2025/2 Weekly Update from the MCE SIG NEW: ISAC Baseline Project continues / Trustful relationships are key, but never defined as requirements / NIS2 compliance might be impossible – so in-source? / MFA – non-negotiable? / All suppliers need infrastructure experts
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 14): Make sure you have a back-up mobile phone with an up-to-date contact list.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 14): Test disaster recovery of IT services yourself regularly by switching operations to the back-up solution (and back) and working off that – six months here, six months there.
- Weekly [TLP:RED] for IT Leaders (Repeat # 14): Put 24×7 remote monitoring capability of all servers / firewalls supporting essential services in place, regardless of whether operated / subscribed / outsources.
| Summary |
Hi everyone, colleagues from Belgium, Bulgaria and Italy joining this Friday morning. Discussions mainly revolved around how IT security providers can build / destroy trust with the public administrations they are serving, and how public administrations might be able to deal with “impossible” NIS2 compliance / control (performance requirements).
On the question of trust between public administrations and IT security providers, one colleague shared how a provider had contact them about unencrypted API keys being used from a different part of the globe to access solutions being provided. This appeared suspicious and a joint investigation revealed that the encrypted API keys were being decrypted at firewall level for passing to a US based security provider who was then using those to test / assess the websites being connected to. The behaviour of the supplier was exemplary and deeply appreciated by the public administration. There are too many IT (security) providers out there who do not communicate as openly and / or dedicate the resources needed for joint investigations and thus do not contribute to a trustful relationship. The less trust in that relation the more likely a public administration will consider changing suppliers, although this is becoming more and more difficult as there are typically few, if any, alternatives available – especially in an age of national IT (security) strategies with dedicated single supplier (infrastructures). This then reminds us that any supplier should not only meet the “technical” security requirements (i.e., MFA on all services), but also exhibit the desired trust building behaviours – but write that into contract requirements! Finally, of course, when we are locked into such relationships, the only way forward is in fact investing our own time to build and maintain such trustful relationships! I reviewed the NIS2 Directive from this perspective and must admit that it says nothing about the sort of security ecosystem relationships that are needed to achieve the intended benefit.
NIS2 compliance continues to occupy us and the specific requirements at national / regional / local level are now becoming clearer across the member states. What is also becoming clear is that complying to these is a “mission impossible” and one colleague suggested that a solution path might be changing the legal structure of how relevant services are provided, i.e., the NIS2 requirements for a third-party provider may be stricter than if those services are provided by an internal department… get the point? “In-Source” to lower compliance requirements might be the trend of the future – not the point of NIS2, but a side-effect of policies that might have been thought about. Maybe changing the ownership structure of a public-private partnership by a few percent can also drive in this direction. Point is – compliance can be achieved in many ways.
Another story that came up was around a project requesting IT hosting and then being challenged with the question of whether MFA was enabled. The project asked “Why?” and the colleague was able to point them to a specific (documented) city council decision that mandated it for all IT solution – no exceptions permitted. Learning point? If you do not have a document like this, work to get it to improve security and reduce the noise.
We also had a quick banter about infrastructure teams usually being the only proponents of security mechanisms and we should check that suppliers have such installed. In an age of “cloud” and “apps” many providers no longer have such infrastructure expects resulting in solutions that ignored security from the start of their design. Maybe something to check in IT supplier cyber security audits as well? Or list as requirements in tenders? This thought then reminded me of the famous image:
Days are not only becoming longer, but also busier as departments start operating more and more after the Holiday Season – strange, feels like November already!
Cheers,
Oliver
Insights from AI
The in-sourcing discussion above had me ask CoPilot “how can in-sourcing reduce compliance requirements?” The AI responded:
“In-sourcing, or bringing tasks and operations back in-house, can reduce compliance requirements in several ways:
Improved Control: By managing operations internally, companies have greater control over processes and can ensure compliance with regulations more effectively.
Enhanced Oversight: In-sourcing allows for better oversight of compliance practices, as internal teams are more familiar with company policies and regulatory requirements.
Reduced Dependency: Companies reduce their reliance on external vendors, which can sometimes have varying compliance standards and practices.
Streamlined Communication: Internal teams can communicate more efficiently, ensuring that compliance requirements are understood and implemented consistently.
Customized Training: Companies can provide tailored training programs for employees to ensure they understand and adhere to compliance requirements.”
| In the News |
- No specific updates
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
| ISAC Baseline (IBAS) Project |
Note that the launch event for participating cities and regions is being planned for late January / early February. This will include basic navigation and data entry to arrive at first individual and comparative results against the benchmark data. See https://isac4cities.eu/public-administration-isac-baseline for more details on this opportunity.
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulative requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight data on compliance with both legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional benchlearning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/