2023/48 Weekly Update from the “City ISAC I4C+” Highlights: [TLP:RED] Guidance – Hire Ex-Military / Cloud-Services are “Trojan Horses” to keep some control / EU Cybersecurity Certification won´t really help / Threats alone stop us…
[TLP:WHITE]
** For Back Issues see https://isac4cities.eu/blog **
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
- Weekly [TLP:RED] for Publicly Elected Officials: The best crisis centre coordinators are ex-military with combat experience; get one.
- Weekly [TLP:RED] for Essential Services Managers: Developing citizen solutions on nationally / regionally provided cloud services (i.e., PowerApps, Sharepoint, PowerBI) is often the most effective way to improve processes – let IT (security) guide you though.
- Weekly [TLP:RED] for IT Leaders: A “potential” compromise treated seriously is probably the fastest way to get all IT assets patched up to date…
| Summary |
Hi everyone and hope you are well – one new city and one “regular” joined on Friday morning with introductions leading to a longer conversation around internal IT departments and outsourcing to third-parties. The latter is obviously the growing tendency for cities as their regions and nations “assimilate” services while providing less and less resources / funds for local services. All cities (any many regions) facing this situation. While local authorities cannot change this direction of travel, they can take a look at their citizen development world where a large number of “legacy” systems will always exist – while we cannot maintain control of “core IT systems” (i.e., messaging solutions), we can maintain control of these in various ways – especially cloud based solutions actually also offer the opportunity for major citizen development (on the cloud platforms) – i.e., PowerApps, Sharepoint, PowerBI etc. Trojan horses to maintain control?
We then learned a little more about the Leipzig tabletop and the presentation held by one city about its cyber incident. Apparently being mentioned as a potential target on the dark web is often enough to trigger a call from the regional criminal investigation offices – leading to the tough decision of “act versus hope”. Interesting as well, was that the city had officially requested administrative support from other institutions, however received it only from the national cyber security institute and the military – unfortunately the two did not quite get along and both sort of withdrew from support. We agreed it needs a very strong directive crisis team to manage the resources that we can recruit – ex-military often have skills like this by the way (as we then saw in the tabletop).
With the holiday season coming up, we are of course all wondering whether the threat actors will also take a break (like it seemed to be last year), or whether we end up (like the above-mentioned German city) ending up preparing to have a Silverter party and then getting a call from the regional criminal investigation office on the day before…
Cheers
Oliver
| In the News |
- The German region Vorpommern-Rügen went offline „just in case” after receiving notification from the regional criminal police office (“LKA”) (see https://www.lk-vr.de/index.php?object=tx,3034.5&ModID=7&FID=3034.20848.1). Only reachable via the emergency phone number 112.
- Early October Estonia was flooded with bomb threat emails and hundreds of organisations ran into the question of whether or not to enact their emergency plans (see https://news.err.ee/1609129961/ppa-on-bomb-threat-emails-always-contact-112-for-advice). Threats suffice to cause chaos as we see.
| City ISAC Services (Member Funded) |
No specific updates – do make a point of following us on the LinkedIn page at https://www.linkedin.com/company/98519767/admin/feed/posts/ and joining our LinkedIn discussion group at https://www.linkedin.com/groups/12773643/.
| Project “DAVID” (Member Funded) |
Some good discussions this week on the evolving ENISA NIS2 orientated EU cybersecurity certification framework (see https://www.enisa.europa.eu/topics/certification). From our perspective this is a worthwhile effort, however it will not address the fundamental issue that solution suppliers in many cases do not actually meet the standards they claim to comply with. As always, we will need to avoid just asking whether a supplier has the appropriate certifications – we will need to audit them and do that regularly. We have previously shared “light” vendor cybersecurity assessments for example, In a way frustrating of course – “caveat emptor”!
| Project “MEET” (EU Funded / Beneficiary) |
We have finally been assigned a new project officer (remember our initial ones moved roles and our project seems to have fallen off the table for some reason. Coming week should give us some insights how to start to the motor – due to the upcoming Holiday Season I assume it will be January though.
| Project “VAUBAN” |
We held our Larissa format tabletop exercise at the regional IT conference https://www.it-fachtag-leipzig.de/ and, with about 150 city officials / IT leaders attending had a great time – lots of laughs and learning! It was also a good example of how we can begin learning to work together in (non-) crisis situations. The most interesting development perhaps was one the mayor decided to launch the crisis team and an ex-soldier “to take the reins” – the whole dynamics moved from unstructured democratic discussions to highly structured and hierarchical activities as befits the early “responsive” phase of dealing with a cyber incident. Off the back of the event, it looks as if we will be launching a regional VAUBAN effort next year led by a larger city and a publicly owned IT services provider serving several hundred public administrations – we will keep you posted. Regional solutions appear quite relevant due to shared language and geographical proximity.
| Project “Regions4Cyber” |
First pilot surveys are out with a response deadline of Friday. We´ll revise the survey then and begin reaching out to a larger audience of regions and cities providing regional services. The initiative was also introduced at the https://ecs-org.eu/events/ecsos-annual-ciso-meetup/ and warmly received. Our City ISAC approach is serving as an important orientation for the planned development.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/