Cyberattacks: When communities look for defences
Stormshield Cybersecurity, Governance, Cyberattacks
Some cyber experts believe that the cyber attack on the city of Baltimore in the USA in May 2019 was a prominent event in the cyber threats against municipalities. The high ransom and recovery sums, the media coverage, or even the number of computers affected: the case did indeed leave an impression. And it seems to have had a knock-on effect, since there have been more and more examples on a global scale since then.
Cyberattacks and communities: a threat on an international scale
According to a 2020 study, 44% of ransomware attacks targeted municipalities. These ransomware attacks are becoming even more complex for victims. In September 2020, cybercriminals exposed 20 gigabytes of stolen data from the French metropolis of Aix-Provence-Marseille online. It contained the names of officials and their personnel numbers, as well as two files with 23,000 email addresses linked to names. This leak of sensitive data shed light on a new form of intimidation, in which attackers threaten to leak data in order to force the payment of a ransom.
And the threat is global. In July 2021, after a cyberattack, the administration of the Anhalt-Bitterfeld district in Germany had to get its fax machines out of the cupboard. In Italy, the entire Lazio region was affected in August when ransomware paralysed the regional data centre, causing, among other things, the booking platform for the Covid vaccination to become unavailable. In the US, there are countless examples. In September 2021, the Washington Post ran the following headline: Ransomware brings chaos to American cities. From the police in Washington to Fairfax County schools, the trend seems to have caught on and is even reaching correctional facilities. In January 2022, a prison in New Mexico was hit by a cyberattack that disabled cameras and automatic doors.
"There is an explosion of ransomware attacks," confirms Vincent Nicaise, who is responsible for partnerships and the industry ecosystem at Stormshield. This even more so as some government agencies are attacking both traditional IT infrastructures and the more sensitive OT infrastructure, as the example of the cyber attack in New Mexico shows. Yet municipal associations and other city halls are not exactly known for their lavish cash flow. So why should they be targeted? For Philippe Loudenot, member of the CESIN, cybersecurity officer of the Pays de la Loire regional council and former official for the security of information systems (FSSI) in the ministries of social affairs, these are mostly opportunistic attacks. However, as they pose a direct threat to the smooth functioning of public services, cyber attacks that affect local governments deserve attention.
Public services squeezed by cyberattacks
The cyber security of local governments is so important because a cyber-attack on a municipality can have various consequences, each of them devastating. Philippe Loudenot distinguishes five of them.
First, there is the threat to the continuity of public service, which is typical of administrations. Municipalities depend on their IT systems to manage a wide range of tasks, from the school canteen to the transport network and social services. Without access to the data, these tasks are interrupted or severely impaired.
A data leak, theft or loss of personal data must also be considered, as municipalities have access to their citizens' sensitive data. For example, in May 2021, cybercriminals spread the data of 1,000 employees of Greater Annecy in France, including their Covid test results and personal contact details, five months after an attack on the commune's computer system. In August 2021, it was the French website for visa applications that was attacked in this way.
The loss of data assets is another risk that is typical for municipalities. In addition to the data concerning their citizens, "local authorities have a large data asset", Philippe Loudenot knows, such as civil status, social, financial and tax data, etc. If this data is destroyed or loses its integrity, the local authority risks losing part of its history.
The impact on the image of the local authority is also an important consequence. A cyber-attack, when it becomes known to the citizens, can have a negative impact on citizens' trust in the municipality and its services. This is even more true in times of local elections ...
Finally, the legal risk must also be taken into account. In the event of proven misconduct in the protection of personal data, the municipality is threatened with sanctions by state authorities, but also legal action by the citizens themselves.
The wallet or public life
As for how widespread the threat is, according to a 2020 report by Clusif, a French association that deals with IT security, 30% of municipalities reported being victims of ransomware. This figure must be viewed with some distance, as cyberattacks often fly under the radar: more than half of the municipalities surveyed said they did not report it. In 2021, the newspaper LeMagIt carried out a count of the French cities affected by ransomware. There are around 60 in total, including Mitry-Mory, Chalon-sur-Saône, the Est Lyonnais, Douai, Villepinte, Erstein, Istres or Annecy. As the ANSSI mentions in a dedicated guide on the subject, all municipalities and inter-municipal organisations are affected.
The ransom demands can be very different, but one must also take into account the indirect costs associated with an attack.
Philippe Loudenot, delegate for cyber security at the Pays de la Loire Regional Council, former official for information systems security (FSSI) at the Ministry of Health and in the services of the Prime Minister
As for the amount of the ransoms, according to ANSSI, they amount to 130,000 euros; the average ransom in the USA is 836,000 US dollars. "The ransoms demanded can vary greatly, but you also have to take into account the indirect costs," Philippe Loudenot points out. Because paying a ransom is not the only loss that can be attributed to a cyber attack. In France, the city of Chalon-sur-Saône and the greater Chalon area spent 550,000 euros to restore their computer systems following a cyber attack in February 2021. The municipality does not provide details of ransom payments or the total amount invested in the clean-up, i.e. the restoration of the data and putting the system back into operation. Specifically, this meant introducing new procedures and recruiting to reinforce the teams responsible for network infrastructure, technical projects and security systems. Philippe Loudenot also mentions the cost of salaries paid to employees on short time, as well as the cost of the communication that is necessary to keep citizens properly informed. Finally, sanctions may be considered if errors are found in the protection of personal data, "even if the French data protection authority (CNIL) follows more of an accompanying logic".
Risk vectors and attack surface for communities
An accompanying logic is necessary at all levels, as the attack surface of local authorities is so large due to several vulnerabilities. The origins of this vulnerability include a certain lack of budgets allocated to cybersecurity issues: most French local authorities spend less than 10% of their budget on cybersecurity. This is in line with the ANSSI recommended rate.
A first direct consequence: the sources of infections are often linked to the human factor. This is nothing revolutionary, as government employees are regularly exposed to phishing. And the pedagogical efforts, which distinguish between digital hygiene awareness and cybersecurity education, are still too few.
The budget crunch opens another potential gateway for cybercriminals through outdated workstations, running outdated operating systems that are often behind on updates. And the field that needs to be covered and protected is constantly expanding: local governments have equipped their employees with smartphones, tablets and laptops. These fleets of networked devices are all additional gateways, with passwords that are often insecure, sometimes posted in the offices and rarely changed by government employees.
Another vulnerability is the IT (and operational) networks that are managed by the municipalities. The reason for this is that the systems are often flat-structured, have no network segmentation and are therefore vulnerable to lateral attacks. A cyber attack on one department of the municipality can therefore, "thanks" to its networking, infect the other departments. And once the malware is implanted, it can lie dormant for a while before being activated by cybercriminals at the most opportune moment, as was the case with the Gloucester site in the UK, which was affected in January 2022.
Another weak point is malicious attacks from within, according to Philippe Loudenot, who speaks of "unhealthy curiosity leading a civil servant to gain access to confidential information", or even a disgruntled former civil servant whose access to the IT systems was not revoked.
Cybersecurity in municipalities: long-term solutions
So are authorities that are threatened from within and without doomed to suffer incessant waves of attacks? Even if a certain amount of administrative effort may prevent the adaptation and flexibility needed to better protect against cyber risks, there are solutions. In France, cyber-attacks on municipalities fall under the shared responsibility of ANSSI and the cybercrime department of the Gendarmerie Nationale. In the case of ransomware, the recommendations of these institutions remain classic, says Philippe Loudenot: "do not pay the ransom, so as not to encourage future cybercriminals, file a complaint and pass on the information".
But the adage "prevention is better than cure" also applies in this case. Therefore, it is most important that municipalities change their overall approach to cyber security. The goal? Achieving long-term protection through a series of measures.
This is most evident in awareness-raising. "We need to bring everyone up to speed on the basic gestures of digital hygiene," explains Philippe Loudenot. Set up robust passwords, change them regularly, don't leave them on post-it notes on your desk, beware of links received... Simple reflexes that still need to be internalised, admits Philippe Loudenot. "We are still a long way from that," he regrets. "The discourse is truncated, because it is mainly threats that are talked about and the communities do not feel affected. We need to talk about the impact. It affects everyone when they know that they will not be able to ensure the continuity of their public service." For the expert, it is a matter of changing the perspective: "It is not a question of 'if' but 'when' a municipality will be attacked. What do we implement? What alternative ways of working are there?" Vincent Nicaise also notes this delay in raising awareness. He points out that under the France Relance programme, the French state can cover up to 100% of the cost of a diagnosis in a municipality, so that it can take stock of its level and its needs. And to go even further, numerous practical guides have been issued by the government around the issue of cybersecurity in public services.
The discourse is truncated because it is mainly about threats and the communities do not feel affected. We need to talk about the impact. It affects everyone when they know that they will not be able to ensure the continuity of their public service.
Philippe Loudenot, cyber security officer of the Pays de la Loire Regional Council, former official for information system security (FSSI) at the Ministry of Health and in the services of the Prime Minister
In parallel to raising awareness, municipalities must also implement appropriate protection solutions. Endpoint solutions to protect workstations, firewalls to secure networks, encryption solutions to secure data integrity: the tools are many and varied. But they inevitably come at a cost. In France, the ANSSI has been aware of these challenges for several years and had already proposed a substantial budget to support municipalities, amounting to 60 million euros in 2021 and 2022. At the beginning of 2022, the first beneficiaries of the "France Relance" programme will reach the end of the cybersecurity pathway (in the audit part) and should have access to the co-financing plan (up to 70%, under the programme). So 2022 should (finally?) be the year of secure systems.
Another effective approach is to set up a backup system. The French municipality of Chalon-sur-Saône is setting a good example. Thanks to automatic data backups on day 1, the municipality was able to get its systems back into operation without data loss after the attack suffered in February 2021. An effective system that "should be systematically implemented", recommends Philippe Loudenot, "but this is far from the case".
On the French side, the focus is also on building a network of local speakers. This network will be based on cybersecurity speakers, to stay up to date on the latest vulnerabilities and alerts issued by the ANSSI and the CERT-FR (Centre gouvernemental de veille, d'alerte et de réponse aux attaques informatiques). The establishment of a regional CSIRT (Computer Security Incident Response Team) is underway, parallel to the creation of a network of territorial CSIRTs announced at FIC 2021. Finally, it is also important to mention that the public association cybermalveillance.gouv.fr has launched a Cyber Responsible City label to recognise cities that are committed to an action plan to combat cyber attacks.
All these initiatives mean that "today, elected representatives are becoming aware that the cyber security of their local authorities is not a non-issue", says Philippe Loudenot. That's a good thing, because there is a lot to do.
Original blog written by
Stéphane Prevost
Product Marketing Manager and Author at Stormshield