+2025-04-10)+%5b3%5d&utm_medium=Email&route=shorturl.
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
ISAC Baseline (IBAS) Project |
The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulatory requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The Enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the Enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/