2024/30 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: It is Cybersecurity Awareness Month – EU & CISA Invites / Key Controls are sometimes very straight-forward / Comply-Secure-Contain / We can attract cyber professionals to low paid jobs / Hack the Hague on Monday 30 Sep 2024 – Worth emulating?
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in that function, Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal, sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials: Ensure all reports are also written in English to ease getting visibility.
- Weekly [TLP:RED] for Essential Services Managers: Personally collect laptops and phones from leavers.
- Weekly [TLP:RED] for IT Leaders: Modernising cyber monitoring solutions will increase the number of breaches you detect (not the number that occur) – plan for the follow-up workload.
| Summary |
Hi everyone, I hope you are doing well. Four cities / regions from Belgium, Estonia, Ireland, and Spain joined on Friday morning (plus colleagues from ENISA) and enjoyed a demonstration of a really nice supplier self-registration system with AD enablement, password / MFA security and segmentation that cleverly implements some very effective controls in this space. It is in-house .NET development, so costs are low and the requirements are very well met. I found it especially interesting that each login is managed through a new, highly secure password. For me the key learning point is that it addresses a critical control for supplier management and hence may make room for closer, pragmatic cyber collaboration.
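To make the “new highly secure password per login” idea concrete, here is an added illustration of that pattern: a fresh high-entropy credential is issued for each login, only a salted hash of it is stored, and it is single-use, time-limited and revoked after repeated failures. This is example code written for this update, not the system demonstrated on Friday (whose internals are not described here); the class and function names, the PBKDF2 parameters and the attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed tuning values: raise the iteration count until one derivation
# takes roughly 100 ms on the target hardware.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5


@dataclass
class _Record:
    salt: bytes
    digest: bytes
    expires_at: float
    failed: int = 0


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password; the clear text is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class OneTimeCredentialStore:
    """Issues one high-entropy password per login and keeps only its salted hash.

    Each credential is single-use (a replay fails), expires after ttl_seconds,
    and is revoked after MAX_FAILED_ATTEMPTS wrong guesses.
    """

    def __init__(self) -> None:
        self._records: Dict[str, _Record] = {}

    def issue(self, account: str, ttl_seconds: int = 900, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        password = secrets.token_urlsafe(24)  # 192 bits of entropy, URL-safe alphabet
        salt = secrets.token_bytes(16)
        self._records[account] = _Record(salt, _derive(password, salt), now + ttl_seconds)
        return password  # shown to the supplier once, over the out-of-band channel

    def verify(self, account: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self._records.get(account)
        if rec is None:
            return False
        if now > rec.expires_at:
            del self._records[account]  # expired credentials are discarded
            return False
        if hmac.compare_digest(_derive(password, rec.salt), rec.digest):
            del self._records[account]  # single use: the same password cannot be replayed
            return True
        rec.failed += 1
        if rec.failed >= MAX_FAILED_ATTEMPTS:
            del self._records[account]  # revoke after repeated wrong guesses
        return False


if __name__ == "__main__":
    store = OneTimeCredentialStore()
    pw = store.issue("supplier-42", ttl_seconds=600)
    print("first use:", store.verify("supplier-42", pw))   # True
    print("replay:", store.verify("supplier-42", pw))      # False
```

The `now` parameter exists so the expiry logic can be tested deterministically; in production it defaults to the wall clock. The portal would still combine this with MFA and with the network segmentation the demonstration showed, since a strong password on its own only addresses the “Secure” entry point.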
The supplier management solution we saw was also a good reminder that, while we cannot fully address all formal (NIS2/CRA) requirements, we can find effective and cheap controls for key elements and thus drive the “Comply-Secure-Contain” dimension: “Comply” with key policies, “Secure” the entry points to our networks, and “Contain” the damage when breached, through segmentation.
Just for awareness: it is Cybersecurity Awareness Month and CISA has again launched some very helpful activities / tools (see https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit) with the aim of reinforcing the four key behaviours:
- Use strong passwords and a password manager
- Turn on multi-factor authentication
- Recognize and report phishing
- Update software
Remember also our big sister “Multi-State Information Sharing and Analysis Center” https://www.cisecurity.org/ms-isac is also supporting this effort.
A good conversation as well this week with a member who is again running their very comprehensive annual cyber maturity programme across many of their local and regional administrations. One interesting confirmation is that cyber really is not at the top of their administration risks, especially because most breaches only disrupt and do not disable services. Maybe something to be honest about as well – from an overall perspective cyber is important, however administrations do have bigger concerns.
Before I forget, The Hague is running its regular “Hack the Hague” event on Monday 30 September (see https://www.hackthehague.com/) – maybe something you could also do in your administration – let me know if you want to connect to the colleagues running this.
I am enjoying the images that Copilot is coming up with, so I asked it to create a cave art image of cyber security 😊 AI came up with another pretty cool idea:

Cheers,
Oliver
Insights from Chatbots
I was curious about the opinion of Bing Chat about how public administrations can attract cyber professionals to low paid jobs. The AI responded as per below:
“Attracting cybersecurity professionals to public administration roles, especially when the pay might be lower than in the private sector, can be challenging. However, there are several strategies that can make these roles more appealing:
1. **Mission and Impact**: Emphasize the importance and impact of the work. Public sector roles often involve protecting critical infrastructure and public services, which can be highly motivating for individuals who want to make a difference¹.
2. **Professional Development**: Offer robust training and development opportunities. This can include certifications, workshops, and access to the latest cybersecurity tools and technologies².
3. **Work-Life Balance**: Highlight the benefits of a better work-life balance, which is often more achievable in public sector roles compared to the private sector¹.
4. **Job Security**: Public sector jobs often come with greater job security and benefits, such as pensions and healthcare, which can be attractive to many professionals².
5. **Flexible Working Arrangements**: Provide options for remote work, flexible hours, and other arrangements that can improve job satisfaction¹.
6. **Recognition and Career Progression**: Create clear pathways for career advancement and recognize achievements. This can help retain talent by showing that there are opportunities for growth within the organization².
7. **Collaborative Environment**: Foster a collaborative and supportive work environment. Working in teams and having a strong sense of community can be very appealing¹.
8. **Public-Private Partnerships**: Engage in partnerships with private sector companies for joint projects or secondments. This can provide public sector employees with exposure to different environments and experiences².
By focusing on these aspects, public administrations can make their cybersecurity roles more attractive despite the lower pay.
¹: [KPMG](https://kpmg.com/xx/en/home/insights/2024/06/cybersecurity-considerations-2024-government-and-public-sector.html)
²: [GOV.UK](https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030)
Source: Conversation with Copilot, 12/09/2024
(1) Cybersecurity considerations 2024: Government and public sector – KPMG. https://kpmg.com/xx/en/home/insights/2024/06/cybersecurity-considerations-2024-government-and-public-sector.html.
(2) Government Cyber Security Strategy: 2022 to 2030 – GOV.UK. https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030.
(3) Embedding standards and pathways across the cyber profession by 2025. https://www.gov.uk/government/consultations/embedding-standards-and-pathways-across-the-cyber-profession-by-2025/embedding-standards-and-pathways-across-the-cyber-profession-by-2025.”
| In the News |
- Val-de-Reuil (France) impacted by cyber-attack. https://actu.fr/normandie/val-de-reuil_27701/cyberattaque-a-val-de-reuil-un-retour-a-la-normale-attendu-lundi_61576094.html.
- French ministries and public services suffer a massive DDoS attack. https://www.lebigdata.fr/la-france-en-alerte-les-ministeres-et-services-publics-subissent-une-attaque-ddos-massive?utm_campaign=DAM&utm_medium=email&_hsenc=p2ANqtz-_Tc0Rgdzp4TXeRuZBST-7KWvjmq5pJ9vyuJOhmBDVjZ-c_j-qzUl6cp9MAj6ybGQCl-SP2J9v_bHANF6_DWsCe0KuQNRtIinRT2E22hFvcOCLe2Pc&_hsmi=323812248&utm_content=323812248&utm_source=hs_email.
- “Hack The Hague” on Monday 30 September 2024. https://www.hackthehague.com/.
| City ISAC Services (Member Funded) |
We have published our services at https://isac4cities.eu/services-offered. Please do review and consider reaching out to include these in your activities and budgets.
One of the services we also offer is finding young companies with innovative cyber products that are interested in low / no cost piloting of their solutions with public administrations. Maybe something to reflect on as you try to innovate on a shoestring budget?
Finally, please note the EU Cybersecurity Days event in Brussels on October 2-4 (see https://cybersecuritydays2024.eesc-cor.europa.eu/Pages/Home.aspx#msdynttrid=NpynN7fKLa3LoySbuBKWKqqaqHsj3Xf4-f657LXfZXA).
| Project |
You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water, etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have the opportunity to run a 120-minute tabletop on the morning of the second day with many ISACs in the room plus a wide range of ENISA representatives. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will cover all NIS2 domains and offer the ISACs a chance to help jointly. The context will be: “The City of Fantasia operates, subscribes to and manages services for its 600k citizens in the sectors of: Public Administration (Operate), Energy (Manage), Transport (Manage), Healthcare (Manage), Drinking Water (Manage), Wastewater (Manage), Emergency Services (Manage), Digital Infrastructure (Subscribe), and ICT Service Management (Subscribe). The City has a regional airport, an industrial harbour and three major industrial production sites (chemicals, automotive, and battery).” -> then a professional actor appears with a thunder-run strategy to make citizen life very uncomfortable! We've decided to change our exercise name for this as well 😊
We have now debriefed ENISA on our planned storyboard (see template below) and received a very positive response. We are also discussing how to perhaps fund a “roadshow” of this simulation across multiple public administrations in the EU. Below is the current storyboard template that will be populated during the simulation.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/