2025/19 Weekly Update from the EU ISAC for Cities & Regions: Our (Almost) Daily Cyber Forecast on LinkedIn – Follow us / Invitation to Participate (and circulate) in ENISA’s NIS360 Sector Survey / Weekly [TLP:RED] / Join our “Barista”, “I4C+ MISP” and “ISAC Baseline (IBAS)” projects / Member Security Incident story – Exploited WordPress / MCE Annual Conference Oct 9&10, 2025
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Daily Cyber Forecast
Our GPT Barista is publishing an (almost) daily cyber forecast to our LinkedIn page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/.
Invitation to Participate (and circulate) in ENISA’s NIS360 Sector Survey
Over the past few months, our ENISA friends have been working on developing the NIS360 surveys — and they are happy to share that they are now ready to launch!
We would appreciate it if you could share the survey dedicated to public administrations with the members of ISAC4Cities.
The goal of the survey is to assess the cybersecurity maturity and criticality of sectors classified as essential or important under NIS2.
The input collected will directly inform the upcoming ENISA NIS360 Report, which will provide a comprehensive overview and comparison of sectors, highlighting where each sector stands. Through NIS360 surveys, ENISA aims to collect data on an annual basis to support companies and competent authorities in prioritising resources and strengthening cybersecurity practices over time.
You can access the survey via the following link: https://enablor.dk/auth/register/survey/8419079683a240e88266e257bf391b00?lang=en&enisa=true
We kindly invite you to complete the survey by September 15.
You can also find last year’s NIS360 report here: https://www.enisa.europa.eu/publications/enisa-nis360-2024. However, this year, we aim to gather input from a broader range of entities in order to develop the most accurate and comprehensive picture of the sector possible.
If you have any questions, need further information, or are interested in continuing the dialogue and contributing your expertise to support our work, please do not hesitate to contact the ENISA team at NIS360@enisa.europa.eu <mailto:NIS360@enisa.europa.eu> .
Weekly [TLP:RED]
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation. Full list at https://isac4cities.eu/tlpred.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 31): You could run many services on temporary pilots based on free pilot licenses.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 31): Get GDPR compliance confirmation BEFORE you pilot.
- Weekly [TLP:RED] for IT Leaders (Repeat # 31): An isolated test environment with up-to-date security monitoring that allows third party pilot installs can be quite helpful.
Ask Barista (GPT)
We have now launched a Barista pilot where colleagues get access to a custom designed ChatGPT app called “Barista” – I asked Barista who it is and it replied: “I’m Barista, your cybersecurity analyst assistant. I’m here to help security operations centre (SOC) teams, blue team defenders, and incident responders with things like: Log analysis (from Splunk, Sentinel, ELK, etc.), Writing detection rules (Sigma, KQL, SPL), Mapping alerts to MITRE ATT&CK, Remediation guidance (NIST, CIS, OWASP best practices), Threat hunting, system hardening, and incident response support, Automating security processes in hybrid and cloud environments”.
Several administrations have already joined. Please contact me if you are also interested in a pilot account and joining the conversation. MCE is funding the ChatGPT single user account for the moment and the next step will be to find a sponsor for the Zapier integration and GoogleDrive account so that we can begin with creating a library of data to feed Barista and kick-off some test workflow integration. Below a high-level conceptual draft of the process we are looking to explore.
If you would like access to the pilot individual version, please let me know.
If you would like us to operate a query process for you (i.e., with internal data from your side) please do reach out.
Note that we are also investigating moving from Open AI to https://mistral.ai/ in the interest of maturing an EU based solution platform.
Member Security Incident
One of our members shared a short report on an incident recently experienced:
Initial compromise: We detected unauthorized activity on the web server, traced to an exploited WordPress vulnerability. The affected code was patched and isolated immediately.
Kerberos ticket surge: Shortly after, we observed an abnormal volume of Kerberos tickets.
Lateral attempts: The attackers also probed our Exchange environment and the FortiGate cluster. Multiple times the active FortiGate node locked up, so we performed a manual fail-over to the standby node to restore stability.
Additional sensor alerts – For a short period our sensors flagged the creation of new accounts on several other web servers. Mitigation had to be performed manually on each affected host.
Spam flood: ~1.2 million messages were dropped in 48 hours.
Mitigation steps taken:
Geo-blocking: all inbound web traffic originating outside the country is temporarily blocked.
XDR response: our XDR platform automatically contained any payloads that bypassed the spam filter.
Alert-storm challenge – All our alerting systems started firing at once, producing so many notifications that it became difficult to decide where to focus first.
Sensor posture: we switched detection to Aggressive mode, which has increased false-positive alerts but gives us better coverage across multiple attack vectors.
Additional sensor alerts – For a short period our sensors flagged the creation of new accounts on several other web servers. Mitigation had to be performed manually on each affected host.
To be candid, it has not been a pleasant experience: over these three days I have managed barely eight hours of sleep, and the prospect of the upcoming weekend is anything but relaxing. Nevertheless, the situation is stable and all critical services are operating normally. We will continue monitoring and fine-tune the sensors once traffic patterns normalize. Now we are blocking a lot of regular traffic but until we are certain that everything is under control we will continue.
To make matters even more “interesting,” the attacks began precisely during the inaugural session of the City Council and the formation of the new city administration—an event that ultimately failed. As a result, we were accused of deliberately blocking the vote and interrupting the live stream of the session. Whether this timing was intentional or just Murphy’s Law at work, we simply don’t know.
I4C+ MISP
One public administration colleague now has our MISP running in their own network and we are working on pulling together the many:many NDA needed to begin using it – more once that NDA is finalised. Each administration can get its own confidential area and there is then the opportunity to share with other administrations and publish to the ENISA MISP. Let us know if you would like to join.
Summary
Hi everyone, friends from Croatia and Estonia joining this morning with a long discussion on the experiences of a colleague with a major DDOS and data exfiltration attack – very interesting to hear the “inside story” and again a confirmation that there is often only one person in the organisation that can truly handle all the activities.
We then reflected on the degree that attacks impact administration services (usually not very high) and that these are often part of a larger effort of nation state actors to destabilise social structures. The damage is therefore broader and more persistent / subtle which makes it more difficult to gain individual budget support.
Additionally, to the above we discussed how administration councils often simply do not understand what is “under the bonnet” of operating IT infrastructures and the rising impression that “AI will fix it” #sigh….
Otherwise we share vacation notes 😊
Cheers,
Oliver
| In the News |
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
| ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
| ISAC Baseline (IBAS) Project |
The IBAS project continues and remember this sits on the Enablor platform serving a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves against not only regulative requirements but also other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization’s security level gives insight data on compliance with both legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can sponsor membership for your regions and cities as well of course.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced efforts for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/