We were thrilled to have Roya Gordon as our guest on The PrOTect OT cybersecurity podcast. Roya is a true trailblazer in the field of cybersecurity and an inspiration to young women and people of color who are interested in pursuing careers in technology. Her background is truly impressive, having served as an intelligence specialist in the U.S. Navy, as well as working at Idaho National Laboratory and Accenture. Currently, Roya is the OT/IoT Security Research Evangelist at Nozomi Networks. She is also the founder of Steps2STEM, a company dedicated to helping young women and people of color enter the cybersecurity industry.
Roya and Aaron connected over their shared passion for solving cybersecurity challenges and their belief that they are part of something greater than themselves. They emphasized the importance of collaboration and the idea that everyone has a role to play in creating a safer digital world. To express this, Roya recited that she had written herself:
No one knows security.
No one knows it well.
No one knows security.
Seriously. Can't you tell?
Vendors out there vending,
they just want to make a deal.
The consultants are consulting,
but their prices are surreal.
The advisors are advising
as they gripe about it all.
And the customers, poor customers
have no clue what to do at all.
No one knows security.
And you may be right.
But together we are all the strength to win the cyber fight.
Everyone has an important role strengthening cybersecurity, and Roya has made incredible contributions throughout her career. Currently, as Security Research Evangelist at Nozomi Networks, Roya plays a key role in communicating the value of the technical security research that her team is conducting -- not only sharing the important findings but also connecting the dots and tying that research into the business needs of an organization. She emphasized that her role is just a small part of the larger ecosystem of cybersecurity, and that effective communication is essential to ensuring that the technical work is understood and valued. Roya balances the technical aspects of her work with the art of storytelling, as she communicates technical concepts in a way that is accessible and engaging to a broader audience, including business leaders and the general public.
Roya's journey into cybersecurity, like many, wasn’t a direct path. Since middle school, she had plans to become a lawyer, but that changed when she joined the U.S. Navy as an intelligence specialist. Looking back, Roya realizes that this is where her technical journey truly began. During her time in the Navy, Roya had to conduct extensive research on weapon systems, airplanes, and foreign vessels and present her findings to the captain and high-ranking officers. With little experience in this subject matter, Roya quickly grasped the technical aspects of these systems and effectively communicated their significance in military strategy.
After her time in the Navy, Roya delved into cyber warfare and was recruited by the NSA. Unfortunately, the opportunity didn't come to fruition, but she found herself at the Idaho National Laboratory instead. Although she didn’t consider herself the most technical at the time, Roya was chosen for her ability to learn quickly and communicate complex matters in compelling ways. Soon she found herself building killchains for electric utilities and demonstrating how hackers could disrupt the grid.
Now proudly working at Nozomi Networks, Roya excitedly highlighted her team's recent work in identifying cyber threats at the endpoints. Roya recounted how she and her team were inspired by a set of malicious charging cables during their time at DEFCON, prompting them to purchase their own devices to see if they could detect malicious activity when plugged into a legitimate system. This led to the development of a sensor that can detect malicious activity at the endpoint, including distinguishing good versus bad activity and even detecting potential threats hidden within keyboards.
Roya emphasized the importance of understanding how threat actors can manipulate the technology within keyboards and compromise the hardware supply chain, highlighting the need for people to be aware of the potential threats hiding within their devices. She’s inspired seeing the curiosity of her team's researchers translate into tangible results, ultimately leading to the creation of a product that adds to their layered defense strategy.
IT vs. OT
Roya and Aaron explored the differences between IT and OT, and why it’s not as simple as taking tools and methodologies from IT and applying them to OT. In OT networks, different protocols are used, and anomalies are detected differently due to physical processes and real-time operations that cannot afford any downtime or patching. Roya emphasized that disrupting devices that control and monitor these processes could have significant consequences, making it necessary to schedule any necessary updates in advance. Identity and access management is also not as straightforward in OT.
There’s still education needed around OT within the cybersecurity industry. Roya shared an experience where she interviewed a candidate who had a strong background and certifications, but was not familiar with OT when she mentioned it. This lack of understanding is not uncommon even among IT professionals, highlighting the need for more education and awareness of OT security.
Merging Business, Cyber & Politics
Roya shared a story about a consulting project with a utility company, where they had extra budget to spend on security and sought Roya’s guidance on how to invest it. Roya assessed all the cybersecurity products they had and found that many were redundant. Despite having a large budget to spend on cybersecurity, the company had bought technologies that did the same thing and had little direction in their cybersecurity strategy. Roya shared this to emphasize the need for consultants to provide guidance and see the bigger picture. It's no longer enough to just sell a product without justifying its effectiveness. With so many new companies now, cybersecurity vendors are having to be semi-consultants, not just sell products. In addition, vendors need to work together to integrate their solutions and provide a seamless experience for the end-user. Vendors need to be more consultative and validate how their solutions meet not just the business objectives but government requirements. This is an important intersection of business, politics and cybersecurity.
Hope for the Future
Roya expressed her hopefulness about OT getting more exposure and becoming more mainstream in the next 5-10 years. She noted that companies and the government are pushing for it, and after incidents like the Colonial Pipeline ransomware attack, more people are becoming aware of what OT is. Roya sees a future where the average person will soon understand that there is an IT and OT network.
For the future, she also expressed concerns about the impact of AI on the industry. As organizations increasingly rely on AI to fill gaps, Roya worries about the impact to jobs. She encourages all to stay up to date on emerging technologies like AI, quantum computing, and blockchain to understand how threat actors are using them and how vulnerabilities can be addressed. By doing so, individuals can remain valuable and adapt to changes in the industry.
As always, we highly recommend listening to the full podcast episode as these were just a few highlights and snippets of an engaging and insightful conversation with Roya. We want to express our gratitude to Roya for joining us on the Protect OT podcast and sharing her valuable experiences and insights with our listeners. Thank you Roya!