About The Position

ON.energy is building the power infrastructure that makes the AI era possible. As AI demand surges past what the grid and traditional data centers can support, ON.energy provides a new class of power technology proven at gigawatt scale and trusted by the world’s leading cloud and AI companies. Our systems are already deployed across 2.5 GW of hyper-scale campuses, validated by top U.S. national labs, and certified for grid-safe operation by major utilities. With real products in the field, we’re scaling faster than the grid can, transforming power from a bottleneck into a competitive advantage for the companies building the future.

We are looking for a Sr. Cybersecurity Engineer to architect and implement technical security controls for our grid-connected energy portfolio. As we scale our operations, we need a hands-on engineer to secure the entire data lifecycle - from the industrial control systems (OT) at the edge, through the cloud telemetry pipeline, to the corporate dashboards.

This is a builder role. You will be responsible for deploying and managing our core security infrastructure - specifically Wazuh and Authentik - to secure our AWS environments and operational field assets. You will work directly with control systems engineers and DevOps teams to build security into our backbone.

Requirements

  • 5–8 years of technical cybersecurity experience, with a specific blend of Cloud/Linux Engineering and OT/Industrial exposure.
  • Wazuh: Deep experience deploying managers/agents, writing custom rules/decoders, and tuning FIM/SCA modules for low-noise environments.
  • Authentik: Experience configuring Providers (OIDC, SAML), Outposts, and proxying legacy applications.
  • Cloud Platforms: Proficiency with AWS (GuardDuty, IoT Core, IAM) or Azure (Defender for IoT, Entra ID).
  • OT Security Experience: Proven experience working with industrial control systems (ICS), SCADA, or utility/energy infrastructure.
  • AND/OR
  • Cloud/DevSecOps Experience: Deep expertise in securing Linux-based cloud environments and managing infrastructure via code.
  • Hands-on: You are comfortable debugging a failed Wazuh agent on a Linux server or tracing a dropped packet in a cloud VPC.
  • Open-Source Advocate: You prefer tailoring flexible open-source tools to fit specific architectural needs rather than relying solely on "black box" commercial vendors.

Nice To Haves

  • Experience with Docker/Kubernetes security in an edge computing context.
  • Knowledge of industrial protocols (Modbus TCP, DNP3, IEC 61850).
  • Certifications: GICSP, GRID, AWS Certified Security – Specialty.

Responsibilities

  • Cloud Architecture: Secure the AWS infrastructure that hosts our energy management platforms. Implement hardening baselines and manage security groups for cloud resources.
  • SIEM & Observability (Wazuh): Architect a centralized and on-prem SIEM deployment to ingest logs from CloudTrail, VPC Flow Logs, and Linux servers. Configure custom decoders to detect threats across both cloud and on-prem environments.
  • Infrastructure as Code (IaC): Review and secure Terraform/CloudFormation scripts. Manage security configurations (including Wazuh agents and Authentik outposts) via Ansible or similar automation tools.
  • IoT/Edge Security: Secure the telemetry pipeline from the edge device (site controller) to the cloud, ensuring encryption (TLS 1.2/1.3) and proper certificate management (PKI) for edge devices.
  • Unified IAM (Authentik): Architect Authentik as the central Identity Provider (IdP), enforcing MFA and SSO across cloud consoles, internal engineering tools, and Grafana dashboards.
  • Least Privilege: Engineer granular IAM roles for cloud resources and service accounts, ensuring that automated services have only the permissions necessary to function.
  • Network Segmentation: Design and implement IEC 62443-aligned network architectures (Purdue Model), strictly controlling traffic between the IT, Cloud, and OT zones.
  • Vulnerability & Integrity Monitoring: Deploy Wazuh agents on industrial PCs and HMIs to perform File Integrity Monitoring (FIM) and vulnerability scanning without disrupting critical real-time processes.
  • Industrial Protocols: Analyze and secure communications (Modbus, DNP3) to ensure integrity between field assets and control centers.

Benefits

  • Competitive salary + annual performance-based bonus eligibility
  • Medical, dental, and vision insurance
  • 401(k) with company match
  • Paid time off and company holidays
  • Competitive salary + annual performance bonus eligibility
  • Christmas Bonus (Aguinaldo): 30 days
  • Major medical expenses and life insurance
  • Paid time off and holidays (per local policy)
  • Professional development and growth opportunities
  • Opportunity to grow with a mission-driven team shaping the future of clean energy