2025/17 Weekly Update from the EU ISAC for Cities & Regions: European Vulnerability Database – EUVD now available / Implementing our MISP / Remember the availability of ENISA OpenSSAM / What will be the personality of Barista (our ISAC GPT)? / Friday calls 6 June & 13 June cancelled / ISAC Baseline (IBAS) Project continues – join us!

Note that the Friday sessions on 6 June and 13 June are cancelled.

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 29): Make sure your leadership team has your personal mobile number stored on their personal phones so that they can reach you in the event of an emergency – major cyber breaches may well disable official (mobile) phone solutions.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 29): Regular local data backups to external storage devices are a cyber hazard, but they can save you in the event of a major cyber breach.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 29): Ensure you have an alternative third-party service provider as disaster recovery alternative and test switching back and forth regularly.

Ask Barista

Barista is our new young AI friend and a small experiment in trying to understand where AI might be able to bring us REAL value. Early days yet and using publicly available AI tools to explore our direction of travel. Ideally, Barista will become our constant AI companion who we can chat with to become better in cyber – with a special focus on our diverse public administration colleagues. Barista is also always happy about “tips” 😊

We have been given clearance from ENISA to load the weekly OSINT incident notification lists for AI evaluation and are now planning to test the commercial version of ChatGPT (since the previously identified solution path is too immature). We are currently in a planning phase, since the effort is not small and currently unfunded. We have chosen to continue with ChatGPT because it offers several ways to get cybersecurity expertise within ChatGPT, i.e., Custom GPTs focused on cybersecurity for penetration testing guidance, security auditing, malware analysis, threat hunting, and secure code review (such as CyberSecGPT, ThreatHunterAI, or SecureCode Analyst) that are created by community members or organizations, so review their descriptions and test them carefully. In addition, the creation of our own custom cybersecurity GPT is relatively straightforward and you do not need a paid ChatGPT account to access it (although you will need dedicated logins from our ISAC). A draft personality for Barista might be:

“You are a professional cybersecurity analyst GPT designed to assist security operations center (SOC) teams, blue team defenders, and incident responders.

Your responsibilities include:

– Providing log analysis and detection engineering support (SIEM tools like Splunk, Sentinel, ELK)

– Assisting in writing and interpreting correlation rules (Sigma, KQL, SPL)

– Offering guidance on MITRE ATT&CK techniques and defensive mappings

– Suggesting remediation steps for common vulnerabilities and attack tactics

– Helping users understand alerts, log sources, and threat hunting approaches

– Advising on hardening (Windows, Linux, Cloud environments)

– Following best practices from NIST, CIS, and OWASP

When answering:

– Be technically precise and reference common frameworks when relevant

– If unsure or if more data is needed, ask clarifying questions rather than guessing

– Avoid discussing offensive (red team) topics unless asked explicitly

– Never suggest illegal, unethical, or dangerous actions

Default to a professional, concise, and clear tone. Assume the user has a basic technical background unless told otherwise.”

Ideally, we will be looking to add selected incident notifications from selected public administrations along with some basic information about their CMDB and relevant configurations. Obviously, we may also look to integrate data from the ENISA ISAC MISP (https://misp.isacs.eu/) and OpenSSAM (https://openssam.enisa.europa.eu/) solutions – need to incrementally understand TLP considerations and needed information sharing agreements. OpenSSAM is a situational awareness tool developed by ENISA to process large volumes of cyber threat data. It leverages artificial intelligence to deliver up-to-date information on cyber threats, thereby supporting EU institutions, member states, and other stakeholders in making informed decisions regarding cybersecurity – we can orchestrate access to the information.

The fundamental challenge for value creation however remains the correlation between Barista insights and internal data – the only way to tackle this would be to consider Barista as an “orchestrator” only with any legal compliance question being relegated to the individual users / administrations that have direct contracts with CTI providers.

I did ask Barista how we can reduce conflicts between WAFs and password generators (the painful issue we are having on integrating with the ENISA MISP). Barista suggested that conflicts between WAF (Web Application Firewall) rules and password generators usually arise when the WAF mistakenly identifies strong, randomly generated passwords as malicious input (e.g., SQL injection, XSS, or pattern-based rule triggers). To prevent these conflicts while maintaining security, you can follow these best practices (details available on request):

  1. Use Allowlisting for Specific Endpoints
  2. Refine or Tune WAF Rules
  3. Validate Input on the Server Side
  4. Encode or Escape Sensitive Input
  5. Use Captchas or Bot Protection Separately
  6. Log and Monitor WAF Triggers
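As an added illustration of practices 1, 3 and 6 above (example code written for this newsletter, not from the ENISA MISP or any WAF product; the endpoint names, field names and rule patterns are assumed): a toy pattern-based WAF check with a per-endpoint allowlist for credential fields, a server-side length bound that still applies to those fields, and an audit log of every decision so that false positives remain visible.

```python
import re
import secrets
import string

# Constructed, deliberately naive pattern rules standing in for a generic WAF
# rule set. Real rule sets are far larger, but the failure mode is the same:
# generic SQLi/XSS signatures fire on the random characters of a strong password.
NAIVE_RULES = {
    "sqli_quote_comment": re.compile(r"['\"].*(--|#|/\*)"),
    "sqli_keyword": re.compile(r"\b(or|and|select|union|drop)\b", re.I),
    "xss_tag": re.compile(r"<[^>]*>"),
}

# Practice 1: allowlist of (endpoint, field) pairs that carry credentials.
# Assumed endpoint and field names for this example only.
CREDENTIAL_FIELDS = {("/users/login", "password"), ("/users/change_pw", "new_password")}
MAX_CREDENTIAL_LEN = 256   # practice 3: credential fields stay bounded server side

def rule_hits(value):
    """Names of the naive rules a single field value would trigger."""
    return [name for name, rx in NAIVE_RULES.items() if rx.search(value)]

def inspect_request(path, form, audit_log):
    """Pattern-inspect every field except allowlisted credential fields.
    Appends one line per decision to audit_log (practice 6) and returns True
    if the request should be blocked."""
    blocked = False
    for field_name, value in form.items():
        if (path, field_name) in CREDENTIAL_FIELDS:
            if len(value) > MAX_CREDENTIAL_LEN:
                audit_log.append(f"BLOCK {path} {field_name}: credential too long")
                blocked = True
            else:
                audit_log.append(f"SKIP  {path} {field_name}: allowlisted credential field")
            continue
        hits = rule_hits(value)
        if hits:
            audit_log.append(f"BLOCK {path} {field_name}: {','.join(hits)}")
            blocked = True
    return blocked

def generate_password(length=20):
    """Strong random password of the kind that trips the naive rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    log = []
    pw = "X7'q--Zp<b>R"   # constructed value containing typical triggers
    print("rules a naive WAF raises on the password:", rule_hits(pw))
    print("login blocked:", inspect_request("/users/login", {"username": "alice", "password": pw}, log))
    print("profile blocked:", inspect_request("/users/profile", {"bio": pw}, log))
    print("\n".join(log))
```

The same password is accepted on the login form but blocked in a free-text profile field, and every decision lands in the log for tuning (practice 2).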

The emerging high-level structure for Barista is:

Summary

Hi everyone, after a short two-week break (and ahead of another two-week break – vacation time!), friends from Croatia and Italy joined and we spent most of the time learning about how one colleague has been working to get the ENISA MISP up and running (a very secure platform!) and then implementing their own version in a dedicated LAN segment -> plus importing notifications from their own CTI solution. Some good results and learnings as we slowly move to understanding what a pragmatic solution for us might be. Key insights to date are:

  1. It makes sense for each region/city to have its own MISP (ideally using the same solution as ENISA), if this is not feasible then we as an ISAC can provide a dedicated MISP (using the ENISA solution) with dedicated areas for individual regions/city.
  2. A (manual) administrator is needed to decide what MISP information is shared to wider communities (this assumes relevant data sharing MOUs are in place).
  3. The ISAC MISP can be loaded with (a) IoC data from national CERTs which is publicly available, and (b) ENISA MISP data.
  4. ISAC MISP data and EU/national/local controls frameworks (in any language) can be loaded to the Barista GPT and evaluated. The challenge here is designing the right questions to ask to generate valuable outputs – one experiment for example is to map IoCs to CIS controls and another is to generate input to local security solutions (e.g., anti-virus scanners) based on IoCs from CERTs across the EU.
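As an added illustration of insights 3 and 4 (example code written for this newsletter, not MISP's or the ISAC's own code): a small exporter that reads an event in the shape of a MISP event export, keeps only attributes flagged for detection (to_ids), rejects malformed values rather than passing them to a scanner, and emits one-value-per-line blocklists. The event below is constructed from documentation ranges and placeholder hashes; none of its values are real indicators.

```python
import ipaddress
import json
import re

# Constructed sample shaped like a MISP event export (Event -> Attribute list).
SAMPLE_EVENT_JSON = json.dumps({"Event": {
    "info": "constructed example event",
    "Attribute": [
        {"type": "sha256", "value": "ab" * 32, "to_ids": True},
        {"type": "sha256", "value": "ab" * 32, "to_ids": True},          # duplicate
        {"type": "md5", "value": "deadbeef", "to_ids": True},            # malformed
        {"type": "domain", "value": "phish.example.invalid", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
        {"type": "ip-dst", "value": "999.1.1.1", "to_ids": True},        # malformed
        {"type": "url", "value": "http://x.invalid/kit", "to_ids": False},  # context only
        {"type": "comment", "value": "seen in a spam run", "to_ids": False},
    ]}})

def _is_ip(v):
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False

# Per-type syntax checks: a bad value in a blocklist can break the consuming
# tool or silently match nothing, so malformed entries are rejected, not fixed.
VALIDATORS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I).match,
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I).match,
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I).match,
    "domain": re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I).match,
    "ip-dst": _is_ip,
    "ip-src": _is_ip,
}

def extract_iocs(event_json):
    """Return ({type: sorted unique values}, [(type, value, reason) rejected]).
    Only attributes flagged to_ids (meant for detection) are exported."""
    attrs = json.loads(event_json)["Event"].get("Attribute", [])
    iocs, rejected = {}, []
    for a in attrs:
        t, v = a.get("type"), str(a.get("value", "")).strip()
        if not a.get("to_ids"):
            continue                      # context attribute, not for detection
        check = VALIDATORS.get(t)
        if check is None:
            rejected.append((t, v, "unsupported type"))
        elif not check(v):
            rejected.append((t, v, "malformed value"))
        else:
            iocs.setdefault(t, set()).add(v.lower())
    return {t: sorted(vs) for t, vs in iocs.items()}, rejected

def blocklist_lines(iocs, ioc_type):
    """One value per line, the form most scanners and DNS filters import."""
    return "\n".join(iocs.get(ioc_type, []))
```

The rejected list is worth reviewing by the (manual) administrator from insight 2 before anything is shared onward.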

We are also re-invigorating our efforts to use the OpenSSAM platform https://openssam.enisa.europa.eu/ for information gathering purposes.

Cheers, 

Oliver

In the News
  ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.

ISAC Baseline (IBAS) Project

The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!

The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulative requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization's security level gives insight into compliance with legislation, along with automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The Enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also "sponsor" membership for your cities to create regional bench-learning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.

Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed "real stories" on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the Enablor platform.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
