Sr. Cybersecurity Engineer (OT & Cloud Infrastructure)

We are looking for a Sr. Cybersecurity Engineer to architect and implement technical security controls for our grid-connected energy portfolio. As we scale our operations, we need a hands-on engineer to secure the entire data lifecycle - from the industrial control systems (OT) at the edge, through the cloud telemetry pipeline, to the corporate dashboards.
This is a builder role. You will be responsible for deploying and managing our core security infrastructure - specifically Wazuh and Authentik - to secure our AWS environments and operational field assets. You will work directly with control systems engineers and DevOps teams to build security into our backbone.

Responsibilities
Cloud & Infrastructure Security
Cloud Architecture: Secure the AWS infrastructure that hosts our energy management platforms. Implement hardening baselines and manage security groups for cloud resources.
SIEM & Observability (Wazuh): Architect a centralized and on-prem SIEM deployment to ingest logs from CloudTrail, VPC Flow Logs, and Linux servers. Configure custom decoders to detect threats across both cloud and on-prem environments.
Infrastructure as Code (IaC): Review and secure Terraform/CloudFormation scripts. Manage security configurations (including Wazuh agents and Authentik outposts) via Ansible or similar automation tools.
IoT/Edge Security: Secure the telemetry pipeline from the edge device (site controller) to the cloud, ensuring encryption (TLS 1.2/1.3) and proper certificate management (PKI) for edge.
Identity & Access Management (IAM)
Unified IAM (Authentik): Architect Authentik as the central Identity Provider (IdP), enforcing MFA and SSO across cloud consoles, internal engineering tools, and Grafana dashboards.
Least Privilege: Engineer granular IAM roles for cloud resources and service accounts, ensuring that automated services have only the permissions necessary to function.
Operational Technology (OT) Security
Network Segmentation: Design and implement IEC 62443-aligned network architectures (Purdue Model), strictly controlling traffic between the IT, Cloud, and OT zones.
Vulnerability & Integrity Monitoring: Deploy Wazuh agents on industrial PCs and HMIs to perform File Integrity Monitoring (FIM) and vulnerability scanning without disrupting critical real-time processes.
Industrial Protocols: Analyze and secure communications (Modbus, DNP3) to ensure integrity between field assets and control centers.

Requirements
5–8 years of technical cybersecurity experience, with a specific blend of Cloud/Linux Engineering and OT/Industrial exposure.
Technical Stack Proficiency:
Wazuh: Deep experience deploying managers/agents, writing custom rules/decoders, and tuning FIM/SCA modules for low-noise environments.
Authentik: Experience configuring Providers (OIDC, SAML), Outposts, and proxying legacy applications.
Cloud Platforms: Proficiency with AWS (GuardDuty, IoT Core, IAM) or Azure (Defender for IoT, Entra ID).
Required Background:
OT Security Experience: Proven experience working with industrial control systems (ICS), SCADA, or utility/energy infrastructure.
AND/OR
Cloud/DevSecOps Experience: Deep expertise in securing Linux-based cloud environments and managing infrastructure via code.
Core Traits:
Hands-on: You are comfortable debugging a failed Wazuh agent on a Linux server or tracing a dropped packet in a cloud VPC.
Open-Source Advocate: You prefer tailoring flexible open-source tools to fit specific architectural needs rather than relying solely on "black box" commercial vendors.
Preferred:
Experience with Docker/Kubernetes security in an edge computing context.
Knowledge of industrial protocols (Modbus TCP, DNP3, IEC 61850).
Certifications: GICSP, GRID, AWS Certified Security – Specialty.