OT Network & Cybersecurity Engineer
Ziggurat Automation Inc. · Greater Sacramento · 3 wk ago
Information TechnologyFull-time
About the role
This role exists because PRP dual-star network design, IEC 62443 zone/conduit architecture, and OT-specific cybersecurity require an engineer who understands both network infrastructure and protection system communication requirements.
Responsibilities
- Design and harden the OT network that carries protection traffic — VLAN segmentation, QoS for GOOSE prioritization, PRP failover, ACL enforcement, and standards alignment across IEC 62443, NERC CIP, NIST 800-82, and IEEE 1686.
- OWN PRP dual-star network architecture: Cisco Catalyst 9500/IE-2000 topology, DANP endpoint assignments, QoS for GOOSE traffic.
- OWN IEC 62443 zone/conduit design: security zone architecture, VRF/VLAN segmentation, ACL-based zone boundary control.
- OWN OT network hardening: RBAC on RTACs/relays/switches/HMI, allow-listing policies, unused protocol disabling.
- OWN Cybersecurity standards alignment: IEC 62443, NERC CIP (concepts), NIST SP 800-82, IEEE 1686 — hardening baselines per device type.
- OWN Network monitoring integration: Nozomi or Claroty deployment for OT traffic visibility and anomaly detection.
- OWN Logging and forensics architecture: SOE audit trails, time-synchronized logging to SIEM or dual historian.
- Touch vendor platforms: Cisco SEL, software tools like Wireshark, Nozomi Networks, Claroty AcSELerator, RTAC, and standards like IEC 62443, IEC 62439-3 (PRP/HSR), NERC CIP, IEEE 1686, IEC 61850, and protocols like SNMP, IRIG-B.
Requirements
- 7+ years OT network engineering or cybersecurity for industrial control systems or critical infrastructure.
- Industrial Ethernet network design: VLAN/VRF segmentation, QoS, managed switch configuration (Cisco IE or equivalent).
- IEC 62443 zone/conduit model implementation — security zone architecture, boundary enforcement.
- OT network hardening: RBAC, allow-listing, unused protocol disabling, device hardening baselines.
- Network protocol analysis: Wireshark for GOOSE, DNP3, Modbus, SNMP traffic.
- Understanding of PRP or HSR per IEC 62439-3 for redundant industrial Ethernet.
Preferred Background
- IEC 61850 GOOSE communication architecture awareness — QoS requirements for protection traffic.
- Nozomi Networks or Claroty deployment for OT monitoring.
- NERC CIP compliance mapping for power systems or adapted federal facility context.
- NIST SP 800-82 (ICS security) and IEEE 1686 (substation IED cybersecurity).
- Cisco Catalyst 9500 and IE-2000 series switch configuration.
What Success Looks Like
- First 90 Days: Reviewed existing OT network architecture on an active project — topology, VLAN assignments, security posture; Produced a zone/conduit diagram or network hardening baseline for a protection network scope; Assessed PRP network configuration: dual-plane separation, GOOSE multicast delivery, failover readiness.
- First 180 Days: Owning OT network design scope on at least one project — PRP architecture, VLAN/VRF, QoS, ACLs; Cybersecurity alignment documentation delivered against IEC 62443 and at least one additional standard; Network hardening applied to RTACs, relays, and switches with RBAC and allow-listing verified.