Cyber Security Engineer - Compliance

About The Position

Requirements

• A Bachelor’s degree in Computer Science, Cyber Security or related technical discipline. Equivalent work experience considered.
• Having relevant security certifications or the ability to obtain GIAC GCIP and/or GIAC GCCC is expected.
• A Master’s degree may be substituted for some experience.
• Direct experience with NERC CIP standards and NIST frameworks is highly preferred.
• Familiarity with OT systems (e.g., SCADA, PLCs) and utility operations.
• Familiarity with networking technologies, operating systems, regular expressions, and API/Script based data acquisition methods.
• Experience with Tripwire Enterprise, Sigma Flow Beacon, or governance risk and compliance (GRC) tools with workflow and ability to dynamically retrieve data is highly preferred.
• Strong understanding of Information Security frameworks.
• A functional understanding of API and scripted data retrieval across various technologies.
• Proficiency with SQL Query languages
• Demonstrated ability to securely create and manage scripts for data acquisition
• Proficiency in risk assessment methodologies and cybersecurity tools.
• Excellent analytical, problem-solving, and documentation skills.
• Ability to communicate complex technical concepts to technical and semi-technical stakeholders.
• A desire to pursue training and certifications in information security & operational technologies as they evolve.
• Strong analytical, problem-solving skills, and project management skills.
• Superior verbal and written communication skills.
• Ability to interact effectively and professionally with a diverse group of employees throughout the organization.
• Ability to plan and complete multiple, diverse tasks and meet challenging deadlines.
• Able to clearly present complex technical information to committees, management, external regulators and industry associations.
• Candidates may be asked to complete a skills evaluation/assessment or objective based activity for demonstration remotely or in-person.

Nice To Haves

• Knowledge of OT networks, and traditional on-premises/utility infrastructure is a plus.

Responsibilities

• Regulatory & Business Compliance : Track compliance with NERC CIP standards (e.g., CIP-002 through CIP-014) and NIST frameworks (e.g., NIST 800-53, NIST CSF) for the protection of infrastructure & data.
• Risk Assessments : Catalog and document risk assessment findings for substations, control centers, and OT systems that will automate remediation and/or creation of compliance artifacts.
• Policy Lifecycle and Management : Integrate compliance policy requirements, procedures, and controls into digital workflows supporting subject matter experts with business processes and compliance artifacts.
• Audits and Reporting : Prepare for and support NERC CIP audit subject matter experts, including evidence collection, documentation, and response to audit findings.
• Awareness : Collaborate with NERC Compliance and Information Security to ensure adherence to current and future NERC CIP and NIST regulation/requirements, fostering a culture resilient to regulatory change.
• Incident Response : Collaborate with Information Security to scribe, document, and track the lifecycle of cybersecurity incidents, ensuring compliance with incident reporting obligations.
• System Monitoring : Monitor & correct the operational health of compliance data acquisition systems to ensure data quality and time bound accuracy.
• Continuous Improvement : Stay updated on evolving NERC CIP and NIST standards, recommending improvements to enhance compliance and security posture.
• Other duties as assigned.