Heather Vermillion

#62: Heather Vermillion: PACCAR, Security & Personal Growth

In this episode of “Left to Our Own Devices,” we dive into the world of automotive cybersecurity with Heather Vermillion, a security engineer at PACCAR, who shares her journey from the Department of Defense to safeguarding advanced automotive technologies, while also championing the next generation of cybersecurity professionals.

About Heather Vermillion

Heather Vermillion is a Security Engineer at PACCAR with 16 years of experience securing systems, assessing their vulnerabilities, and educating others on cybersecurity best practices. Her diverse career spans defense, intelligence, e-commerce, insurance, and embedded systems. Heather began her journey as an IT Specialist at the Department of Defense. She holds a Master’s degree in Cyber/Electronic Operations and Warfare from the US Air Force Institute of Technology. She has been privileged to speak at several conferences, including Women in Cybersecurity and GrimmCon. Her expertise includes building solid security foundations, user awareness and technical training, and learning what makes machines tick.

At PACCAR, Heather leverages her extensive knowledge to safeguard advanced automotive technologies against emerging cyber threats. Beyond her professional accomplishments, she is an active community volunteer, serving as a referee for the FIRST Lego League and the FIRST Robotics Competition.

A Summary of Our Conversation with Heather

In this episode of “Left to Our Own Devices, the Product Security Podcast,” we welcome Heather Vermillion, a security engineer at PACCAR with over 16 years of experience in cybersecurity, spanning various industries such as defense, intelligence, e-commerce, insurance, and embedded systems. Heather’s journey into cybersecurity is not just a story of professional development but also one of personal growth, community engagement, and a deep commitment to fostering the next generation of cybersecurity professionals.

Career Journey: From Defense to Automotive Cybersecurity

Heather’s career began in the defense sector, where she served as an IT specialist at the Department of Defense (DoD). Her passion for computers and cybersecurity was ignited during her early years when she was captivated by the emergence of personal computers in schools. This early fascination led her to pursue a degree in computer science, where she took every computer class available. However, it wasn’t until her senior year, when she encountered her first security class, that she found her true calling.

Heather realized that a bachelor’s degree alone might not suffice to stand out in the competitive environment of the DoD. Motivated to distinguish herself, she decided to pursue a master’s degree in Cyber Electronic Operations and Warfare from the U.S. Air Force Institute of Technology. This decision was pivotal in shaping her career, as it provided her with a robust foundation in cybersecurity principles and operations.

At the DoD, Heather was exposed to various challenges, including the bureaucratic complexities of working within a large government organization. She shared how this experience helped her develop a unique skill set that is still relevant in her current role at PACCAR. Heather described the transition from traditional IT roles to a focus on cybersecurity as a significant turning point in her career, driven by the evolving threat landscape and the need for more robust security measures.

Cybersecurity Challenges in the Automotive Industry

Heather’s role at PACCAR involves safeguarding advanced automotive technologies against emerging cyber threats. The automotive industry presents unique cybersecurity challenges, particularly in ensuring the safety and reliability of vehicles. Heather emphasized that in the automotive sector, safety is paramount, and cybersecurity plays a critical role in maintaining that safety. She explained that the complexity of modern vehicles, which are increasingly connected and reliant on embedded systems, introduces new vulnerabilities that must be addressed.

One of the key insights Heather shared was the importance of integrating cybersecurity with functional safety processes. She highlighted how ISO 21434, a standard for automotive cybersecurity, and ISO 26262, a standard for functional safety, often intersect in their objectives. By working closely with functional safety teams, Heather and her colleagues at PACCAR can leverage existing safety mechanisms to mitigate cybersecurity risks, such as side-channel attacks and voltage fluctuations.

Heather also discussed the broader implications of cybersecurity in the automotive industry, including the impact of supply chain vulnerabilities and the challenges posed by aftermarket parts. She noted that while original equipment manufacturers (OEMs) like PACCAR set stringent security standards, the strong car culture and the prevalence of aftermarket modifications introduce additional risks. Heather expressed a nuanced perspective on this issue, acknowledging the need to balance security with the freedom that car enthusiasts and mechanics cherish.

Navigating Bureaucracy and Organizational Challenges

Reflecting on her time at the DoD, Heather shared valuable lessons about navigating bureaucracy and organizational challenges. She described how working within a large, established organization like the DoD required agility and the ability to pivot when things didn’t go as planned. This experience has been particularly beneficial in her current role at PACCAR, a company with over a century of history and deeply rooted traditions.

Heather recounted a story from her time at the DoD when she was involved in the transition from the information assurance mindset to a more modern cybersecurity approach. This shift was marked by the adoption of the NIST 800-53 security controls, which required a cultural change within the organization. Heather’s role involved not only implementing these new controls but also educating her colleagues on their importance. One memorable incident involved a vulnerability scanner accidentally triggering a printer to print out gibberish, which led to a humorous yet challenging situation where Heather had to explain the issue to a high-ranking officer.

This story underscores the importance of communication and education in cybersecurity, particularly when dealing with non-technical stakeholders. Heather’s ability to translate complex technical issues into understandable terms has been a key asset throughout her career, enabling her to build strong relationships with colleagues and leadership alike.

Community Engagement and Mentorship: Inspiring the Next Generation

Beyond her professional achievements, Heather is deeply committed to community engagement and mentorship. She volunteers as a referee for the FIRST Lego League and FIRST Robotics Competition, programs designed to inspire young students to pursue careers in STEM fields. Heather shared a particularly touching story about how her visibility as a female engineer in these programs inspired a young girl to continue her involvement in robotics.

Heather emphasized the importance of being a visible role model for the next generation, particularly for young girls who may not see many women in technical fields. She noted that while there are many all-girl teams at the middle school level, there is often a sharp drop-off in female participation by the time students reach high school. However, Heather is optimistic about the future, observing that more girls are sticking with the program, thanks in part to the efforts of mentors and role models like herself.

Heather’s involvement in these programs has also provided her with valuable insights and inspiration. She marveled at the creativity and innovation displayed by the students, some of whom have even secured patents for their projects. This experience has reinforced her belief in the importance of fostering a strong talent pipeline in cybersecurity and engineering, starting at a young age.

Collaboration and Knowledge Sharing: The CyberTruck Challenge

Heather’s commitment to collaboration and knowledge sharing extends beyond her community engagement efforts. She spoke passionately about her involvement in the CyberTruck Challenge, an event that brings together industry professionals, academics, and students to tackle cybersecurity challenges in the automotive sector. The event is a week-long collaboration where participants receive intensive training and then apply their skills to real-world truck hacking scenarios.

Heather described the CyberTruck Challenge as an exhausting but incredibly rewarding experience. It provides a unique opportunity for cross-disciplinary collaboration, with participants from various fields working together to solve complex cybersecurity problems. Heather highlighted the importance of events like these in pushing the boundaries of what is possible in automotive cybersecurity and fostering a culture of continuous learning and innovation.

Conclusion: A Multifaceted Approach to Cybersecurity

Heather Vermillion’s story is a testament to the power of a multifaceted approach to cybersecurity, combining technical expertise with a deep understanding of organizational dynamics, a commitment to mentorship, and a passion for continuous learning. Her journey from the Department of Defense to PACCAR illustrates the evolving nature of cybersecurity, where the stakes are higher than ever, and collaboration across disciplines is crucial.

As Heather continues to safeguard advanced automotive technologies and inspire the next generation of cybersecurity professionals, her insights offer valuable lessons for anyone interested in the field. Whether navigating the complexities of a large organization, integrating cybersecurity with functional safety, or mentoring young students, Heather’s experiences underscore the importance of resilience, adaptability, and a willingness to embrace new challenges. This episode is a must-listen for anyone looking to gain a deeper understanding of the intersection of cybersecurity, automotive technology, and community engagement.