2023/38 Weekly Update from the “City ISAC I4C+” Highlights: [TLP:RED] Guidance – Fund others to fund yourself / Bolt-On Solutions are weaknesses by default / We knowingly buy what doesn't work / (NEW) Project “Regions4Cyber”

​​


[TLP:WHITE]

Weekly [TLP:RED] – Please contact us directly for more information – these are summaries only and the “key” is in the actual stories. They are based on honest comments by peers in private conversations and they would probably never acknowledge the statement officially:

· Weekly [TLP:RED] for Publicly Elected Officials: Ensure you have a communication professional trained in handling the media during a cyber incident available and delegate ALL communications to them immediately.

· Weekly [TLP:RED] for Essential Services Managers: Funding projects is often best achieved by helping sector level organisations fund larger projects that yours is part of. A project covering multiple administrations (including yours) is probably easier to fund than a project just supporting yours.

· Weekly [TLP:RED] for IT Leaders: Public tenders can be designed to ensure preferred suppliers are at least short-listed. Value for money / best price must of course always be achieved, and the key is taking the time to understand the specific activities being purchased by “look and see” / talking to the actual operators.

Summary

Hi everyone, and hope you are well – two cities stopped by on Friday morning, and it seems it was a good week for one city in that they have made significant progress in getting multi-year budgets supported by moving a level higher – see the [TLP:RED] comment for Essential Services Managers – yes, this is a team sport with important stakeholders outside the organisation as well. Specifically, projects around social housing and voter registration moved forward solidly.

We then reflected on how difficult it is to “show” what IT does for us – sort of works in the background and colleagues only notice when it doesn’t work. Good examples of how to do this are monitors demonstrating network traffic or making sure those lights on cabinets are more visible – sort of like old “muscle cars” being very audible on the streets compared to electric vehicles that are very quiet – people do not worry about things they do not see. And without “worrying” it is even more difficult to get the essential work funded. Being “perfect” means being invisible – letting some services degenerate can be beneficial in the longer run.

The (low) quality of IT/security code remains a perennial topic, and agreement continues that most solution providers have a solid core product. However, that core has been expanded continuously, with wrapper after wrapper of additional functionality being bolted on, and it is typically these “bolt-ons” that are the weak points from a cyber perspective. The reason for these strategies is that vendors need to grow continuously to satisfy investor demands – it is usually easier to add functionality than to focus on the core and raise prices. For defence in depth this means we should buy for core product capability only and then integrate a suite of these in a wrapper structure ourselves. Multiple layers of parallel solutions then also help.

Lastly, we reminded ourselves that we are probably one of the few industries where the customer buys solutions where the contracts basically say “This product will not work as expected”… we have little choice but to accept this… Personally, after one project with a major telecom provider years ago, I am seriously considering IT services to be “magic” and controlled by beings of another dimension (“Loki” comes to mind).

UPDATES

In the News:

City ISAC Services (Member Funded): As we try to help some members engage commercially with some of our partners / suppliers, we continue to encounter the known tension between public procurement and the faster speed of commercial providers. One commercial provider even mentioned not wanting to pursue public administration contracts for this reason, which in turn leads to even less choice for administrations in choosing suitable solutions. The best approach remains piloting small projects with companies focused on core products – but make sure they are local to ensure appropriate support.

Project “DAVID” (Member Funded): The initial distribution list for the role-based survey (drafts available at https://isac4cities.eu/survey) has been completed. Now awaiting the kick-off of project “MEET”.

Project “MEET” (EU Funded / Beneficiary): No updates.

EU Council of ISACs: Discussions this week looking at the need to create a formal legal organisation to support collaboration with funding programs. Nice to see how the more mature ISACs (i.e., Hospitality) are taking the lead to create a space that will support ALL ISACs – about 16 exist across various sectors in the EU.

Project “VAUBAN”: Besides preparing the Prato tabletop, we have recruited a “mayor” for a German city association tabletop in Leipzig at the end of November. A wonderful assistant-mayor is willing to help us kick off the event, which looks at incident response to a major ransomware attack at a city in the Larissa format.

(NEW) Project “Regions4Cyber”: In collaboration with a major region and https://ecs-org.eu/ we are now preparing the new round of workshops based on a survey looking at security performance across essential services in EU regions. Direction of travel is an “ISAC of Regions” as partner for our “ISAC of Cities”.

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
