2025/9 Weekly Update from the EU ISAC for Cities & Regions: MCE Annual Conference “Piloting Disruptive Innovation in Cities and Regions” in Issy-Les-Moulineaux Oct 9 & 10. 2025 – Call for incident stories / Existence and effectiveness of controls are two separate things / A fool with a tool is still a fool – Ape with AK47 Example / Connecting with the EU Energy ISAC

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal, sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 21): Benchmark your cyber security – being good is attractive and can be flaunted.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 21): Keep escrowed copies of your legacy system admin passwords in an access-controlled vault – just in case the current admin does not leave on friendly terms.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 21): Long term technical assistants to the CIO/CISO are the critical knowledge repository for successors – treat them well!
Summary

Hi everyone, colleagues from Croatia and Italy joined this Friday morning and we spent most of our time exploring how we are using Trend Micro's Trend Vision One platform to “go to green” in our cyber assurance approaches. The image below shows one way the attack surface can be monitored, with a suggestion to stay within the “green” band – which basically means that you have this “under control”. The way to achieve this is by linking every notification received to an activity you are working on; that brings you into the green band as evidence that this is being “controlled” and hence audit compliant. The important thing is that audit compliance does NOT mean actually being able to prevent such events from re-occurring; it simply means that you have activities trying to do this.

For us as security professionals this is perhaps one of our biggest issues in dealing with assurance audits: we confuse the question of whether we have controls in place with the question of whether the controls we have in place are effective. Audits typically ask whether the controls are in place and then encourage us to make them more effective. “Passing” the audit, however, is about the existence of the controls, and platforms like the one we looked at create evidence that this is the case – really important of course. In your next audit reflect on whether you are asking the right question: existence and effectiveness of controls are two very different things, and audits are focused on the former. It was very interesting to explore how colleagues are using this specific solution and we definitely learned from each other on how to do this better on the journey of going to “green”. Although we do need to remember that not being green is typically a good thing if you are looking for funding to improve control effectiveness.
In any case, if you want to learn more about using this specific solution to go to green then let me know – from an audit perspective at least, the secret lies in how to use the tool and not the actual protection activities you are driving.

A more general example might be CIS Controls sub-control 1.4, Maintain Detailed Asset Inventory (numbering from v7.1; v8 folds this into safeguard 1.1): yes, you need a process in place that monitors this (policy); yes, you need a solution that supports the implementation of that policy (tool); and yes, you need regular reports demonstrating that you are implementing the policy – audit question passed. The “quality” / “effectiveness” of the control – whether the inventory actually matches what is on the network – is a very different question.
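The gap between the two questions can be made concrete for the asset-inventory example above, and it is the same gap as in the “go to green” discussion in the summary: a report that was produced on schedule is evidence of existence, while coverage against what is really on the network is evidence of effectiveness. The following is an added illustration in Python; it is not code from this newsletter, from the IBAS platform or from any vendor product mentioned here. The CMDB export, the DHCP lease table, the report dates and the thresholds (7-day reporting interval, 90-day record age, 95 % coverage target) are all constructed assumptions for the example.

```python
"""Existence vs. effectiveness of one control: the asset inventory.

Added illustration, not code from the ISAC newsletter or from any product
discussed in it. All data below is constructed. Assumed inputs: a CMDB
export (what the control claims) and a DHCP lease table / scan result
(what is actually on the network). Thresholds (7-day reporting interval,
90-day record age, 95 % coverage target) are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    owner: str           # empty string = nobody accountable for the asset
    last_verified: date  # when the record was last confirmed against reality


# Constructed CMDB export: this is the evidence an audit usually sees.
INVENTORY = [
    Asset("fileserver-01", "00:11:22:33:44:01", "IT Ops", date(2025, 2, 20)),
    Asset("hr-laptop-07",  "00:11:22:33:44:02", "HR",     date(2024, 9, 3)),
    Asset("printer-lobby", "00:11:22:33:44:03", "",       date(2025, 2, 18)),
    Asset("old-scada-gw",  "00:11:22:33:44:04", "Energy", date(2023, 1, 11)),
]

# Constructed DHCP lease table: MAC -> hostname actually seen this week.
OBSERVED = {
    "00:11:22:33:44:01": "fileserver-01",
    "00:11:22:33:44:02": "hr-laptop-07",
    "aa:bb:cc:dd:ee:05": "android-3f9c",   # not in the CMDB
    "aa:bb:cc:dd:ee:06": "raspberrypi",    # not in the CMDB
}

# Constructed dates on which the weekly inventory report was generated.
REPORT_HISTORY = [date(2025, 2, 7), date(2025, 2, 14), date(2025, 2, 21)]
AUDIT_DATE = date(2025, 2, 28)


def control_exists(report_dates, today, policy_interval_days=7):
    """The audit question: was a report produced within the policy interval?

    This is what "green" usually means: a policy, a tool and recent evidence
    that the tool ran. It says nothing about whether the report is right.
    """
    if not report_dates:
        return False
    return (today - max(report_dates)).days <= policy_interval_days


def control_effectiveness(inventory, observed, today,
                          max_age_days=90, coverage_target=0.95):
    """The effectiveness question: does the inventory match the network?

    Returns measurable findings rather than only a pass/fail, so they can
    feed a benchmark or an improvement plan.
    """
    by_mac = {a.mac: a for a in inventory}
    unknown = sorted(name for mac, name in observed.items() if mac not in by_mac)
    ghosts = sorted(a.hostname for a in inventory if a.mac not in observed)
    stale = sorted(a.hostname for a in inventory
                   if (today - a.last_verified).days > max_age_days)
    unowned = sorted(a.hostname for a in inventory if not a.owner)
    covered = sum(1 for mac in observed if mac in by_mac)
    coverage = covered / len(observed) if observed else 0.0
    return {
        "coverage": coverage,        # share of live hosts the CMDB knows about
        "unknown_hosts": unknown,    # on the network, not in the inventory
        "ghost_records": ghosts,     # in the inventory, not seen on the network
        "stale_records": stale,      # not re-verified within max_age_days
        "unowned_records": unowned,  # no accountable owner recorded
        "effective": coverage >= coverage_target and not unknown and not stale,
    }


if __name__ == "__main__":
    print("Control exists (audit view):", control_exists(REPORT_HISTORY, AUDIT_DATE))
    for key, value in control_effectiveness(INVENTORY, OBSERVED, AUDIT_DATE).items():
        print(f"{key:>16}: {value}")
```

With the constructed data the audit view says the control exists (a report seven days old satisfies a weekly policy), while the effectiveness view shows only half of the live hosts are in the CMDB, two unmanaged devices are on the network, two records have not been verified for months and one has no owner. Both results are true at the same time, which is exactly why the audit question and the assurance question need to be asked separately.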

The above discussion then reminded us of the current IBAS project, where we can benchmark our cyber security activities with peers. In today's discussion we did not benchmark how we are making specific controls more effective; we learned how to demonstrate the existence of controls in a measurable manner – in the end a process question (related to how the monitoring solution is configured).

And yes, a fool with a tool is still a fool – see the “Ape with an AK47” video as an example: https://www.youtube.com/watch?v=QxYmm5yCJBg

We then discussed the just-announced Major Cities Europe Conference in October and that it might be interesting to fill our session with stories of how we dealt with major incidents instead of running a tabletop. If you have dealt with a major cyber incident in the past years and would be willing to tell the “true” story, then please let us know!

Cheers, 

Oliver

Insights from AI

I asked Copilot “what is the difference between having a cyber security control and having an effective cyber security control?” The AI responded:

“The difference lies in the distinction between mere existence and functionality:

Cybersecurity Control: This refers to any measure, tool, policy, or process implemented to protect systems, networks, or data from cyber threats. For instance, a firewall, an anti-malware program, or a password policy qualifies as a control. However, simply having it in place doesn’t guarantee that it’s working effectively.

Effective Cybersecurity Control: This means that the control is not only present but also operating as intended to mitigate risks, prevent attacks, and achieve security objectives. An effective control is regularly tested, monitored, and updated to adapt to evolving threats, ensuring it actually protects what it’s designed to safeguard.

Think of it like having a lock on your door. Just having the lock (the control) isn’t enough—it needs to be functional, secure, and used correctly to effectively protect your home. Similarly, an effective cybersecurity control requires proper implementation, regular maintenance, and alignment with broader security goals.”

In the News
  • We are now collaborating directly with the European Energy Information Sharing & Analysis Centre – see https://www.ee-isac.eu/
  • Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

ISAC Baseline (IBAS) Project

To support the ongoing IBAS project the ISAC Baseline platform was updated with the Croatian law for NIS2 as well as the Lithuanian law. The requirements of the laws are mapped to the CIS18 and ISO 2700x standards. The legal requirements are also mapped to the ISAC Baseline questionnaires so that the ISAC Baseline platform is an effective collaboration forum for ISAC members. Further updates with national laws and standards such as NIST CSF are forthcoming.

IBAS is now running with participating cities and regions from Croatia, Ireland and Lithuania; the onboarding session was completed on 20 February. This included basic navigation and data entry to arrive at first individual and comparative results against the benchmark data. See https://isac4cities.eu/public-administration-isac-baseline for more details on this opportunity.

The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves not only against regulatory requirements but also against other local governments around Europe. Benchmarking data from European municipalities is now available in the ISAC Baseline Program, giving participants insight into how similar organizations perform and comply with legislation. Assessing the organization's security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001/27002, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can of course sponsor membership for your regions and cities as well.

Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
