At InfoSec World 2021, Acting Deputy Director Patrick J. Lechleitner (right) of U.S. Immigration and Customs Enforcement detailed recent efforts by the Homeland Security Investigations arm to engage with critical infrastructure on cyber-related vulnerabilities. (ICE)

When policymakers and the public think about the government interfacing with industry and critical infrastructure to tackle cyber threats, their mind usually jumps to agencies like the NSA, FBI and Cybersecurity and Infrastructure Security Agency.

But the truth is that many smaller and lesser-known agencies also play a role in engaging with the broader public to investigate cyber-enabled crimes and help close off damaging IT vulnerabilities.

One such agency, Homeland Security Investigations, is not widely known outside of DHS but acts as its principal investigative arm on a wide range of issues, including cyber-enabled crime, money laundering, financial crime and financial fraud, child exploitation, narcotics smuggling, transnational gangs, human smuggling, human trafficking, counterproliferation, intellectual property rights, trade fraud and other areas.

At the InfoSec World security conference this week hosted by SC Media parent company CyberRisk Alliance, Patrick Lechleitner, acting deputy director for Immigration and Customs Enforcement, touted a number of threat intelligence initiatives that HSI has stood up over the last year to investigate cybercrime and proactively engage with industry and critical infrastructure.

One program, called Operation Cyber Centurion, was originally started as a local initiative in the San Diego HSI field office. It was designed to scan the internet-facing assets of critical infrastructure entities for known vulnerabilities and engage with them on remediation efforts, ideally before those vulnerabilities are actively exploited.

According to Lechleitner, the program was so successful that HSI decided to expand it to other offices and components.

“We recognize the great work by HSI San Diego, and have now used that great work, brought it into our headquarters element and are now expanding the scope of that to be a global program,” he said. “Once vulnerabilities are detected, HSI San Diego and our Cyber Crimes Center develop lead packages that are then shared with HSI field offices to implement threat mitigation measures and perform incident response activities to prevent, mitigate and disrupt cyber attacks.”

Lechleitner said these kinds of programs allow agencies like HSI to engage with critical infrastructure entities proactively and minimize the impact of what could otherwise turn into a serious breach. As an example, he cited an engagement by the Detroit HSI field office with Tenet Healthcare over a potential compromise that HSI detected in the provider’s public-facing IT network. The unnamed vulnerability had been the subject of public reporting and was highlighted in an alert from the Cybersecurity and Infrastructure Security Agency, but Tenet had installed only temporary patches and “light” intrusion detection systems.

“After HSI Detroit’s additional alert, Tenet Healthcare agreed that their efforts to secure their network were not enough, given the identification by HSI of continued vulnerabilities in their network,” said Lechleitner.

Experts in healthcare IT and security say the use of partial or temporary patches by organizations is commonplace. As SC Media’s Jessica Davis reported earlier this year, some IT security teams can remain at their workstations and apply a patch to all devices on the network with the click of a button, but in healthcare nearly all patches require the security team to physically touch every device in need of mitigation.

For example, Samantha Jacques, vice president of clinical engineering at McLaren Health Care, said her IT security team has a list of 15 separate processes they must follow when a vulnerability is disclosed, and many hospitals and healthcare providers must balance the need to quickly patch with the need to keep life-saving devices and technology running.

“The simplicity in that idea, that patching is a panacea solution from a security perspective, is just off. We can’t patch everything. We don't have any ability to monitor and say, ‘all of this stuff needs to be patched’ to reduce the risk we have,” said Jacques. “We just end up balancing the risk the best we can.”