2025/7 Weekly Update from the EU ISAC for Cities & Regions: Collaboration growing to include EU Top Level Domain (TLD) ISAC / Types of self-developed software to keep under control / IBAS Baseline launched in three countries / PostgreSQL CVE-2025-1094 needs attention / Don't re-invent the wheel – copy!


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 19): Publicly share stories on the cyber security successes of your administration.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 19): Encourage the use of secure online services for file transfers with external organisations.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 19): Place non-standard IT assets (i.e., iPads for senior leaders) in their own network segments.
Summary

Hi everyone, colleagues from Belgium, Bulgaria, Croatia, Ireland, and Italy joining this Friday morning plus two colleagues from ENISA.

As we started off a colleague shared how he had been busy helping to clean out a house of a relative that was now in a care home. We agreed that it is always amazing how much “stuff” piles up over time and how it seems to become heavily compressed – even a small apartment can result in several lorry loads of “stuff” being moved. It is the same for our data on networks or open CVEs – over the years they just simply pile up and a controlled resolution is often not feasible – a huge amount of work that may not really be worth it?

The “worth it” question then triggered a discussion on whether the NIS2 frenzy at the moment may be distracting somewhat from protecting our critical infrastructure itself – a lot of energy is flowing into public administration processes that, if they failed, would create an annoyance or problem, but certainly no “disaster” for our citizens. We agree it is important to stay critical of the development and make sure that the protection of core services for citizens always takes priority (i.e., GDPR, waster, electricity etc.). Out of this comes the thought that digitisation is not really always the right emphasis for funding?

The discussion then meandered on to reflecting on how decommissioned IT kit can sometimes be worth keeping – finding old kit for repairs is often a real challenge (one colleague mentioned their organisation having staff dedicated to searching eBay and similar sites for old kit that was needed).

Ah yes, we also shared some thoughts on the IBAS Baseline project that launched this week for Croatia, Italy and Lithuania – further localisations are also underway and now the challenge for all is to get their data into the enablor system so that comparative sensemaking can start – if you have a compliance challenge against any standard, we are sure some colleague somewhere has already solved it in a pragmatic and repeatable manner! No need to reinvent the wheel and better to just copy and focus resources on more important things.

ENISA had previously asked us to comment on a NIS360 report and several colleagues were kind enough to review and provide feedback. The key elements of the response from ENISA were “As you know, we are dependent on Member States and their approach. Since 2025 is the first year that public administrations fall under the scope of the NIS Directive, Member States are still in the process of defining and identifying them. It is already clear that not all Member States will include local and regional authorities, as the directive primarily focuses on central government authorities. We expect Member States to gain more clarity this year or next on what they will include under public administrations and how deeply we can assess their maturity. <snip> we were initially optimistic about exploring multiple dimensions, but we faced the reality of limited reliable and comparable statistical data. In the end, Eurostat remains our primary source.” Important therefore is that we might be able to assist with “providing reliable statistical information to further refine” the future reports.

Not discussed but maybe interesting – a list of the sort of solutions that should be controlled carefully from a software development and release / ongoing management perspective:

  • High level compiled language software (e.g. C, C++, Ada)
  • Interpreted software (e.g. Python, Java, JavaScript)
  • Operating software (e.g. operating systems, drivers)
  • Use of pre-existing software libraries
  • Applications using VBA code
  • Software interacting with a database
  • Database design
  • MATLAB based software/scripts
  • Mathcad based software/scripts
  • Simulink based software/scripts
  • Auto generated software (e.g. from MATLAB, Simulink, SCADE, or bespoke)
  • Bespoke Programmable Logic Controller (PLC) blocks
  • GPGPU code (e.g. CUDA)
  • Assembly level code
  • Applications using proprietary tool specific languages (e.g. Power Query)
  • Scripting to customise tool functionality
  • Numerical Controller Codes for CNC machine programming
  • Power Query scripts
  • JMP Scripts

Cheers, 

Oliver

Insights from AI

Following up on the above thoughts about re-inventing the wheel I asked CoPilot “what are the benefits of not re-inventing the wheel?” The AI responded:

“Not reinventing the wheel has numerous benefits:

Efficiency: Using established solutions saves time and effort. Instead of starting from scratch, you can build on existing knowledge.

Reliability: Tried-and-tested solutions have likely been refined and debugged, making them more reliable.

Focus on Innovation: By leveraging existing solutions, you can focus on innovating and adding unique value instead of solving problems that have already been solved.

Cost-Effective: It reduces development costs since you avoid duplicating efforts and can benefit from economies of scale.

Standardization: Using standard solutions ensures compatibility and interoperability with other systems and technologies.

Learning: Studying existing solutions provides valuable insights and learning opportunities.

Overall, not reinventing the wheel allows you to work smarter, not harder, and achieve better results more efficiently.”    

In the News
City ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

ISAC Baseline (IBAS) Project

Note that the launch event for participating cities and regions from Croatia, Ireland and Lithuania was completed on 20 February. This included basic navigation and data entry to arrive at first individual and comparative results against the benchmark data. See https://isac4cities.eu/public-administration-isac-baseline for more details on this opportunity.

The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulative requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight into compliance with legislation, together with automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can of course sponsor membership for your regions and cities as well.

Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
