2025/16 Weekly Update from the EU ISAC for Cities & Regions: Barista offers WAF configuration guidance and support / We are NIS2 CTI sharing activity – name us / Exploring json import of CTI to the ISAC MISP platform / Friday calls 16 May and 23 May cancelled / ISAC Baseline (IBAS) Project continues – join us!
Note that the Friday sessions on 16 May and 23 May are cancelled.
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 28): Public polls are key to budgetary allocation.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 28): We will always run on Excel with many data connections – regularly backup those Excels on a separate laptop and make sure they work there.
- Weekly [TLP:RED] for IT Leaders (Repeat # 28): Our environments are chaotic – focus on security controls versus treatments.
Ask Barista
Barista is our new young AI friend and a small experiment in trying to understand where AI might be able to bring us REAL value. Early days yet and using publicly available AI tools to explore our direction of travel. Ideally, Barista will become our constant AI companion who we can chat with to become better in cyber – with a special focus on our diverse public administration colleagues. Barista is also always happy about “tips” 😊
While we continue to explore specific notifications shared by colleagues, this week we asked Barista: “How can we avoid creation of a false positive triggered by the WAF rules, which interprets a complex password string as an SQL tautology injection attempt due to its symbolic structure?” Barista suggested: “Web Application Firewalls (WAFs) can mistakenly flag legitimate inputs, such as complex passwords, as potential SQL injection attacks. To avoid false positives, use parameterized queries or prepared statements for SQL, refine WAF rules to better distinguish legitimate input, apply multi-layered input validation, escape special characters, log and monitor false positives to adjust rule thresholds, and leverage machine learning-based protection. Consider configuring exceptions for specific fields like passwords if your WAF allows it.” Barista also offered to help reconfigure our specific WAF – if you would like to test its suggestion for your WAF let me know and I will pass it along.
Summary
Hi everyone, friends from Bulgaria and Italy joining this Friday morning (our friends from Ireland struggled to attend due to traffic lights and Sunday drivers)! Another colleague could not make it due to a clash with a national public administration ISAC event led by the police head of the Cybercrime Department and manager of their national Cybersecurity Center. The presentations were apparently both shocking and eye-opening, filled with real-life examples of cyberattacks and the mistakes that were made. It was a truly impactful experience in our colleague’s view. The success of the event was driven by the support of the president of the national Association of Cities, who is a highly positioned politician and helped secure these experts for the workshop – in some countries this is also called the Local Government Association. He strongly recommended that we consider organizing something similar since it would provide tremendous value to all and significantly raise awareness across our network. If we want to do this, then we will need to find a friend in the police cybercrime environment who would be interested in sharing – any suggestions?
Note also that, as shared by a colleague, “Art. 29 of the NIS2 directive prescribes that the member states support sharing initiatives (in addition to the mandatory notification activities). So the creation of sectorial ISACs is welcome. As a confirmation of this “prescription”, national authorities, in the application form for registering our entity in the national registry of entities subject to NIS2, explicitly ask which sharing initiatives we belong to… we are one of these of course! This is a clear message about the necessity to create and participate in this kind of initiative. While the official notification of “incidents” remains a “national matter”, the voluntary sharing of information needs to be as geographically broad as possible. Cyber crime is international … the prevention and reaction need to be international too.”
As you have noticed we are re-invigorating our efforts to use the MISP platform https://misp.isacs.eu/ for sharing of notifications. A handful of our members are working on this and if you would like to join please let me know – since we are currently self-funding this effort progress will of course depend on personal bandwidths – be patient with us 😊. While the technical support team is currently helping us onboard colleagues (not an easy activity unfortunately due to WAF technical issues), we have seen that the platform seems to contain notification data from the weekly OSINT reports – it seems as if the JSON file shared weekly by ENISA as part of the OSINT reports gets uploaded there. Currently reaching out to our ENISA friends to get a little assistance in doing this – or can anyone advise on how to convert the ENISA JSON file to a MISP standard or STIX format? In the end, we have learned that any CTI we receive probably needs to be manually converted into such a format and then manually uploaded into the MISP – direct connections from any of our security providers trigger a wide range of legal issues we do want to avoid. Below an image of the MISP notification dashboard.
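On the conversion question above, the following added example (not ENISA's or the MISP project's code) maps a report into the MISP core-format event JSON. The input schema (`title`, `date`, `indicators` with `kind`/`value`/`note`) is an assumption, since the layout of the ENISA file is not shown here; the field names need adapting to the real file.

```python
import ipaddress
import re

# Assumed input kinds -> MISP attribute (type, category) pairs.
TYPE_MAP = {"ipv4": ("ip-dst", "Network activity"), "domain": ("domain", "Network activity"),
            "url": ("url", "Network activity"), "sha256": ("sha256", "Payload delivery")}

def normalise(kind, value):
    """Refang and validate one indicator; return None if it is unusable."""
    value = value.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if kind == "sha256":
        return value.lower() if re.fullmatch(r"[0-9a-fA-F]{64}", value) else None
    return value or None

def to_misp_event(report, tlp="tlp:amber"):
    """Return (MISP core-format event dict, list of skipped input items)."""
    attributes, skipped, seen = [], [], set()
    for item in report.get("indicators", []):
        kind = str(item.get("kind", "")).lower()
        value = normalise(kind, str(item.get("value", ""))) if kind in TYPE_MAP else None
        if value is None:
            skipped.append(item)          # unmapped kind or invalid value
            continue
        if (kind, value) in seen:         # duplicate within this report
            continue
        seen.add((kind, value))
        misp_type, category = TYPE_MAP[kind]
        attributes.append({"type": misp_type, "category": category, "value": value,
                           "to_ids": False,  # no IDS export before analyst review
                           "comment": item.get("note", "")})
    return {"Event": {"info": report.get("title", "OSINT report"),
                      "date": report.get("date"), "Tag": [{"name": tlp}],
                      "distribution": "0",     # your organisation only
                      "threat_level_id": "4",  # undefined
                      "analysis": "0",         # initial
                      "Attribute": attributes}}, skipped

# Constructed sample in the assumed input schema (not real ENISA data).
SAMPLE = {"title": "Constructed OSINT digest", "date": "2025-04-18", "indicators": [
    {"kind": "domain", "value": "malicious[.]example"}, {"kind": "domain", "value": "malicious.example"},
    {"kind": "url", "value": "hxxps://malicious[.]example/login"},
    {"kind": "ipv4", "value": "192.0.2.300"}, {"kind": "mutex", "value": "abc"},
    {"kind": "sha256", "value": "AB" * 32, "note": "constructed hash"}]}
```

The returned dict can be serialised with `json.dumps` for manual upload; the skipped list shows which input items need a human decision before anything is shared.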

Regarding the above it may also be a good idea to have Barista run on the data set available there. Remember that Barista is our new young AI friend and a small experiment in trying to understand where AI might be able to bring us REAL value. While we are playing with publicly available AI tools it is clear that we will need to run him in our own server environment in the end due to the confidentiality of the data he will need to explore. Barista will become our constant AI companion who we can chat with to become better in cyber – with a special focus on our diverse public administration colleagues. Barista is also always happy about “tips” 😊
Interesting perhaps also that the MISP onboarding is challenged by a tension between the MISP password generator and the firewall rules, i.e. creation of a false positive triggered by the WAF rules, which interprets a complex password string as an SQL tautology injection attempt due to its symbolic structure. Working with the MISP support team to figure out how to avoid this in future and thus not need a direct call with them to resolve.
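This onboarding problem and the question put to Barista earlier both come down to scoping a rule exception. The added example below (not code from MISP, a WAF vendor or the ISAC) uses a simplified stand-in tautology pattern, an assumed login path `/users/login` and constructed sample values to show a field-scoped exclusion that clears the password false positive while a tautology in another field is still flagged. It assumes the application only hashes the password and binds the other inputs as query parameters.

```python
import hashlib
import hmac
import re
import sqlite3

# Simplified stand-in for a tautology signature (assumption, not a vendor rule):
# a quote, then OR / ||, then the same token on both sides of "=".
TAUTOLOGY = re.compile(r"""['"]\s*(?:or\b|\|\|)\s*['"]?(\w+)['"]?\s*=\s*['"]?\1\b""", re.I)
LOGIN_PATH = "/users/login"                          # assumed path
EXCLUSIONS = frozenset({(LOGIN_PATH, "password")})   # one field on one path only

def inspect(path, params, exclusions=frozenset()):
    """Return sorted names of request fields that match the signature.

    A (path, field) exclusion applies only on that exact path, so the same
    field name on any other endpoint is still inspected.
    """
    return sorted(name for name, value in params.items()
                  if (path, name) not in exclusions and TAUTOLOGY.search(value))

def make_db(user, password, salt=b"constructed-salt"):
    """In-memory user table holding a salted PBKDF2 hash, never the password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    return db

def login(db, user, password):
    """The user name is bound as a parameter; the password is only hashed."""
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), row[0], 100_000)
    return hmac.compare_digest(digest, row[1])

# Constructed samples: a random-looking password that trips the signature,
# and a textbook tautology placed in the user-name field.
GENERATED_PASSWORD = "Zq7'||x=x#Lm2"
TAUTOLOGY_USER = "admin' OR 1=1 --"
```

Because the exclusion is keyed on path and field together, it removes the false positive at login without switching the rule off for the rest of the application.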
A further important point is of course putting data sharing agreements in place so that we can share CTI via the MISP. While we have reached out to the EU Council of ISACs to see whether anyone has some experience, we have also reached out to a colleague involved in something like this at a national level to see whether we can perhaps re-use agreements they have drafted for this.
Regarding the MISP platform we also discussed how members could use it to manage their own CTI and then have an ISAC administrator approve those suited for sharing within the City ISAC community and then more widely to the overarching ISAC community – this approval process is of course key to ensuring that relevant and helpful CTI is shared and until Barista grows up this will need to be a manual effort. Barista may then also have “twins” inside the user organisations that drive workflow automation etc. to lower resource needs for implementing improvements.
The above also led to a discussion with our friends at I-Trust (enablor project), to see whether notifications might be correlated automatically with NIS2 or similar controls that we are all running. The MISP CTI could provide good input into the maturity of controls we have and help with generating appropriate evidence and targeted improvement measures.
Cheers,
Oliver
In the News |
- The ECSO Award Finals 2025 are just around the corner – and this time, we’re heading to The Hague on 21–22 May at the vibrant HSD Campus (Wilhelmina van Pruisenweg 104, 2595 AN Den Haag). In this event, some of the most promising European start-ups and scale-ups in cybersecurity will compete for the ECSO Startup Award, selected by a jury of investors from the ECSO INvest4Cyber community, and the ECSO CISO Choice Award, selected by a jury composed of European CISOs from the ECSO CISO Community. See https://forms.office.com/pages/responsepage.aspx?id=zu7aB_B3YkqIL6ekzlAgVNsi2W5t8T9LroJPdH6BJnxUQUQ0UkhCMVQ4Q0dLQVpHMFlTQTRKRlg3Qy4u&utm_source=ECSO+Award+Finals+20…+(Mass+Mailing+created+on+2025-04-10)+%5b3%5d&utm_medium=Email&route=shorturl.
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
ISAC Baseline (IBAS) Project |
The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulative requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level provides data on compliance with legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/