2025/3 Weekly Update from the EU ISAC for Cities & Regions: We are competing internally for resources / Connect with your National Cybersecurity Coordination Centres / Personal performance objectives are not cyber friendly / Draining the swamp of cyber leads to surprising results / MCE survey results “Technologies Application Domains and Challenges for the Cities of the Future” / Why Smart City Projects struggle with Cyber
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 15): Innovation is “bleeding edge” – if you don´t want to bleed in public, don´t innovate – JOIN projects of others.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 15): Copy the processes of your peers to ease transferring your processes to them in the event of a breach.
- Weekly [TLP:RED] for IT Leaders (Repeat # 15): Buy the same software and hardware as your peers to ease supporting each other in the event of a breach.
| Summary |
Hi everyone, colleagues from Belgium, Bulgaria, Croatia and Italy joining this Friday morning. Seems January is taking its toll as personal batteries struggle to recharge, so just remember you are not alone if this month appears to be a rather strenuous – we couldn´t really pinpoint the reason – just lots happening as our organisations pivot back to normal business after the Holiday Season I guess.
Interesting initial discussion about the challenges of offering competitive pay, especially when it gets to jobs hosted by the central governments versus regions versus cities and towns etc. Very different situations in various countries, however a common denominator appears to be that not only do we struggle to match any commercial offers (which we are all aware of course), but there is also competition between the various levels of government whereby the more national the better pay seems to be available – seems we are competing among ourselves for resources as well in this respect.
We then reminded ourselves of the critical role the National Cybersecurity Coordination Centres are beginning to play in supporting our national cyber efforts and connecting us to the European Cybersecurity Competence Centre and Network. Please make sure you are building relationships to yours, while we are working to ensure they are also seeing the ISACs as key stakeholders – the awareness of the renewed ENISA efforts to accelerate ISAC maturity are not on everyone´s radar it seems. Our role as an ISAC could be to coordinate parallel inputs to the national NCCs to increase awareness of the needs of cities and regions.
One colleague then shared how his city is trying to tackle the increased cyber challenge of a growing remit for water services as the national levels push the responsibility for these down to regional and local levels. They are becoming responsible for a ever wider “group” of water authorities – “group” instead of “network” since these are largely not connected in an IT sense. Primary challenge is the introduction of network monitoring capabilities at reasonable cost, although we agreed that in the end it is about being able to remediate any issues found. THIS is where the challenge is – the issue is not finding problems; it is being able to remediate them and investing to just get longer notification lists really does not cut it. We did not come to a resolution here, however whatever solutions we put in place, we do know what is going to happen and where those efforts will struggle. Learning point perhaps more a reminder that notifications are important, but they only make sense when they can also be remediated – and we need the appropriate staff for that – many approaches available to perhaps achieving this and we need to be creative – learning from peers what works or not can be very helpful here.
Also, one colleague shared how they were working to finalise all planning and budgetary requirements for 2025. A key theme is of course aligning to the strategic roadmap of the administration and designing SMART objectives – especially relevant for them since achieving objectives amounts to about 30% of their pay! So, tongue in cheek question for us all, how might our pay structure affect how we design our objectives, and do we (sub-) consciously avoid any needed objectives that are simply unattainable? This would be understandable of course and is a challenge anyone faces who designs objectives that relate to their personal compensation.
Finally perhaps, as we know cyber has no geographical boundaries and to improve our own protection we consciously need to help raise the protection of everyone – ISACs of any shape and form can help with this and supporting each other is critical to “drain the swamp” of cyber threats – supporting each other can be done well by pro-actively driving joint projects locally, regionally, nationally and inter-nationally. While the first efforts are usually rapid and effective (i.e., basic CIS18 controls), what then comes to light is the difficult stuff and needs a collaborative approach to tackle. Who knows, maybe we can find treasure as we clean up the technical debt? The image shows what they found at the bottom of a drained channel in Paris:
<snip 20250406>
Cheers,
Oliver
Insights from AI
Smart city cyber security is usually an issue. I asked CoPilot “why do smart city projects usually lack appropriate IT security?” The AI responded:
“Smart city projects often face IT security challenges due to several reasons:
Complexity and Interconnectivity: Smart cities involve a vast network of interconnected devices and systems, making it difficult to secure every component. The more complex the system, the more potential entry points for cyberattacks1.
Data Privacy Concerns: These projects collect and process large amounts of sensitive data, raising concerns about data breaches, unauthorized access, and misuse of information. Ensuring data privacy and security is a significant challenge2.
Resource Constraints: Implementing robust IT security measures can be costly and resource-intensive. Many smart city projects operate with limited budgets and may not prioritize security investments.
Rapid Technological Advancements: The fast pace of technological innovation means that security measures can quickly become outdated. Keeping up with the latest threats and vulnerabilities is a constant challenge.
Lack of Standardization: There is often a lack of standardized security protocols and practices across different smart city projects, leading to inconsistencies and vulnerabilities.
Stakeholder Coordination: Effective IT security requires collaboration among various stakeholders, including government agencies, private companies, and citizens. Coordinating these efforts can be challenging.
Addressing these issues requires a comprehensive approach, including adopting privacy-by-design principles, conducting regular security assessments, and fostering collaboration among all stakeholders.”
| In the News |
- Results of Survey on Technologies application domains in cities (summer 2024) and Workshop: Designing accessible and sustainable services by leveraging data and AI applications – Rome 29-30 November 2024. In 2024, Major Cities of Europe (MCE) has launched on a forward-looking initiative to examine how technologies are reshaping urban landscapes. The survey titled “Technologies Application Domains and Challenges for the Cities of the Future” provided valuable insights into key priorities and challenges faced by cities today. Building on these insights, MCE organized a workshop titled “Designing Accessible and Sustainable Services by Leveraging Data and AI Applications” in Rome, supported by Huawei. This event created a unique platform for dialogue and collaboration among MCE members and experts, aiming to unlock the potential of data and AI in designing innovative public services. The reports and handouts of the Survey and of the Workshop are publicly available at https://majorcities.eu/misc/workshops/designing-accessible-and-sustainable-services-by-leveraging-data-and-ai-applications/.
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
| ISAC Baseline (IBAS) Project |
Note that the launch event for participating cities and regions is being planned for late January / early February. This will include basic navigation and data entry to arrive at first individual and comparative results against the benchmark data. See https://isac4cities.eu/public-administration-isac-baseline for more details on this opportunity.
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulative requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight data on compliance with both legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional benchlearning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/