Courtesy photo

In today's digital landscape, the convergence of Information Technology (IT) and Operational Technology (OT) presents both opportunities and challenges for critical infrastructure asset owners and operators.

UTSI, a leading systems integrator of OT technology, has assembled an OT Cybersecurity Advisory Board to address these challenges and highlight standard processes and best practices to evaluate and secure these environments.

“We are excited about the strength of our esteemed Advisory Board and are confident that these strategic alliances will enhance our competitiveness,” says Shaun Six, president of UTSI International.

A few of the drivers of OT and IT convergence include increased efficiency, enhanced data, and improved remote monitoring and control capabilities. It exists to promote the promise of connectivity, data visualization, and to enable AI and better decision-making.

Key challenges
However, there are challenges. Increased attack surface, legacy systems, and infrastructure, as well as differing security requirements and regulatory and compliance challenges are all present.

“As we witnessed our global infrastructure recover from the largest outage on July 19, this is a clear and present example of how the application of technology between IT/OT can have an impact on the underlying interdependencies in critical systems and infrastructure," says Cherise Esperaza, co-founder and president of Security Gate. "Therefore, there is an ever-increasing need for resources to be expended for this endeavor, and understanding the areas of risk alongside business outcomes as it relates to the convergence will be a critical to ensuring optimal availability of these systems.”

Increased monitoring

When it comes to security monitoring and incident response, it's vital to incorporate new tools to monitor, meeting the same standards as legacy assets and reporting vulnerabilities.

"Continuous monitoring is one of the most critical aspects of securing your IT/OT infrastructure," offers Eric Rippetoe, former CISO of Federal Energy Regulatory Commission and UTSI cybersecurity consultant. "Automated tools coupled with mature processes allow organizations to rapidly detect security threats and enable teams to quickly respond to address issues. Having a security incident and not knowing about it could result in huge remediation costs and major long-term reputational damage."

Emerging technology and trends
With the rise of AI, it makes sense now more than ever to follow the principle of "never trust, always verify." A Zero Trust architecture is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.

In line with this approach, UTSI International Corporation, as a Gold Partner of ThreatGEN, has been intensively utilizing ThreatGEN's AutoTableTop™ incident response tabletop exercise simulation tool. This advanced technology is helping UTSI provide meaningful tabletop exercises to their client base, particularly in high-risk SCADA and OT environments.

Clint Bodungen, president of ThreatGEN, emphasizes the tool's significance: "This tool is designed to sharpen incident response capabilities for teams operating in critical SCADA and OT environments. In these high-stakes settings, where system availability is paramount and the consequences of failure can be catastrophic, AutoTableTop™ provides an unparalleled platform for realistic, AI-driven tabletop exercises. It allows teams to practice and refine their responses to a wide range of scenarios, with practically zero planning time required, ensuring they're prepared for the unique challenges posed by industrial control systems where even a minor slip-up could have deadly consequences. This application of advanced simulation technology aligns with the industry's move towards more robust and realistic cybersecurity training, especially in sectors where the stakes are exceptionally high."

In conclusion
The convergence of IT and OT presents significant cybersecurity challenges for critical infrastructure. However, by understanding these challenges and implementing effective strategies, organizations can protect their essential systems from cyber threats.

“Maintaining an accurate inventory of assets poses a significant challenge for companies with control system networks," says Derek Harp, chairman, Control System Cyber Security Association International. "As outlined in our 2024 OT Cybersecurity Technology Report, not only is it difficult to identify these assets, but understanding their communication adds an additional layer of complexity. Typically, companies only gain a snapshot of their OT network status and assets' interactions during periodic assessments. Not surprisingly, our research also indicates that the frequency of these critical evaluations is increasing.”

The role of UTSI's OT Cybersecurity Advisory Board, along with the use of advanced tools like Security Gate and ThreatGEN, is pivotal in navigating this complex landscape. As the threat landscape continues to evolve, proactive measures and ongoing investment in cybersecurity will be crucial to safeguarding our most critical assets.

There are three topics in particular that business owners should refresh and/or make sure they include in their HR policies and employee handbook. Photo via Getty Images

3 things Houston companies need to freshen up when it comes to their HR practices

guest column

Just as we typically look to freshen up our homes this time of year, the same needs to be done for employee handbooks. Employee handbooks streamline HR operations, mitigate risks and set expectations to protect a business from negative workplace behavior by outlining employee policies and procedures.

There are three topics in particular that business owners should refresh and/or make sure they include in their HR policies and employee handbook: in-office attendance, social media and artificial intelligence (AI).

In-office attendance

When taking a closer look at hybrid workplace policies, the in-office attendance policies should align with your organizational goals. Whether you decide to implement hybrid work permanently or eventually return to being in the office completely, the return-to-office (RTO) policies should reflect those goals.

Clear expectations are especially important when defining office attendance rules. When attendance policies are set, employees respond best when they are fair, accessible and easily understood. Detailed policies outlining the nuances and consequences can help reduce noncompliance while supporting accountability.

Policies need consistent enforcement for them to be effective. Hybrid policies set prior to or during the pandemic may now be loosely enforced. The policies may state for employees to be in the office three days a week, but there may be no accountability for not meeting the mandate. Not enforcing attendance policies can give the impression that it is okay to violate other policies, too. Reviewing your policies allows you to course correct and write a policy reflecting your corporate culture and goals. You’ll then be able to reintroduce the attendance policy and enforce it across the board as intended.

Social media

You are hard pressed to find an employee without a social media account, whether it is TikTok or LinkedIn. If your business does not have a social media policy with guidelines surrounding employees’ online behaviors, now is the time to put one in place. If you do have a policy, social media changes quickly enough to warrant an annual review.

Social media policies should set boundaries between personal and professional use of social media. Employee activity on social media outside of work can influence business, as employees are often seen as reflecting the company. It is also important to note that social media policies should be based on input from senior management, HR, legal and IT, not just marketing.

The social media policy should delineate between an employee’s personal and professional use, establish a code of conduct and outline its use as part of crisis communications. Social media can just as easily elevate your brand, and you can potentially ask employees to share positive work experiences online.

Cybersecurity should also be addressed in social media policies. As it has become more common for hackers to infiltrate personal emails and social media accounts, policies can prohibit employees from storing company documents in their personal social media and email accounts for security purposes.

Artificial Intelligence (AI)

AI seems to be changing the way we do business daily. However, the policies surrounding company use of AI are lacking at many organizations. Research from McKinsey states only one in five employers have established policies governing their employees use of AI.

AI technology has already streamlined many business practices, but it can also present major risks. Inaccuracy can threaten your business if employees use generative AI for assistance in completing writing tasks, for instance, and the system may not generate accurate or original information.

As we learn the evolving and complex nuances of AI, creating a policy needs careful attention. You may consider developing an AI team to write a comprehensive, well-researched AI policy tailored to your organization. This working group should gather insights from leaders within the organization, including frontline managers, to fully understand how employees use, or might use, AI. This team should be charged with considering the ethical aspects of AI’s use and ensuring the policy aligns with company values.

One of the most critical elements of the policy is an accountability process or system. The policy should clearly outline any corrective action or disciplinary steps associated with using AI in a manner that harms the business and/or its clients. Just as important, the policy should outline how to use and how to avoid misusing AI. Since AI continues to evolve month to month, this is a policy that will require more attention and revisioning throughout the year.

Keeping a critical eye on HR policies is an important part of business success. Setting aside time to review, update and even create new policies now – before being faced with an issue – can potentially mitigate costly challenges down the road.

------

Karen Leal is performance specialist with Houston-based Insperity, a provider of human resources offering a suite of scalable HR solutions available in the marketplace.

Stay informed and regularly check your security procedures to protect yourself, your business, and your customers. Photo via Getty Images

Houston founders: How safe is your company's data?

guest column

As news comes out every week about new technologies, from new crypto wallets to generative AI to self-driving taxis, it can get overwhelming for most of us to keep up or to understand the new intricacies of technology, and it can get easy to say, “The IT department has it covered.” Well, do they have it covered?

Far too often, companies fail to protect its data with the same muster as its financial security until it is too late. Just as a healthy business will regularly conduct audits of its accounting processes to detect potential fraud, ensure regulatory compliance, and locate areas of improvement for the organization, the same should be done for a business’s data security practices. Key components of any organization are its people and its information, and the IT department is in charge of protecting that information.

We as business people need to ensure that the company’s technology personnel are indeed securing one of the company’s most valuable assets: information.

Big picture: Your business needs to follow an audit process

  1. Confirm the scope of your data
  2. Conduct an internal review of all security practices
  3. Conduct a review of all vendor practices that have access to your data
  4. Confirm compliance with regulations and contractual obligations
  5. Prepare a report with detailed findings and recommendations to improve on year-over-year

Data: What do you have and what duties does it require?

Personal information, particularly when it belongs to customers, is the most frequently compromised type of data. Under laws like the newly passed Texas Data Privacy and Security Act (TDPSA), businesses can have additional obligations to keep this information protected. Personal information can include any information “that is linked or reasonably linkable to an identified or identifiable individual.”

Sensitive data also requires extra precaution, which means protecting (1) personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; or (4) precise geolocation data.

Other types of data to watch out for include the business’s intellectual property, anonymized customer data, employee personal information, and any other type of proprietary business data. Depending on the industry, the cost of a breach of any of these types of data could be incredibly high, particularly for healthcare and finance.

Ultimately, Texas businesses are required to maintain reasonable procedures to protect personal information, and there may be other laws implicated such as HIPAA, GLBA, CCPA/CPRA, BIPA, GDPR, PIPEDA, and many more, depending on where business is done, the industry implicated, and, in some cases, where customers are located.

"But I think the vendor is responsible."

Check your contracts, and check if the law requires you to have a duty to protect the compromised information, as many do. Involve your IT department in the review of technical compliance whenever you are sharing data with a third party. Further, it is important to make sure that however the Data Processing Addendum says the vendor is processing data is how they are actually processing data. To that point, if you are processing someone else’s data, your business also needs to be doing what it says it is doing, in contracts with third parties and in your Privacy Policy.

Software as a service arrangements, end user license agreements, and other internet and software-based services may require you to hand over data and not give you the opportunity to customize and shift risk. This is why it is important to thoroughly evaluate what technical protections are in place because the risk and duty may still fall on your business regarding the data of your customers and employees. Ask yourself (or your IT professionals) if the vendor actually needs the data they receive to provide services to you.

Key takeaway: Stay informed

Your business needs checks and balances in place with the IT department to ensure you know what they are (or are not) doing and what they are supposed to do. You need policies and procedures, and they need to regularly be tested.

Do you know where your data is stored, both internally and with third parties? Who controls it? How is it being processed, and is anything being shared? Are encryption procedures in place? Firewalls, Intrusion Protection Systems, and End-Point Detection and Response? Do you and your vendors have Incident Response Plans? Stay informed and regularly check your security procedures to protect yourself, your business, and your customers.

------

Courtney Gahm-Oldham is partner at Frost Brown Todd. Lauren Cole is associate at Frost Brown Todd.

This tiny “smart car” is a lot more powerful than you might think. Photo by Jon Burke/UH

University of Houston gets $2M to launch innovative transportation-focused cybersecurity center

traffic safety

The University of Houston is now leading a national consortium focused on cybersecurity in the transportation sector.

Known as the Transportation Cybersecurity Center for Advanced Research and Education, or CYBER-CARE, it's backed by a $2 million grant from U.S. Department of Transportation for its first year, with anticipated total federal funding of $10 million over five years, as part of the department's University Transportation Centers program that aims to address a number of topics in the field.

UH's center aims to "establish a fundamental knowledge base and explore advanced theories of how to best mitigate impacts of potential large-scale cyberattacks on transportation infrastructure," according to a release from the university. This includes protecting vehicle control systems, developing industry-wide best practices, responding to potential cyber incidents and introducing ways to recover quickly from cyber incidents in traffic networks.

CYBER-CARE is led by Yunpeng “Jack” Zhang, associate professor in the Department of Information Science Technology at the UH and director of the center.

"Our goal to make our intelligent transportation system (ITS) safer for all road users. That aligns well with the USDOT’s strategic goal of improving safety,” Zhang explained in a statement. “We also will promote interdisciplinary research and education across the transportation and cybersecurity domains.”

The center opened earlier this year within UH's Cullen College of Engineering’s Division of Technology. Houston and Texas colleges Rice University and Texas A&M University-Corpus Christi have joined the consortium with UH, along with Embry-Riddle Aeronautical University, University of Cincinnati and University of Hawai‘i at Mānoa.

The DOT's University Transportation Centers first launched in 1988 to conduct research. Support has ebbed and flowed over the years, but has seen some uptick recently. The Biden Administration's 2021 Bipartisan Infrastructure Law authorized 35 UTCs to receive a total of $90 million in funding from 2022 to 2026 to address issues like traffic congestion, safety, infrastructure durability and cybersecurity risks.

According to the DOT's website there are other Texas UTCs at University of Texas at Austin, University of Texas Arlington, Texas A&M University College Station, Prairie View A&M University and Texas State University.

Last year, Texas A&M also launched a new institute for research and education regarding cybersecurity. The Global Cyber Research Institute was funded by $10 million in gifts from former Texas A&M student Ray Rothrock, a venture capitalist and cybersecurity expert, and other donors.

Tap into these tips to make your company safer from cyber attacks. Photo via Getty Images

Houston expert: 5 tips for improving your company's cybersecurity

guest column

Imagine waking up tomorrow to find out that all of your critical information (trade secrets, financial data, customer lists, etc.) is gone. While working to find out what happened, you order lunch online, only to find out your bank account has no balance.

That scenario happens every day to business leaders just like you. Here are 5 tips everyone should know, which will help reduce cyber security risks.

Tip 1: Know what you need to protect

If you don’t know where your data is kept, how can you protect it?

From hardware like laptops and cell phones, to critical software including accounting and HR, spreadsheets used to calculate financial reports, OneDrive accounts, Google Drive, and “C” drives, there are numerous places your critical data could be kept. Work with your managers to identify every piece of hardware, software, and where the critical data is kept.

Tip 2: Turn on multi-factor authentication for everything you possibly can.

Whenever possible, someone should need a username, password, and a code from an authentication app, text code, e-mailed code, something that’s a unique identifier that randomly changes in order to access critical company information. Alternatively, you can rely on biometrics (fingerprints, facial recognition, etc.) as your third line of protection.

Tip 3: Know who has access to the data and implement basic user access rules.

Everyone should have their own username and unique password. Generic admin accounts, shared user accounts, etc. should never be allowed. If you’re only paying for five licenses but have 10 people accessing the software, stop being cheap and pay for more licenses.

Log in to your bank’s website (or go to a local branch) and run a report which lists who has access to the online banking system and what they can do within it. While you’re at it, get a report of everyone with signature rights for checks and make sure it’s properly updated.

Run a report of all users for each software you listed above which includes what level of access they have. Does their access match their job requirements? Remove all access that isn’t required for their job. You can add access back later if they need it. This can also help you identify employees who might have too many responsibilities.

Now go through the rest of the software, network folders, and the other items you listed above and do the same exercise. Going forward, whoever “owns” the data in each system (banking, accounting, HR, etc.) should approve all access to that data.

Tip 4: Back up that data — often

You most likely have a folder on your computer that has important information in it like Financial spreadsheets, HR files, customer data, and marketing plans. If you selected that folder and hit the delete key, then you opened the recycle bin on your desktop and the folder wasn’t there, how bad would your day be?

Now that you know the location of files, folders, software, and other important data points, turn on an auto-backup process and test that process about once a quarter. If you use something like Google Drive, Microsoft’s OneDrive, or similar cloud services, most will provide free backup support. However, before you do that, require all employees to move important files off of their “C” drive and into network folders.

Tip 5: Implement antivirus software

I’ll be the first to say that I hate antivirus software. Why? Because it typically slows down your computer while it runs in the background and flags items like the spreadsheet you use every month as a “potential threat”.

Even so, the aggravation is worth it in the long run.

There are tons of antivirus software options. If you think about protecting your home, you don’t need armed guards, attack dogs, and a feral cat. You do need someone to glance out the window to see who is at the door. If it’s a group of zombies trying to eat you, then you need to have the ability and resources to protect your home. Pick an antivirus software that matches your budget and get it in place. Don’t overthink it, just get it going.

One last bonus tip I’ll leave you with — have random test “phishing” emails sent out to everyone (including yourself) in your company. The number one cause of cyber security issues in businesses is internal users clicking on fake emails.

------

Thomas Mullinnix is the founder of Houston-based Re-Vision Management Consulting LLC.

A Houston founder explains why you should shift the way you think about cybersecurity from a cost to an investment in your business. Photo via Getty Images

Houston expert: Top three ways to make cybersecurity a business decision

guest column

For companies big or small, scaling your revenue securely is about building people, processes, and technology to help you deliver your value to market in the most efficient way possible. But shifting cybersecurity as a cost to an investment takes a shift in thinking.

Here are three tips to make cyber a business decision for your company.

Don’t fail at digital transformation. Whether you’re considering a digital “initiative” to stay ahead of competitors, reduce operational expenditure when possible, or simply drive efficiency to customer value delivery, transforming how you’re doing business should rest upon a foundation of security across your existing people, process, or technology. An effective cybersecurity program should drive confidence to your team to expand your tooling, processes, or delivery mechanisms with confidence. The alternate reality is you shift a working process to incorporate new technology, and something fails or breaks, causing frustration of your team and fewer dollars in the door. Here are a few tips that will help you make sound business investments in technology:

  1. New technology or system can introduce new cyber risks to your company. As a result, it is good practice to balance the value gained with the risks absorbed. Establishing a “new product” risk vs reward process will reduce ad hoc purchases and introduce more sound thinking to your team’s decisions.
  2. New technology purchases will come with vendor onboarding but beware of the challenges you face when those implementation or training hours run out. Ask for additional support hours as part of your purchase so that you’re always able to call a help desk for real support.

Secure design reduces long-term costs. Regardless of your business type, if some type of cyber-attack could affect your business outcome(s) — be it your product, the loss of sensitive customer data, theft of intellectual property, or disruption to service delivery — consider investments in your cyber program an investment towards the cost of future business operations.

For instance, manufacturers across virtually every sector continually balance “secure design” with efficiency/cost as they compete in the market. Their challenge: estimating future recalls and product “updates” to be paid for by future operational expenditure. The same can be applied to unforeseen downtime of a critical inventory, payment capture, or website system. In both cases, here are two tips to shift cyber from a “security cost” to a “business” mindset:

  1. Work with your security vendors to develop a long-term strategy rather than quoting an “install and leave” project. Security vendors are businesses too. They will respond positively if you tell them you will offer longevity in return for payment over time. 
  2. Amortize your costs this year into next year's costs of goods. If you can negotiate monthly or quarterly payments with your security vendors, adding 30-60 days of net pay dates, you’re already starting to shift security improvements realized tomorrow to costs you pay next quarter.

Your customers want you to have a great cyber program. Especially in regulated spaces like healthcare, defense, and other critical infrastructure sectors, there is a high chance your company’s cyber program must meet minimal cyber guidelines. Investing in the training, processes, and technology required to achieve some element of “compliance” is a must-have investment for doing business with big companies.

A mistake small companies make is allocating the minimal resources “reach the bar” without thinking about the risks. Employee turnover, scaling your business in new regions, and increasing purchase order sizes all carry a potential “new bar” you must reach on your cyber maturity. Building a cyber program initiative may help you increase sales. Imagine you say this in your next prospect meeting as you aim to win that big contract, “Additionally, we reviewed your cybersecurity supplier requirements online and are pleased to say we have certified documentation showcasing an evolving, continually improving cyber program that exceeds your requirements. We feel that adds to our differentiation.”

------

Ted Gutierrez is the CEO and co-founder of SecurityGate, a SaaS platform for OT cyber improvement.

Ad Placement 300x100
Ad Placement 300x600

CultureMap Emails are Awesome

2 Houston space tech cos. celebrate major tech milestones

big wins

Two Houston aerospace companies — Intuitive Machines and Venus Aerospace — have reached testing milestones for equipment they’re developing.

Intuitive Machines recently completed the first round of “human in the loop” testing for its Moon RACER (Reusable Autonomous Crewed Exploration Rover) lunar terrain vehicle. The company conducted the test at NASA’s Johnson Space Center.

RACER is one of three lunar terrain vehicles being considered by NASA for the space agency’s Artemis initiative, which will send astronauts to the moon.

NASA says human-in-the-loop testing can reveal design flaws and technical problems, and can lead to cost-efficient improvements. In addition, it can elevate the design process from 2D to 3D modeling.

Intuitive Machines says the testing “proved invaluable.” NASA astronauts served as test subjects who provided feedback about the Moon RACER’s functionality.

The Moon RACER, featuring a rechargeable electric battery and a robotic arm, will be able to accommodate two astronauts and more than 880 pounds of cargo. It’s being designed to pull a trailer loaded with more than 1,760 pounds of cargo.

Another Houston company, Venus Aerospace, recently achieved ignition of its VDR2 rocket engine. The engine, being developed in tandem with Ohio-based Velontra — which aims to produce hypersonic planes — combines the functions of a rotating detonation rocket engine with those of a ramjet.

A rotating detonation rocket engine, which isn’t equipped with moving parts, rapidly burns fuel via a supersonic detonation wave, according to the Air Force Research Laboratory. In turn, the engine delivers high performance in a small volume, the lab says. This savings in volume can offer range, speed, and affordability benefits compared with ramjets, rockets, and gas turbines.

A ramjet is a type of “air breathing” jet engine that does not include a rotary engine, according to the SKYbrary electronic database. Instead, it uses the forward motion of the engine to compress incoming air.

A ramjet can’t function at zero airspeed, so it can’t power an aircraft during all phases of flight, according to SKYbrary. Therefore, it must be paired with another kind of propulsion, such as a rotating detonation rocket engine, to enable acceleration at a speed where the ramjet can produce thrust.

“With this successful test and ignition, Venus Aerospace has demonstrated the exceptional ability to start a [ramjet] at takeoff speed, which is revolutionary,” the company says.

Venus Aerospace plans further testing of its engine in 2025.

Venus Aerospace, recently achieved ignition of its VDR2 rocket engine. Photo courtesy of Venus Aerospace

METRO rolls out electric shuttles for downtown Houston commuters

on a roll

The innovative METRO microtransit program will be expanding to the downtown area, the Metropolitan Transit Authority of Harris County announced on Monday.

“Microtransit is a proven solution to get more people where they need to go safely and efficiently,” Houston Mayor John Whitmire said in a statement. “Connected communities are safer communities, and bringing microtransit to Houston builds on my promise for smart, fiscally-sound infrastructure growth.”

The program started in June 2023 when the city’s nonprofit Evolve Houston partnered with the for-profit Ryde company to offer free shuttle service to residents of Second and Third Ward. The shuttles are all-electric and take riders to bus stops, medical buildings, and grocery stores. Essentially, it works as a traditional ride-share service but focuses on multiple passengers in areas where bus access may involve hazards or other obstacles. Riders access the system through the Ride Circuit app.

So far, the microtransit system has made a positive impact in the wards according to METRO. This has led to the current expansion into the downtown area. The system is not designed to replace the standard bus service, but to help riders navigate to it through areas where bus service is more difficult.

“Integrating microtransit into METRO’s public transit system demonstrates a commitment to finding innovative solutions that meet our customers where they are,” said METRO Board Chair Elizabeth Gonzalez Brock. “This on-demand service provides a flexible, easier way to reach METRO buses and rail lines and will grow ridership by solving the first- and last-mile challenges that have hindered people’s ability to choose METRO.”

The City of Houston approved a renewal of the microtransit program in July, authorizing Evolve Houston to spend $1.3 million on it. Some, like council member Letitia Plummer, have questioned whether microtransit is really the future for METRO as the service cuts lines such as the University Corridor.

However, the microtransit system serves clear and longstanding needs in Houston. Getting to and from bus stops in the city with its long blocks, spread-out communities, and fickle pedestrian ways can be difficult, especially for poor or disabled riders. While the bus and rail work fine for longer distances, shorter ones can be underserved.

Even in places like downtown where stops are plentiful, movement between them can still involve walks of a mile or more, and may not serve for short trips.

“Our microtransit service is a game-changer for connecting people, and we are thrilled to launch it in downtown Houston,” said Evolve executive director Casey Brown. “The all-electric, on-demand service complements METRO’s existing fixed-route systems while offering a new solution for short trips. This launch marks an important milestone for our service, and we look forward to introducing additional zones in the new year — improving access to public transit and local destinations.”

———

This article originally ran on CultureMap.