2025/6 Weekly Update from the EU ISAC for Cities & Regions: Collaboration growing with Aviation, Space, Retail & Hospitality and Financial Services ISACs / Ongoing input being gathered for ENISA report on Criticality Assessment of NIS2 sectors / Exploring research into Identity Access Management approaches / How to deal with vendor audit requests? Thoughts needed / Which tools REALLY helped?
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 18): Cyber startups are popular but only a cheap enhancement if they themselves are secure – validate.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 18): Discover where USB ports are being used to read/write data and find alternatives – they are the open backdoor for breaches. This includes USB drives, cameras etc.
- Weekly [TLP:RED] for IT Leaders (Repeat # 18): Ensure all laptops connect at least monthly directly to the network for 24 hours to receive updates. The longer devices are remote, the greater the chance of an update divergence leading to growing security concerns.
| Summary |
Hi everyone, colleagues from Belgium, Croatia, and Estonia joining this Friday morning plus a colleague from ENISA.
We are now intensifying our collaboration with the Aviation ISAC (https://www.a-isac.com/), the Space ISAC (https://spaceisac.org/), the Retail & Hospitality ISAC (https://rhisac.org/) and the Financial Services ISAC (https://www.fsisac.com/). The aim is to explore how we can support each other in a more tangible manner. The Multi-ISAC tabletop in Athens last October showed that there are opportunities around this (i.e., joint support in the event of major breaches and/or shared services); however, it is a new area of collaboration and therefore needs practice. The idea of a “Multi-ISAC Playbook” has been circulating for a while, and perhaps we will explore potential funding sources for the effort more intensively.
We also discussed an ENISA report on “ENISA Cybersecurity Maturity; Criticality Assessment of NIS2 sectors” (pending publication) that our friends at ENISA kindly asked us to comment on. Multiple colleagues have already provided feedback that I will be consolidating. Our key thoughts can perhaps be summarised by the comment of a colleague that “addressing all public organisations in one group doesn’t give a platform for addressing sector-specific issues and doesn’t give the ability to address sector-specific risks.” The responsibilities of local and regional public administrations across the EU vary widely, so a “one size fits all” approach might need to be revisited. What also occupies me is that we need to help ensure robust primary research is used to inform such policy making.
Note that we are also beginning to explore setting up a small research effort around the use of Identity Access Management solutions in local and public administrations. The aim is to understand how this “glue” for securing our diverse and fragmented IT landscapes might be consolidated in support of more robust defence-in-depth frameworks. We are currently defining the research effort more clearly and thinking about potential industry sponsors.
A really interesting discussion was then triggered by the ENISA colleague reflecting on some of her previous work history. She suggested asking ourselves, after an incident has cleared, what security tools we REALLY used. Highly interesting, since it seems that we actually seldom use the bells and whistles of a solution when push comes to shove. This should have us thinking, and at least one other colleague was going to test the question internally.
Finally, we reflected on how security solutions are perceived differently by different stakeholders and found the parable of the six blind men and the elephant (https://en.wikipedia.org/wiki/Blind_men_and_an_elephant) quite fitting 😊

On a side note – Oracle announced an audit to a colleague after detecting a download of what is otherwise free software, which may contain a small Oracle plugin that requires payment. After checking their infrastructure, they found that they have five free installations and one that contained the Oracle plugin. The developer was unaware of this, and it was immediately deleted since it wasn’t there intentionally. Their installation method feels like a trap for users, but that seems to be their approach. Now, Oracle is requesting an audit of their infrastructure and citing California law. Based on their logs, they can only see the public IP address of the network, which is shared by a large number of free open-space areas for citizens and city infrastructure. Any thoughts on how they should handle the request to scan their internal network? We see many similar challenges with vendors also re-activating paid services after upgrades / server restarts – not really friendly behaviour!
Cheers,
Oliver
Insights from AI
Following up on the above thoughts about Identity Access Management (IAM) being the “glue” of cybersecurity across our IT landscapes, I asked CoPilot “what is the importance of identity access management in securing fragmented and diverse IT infrastructures?” The AI responded:
“Identity Access Management (IAM) is crucial for securing fragmented and diverse IT infrastructures for several reasons:
Enhanced Security: IAM ensures that only authorized users can access specific resources, minimizing the risk of unauthorized access and data breaches. It uses features like multi-factor authentication (MFA) and role-based access controls to strengthen security.
Improved Compliance: Many regulatory frameworks require strict access controls and audit trails. IAM helps organizations meet these requirements by providing robust identity verification and access provisioning processes.
Efficient Access Management: With IAM, organizations can streamline access control across various systems, applications, and devices, whether on-premises, remote, or cloud-based. This ensures that users have the appropriate level of access based on their roles and responsibilities.
Reduced Risk of Insider Threats: IAM helps mitigate risks posed by malicious insiders or accidental misuse of access rights by ensuring that users only have the permissions necessary for their roles.
Scalability and Flexibility: As organizations grow and their IT infrastructures become more complex, IAM provides a scalable solution to manage access across diverse environments.
In essence, IAM is foundational to maintaining the confidentiality, integrity, and availability of systems, applications, and data in today’s cybersecurity landscape.”
| In the News |
- ISAC baseline extended with NIST CSF 2.0: In a number of countries, NIST CSF is referred to in the NIS2 legislation. As a result, we have updated the ISAC Baseline platform with NIST CSF 2.0 and mapped it to ISO 27001-2 and CIS 18. This means that you can work actively with the different standards and, among other things, extract reports on your organization’s status in relation to NIS2 legislation using NIST CSF 2.0, including a benchmark against other cities and organizations.
- We are now intensifying our collaboration with the Space ISAC https://spaceisac.org/, the Retail & Hospitality ISAC https://rhisac.org/ and the Financial Services ISAC https://www.fsisac.com/.
- Flanders buys 10k CoPilot licenses: https://www.belganewsagency.eu/flanders-secures-europes-largest-microsoft-copilot-contract-to-improve-government-efficiency
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
| ISAC Baseline (IBAS) Project |
Note that the launch event for participating cities and regions will be on 20 February. This will include basic navigation and data entry to arrive at first individual and comparative results against the benchmark data. See https://isac4cities.eu/public-administration-isac-baseline for more details on this opportunity.
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves not only against regulatory requirements but also against other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can of course sponsor membership for your regions and cities as well.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/