2024/33 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Check permitted NIS2 exceptions! / Connecting insecure assets to your networks? / No need to be the best – not being the worst is “good enough” / Always include a little budget for our ISAC to find true “best practice” / Hidden object picture can really engage users / Remember Cyber Awareness Month
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat – 2): When a cyber incident occurs, immediately have a “scribe” shadowing you to capture all communications and other evidence that will be needed in the future. Ex-police officers are good at this for example.
- Weekly [TLP:RED] for Essential Services Managers (Repeat – 2): Funding projects is often best achieved by helping sector level organisations fund larger projects that yours is part of. A project covering multiple administrations (including yours) is probably easier to fund than a project just supporting yours.
- Weekly [TLP:RED] for IT Leaders (Repeat – 2): Public tenders can be designed for ensuring preferred suppliers are at least short-listed. Value for money / best price must of course always be achieved and the key is taking the time to understand the specific activities being purchased by “look and see” / talking to the actual operators.
| Summary |
Hi everyone, I hope you are doing well. Five cities / regions from Belgium, Bulgaria, Estonia, Ireland, and Italy joined on Friday morning, and it seems national implementations of the NIS2 Directive are picking up pace. Several colleagues are busy reviewing these in depth and translating them into the local language as necessary – if you remember, this is one of our key learning points over time: we must have local language materials to work with (and leverage local language resources as needed). Interesting as well that in at least one member nation only 1% exceptions to required maturity levels will be permitted.
The above then prompted one colleague to share that they will be required to report on “near misses” in future as well. What a headache to say the least, and it will be interesting to see the sort of policies and procedures that will be developed to assure this. Another colleague suggested that the risk register could also be used perhaps, i.e., any risk above 75% being considered an “incident” or “near miss” by default? Let us know if you have any ideas on this.
One colleague then shared how they have recently won some significant national funding to make their city cyber proof. The primary focus initially is mapping their IT assets / landscape in a sustainable manner, including getting a better understanding of which organisational processes are supported by what IT capability. Without understanding this, the business criticality of IT capability really cannot be assessed and therefore appropriate investment prioritisation cannot be performed. I am sure we will be kept up to date on this progress here, and we are also discussing augmenting the project with an ISAC-wide research effort on best practice regarding approaches, tooling, policies and procedures etc.
Very interesting then when one colleague shared how they are using https://www.rapid7.com/ to enhance exposure management in their ecosystem – not only gaining some excellent insights but also finding some real “sore thumbs” in the sense of scoring 1m? (Normal high alert scores seem to be around 5k?) This is also a nice example of how having an approach for leveraging (low/no-cost) demos is a worthwhile investment – so many tools out there and so many vendors needing to test their solutions – a very powerful strategy for low budget cyber enhancements that we see quite often. Ah yes, it also helps with that perennial challenge of not having the bandwidth to check the security situation behind network connections we are being asked to make – allowing too many vulnerabilities into our networks since we cannot vet them properly in advance (or even refuse connectivity if that vetting turns out bad).
All of the above then reminded us that (a) it is impossible to remediate all weaknesses, (b) threat actors use automatic tooling to scan for vulnerabilities, and (c) we are probably acceptably safe if we are not the weakest – and that we can find out via benchmarking with other peers (i.e., using the I-Trust/Enablor benchmarking approach we have discussed previously). Not being the weakest reminded me that when you go on a safari, make sure you take someone along who runs slower than you – image generated by CoPilot to exemplify 😊

We finally looked at some hidden object pictures one member had created to raise cyber awareness in their organisation as part of cyber awareness month – these will be posters put in elevators and common waiting areas – do google the concept; some links are in the news section below.
Remember also it is Cybersecurity Awareness Month and CISA has yet again launched some very helpful activities / tools see https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit with the aim of reinforcing the four key behaviours:
- Use strong passwords and a password manager
- Turn on multi-factor authentication
- Recognize and report phishing
- Update software
Cheers,
Oliver
Insights from AI
I was curious about the opinion of Microsoft CoPilot about the benefit of hidden objects pictures for raising cyber awareness. The AI responded as per below:
“Hidden object pictures can be a fun and effective tool for raising cyber awareness. Here are some key benefits:
1. **Engagement**: Hidden object pictures are interactive and engaging, which can help capture and maintain the attention of participants. This is crucial for learning and retaining information about cybersecurity threats.
2. **Visual Learning**: Many people are visual learners. Hidden object pictures can help them understand and remember cybersecurity concepts better than text-based materials alone.
3. **Critical Thinking**: Searching for hidden objects requires attention to detail and critical thinking, skills that are also important for identifying and responding to cyber threats.
4. **Scenario-Based Learning**: These pictures can be designed to include common cybersecurity scenarios, such as phishing attempts or suspicious links, helping users recognize these threats in real life.
5. **Gamification**: Incorporating game-like elements into training can make learning about cybersecurity more enjoyable and less daunting, encouraging more consistent participation¹.
Source: Conversation with Copilot, 05/10/2024
(1) The 16 best security awareness games for employees in 2024 – Guardey. https://www.guardey.com/best-security-awareness-games/ .
(2) Top 11 security awareness posters with messages that STICK. https://www.infosecinstitute.com/resources/security-awareness/top-20-security-awareness-posters-messages-stick/.
(3) 7 Benefits Of Security Awareness Training – CyberPilot. https://www.cyberpilot.io/cyberpilot-blog/7-benefits-of-security-awareness-training.”
| In the News |
- ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-and-international-partners-release-guidance-principles-ot-cybersecurity.
- Tallinn’s e-services ranked best in world by UN https://www.baltictimes.com/tallinn_s_e-services_ranked_best_in_world_by_un/.
- Hidden objects picture on cyber security by Kaspersky https://www.kaspersky.de/blog/wimmelbild-gewinnspiel/16100/.
- Hidden objects picture on cyber security by DK Bank https://www.pinterest.de/pin/142496775700473913/.
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Remember that whenever possible your IT projects should include a small work package to identify “best practice” of other public administrations for the subject matter in question. THIS is a special competency of our ISAC and is completed using investigative interviews with experienced colleagues in comparable administrations. “Best practice” typically involves looking not only at solutions, but also the best way to configure / manage them, the best way to organise yourself, needed policies and procedures etc. The results of interviews can then be discussed, and your peers will be happy to provide their thoughts of course. Give it a try!
| Project “PHALANX” – 2024 Multi-ISAC Tabletop |
No specific updates: You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, have an opportunity to run a 120 minute tabletop with many ISACs in the room plus a wide range of ENISA representatives in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help. The context will be “The City of Fantasia operates, subscribes to and manages services for its 600k citizens in the sectors of: Public Administration (Operate), Energy (Manage), Transport (Manage), Healthcare (Manage), Drinking Water (Manage), Wastewater (Manage), Emergency Services (Manage), Digital Infrastructure (Subscribe), and ICT Service Management (Subscribe). The City has a regional airport, an industrial harbour and three major industrial production sites (chemicals, automotive, and battery).” -> then a professional actor appears with a thunder run strategy to make citizen life very uncomfortable!
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/