2024/15 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Risk Matrix Emerging – IS DOS/DDOS/RDOS Protection for E-Services Highest Priority? / Check Out Microsoft Copilot for Cyber Security / Upcoming webinar of “Accelerating NIS2 Compliance with Benchmarking and AI Support” Monday, 27th May 2024
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: Public polls are key to budgetary allocation.
- Weekly [TLP:RED] for Essential Services Managers: We will always run on Excel with many data connections – regularly back up those Excel files on a separate laptop and make sure they work there.
- Weekly [TLP:RED] for IT Leaders: Our environments are chaotic – focus on security controls versus treatments.
| Summary |
Hi everyone and hope you are well – two cities and two regions joined on Friday morning and there were lots of discussions around a small piece of emergent research based on the weekly OSINT reports – only a few weeks' data has been examined so far. By identifying relevant incidents and mapping these into a 3×3 probability/impact diagram we can easily see that the top priority for regional and local administration risk treatments MUST be protecting online services against DoS/DDoS/RDoS attacks. Interesting reading in this respect is https://www.cisa.gov/resources-tools/resources/understanding-and-responding-distributed-denial-service-attacks and the ENISA recommendations from November 2023 for prevention and remediation available at https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-dos-attacks/@@download/fullReport.
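As an added worked example (not from the newsletter or the SIG's research), here is one way to make the incident-to-matrix mapping described above repeatable: incidents from the weekly OSINT reports are bucketed per threat category into a 1–3 likelihood band (from observed rate) and a 1–3 impact band (worst observed), placed on the 3×3 grid and ranked. The category names, the per-week thresholds and the sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of incident records distilled from weekly OSINT reports:
# (threat category, impact band 1..3). Illustrative only, not real incidents.
SAMPLE_INCIDENTS = [
    ("ddos_public_eservice", 3),
    ("ddos_public_eservice", 2),
    ("ddos_public_eservice", 3),
    ("ddos_public_eservice", 3),
    ("phishing_backoffice", 2),
    ("phishing_backoffice", 1),
    ("ransomware_backoffice", 3),
    ("website_defacement", 1),
    ("website_defacement", 1),
]

def likelihood_band(count: int, weeks: int) -> int:
    """Map an observed incident rate (per week) to a 1..3 probability band.
    The thresholds are an assumption chosen for this example."""
    rate = count / weeks
    if rate >= 1.0:
        return 3
    if rate >= 0.25:
        return 2
    return 1

def impact_band(impacts: list) -> int:
    """Conservative choice: the worst observed impact sets the band."""
    return max(impacts)

def risk_matrix(incidents, weeks: int):
    """Return {category: (likelihood, impact, score)} and the 3x3 grid,
    keyed by (likelihood, impact), listing the categories in each cell."""
    by_cat = defaultdict(list)
    for cat, imp in incidents:
        by_cat[cat].append(imp)
    scored, grid = {}, defaultdict(list)
    for cat, imps in by_cat.items():
        lk, im = likelihood_band(len(imps), weeks), impact_band(imps)
        scored[cat] = (lk, im, lk * im)
        grid[(lk, im)].append(cat)
    return scored, dict(grid)

def treatment_priority(incidents, weeks: int) -> list:
    """Categories ordered by score, impact as tie-break, highest first."""
    scored, _ = risk_matrix(incidents, weeks)
    return sorted(scored, key=lambda c: (scored[c][2], scored[c][1]), reverse=True)

if __name__ == "__main__":
    for cat in treatment_priority(SAMPLE_INCIDENTS, weeks=4):
        print(cat, risk_matrix(SAMPLE_INCIDENTS, 4)[0][cat])
```

With the constructed data and a four-week window the DDoS category lands in the (3, 3) cell and ranks first, which is the kind of picture the Friday discussion drew from the real OSINT data.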

While the general opinion was that the story is too high level and after the fact, it did lead us into a discussion on the quality of the increasingly third-party hosted e-services that we can only manage via supplier management processes (versus putting technical capabilities in place ourselves to mitigate). A nice example perhaps is https://www.corkcity.ie/en/council-services/public-info/customer-service-requests/ where you will notice the third-party service provisioning. It is these providers we need to hold accountable for being secure against front-facing DDoS and similar attacks; however, we all know how challenging this is for many reasons. Starting points are (a) knowing which services are being provided by third parties, (b) continuously testing those services for security, and (c) ensuring any vulnerabilities are resolved as quickly as possible. Remember we still own the data they are processing and are liable for any breaches. Additionally, the outage of a service leads to time delays for citizens (e.g., when requesting a permit), and legally we are usually in the situation that if an approval does not occur within a specific time period, then the approval is automatically considered as given. Suppliers usually cannot afford the security we need and tend to duck the issue as much as they can: they will promise capabilities which, upon further investigation, are non-existent; just signing a confirmation is easily done. We must hold them to account and resource appropriately.
No doubt there are many dimensions and flavours to any sort of data used for reporting / analysis, and constructive debate is critical. And yes, phishing / malware remain key threats to our back office facing solutions. The exam question is perhaps what story is most important AND effective in helping us provide secure services to the citizens?
Ah yes, and remember that while Smart City projects usually have the largest public profile, they are usually also the ones hosted on insecure third-party platforms and most susceptible to incidents.
Cheers
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat on why it is important to have a list of essential services your public administration subscribes to, operates and manages, including which IT systems support their delivery. The AI responded as follows:
“Having a comprehensive list of essential services in public administration is crucial for several reasons:
1. **Clarity and Organization**: It provides a clear understanding of the services that are critical to the functioning of society and ensures that they are organized and managed effectively.
2. **Resource Allocation**: It helps in prioritizing resource allocation, ensuring that essential services receive the necessary funding and support.
3. **Risk Management**: In times of crisis or uncertainty, knowing which services are essential allows for quick action to maintain their operation, thus mitigating risks to public welfare.
4. **IT System Support**: Identifying the IT systems that support the delivery of these services ensures that they are maintained, updated, and protected against cyber threats, which is vital for service continuity.
5. **Accountability**: It establishes accountability by clearly defining which public administration department is responsible for each service.
6. **Efficiency**: Understanding the IT infrastructure behind service delivery can lead to improvements in efficiency and the streamlining of processes.
7. **Public Trust**: Transparency in essential services fosters public trust in the government’s ability to meet the community’s needs.
8. **Equitable Access**: Ensuring that IT systems are in place and functioning properly helps provide equitable access to essential services for all citizens.
9. **Continuous Improvement**: Monitoring and managing these services allow for ongoing evaluation and improvement, which is key to adapting to changing public needs.
10. **Legal Compliance**: It ensures compliance with laws and regulations that mandate the provision of certain essential services.
In essence, having a well-defined list of essential services and the IT systems that support them is fundamental to the resilience and effectiveness of public administration [1][2][3].
Source: Conversation with Bing, 02/05/2024
(1) CDC – 10 Essential Public Health Services – Public Health …. https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
(2) 1. The future of the public service: Preparing the workforce for change …. https://www.oecd-ilibrary.org/sites/1a9499ff-en/index.html?itemId=/content/component/1a9499ff-en.
(3) 10 Essential Public Health Services – American Public Health Association. https://www.apha.org/what-is-public-health/10-essential-public-health-services.
(4) 10 Importance Of Public Administration – Explicit Success. https://explicitsuccess.com/importance-of-public-administration/.”
| In the News |
- Microsoft Copilot for Security launched. See https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-copilot-security.
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.
One key service is about “Creating Intelligence” and related to “(Joint) Risk Register / Management: We assume responsibility for professionally managing and governing all aspects of the cyber risk register / process of your organisation aligned with the requirements of the NIS2 Directive. This includes joint-reviews with peers.” – the unique piece is that we can help implement robust financial valuation of risk threats and opportunities.
We continue planning our next webinar in collaboration with I-Trust with a draft title of “Accelerating NIS2 Compliance with Benchmarking and AI Support”. It is potentially scheduled for 15:00-16:30 CET – Monday, 27th May 2024 – and once confirmed we will let you know. The webinar focuses on helping local and regional public administrations accelerate their journey to NIS2 compliance with the help of generally available AI solutions such as Microsoft Copilot, in combination with expert assessment questions that also allow for benchmarking across local and regional public administrations across the European Union. The webinar will be an open debate building on a presentation of the Enablor benchmarking platform from I-Trust and how it is used in practice by a public administration on its path to NIS2 compliance, a demonstration of how Microsoft Copilot can be used to effectively explore the assessment questions, and an open panel discussion with the presenters and the audience. The webinar will help public administrations master the growing challenge of achieving NIS2 compliance through benchmarking, simple AI and peer-to-peer knowledge sharing.
| Project “VAUBAN” – 2024 Multi-ISAC Tabletop |
You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 90-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. Stay tuned for updates as we perhaps move towards a wide-ranging hybrid face-to-face / virtual tabletop with a similar setup (but different scenario) to the recent purely virtual one.
| Project “Regions4Cyber” |
[Save the date] 22nd of May, 10am-11:30am – “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe” with guest speaker MEP Pehr Granfalk, rapporteur of the Committee of the Regions' (CDR 2191/2023) EU Cyber Solidarity Act and Digital Resilience Paper. More information following shortly.
The CRR community aims to build a European community of Local and Regional Authorities (LRAs) that have a desire to increase their digital resilience. It will engage LRAs' Chief Information Security Officers (CISOs) and related roles, and IT or security specialists that have cybersecurity responsibilities, in a community that aims to increase LRAs' cybersecurity resilience. Surveys, events, webinars, and a Signal chat with experts and peers are among the activities promoted within the CRR initiative. Contact us for further information.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/