2025/21 Weekly Update from the EU ISAC for Cities & Regions: Our (Almost) Daily Cyber Forecast on LinkedIn – Follow us / Invitation to Participate (and circulate) in ENISA’s NIS360 Sector Survey / Weekly [TLP:RED] / Barista moved to Mistral AI “Le Chat” / Why sharing of IoCs is challenging / Join our “I4C+ MISP” and “ISAC Baseline (IBAS)” projects / MCE Annual Conference Oct 9&10, 2025
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Daily Cyber Forecast
Our GPT Barista is publishing an (almost) daily cyber forecast to our LinkedIn page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/. Follow!
Invitation to Participate (and circulate) in ENISA’s NIS360 Sector Survey
Over the past few months, our ENISA friends have been working on developing the NIS360 surveys — and they are happy to share that they are now ready to launch!
We would appreciate it if you could share the survey dedicated to public administrations with the members of ISAC4Cities.
The goal of the survey is to assess the cybersecurity maturity and criticality of sectors classified as essential or important under NIS2.
The input collected will directly inform the upcoming ENISA NIS360 Report, which will provide a comprehensive overview and comparison of sectors, highlighting where each sector stands. Through NIS360 surveys, ENISA aims to collect data on an annual basis to support companies and competent authorities in prioritising resources and strengthening cybersecurity practices over time.
You can access the survey via the following link: https://enablor.dk/auth/register/survey/8419079683a240e88266e257bf391b00?lang=en&enisa=true
We kindly invite you to complete the survey by September 15.
You can also find last year’s NIS360 report here: https://www.enisa.europa.eu/publications/enisa-nis360-2024. However, this year, we aim to gather input from a broader range of entities in order to develop the most accurate and comprehensive picture of the sector possible.
If you have any questions, need further information, or are interested in continuing the dialogue and contributing your expertise to support our work, please do not hesitate to contact the ENISA team at NIS360@enisa.europa.eu.
Weekly [TLP:RED]
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation. Full list at https://isac4cities.eu/tlpred.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 33): Don't move critical infrastructure services to the cloud.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 33): Ensure all logging services for database services that are related to versioning of data are enabled.
- Weekly [TLP:RED] for IT Leaders (Repeat # 33): Ensure all possible logging is turned on and all relevant log data is continuously provided by third parties.
Ask Barista (GPT)
We have now launched a Barista pilot where colleagues get access to a custom designed ChatGPT app called “Barista” – I asked Barista who it is and it replied: “I’m Barista, your cybersecurity analyst assistant. I’m here to help security operations centre (SOC) teams, blue team defenders, and incident responders with things like: Log analysis (from Splunk, Sentinel, ELK, etc.), Writing detection rules (Sigma, KQL, SPL), Mapping alerts to MITRE ATT&CK, Remediation guidance (NIST, CIS, OWASP best practices), Threat hunting, system hardening, and incident response support, Automating security processes in hybrid and cloud environments”.
Exploration continues and we will keep you updated – the next sensible step would be copying our MISP approach and implementing Mistral AI inside the network of a member, and then beginning to open that up for others / helping others install their own and connect – all powerful activities, but they need funding. We are having conversations regarding the resource needs for this (i.e., server?).
If you would like us to operate a query process for your GPT solutions (i.e., with internal data from your side) please do reach out.
Today I asked Barista why the sharing of Indicators of Compromise (IoCs) with third parties can be challenging and Barista suggested:
“Sensitivity and Confidentiality: IoCs often contain sensitive information that could reveal vulnerabilities within an organization’s network. Sharing this information could potentially expose an organization to further risks if the data falls into the wrong hands.
Trust Issues: Trust is a significant factor when sharing IoCs. Organizations need to trust that the third party will handle the information responsibly and not use it for malicious purposes or inadvertently leak it.
Legal and Compliance Concerns: There may be legal restrictions or compliance issues related to sharing IoCs. Organizations must navigate various regulations that govern data sharing and privacy, which can complicate the process.
Data Integrity and Context: IoCs need to be accurate and relevant. Without proper context, shared IoCs might not be useful or could lead to false positives. Ensuring that the data is correctly interpreted by the third party requires clear communication and additional resources.
Standardization: There is often a lack of standardization in how IoCs are formatted and shared. Different organizations may use different tools and platforms, making it difficult to integrate and utilize shared IoCs effectively.
Resource Intensive: Sharing IoCs requires resources for proper documentation, communication, and follow-up. Organizations may not have the necessary resources to dedicate to these activities.
Risk of Misuse: There is always a risk that shared IoCs could be misused, either intentionally or unintentionally. This could lead to further security incidents or damage to the organization’s reputation.
Competitive Disadvantage: In some cases, sharing IoCs might provide competitors with insights into an organization’s security posture, potentially leading to a competitive disadvantage.
To mitigate these challenges, organizations often use trusted platforms and frameworks for sharing IoCs, such as Information Sharing and Analysis Centers (ISACs), which provide a secure environment for sharing threat intelligence among trusted members. Additionally, using standardized formats and protocols can help ensure that IoCs are shared in a useful and secure manner.”
I4C+ MISP
One public administration colleague now has our MISP running in their own network and we are working on pulling together the many:many NDA needed to begin using it – more once that NDA is finalised. Each administration can get its own confidential area and there is then the opportunity to share with other administrations and publish to the ENISA MISP. Let us know if you would like to join.
Summary
Hi everyone, friends from Estonia, Ireland and Italy joined this morning and it seems there is a slow return from holidays. One colleague was smiling widely when they told us they have three new staff members joining this coming Monday 😊
Another colleague was challenged by their domain name being quarantined and hence not available – they needed to have the necessary calls during our weekly – which sort of exposed the importance of being on top of domain name registrations etc. From a security standpoint this is of course also critical, since losing control of a domain name opens the barn door for threat actors to redirect it. Barista suggested:
“When a domain name is quarantined, it typically means that it has been flagged as malicious or suspicious by security systems, such as those used by web browsers, search engines, or cybersecurity organizations. This can happen due to various reasons, such as the domain being associated with phishing, malware distribution, or other malicious activities. Here are some potential cyber threats and implications of having a domain name quarantined:
1. **Reputation Damage**: Being quarantined can severely damage the reputation of the domain and the organization associated with it. Users may lose trust in the website and the brand.
2. **Loss of Traffic**: Web browsers and search engines may display warnings to users attempting to visit the site, which can significantly reduce traffic. Users are likely to be deterred by these warnings and avoid visiting the site.
3. **Blacklisting**: The domain may be added to blacklists used by various security solutions, which can prevent users from accessing the site altogether. This can affect not only direct traffic but also email deliverability if the domain is used for email services.
4. **Impact on Business Operations**: For businesses, a quarantined domain can disrupt online services, e-commerce activities, and customer interactions, leading to potential financial losses.
5. **SEO Impact**: Search engines may lower the ranking of the domain or remove it from search results entirely, impacting the site’s visibility and search engine optimization (SEO) efforts.
6. **Propagation of Malware or Phishing**: If the domain was indeed involved in malicious activities, being quarantined helps prevent the spread of malware or phishing attacks to users, which is beneficial from a security standpoint.
7. **Legal and Compliance Issues**: Depending on the nature of the activities associated with the domain, there could be legal repercussions or compliance issues that the organization may need to address.
8. **Operational Disruption**: The organization may need to invest time and resources to investigate the issue, clean up any malicious content, and request a review to have the domain removed from quarantine lists.
To mitigate these threats, it is crucial to identify and address the root cause of the quarantine, such as removing malicious content, securing the website, and following best practices for cybersecurity. Additionally, organizations should communicate transparently with their users and stakeholders about the steps being taken to resolve the issue.”
Finally, together with our friends in Tuscany Region and ECSO we will begin brainstorming on ideas for an AI webinar that will take place in November (either week 10-14/11 or week 24-28/11). If you are interested in supporting please do reach out.
Ah yes, and looks like we may be aligning to co-create an AI for Shared SOC funding proposal for an upcoming DEP call. I have a good feeling about this – we have tried multiple times to get such a proposal together and the pieces seem to be coming together now – more as things mature.
Cheers,
Oliver
In the News
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded)
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
ISAC Baseline (IBAS) Project
The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulatory requirements but also other local governments around Europe. Benchmarking data from European municipalities is now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The Enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the Enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/