2024/28 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Ban bots from joining online conferences to prevent GDPR breaches / Resource augmentation for supplier NIS2 cyber audits? / Prioritizing legal responsibility versus citizen welfare?  


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: Compliance can usually be achieved by having a plan for a plan.
  • Weekly [TLP:RED] for Essential Services Managers: All tenders and purchase orders should include an information security addendum.
  • Weekly [TLP:RED] for IT Leaders: Have auditors use an organisational email address and work in an organisational role – spoofing like this helps get needed user collaboration.
Summary

Hi everyone, I hope you are doing well. Four cities and two regions from Bulgaria, Estonia, Germany, Italy, and Spain joined on Friday morning, first to reflect on our betting round from two weeks ago, since the city of Timișoara was the victim of a cyber attack on 26 August (https://hotnews.ro/atac-cibernetic-asupra-serverelor-primariei-timisoara-si-a-mai-multor-institutii-subordonate-unele-servicii-online-suspendate-1778550) – just outside the time window we were betting on! Bets for the coming week again reflect a spread of high and low probabilities (with one medium).

As colleagues joined, we again had a join request from https://www.read.ai/ and declined that of course. Keep an eye out for such requests, since it may well be that the servers storing the captured information are outside the EU and content shared can lead to GDPR breaches etc.

We then discussed a current effort to support a regional colleague in running cyber security assessments of suppliers. Suppliers are of course a massive weak point and getting them to reveal and remediate their weaknesses a challenge. The solution we are exploring is that the City ISAC provides suitable auditors that spoof an organisational role with email address etc, and then seek a local language conversation with the supplier based on a small CIS18 oriented questionnaire. Through multiple conversations the relationship for revealing and helping to remediate weaknesses can be built. This is especially important considering that NIS2 now makes organisational CIOs / IT Leaders responsible for NIS2 compliance of suppliers (including critical infrastructure of course). Let us know if you are also interested in piloting this.

Based on the above we also reflected on the trend to include information security agreements as an integral part of tendering and purchasing processes. While they do give us a legal boundary with the supplier, they of course do not prevent the supplier from (inadvertently) giving incorrect information and hence compromising the security of our networks and of citizens. The key question must be whether we prioritise legal boundaries or citizen safety.

With two new regional colleagues joining, we then also discussed the ENISA OSINT reports we share weekly and the reporting thresholds we are all subject to. Thresholds appear to differ between countries, and sometimes the sheer volume of incidents makes the reporting regulations impossible to comply with – maybe another space for resource augmentation?

For this week's image I was a bit at a loss and ended up asking Copilot to create an Australian Aboriginal dot art image of cyber security. The AI came up with the following, pretty cool, idea…

Continuing to wish everyone a safe summer! Almost over ☹

Cheers, 

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about what NIS2 will make local / regional administrations liable for. The AI responded as per below:

“The NIS2 Directive significantly broadens the scope of cybersecurity requirements and introduces new liabilities for local and regional administrations. Here are the key points:

1. **Broader Scope**: NIS2 applies to a wider range of sectors and entities, including public administrations at central and regional levels².

2. **Management Liability**: Management bodies within these administrations are required to approve and oversee the implementation of cybersecurity risk-management measures. They must also participate in specialized cybersecurity training¹².

3. **Personal Liability**: Managers can be held personally liable for non-compliance, facing potential administrative fines or even a temporary ban from managerial functions³⁴.

4. **Incident Reporting**: There are stricter incident reporting obligations, requiring timely and detailed reporting of significant cybersecurity incidents².

These measures aim to enhance the overall cybersecurity resilience within the EU by ensuring that even local and regional administrations are held to high standards of cybersecurity practices.

Source: Conversation with Copilot, 30/08/2024

(1) The NIS 2 Directive and its business implications – PwC. https://www.pwc.be/en/services/cyber-privacy/NIS-2-directive.html .

(2) Key implications of the NIS 2 Directive: increased liability risk for …. https://www.schoenherr.eu/content/key-implications-of-the-nis-2-directive-increased-liability-risk-for-management-and-broader-scope.

(3) EU Publishes New NIS2 Cyber Directive Imposing Liability and …. https://datamatters.sidley.com/2023/01/19/eu-publishes-new-nis2-cyber-directive-imposing-liability-and-obligations-on-senior-management/.

(4) What is the NIS2 Directive? – BSI. https://www.bsigroup.com/globalassets/localfiles/nl-nl/nis2-document/bsi-ce-nis2-brochure-en-nl-v3s.pdf.”

In the News

City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered. Please do review and consider reaching out to include such in your activities and budgets.

We are currently shaping a way to augment city / region resources to perform supplier NIS2 cyber security evaluations and remediations. The aim is to identify liabilities triggered by NIS2 and robustly mitigate them.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have an opportunity to run a 120 minute tabletop with many ISACs in the room plus a wide range of ENISA representatives on the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help.

No specific updates – the Red Team continues to develop a playbook, and this week began exploring how to create a “plan” for steering the reactive behaviour of a victim. We need to assume that the Red Team knows the process that will be enacted by the administration crisis team, which raises the question whether following the “standard” process (i.e., disconnecting from the Internet, recovering backups, etc.) is the *right* strategy for the Blue Team.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
