By Nelson Baker 02/19/2025
Sultan Omurzakov is making the future safer. In his current role as a senior software engineer at a leading autonomous mobility company, he is responsible for developing cryptographic systems that secure autonomous vehicles, including robotaxis. Cybersecurity for such vehicles is critical: they must resist attack throughout their entire service life, so engineers are tasked with building systems that withstand not only today's threats but those of decades to come. Previously, Sultan Omurzakov led large-scale projects at Roblox, Palo Alto Networks, Truist, and Deloitte. His inventions help detect threats in IoT devices, classify router traffic, and automate vulnerability management.
– Sultan, what kind of solutions are you developing for autonomous vehicles? What makes them unique?
– Securing robotaxis is a highly complex challenge. In general, the work around data protection in this space falls into two main areas: securing the vehicle and its subsystems, and securing the cloud infrastructure that supports them.
On the vehicle side, we start at the hardware level. Every microchip — from the ECU to the perception modules — goes through a secure boot process using keys stored in the Trusted Platform Module. This ensures the integrity and security of all robotaxi components. Communication between systems is always encrypted, so data exchanged inside the vehicle is protected end to end.
In the cloud, I focus on strengthening microservice security, particularly in the areas of authentication and authorization. A single request can pass through multiple microservices, so it’s critical that authorization checks are enforced at every step. We also log and monitor every request, so if something goes wrong — whether it’s a bug, a misconfiguration, or an attempted breach — we can quickly trace what happened, who made the request, and whether it was legitimate or part of a potential attack.
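The per-hop authorization and audit trail described in the answer above, written out as an added example (this is editorial code, not the interviewee's or his employer's implementation). It assumes a compact HMAC-signed token carrying the caller's subject and scopes (a shared key stands in for the asymmetric keys or mTLS identities a production deployment would use), a three-service chain gateway -> trips -> billing, and an in-memory list standing in for the central log. Each hop re-verifies the token and records a decision keyed by request id, so a denial can be traced back to the exact service and reason.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions (not from the article): a shared HMAC key stands in for the
# signing key, and AUDIT_LOG stands in for the central logging pipeline.
SHARED_KEY = b"demo-only-shared-key"
AUDIT_LOG = []


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes, ttl_seconds: int = 300, now=None) -> str:
    """Issue a compact signed token: base64(claims).base64(hmac-sha256)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None) -> dict:
    """Check signature and expiry; raise PermissionError with a reason on any failure."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):  # missing '.', bad base64, or bad JSON
        raise PermissionError("malformed token")
    if claims.get("exp", 0) < now:
        raise PermissionError("token expired")
    return claims


def forge_scopes(token: str, scopes) -> str:
    """Attacker-style tampering: rewrite the claims but keep the old signature."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scopes"] = sorted(scopes)
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


class Service:
    """One microservice hop. It re-checks authorization itself instead of trusting the caller."""

    def __init__(self, name: str, required_scope: str, downstream=None):
        self.name = name
        self.required_scope = required_scope
        self.downstream = downstream

    def handle(self, request_id: str, token: str, now=None) -> dict:
        subject, reason = None, "ok"
        try:
            claims = verify_token(token, now)
            subject = claims["sub"]
            if self.required_scope not in claims["scopes"]:
                reason = f"missing scope {self.required_scope}"
        except PermissionError as err:
            reason = str(err)
        allowed = reason == "ok"
        # Every hop logs who asked, what it decided and why, keyed by request id.
        AUDIT_LOG.append({"request_id": request_id, "service": self.name,
                          "subject": subject, "allowed": allowed, "reason": reason})
        if not allowed:
            return {"status": 403, "denied_at": self.name, "reason": reason}
        if self.downstream is not None:
            return self.downstream.handle(request_id, token, now)
        return {"status": 200, "served_by": self.name}


def trace(request_id: str) -> list:
    """Reconstruct what happened to one request, hop by hop, from the audit log."""
    return [e for e in AUDIT_LOG if e["request_id"] == request_id]


def build_chain() -> Service:
    billing = Service("billing", "billing:read")
    trips = Service("trips", "trips:read", downstream=billing)
    return Service("gateway", "api:call", downstream=trips)


if __name__ == "__main__":
    chain = build_chain()
    full = mint_token("support-bot", {"api:call", "trips:read", "billing:read"})
    partial = mint_token("rider-app", {"api:call", "trips:read"})
    print(chain.handle("req-1", full))      # 200 served by billing
    print(chain.handle("req-2", partial))   # 403 at billing: missing scope
    print(chain.handle("req-3", forge_scopes(partial, {"api:call", "trips:read", "billing:read"})))
    for entry in trace("req-2"):
        print(entry)
```

The design point is that `trips` forwarding a request to `billing` proves nothing about the caller; `billing` re-verifies the token itself, and a forged claim set fails at the first hop because the signature no longer covers it. Passing `now` explicitly keeps the expiry check testable; in service code it would default to the clock.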
– As a recognized cybersecurity expert, can you share your approach to building protection systems against unauthorized access?
– In cybersecurity, much like in military strategy, a multi-layered defense approach is essential. The idea is to ensure systems stay protected even if the outermost layers are breached by attackers.
For large companies, that means using network firewalls to protect the network perimeter, application firewalls to secure web apps, dedicated API security solutions for microservices, and antivirus software to protect the servers and endpoints. On top of that, logging and monitoring systems are critical — they help detect and respond to suspicious activity throughout every layer of the infrastructure.
This refers to hardware security. But it’s just as important to defend against threats that exploit human behavior — what’s known as social engineering. This includes phishing (fake emails and social media messages), but attackers are also now using voice spoofing over the phone (vishing), and fake SMS messages (smishing). To protect against these tactics, companies need to invest in regular training programs that teach employees digital hygiene best practices. These trainings should be followed by simulated attacks to test awareness in real scenarios. It’s also important to implement biometric authentication, multi-factor authorization, and of course, to install antivirus software on all mobile devices and tablets.
– You worked at Palo Alto Networks, where you developed systems at the intersection of AI and cybersecurity. How can artificial intelligence support cybersecurity projects?
– At Palo Alto Networks, I built AI-driven systems for detecting threats in IoT devices. The challenge with IoT is that these devices often become outdated quickly, rarely receive updates, and are frequently connected to the internet with vulnerable configurations.
Given that network traffic can reach terabytes per day, only AI algorithms have the capacity to process such massive volumes of data in real time and detect or block attacks as they happen.
– You recently received a patent for a unique solution that identifies software components of IoT devices through network analysis, improving the accuracy and automation of vulnerability management. What are the potential applications of this technology?
– Together with my colleagues, I patented a solution for classifying traffic behind a router using Network Address Translation (NAT). In logs, this kind of traffic typically appears as if it’s coming from a single router, making it difficult to determine what devices are actually behind it — unless you’re using expensive hardware sensors.
Our solution is especially valuable for large enterprises, manufacturing plants, and companies with a wide branch network. With our approach, we can gain visibility into the internal network of each branch and identify up to 92% of the devices operating behind NAT.
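To make the NAT visibility problem concrete, here is an added example of the general idea (editorial code, not the patented method, whose details the interview does not give): although every flow from a branch carries the router's public address, attributes that each device's own network stack sets, such as the remaining TTL, the TCP window and the HTTP User-Agent, still differ per device, so grouping flows by those attributes yields a set of distinct device fingerprints. The flow records, the NAT address from the documentation range and the User-Agent strings are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records as they would appear in a log behind a NAT router:
# the source address is always the router's, but TTL, TCP window and
# User-Agent are set by the individual devices. (Sample data, not real traffic.)
NAT_IP = "203.0.113.5"
SAMPLE_FLOWS = [
    {"src": NAT_IP, "ttl": 62, "win": 65535, "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1"},
    {"src": NAT_IP, "ttl": 62, "win": 65535, "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1"},
    {"src": NAT_IP, "ttl": 126, "win": 64240, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"},
    {"src": NAT_IP, "ttl": 62, "win": 29200, "ua": "Mozilla/5.0 (Linux; Android 13) Chrome/121.0 Mobile"},
    {"src": NAT_IP, "ttl": 253, "win": 5840, "ua": "IPCamera-HTTPClient/2.1"},
    {"src": NAT_IP, "ttl": 253, "win": 5840, "ua": "IPCamera-HTTPClient/2.1"},
    {"src": "198.51.100.9", "ttl": 50, "win": 65535, "ua": "curl/8.4.0"},  # unrelated host, ignored
]


def infer_initial_ttl(ttl: int) -> int:
    """Map an observed TTL back to the OS default it most likely started from."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    raise ValueError(f"impossible TTL {ttl}")


def ua_family(ua: str) -> str:
    """Coarse platform family from a User-Agent; unknown agents keep their product name."""
    low = ua.lower()
    for token, family in (("windows", "windows"), ("android", "android"), ("iphone", "ios"),
                          ("macintosh", "macos"), ("linux", "linux")):
        if token in low:
            return family
    return low.split("/")[0]


def os_hint(initial_ttl: int, family: str) -> str:
    if family in ("windows", "android", "ios", "macos", "linux"):
        return family
    return {64: "unix-like", 128: "windows-like", 255: "embedded/network-stack"}.get(initial_ttl, "unknown")


def devices_behind_nat(flows: list, nat_ip: str) -> list:
    """Group the NAT's flows by (initial TTL, TCP window, UA family); each group is one device fingerprint."""
    groups = defaultdict(lambda: {"flows": 0, "hops": set()})
    for f in flows:
        if f["src"] != nat_ip:
            continue
        initial = infer_initial_ttl(f["ttl"])
        key = (initial, f["win"], ua_family(f["ua"]))
        groups[key]["flows"] += 1
        groups[key]["hops"].add(initial - f["ttl"])  # hop count router-to-sensor; should agree across devices
    return [{"initial_ttl": k[0], "window": k[1], "ua_family": k[2],
             "os_hint": os_hint(k[0], k[2]), "flows": v["flows"], "hops": sorted(v["hops"])}
            for k, v in sorted(groups.items())]


if __name__ == "__main__":
    for device in devices_behind_nat(SAMPLE_FLOWS, NAT_IP):
        print(device)
```

Two caveats a practitioner would add: identical devices (same OS, same window, same client) collapse into one fingerprint, which is one reason a passive method cannot claim 100% coverage, and the inferred hop count should be the same for every group; if it is not, the flows probably did not all originate behind the same router.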
– Some of your projects focus on IoT security. What are the main cybersecurity challenges facing the Internet of Things today?
– The biggest threats stem from default firmware configurations — especially devices shipped with standard passwords — a lack of update mechanisms, and opaque supply chains where vulnerable chips or firmware can be introduced.
Many IoT devices also lack network segmentation, and limited microcontroller resources make it difficult to implement modern cryptographic algorithms. To address this, IoT devices should be isolated into their own dedicated network segment, with strict control over both inbound and outbound traffic. It’s also critical to implement security monitoring and regularly analyze logs for anomalies using machine learning algorithms.
– What projects are you currently working on? What problems are they solving?
– Right now, I’m focused on projects that strengthen the security of cloud infrastructure. The solutions I’m developing are designed to validate both the protection and the stability of cloud systems, especially under high load. I’m also conducting research aimed at enhancing system security. One of the areas I’m exploring is the automatic identification of role-based access. By analyzing logs, we can determine which user roles should exist — for example, roles for engineers or support teams — and create appropriate access policies for each.
I’m also researching attribute-based access control, where permissions are defined using a special policy language and specific attributes. For instance, this approach can grant employees access to sensitive data only when they’re actively on shift. These efforts go beyond solving isolated issues — they contribute to building more flexible, fine-grained access policies that protect a company’s digital infrastructure from attackers without interfering with employees’ day-to-day workflows.
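The two research directions in the closing answer, mining role definitions from access logs and attribute-based rules such as "only while on shift", as one added example (editorial code, not the interviewee's systems). It assumes a constructed access log with one line per request ("timestamp user team action resource"), derives candidate roles by grouping users whose observed permission sets are identical, flags users whose set matches nobody else's for review, and then evaluates a small data-driven ABAC policy (a stand-in for a real policy language) that grants support staff access to customer PII only during their shift, including shifts that cross midnight.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (not from the article): "timestamp user team action resource".
SAMPLE_LOG = """\
2025-02-10T09:12:03Z alice eng deploy service_trips
2025-02-10T09:13:40Z alice eng read logs_trips
2025-02-10T09:20:11Z bob eng deploy service_trips
2025-02-10T09:25:00Z bob eng read logs_trips
2025-02-10T10:01:09Z carol support read customer_pii
2025-02-10T10:03:45Z carol support write ticket
2025-02-10T10:05:12Z dave support read customer_pii
2025-02-10T10:07:31Z dave support write ticket
2025-02-10T11:00:00Z erin eng deploy service_trips
2025-02-10T11:00:30Z erin eng read logs_trips
2025-02-10T11:00:31Z erin eng read customer_pii
"""


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        ts, user, team, action, resource = line.split()
        entries.append({"ts": ts, "user": user, "team": team, "action": action, "resource": resource})
    return entries


def mine_roles(entries: list, min_members: int = 2):
    """Users with identical observed permission sets form a candidate role.
    A user whose set matches nobody else's is returned as an outlier for review."""
    perms_by_user = defaultdict(set)
    team_of = {}
    for e in entries:
        perms_by_user[e["user"]].add((e["action"], e["resource"]))
        team_of[e["user"]] = e["team"]
    members_by_permset = defaultdict(list)
    for user, perms in perms_by_user.items():
        members_by_permset[frozenset(perms)].append(user)
    roles, outliers = {}, {}
    for perms, members in members_by_permset.items():
        if len(members) < min_members:
            outliers[members[0]] = sorted(perms)
            continue
        base = "+".join(sorted({team_of[u] for u in members}))
        name, n = base, 2
        while name in roles:  # a team may legitimately split into several roles
            name, n = f"{base}-{n}", n + 1
        roles[name] = {"permissions": sorted(perms), "members": sorted(members)}
    return roles, outliers


# ABAC rules as plain data; the rule format is this example's own assumption,
# standing in for a dedicated policy language.
POLICY = [
    {"action": "read", "resource": "customer_pii", "subject": {"role": "support"}, "condition": "on_shift"},
    {"action": "write", "resource": "ticket", "subject": {"role": "support"}},
    {"action": "deploy", "resource": "service_trips", "subject": {"role": "eng"}},
    {"action": "read", "resource": "logs_trips", "subject": {"role": "eng"}},
]


def on_shift(subject: dict, ctx: dict) -> bool:
    """True while the request time falls inside the subject's shift; handles shifts crossing midnight."""
    start, end = subject["shift"]  # hours in 24h clock, e.g. (8, 17) or (22, 6)
    hour = ctx["time"].hour
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


CONDITIONS = {"on_shift": on_shift}


def authorize(subject: dict, action: str, resource: str, ctx: dict) -> bool:
    """Deny by default; allow only if a rule matches action, resource, subject attributes and its condition."""
    for rule in POLICY:
        if rule["action"] != action or rule["resource"] != resource:
            continue
        if any(subject.get(k) != v for k, v in rule["subject"].items()):
            continue
        cond = rule.get("condition")
        if cond and not CONDITIONS[cond](subject, ctx):
            continue
        return True
    return False


if __name__ == "__main__":
    roles, outliers = mine_roles(parse_log(SAMPLE_LOG))
    print(roles)
    print("review:", outliers)  # erin: eng permissions plus customer_pii read
    carol = {"role": "support", "shift": (8, 17)}
    print(authorize(carol, "read", "customer_pii", {"time": datetime(2025, 2, 10, 10, 0)}))  # on shift
    print(authorize(carol, "read", "customer_pii", {"time": datetime(2025, 2, 10, 20, 0)}))  # off shift
```

In the sample, the engineers' and support staff's permission sets fall out cleanly as two roles, while erin's extra PII read leaves her as a singleton: exactly the kind of finding a log-driven role review should surface, either as a missing role or as excess privilege to remove. On the ABAC side the policy denies by default, so a rule's condition failing (off shift) is indistinguishable to the caller from no rule at all.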