L3 OT SME (m/f/d)

Overview

Key Responsibilities

• Act as the final escalation point for unresolved L1/L2 incidents, conducting advanced diagnostics, forensic analysis, and root-cause investigations on OT systems, protocols, and anomalies.
• Lead complex troubleshooting and resolution of critical OT issues, including rare failures, intermittent problems, protocol-level defects, or multi-system interactions that impact safety or production.
• Design and architect OT network topologies, segmentation (per Purdue Model), security controls, and resilience strategies aligned with ISA/IEC 62443, NIST SP 800-82, NERC CIP, and other standards.
• Perform advanced threat hunting, vulnerability research, and risk assessments tailored to OT/ICS environments; develop custom mitigation strategies for zero-days or high-severity threats.
• Collaborate with vendors (e.g., Rockwell, Siemens, Schneider, Honeywell) on deep technical escalations, patches, firmware updates, and custom configurations.
• Lead incident response for major OT events, including post-incident reviews, forensic preservation, and improvement recommendations.
• Develop advanced playbooks, standards, reference architectures, and automation/scripts for OT monitoring, patching, and recovery.
• Mentor L1/L2 teams, provide cross-training, and contribute to knowledge transfer and continuous improvement programs.
• Participate in strategic initiatives such as IT/OT convergence projects, zero-trust implementations, and regulatory audits/compliance efforts.
• Serve as the primary OT technical liaison for audits, executive briefings, and cross-functional projects involving engineering, operations, and cybersecurity.

Required Qualifications

• Bachelor's or Master's degree in Electrical/Industrial Engineering, Computer Science, Cybersecurity, or related field (or equivalent extensive experience).
• 8–12+ years of hands-on experience in OT/ICS environments, industrial automation, SCADA/DCS engineering, or critical infrastructure protection.
• 4+ years in advanced/support/escalation roles (L2 or higher), with proven track record resolving the most complex OT issues.
• Deep expertise in industrial protocols (Modbus TCP/RTU, DNP3, OPC UA/DA, Profinet, EtherNet/IP, IEC 61850, etc.) and their security implications.
• Extensive knowledge of Purdue Enterprise Reference Architecture (PERA), DMZ design, network segmentation, and IT/OT convergence challenges.
• Proficiency with OT-specific tools (e.g., Nozomi, Claroty, Dragos, Tenable OT, industrial IDS/IPS) and general forensics/log analysis tools.
• Strong understanding of OT cybersecurity frameworks (ISA/IEC 62443, NIST CSF 2.0, NIST SP 800-82r3) and regulatory requirements (NERC CIP, CFATS, etc.).
• Experience with PLC/HMI programming, configuration management, change control, and vendor-specific ecosystems (Rockwell Automation, Siemens, Schneider, etc.).
• Must-Have Certifications, not all but 1 or 2:
• ISA/IEC 62443 Cybersecurity Expert (or multiple certifications in the 62443 series, including Fundamentals + Specialist levels) – required
• GIAC Global Industrial Cyber Security Professional (GICSP) – required
• GIAC Response and Industrial Defense (GRID) or equivalent advanced OT incident response cert – required
• One or more of the following advanced certifications:
• + Certified Information Systems Security Professional (CISSP) with OT/ICS focus or experience

+ GIAC Critical Infrastructure Protection (GCIP)