Senior Cybersecurity Engineer

ON.energy
Houston, TX, US
May 29, 2026
On-site
Full-time
Security Engineering
Senior · 5–8 yrs

ON.energy is building the power infrastructure that makes the AI era possible. As AI demand surges past what the grid and traditional data centers can support, ON.energy provides a new class of power technology proven at gigawatt scale and trusted by the world’s leading cloud and AI companies. Our systems are already deployed across 2.5 GW of hyper-scale campuses, validated by top U.S. national labs, and certified for grid-safe operation by major utilities. With real products in the field, we’re scaling faster than the grid can, transforming power from a bottleneck into a competitive advantage for the companies building the future.

We are looking for a Senior Cybersecurity Engineer to architect and implement technical security controls for our grid-connected energy portfolio. As we scale our operations, we need a hands-on engineer to secure the entire data lifecycle - from the industrial control systems (OT) at the edge, through the cloud telemetry pipeline, to the corporate dashboards.

This is a builder role. You will be responsible for deploying and managing our core security infrastructure - specifically Wazuh and Authentik - to secure our AWS environments and operational field assets. You will work directly with control systems engineers and DevOps teams to build security into our backbone.

Responsibilities will include: 

Cloud & Infrastructure Security

  • Cloud Architecture: Secure the AWS infrastructure that hosts our energy management platforms. Implement hardening baselines and manage security groups for cloud resources
  • SIEM & Observability (Wazuh): Architect a centralized and on-prem SIEM deployment to ingest logs from CloudTrail, VPC Flow Logs, and Linux servers. Configure custom decoders to detect threats across both cloud and on-prem environments
  • Infrastructure as Code (IaC): Review and secure Terraform/CloudFormation scripts. Manage security configurations (including Wazuh agents and Authentik outposts) via Ansible or similar automation tools
  • IoT/Edge Security: Secure the telemetry pipeline from the edge device (site controller) to the cloud, ensuring encryption (TLS 1.2/1.3) and proper certificate management (PKI) for edge

Identity & Access Management (IAM)

  • Unified IAM (Authentik): Architect Authentik as the central Identity Provider (IdP), enforcing MFA and SSO across cloud consoles, internal engineering tools, and Grafana dashboards
  • Least Privilege: Engineer granular IAM roles for cloud resources and service accounts, ensuring that automated services have only the permissions necessary to function

Operational Technology (OT) Security

  • Network Segmentation: Design and implement IEC 62443-aligned network architectures (Purdue Model), strictly controlling traffic between the IT, Cloud, and OT zones
  • Vulnerability & Integrity Monitoring: Deploy Wazuh agents on industrial PCs and HMIs to perform File Integrity Monitoring (FIM) and vulnerability scanning without disrupting critical real-time processes
  • Industrial Protocols: Analyze and secure communications (Modbus, DNP3) to ensure integrity between field assets and control centers


Requirements:

  • 5–8 years of technical cybersecurity experience, with a specific blend of Cloud/Linux Engineering and OT/Industrial exposure
  • Proven experience working with industrial control systems (ICS), SCADA, or utility/energy infrastructure
  • Deep expertise in securing Linux-based cloud environments and managing infrastructure via code
  • Comfortable debugging a failed Wazuh agent on a Linux server or tracing a dropped packet in a cloud VPC
  • Comfortable tailoring flexible open-source tools to fit specific architectural needs rather than relying solely on "black box" commercial vendors

Technical stack proficiency: 

  • Wazuh: Deep experience deploying managers/agents, writing custom rules/decoders, and tuning FIM/SCA modules for low-noise environments
  • Authentik: Experience configuring Providers (OIDC, SAML), Outposts, and proxying legacy applications
  • Cloud Platforms: Proficiency with AWS (GuardDuty, IoT Core, IAM) or Azure (Defender for IoT, Entra ID)

Preferred experience:

  • Experience with Docker/Kubernetes security in an edge computing context
  • Knowledge of industrial protocols (Modbus TCP, DNP3, IEC 61850)
  • Certifications: GICSP, GRID, AWS Certified Security – Specialty

For US-based roles - What you’ll get:

  • Competitive salary + annual performance-based bonus eligibility
  • Medical, dental, and vision insurance
  • 401(k) with company match
  • Paid time off and company holidays 

For Mexico-based roles - What you’ll get:

  • Competitive salary + annual performance bonus eligibility
  • Christmas Bonus (Aguinaldo): 30 days
  • Major medical expenses and life insurance
  • Paid time off and holidays (per local policy)

For all roles:

  • Professional development and growth opportunities
  • Opportunity to grow with a mission-driven team shaping the future of clean energy
  • Equal Opportunity: ON.energy is committed to equal employment opportunity and to maintaining a work environment free of harassment, discrimination, or retaliation.
  • Accommodations: If you need an accommodation during the application process, email recruitment@onenergystorage.com
  • Benefits vary by role and location and are subject to change.

Job Details

Experience

Senior · 5–8 yrs

Tools & Tech

Ansible
AWS
Azure
CloudFormation
CloudTrail
Docker
Entra ID
Grafana
GuardDuty
Kubernetes
Linux
Microsoft Defender
Terraform
Wazuh

Preferred Certs

AWS Security Specialty