Rafia Noor is an information security engineer in the operation technology division at Colgate-Palmolive. We had an opportunity to sit down with Rafia to discuss her career path, intelligence sharing at RH-ISAC, and the trajectory of cybersecurity.
Tell us a little about what you do at Colgate-Palmolive and what fills your day.
Rafia: I am the OT security team lead at Colgate. To elaborate, operation technology (OT) is hardware, software to control our industrial equipment, all the machineries running the plants. Centrifuges to conveyor belts to robotics, are all part of OT. Now at Colgate, my team and I are responsible for ensuring that our manufacturing plants and facilities are protected. Our team is fairly new, a lot of our focus is on establishing the fundamentals, acquiring the basics, getting asset visibility, etc. Now that we are getting a good handle on that, my personal focus is on improving our vulnerability management program for the plants. That means managing vulnerabilities not only for traditional ID servers and applications, but also taking a risk-based approach in managing our PLCs, HMI, thin clients, line equipment that still have some Windows XP, Windows 7 machines, vision systems, IOT devices, and other connected devices that are on the plan force. It is not an easy task as the breath is quite deep. In addition to vulnerability management, we oversee our entire manufacturing facility security. We are also working on improving our detection capabilities, incident response preparedness, specifically for the manufacturing environment. As a team, we are running our first IR tabletop for OT. That is a big deal which we are excited about.
Are your manufacturing facilities all around the globe?
Rafia: Our team is global as we have some members in Mumbai and then here in the U.S. Currently, we are all remote in the U.S. We work across different regions, time zones, and technologies that have been acquired over several decades. It is a challenging role for sure but exciting, nonetheless.
Can you expand upon how you entered this area specifically? Did you have a specialty in OT, or was it something you transitioned into from another cybersecurity area?
Rafia: Yes, the other way around. I started off as an automation systems engineer working in the field programming PLCs, HMIs, DCS systems. Also, improving process control systems, commissioning in the field. Then, about four or five years ago, I was chatting with one of my former directors in a different role. He mentioned that he is putting together an ICS security team in oil and gas. He was putting together an ICS security team which sounded fascinating. One thing led to another, and here I am.
What is the most interesting aspect of your job and what do you enjoy most?
Rafia: What I enjoy most is the uniqueness. For example, no two days are alike; the challenges are hard, but they are also just as rewarding when you make progress in them. Our team is new, which means I am contributing to how the OT security program shapes Colgate. I can see our vision coming to life as we are implementing new technologies or building new procedures, and processes. There is a lot of room for growth in this space and within Colgate, as there is no shortage of security measures we need to take. It is very cross functional as I get to touch a multitude of disciplines daily. I can collaborate with other teams, not just within cybersecurity. We have our individual IM group, and the RH-ISAC program here at Piscataway. It is a good size security team. We have multiple functions, so I get to work cross-functional with them, but also with IT supply chain and operations. You get to touch a lot of different things which is enjoyable.
How did you discover where you could benefit from RH-ISAC membership? Where are you most active in our community? How do you use the membership most often within your role?
Rafia: I was part of a different ISAC prior to joining Colgate, so I was familiar with the concept, and it has always been a great community. When I first joined, our CISO, Alex Schuchman, mentioned that Colgate is part of RH-ISAC, so I was excited to be a part. Last year or it was late 2021, Suzie Squier, the president of RH-ISAC put out a call to participate in the OT working group. I jumped at the opportunity and since then, I have been a part of that committee participating in working sessions, roundtables, and special interest groups. It has been a great learning opportunity for me as well.
As an active member of the OT working group, how do you find the intelligence shared between that group and the usual collaboration outside of that group? How do those both work together?
Rafia: From the IT section, the traditional security sections, is very robust and mature. I see that information always coming in. For OT, it is a process as there is a lot more room to grow and collaborate. A lot of the cases at OT, we are still grappling with the basics of security. Threat intelligence is great to layer on top, but at times it is still not mature enough to deal with.
What advice would you give to others who are either starting off and have a desire to enter cybersecurity, or for those who may be coming in from a non-traditional path like you?
Rafia: To be honest, I never feel like I can dole advice to people. From my experience, do not be afraid to learn new things or take risks. I will see a lot of people move to cybersecurity from other tangential disciplines, like network or help desk. Always try to learn, be curious. There is no shortage of free resources online nowadays. We have webinars, conferences, but also vendors publish free white papers and annual reviews. The other thing is do not underestimate the power of soft skills. For example, build genuine relationships. I always try to build relationships; keep in touch with folks that I have worked with before and create friendships. That changed my life. If I was not chatting with my director that I worked with three years back and did not know he had this opportunity, I would not be where I am now.
Tell us a little bit about your hobbies and interests outside of work. What keeps you busy when you are not working for Colgate?
Rafia: Right now, I do not have a lot of time for hobbies. My husband and I recently had our first child. He is eight months old, so we have been busy with that. Between navigating parenthood, the pandemic, it has been a crazy couple of years. Before the pandemic though, my husband and I loved exploring national, state parks, hiking, camping. I do miss those adventures, but I look forward to getting back to them when the little one is a little older.
Tell us what you think the trajectory of cybersecurity is going to look like for the next five, ten years. Can you prognosticate for us?
Rafia: I may be a little biased here. One of the areas I think is going to become more critical over the next decade is ICSOT security. We must address the ITOT convergence. It is not something that is far away. It is already here. As more critical systems like infrastructure and manufacturing processes become automated, interconnected, and whether bad actors specifically target those ICS systems or not, the consequence of the cyber-attack can easily spill into the physical operational like we see with colonial pipeline. We need robust security measures to protect this infrastructure in our physical manufacturing world. Given the importance, I think we will see a lot of focus on developing specialized cybersecurity solutions, and we will need expertise in that area. How I moved from the field to cybersecurity, we need to do those steps of cross-functional training a lot and build our expertise before it becomes even more critical. Also, you cannot forget AI. Right now, that is all the rage. I am sure we will see a lot more use for that. I am excited to see how the use of AI trends in cybersecurity. We are already hearing now we are being coded, but also, there is so much potential. We can also automate our response.