Principal OT/ICS Cybersecurity Engineer

Oak Ridge National Laboratory
life insurance, parental leave, 401(k), retirement plan, relocation assistance
United States, Tennessee, Oak Ridge
1 Bethel Valley Road
Feb 09, 2026

Requisition Id: 15883

Overview:

We are seeking a Cybersecurity Operational Technology (OT) Engineer to support the protection, monitoring, and modernization of OT and Industrial Control System (ICS) environments within the Cybersecurity Division's Cyber Enhancements Group. This role is responsible for engineering, operating, and enhancing OT cybersecurity capabilities to improve visibility, detection, and response across industrial and research control systems while ensuring alignment with applicable regulatory and compliance requirements.

In this role, the engineer will focus on maintaining and advancing OT security monitoring platforms, supporting threat detection and response activities, collaborating with operations teams to modernize legacy ICS environments, and developing standardized processes for monitoring, investigating, and responding to OT-related cyber events. The position works closely with Defensive Cyber Operations, Cyber Policy & Risk Management, Networking, Platform Services, and OT system owners to ensure secure architecture, effective monitoring, and continuous improvement of OT cybersecurity posture.

This position resides in the Cyber Enhancements Group within the Cybersecurity Division of the Information Technology Services Directorate at Oak Ridge National Laboratory (ORNL).

Major Duties/Responsibilities

  • Serve as the primary technical authority and program owner for the OT/ICS cybersecurity strategy, roadmap, and maturity model aligned with laboratory mission and DOE requirements
  • Own the architecture, implementation, and continuous improvement of OT security monitoring platforms (e.g., Nozomi, Dragos), including alert triage, tuning, use-case development, and integration with enterprise detection and response processes
  • Establish and maintain laboratory-wide standards, processes, and playbooks for OT cybersecurity monitoring, incident response, threat hunting, and post-incident analysis
  • Lead OT-specific threat detection, investigation, and response activities in coordination with Defensive Cyber Operations and relevant SMEs, ensuring safe containment strategies appropriate for control systems
  • Collaborate with OT system owners and engineering teams to modernize legacy ICS environments, including network segmentation, secure architecture design, device inventory, registration, and patching programs
  • Assist with risk assessments, root cause analysis, and long-term remediation planning for OT cybersecurity events, vulnerabilities, and architectural gaps
  • Interpret and apply applicable standards and requirements for OT environments
  • Serve as key interface between OT operations, cybersecurity governance, compliance, and audit activities, including preparation of documentation, risk artifacts, and technical briefings
  • Guide integration of OT cybersecurity tooling and workflows with SIEM, SOAR, EDR, and endpoint protection platforms
  • Utilize EDR tools to help develop detection rules, investigate threats, and resolve alerts
  • Collaborate to create and test threat hunting hypotheses and perform proactive detection activities
  • Review and provide guidance on secure design approaches for OT systems and interfaces with enterprise IT and research networks
  • Participate in penetration testing activities and cybersecurity exercises where appropriate
  • Mentor and provide technical guidance to engineers and analysts supporting OT cybersecurity capabilities
  • Prepare technical reports, metrics, findings, and briefings for laboratory leadership and authorized stakeholders

Basic Qualifications

  • BS in computer science, cybersecurity, or a related field with a minimum of eight years of relevant professional experience in OT/ICS cybersecurity, industrial control systems, or critical infrastructure environments
  • Demonstrated experience owning or leading cybersecurity capabilities, architectures, or programs, not solely operating tools
  • Strong knowledge of OT/ICS security principles, including secure architecture, segmentation, monitoring, and incident response
  • Ability to interpret and apply regulatory standards such as NERC CIP, DOE cybersecurity directives, and other industry-specific compliance frameworks
  • Proficiency in network protocols (TCP/IP, UDP) and industrial protocols such as Modbus, DNP3, OPC UA, IEC 61850, and others
  • Knowledge of secure architecture principles for ICS/SCADA systems and segmented network design
  • Experience with SIEM platforms (Elastic, Splunk) and Endpoint Detection and Response (EDR) tools for host security monitoring
  • Demonstrated ability to analyze OT security events and articulate detection, response, and remediation approaches across operational scenarios

Preferred Qualifications:

  • A master's degree in computer science, cybersecurity, or a related discipline
  • Four (4) or more years of experience supporting OT, ICS, or cyber operations in industrial or critical infrastructure environments
  • Industry certifications such as GRID (SANS) certifications in Control Systems
  • Active DOE Q or Top Secret clearance
  • Experience with SOAR development to improve metrics, dashboards, and reduce incident response noise
  • Knowledge of MITRE ATT&CK methodology
  • Working knowledge of Active Directory, Linux, and Windows operating systems with a focus on cybersecurity
  • Understanding of networking concepts including ports, protocols, packet analysis, and perimeter traversal
  • Familiarity with scripting and configuration languages for operational security and monitoring tasks
  • Experience integrating tools and platforms via APIs
  • Experience working with ticketing systems such as ServiceNow and Atlassian products
  • Experience with Azure or other cloud technologies
  • Experience supporting DOE facilities or other government entities
  • Familiarity with large-scale research environments (>6,000 employees)
  • Excellent written and oral communication skills.
  • Motivated self-starter with the ability to work independently and to participate creatively in collaborative teams across the laboratory.
  • Ability to function well in a fast-paced research environment, set priorities to accomplish multiple tasks within deadlines, and adapt to ever-changing needs.

Special Requirements:

  • Visa sponsorship is not available for this position.
  • This position requires the ability to obtain and maintain a clearance from the Department of Energy. As such, this position is a Workplace Substance Abuse (WSAP) testing designated position. WSAP positions require passing a pre-placement drug test and participation in an ongoing random drug testing program.

About ORNL:

As a U.S. Department of Energy (DOE) Office of Science national laboratory, ORNL has an impressive 80-year legacy of addressing the nation's most pressing challenges. Our team is made up of over 7,000 dedicated and innovative individuals! Our goal is to create an environment where a variety of perspectives and backgrounds are valued, ensuring ORNL is known as a top choice for employment. These principles are essential for supporting our broader mission to drive scientific breakthroughs and translate them into solutions for energy, environmental, and security challenges facing the nation.

ORNL offers competitive pay and benefits programs to attract and retain individuals who demonstrate exceptional work behaviors. The laboratory provides a range of employee benefits, including medical and retirement plans and flexible work hours, to support the well-being of you and your family. Employee amenities such as on-site fitness, banking, and cafeteria facilities are also available for added convenience.

Other benefits include the following: Prescription Drug Plan, Dental Plan, Vision Plan, 401(k) Retirement Plan, Contributory Pension Plan, Life Insurance, Disability Benefits, Generous Vacation and Holidays, Parental Leave, Legal Insurance with Identity Theft Protection, Employee Assistance Plan, Flexible Spending Accounts, Health Savings Accounts, Wellness Programs, Educational Assistance, Relocation Assistance, and Employee Discounts.

If you have difficulty using the online application system or need an accommodation to apply due to a disability, please email: ORNLRecruiting@ornl.gov.

This position will remain open for a minimum of 5 days after which it will close when a qualified candidate is identified and/or hired.

We accept Word (.doc, .docx), Adobe (unsecured .pdf), Rich Text Format (.rtf), and HTML (.htm, .html) up to 5MB in size. Resumes from third party vendors will not be accepted; these resumes will be deleted and the candidates submitted will not be considered for employment.

ORNL is an equal opportunity employer. All qualified applicants, including individuals with disabilities and protected veterans, are encouraged to apply. UT-Battelle is an E-Verify employer.
