Product Security Engineer

AutomationDirect.com, Inc., Cumming, GA

About The Position

Work with AutomationDirect’s Cyber Security Manager and internal/external Product Development Teams to support the secure development of industrial automation products through vulnerability analysis, penetration testing, and risk assessments aligned with ISA/IEC 62443 secure product development lifecycle principles and NIST risk management and control frameworks applicable to embedded and cyber-physical systems. This role is focused on industrial product security testing and secure product development, not enterprise IT infrastructure assessment. The selected candidate will support the identification, validation, documentation, and mitigation of product-level vulnerabilities within PLCs, embedded controllers, communication modules, industrial communication stacks, and associated engineering software.

Requirements

  • Bachelor’s Degree in Information Technology, Information/Security Assurance, Computer Science, Engineering or related field of study preferred, or any combination of relevant equivalent experience, education, and training
  • 2 – 4 years of experience required in one or more of the following: Embedded system testing, Product Security testing, Industrial control systems, Network protocol analysis, and Firmware or device communications debugging
  • Fundamental knowledge of networking (TCP/IP, UDP) required
  • Ability to perform vulnerability analysis beyond automated scanning tools required
  • Familiarity with risk-based security evaluation methodologies required. NIST RMA concepts preferred
  • Ability to produce structured technical documentation suitable for audit and compliance review required
  • Willingness to pursue security certifications (such as GSEC, GCIA or similar) required

Nice To Haves

  • Experience with scripting (Python, JavaScript or other similar) preferred
  • Experience using Wireshark for packet capture and TCP/UDP packet analysis preferred
  • Familiarity with TLS implementations used with HTTPS, MQTTS, STARTTLS and related certificate management (helpful for product enhancement and future development) preferred
  • Experience with security tools (Nmap, ncat, OWASP ZAP, etc.) and protocol fuzzing frameworks preferred
  • Experience with Industrial Communication protocols, USB and serial device communication, Debug interfaces (UART/JTAG), firmware extraction and basic reverse engineering concepts preferred
  • Experience in Operational Technology (OT) or industrial automation environments desired
  • Experience in manufacturing, energy, utilities, or process-control systems desired
  • Familiarity with ISA/IEC 62443 product certification concepts desired
  • Knowledge of NIST SP 800-82 Industrial Control Systems guidance desired
  • Experience applying CVSS scoring within safety-relevant or availability-sensitive environments desired
  • Participation in secure product lifecycle audits or compliance assessments desired

Responsibilities

  • Perform structured penetration testing and security evaluations of industrial automation products including: PLCs, Embedded controllers, Field communication modules, Engineering/configuration software, and Industrial protocol implementations (e.g., EtherNet/IP, Modbus/TCP, EtherCAT)
  • Conduct vulnerability validation and root-cause analysis for internally discovered or externally disclosed issues in accordance with: ISA/IEC 62443-4-1 secure development practices, NIST SP 800-30 Risk Assessment methodology, and MITRE CWE classification guidance
  • Utilize common industrial cybersecurity testing and evaluation tools, including but not limited to: Network and protocol analysis tools (Wireshark, tcpdump), Network discovery and enumeration tools (Nmap), Application and API testing tools (OWASP ZAP, Burp Suite), Industrial protocol testing frameworks, Fuzzing tools (network and protocol-level), USB and serial traffic analysis tools, and Static and dynamic analysis tools where applicable
  • Evaluate product vulnerabilities for impact to: System Integrity, Resource Availability, Enforcement of Access Control, and Safety-relevant operational behaviors
  • Coordinate with development teams to: Communicate technical risk in an industrial-system context, Support remediation strategy development, and Verify mitigation effectiveness through regression testing
  • Assist in secure design reviews of: Authentication mechanisms, Industrial protocol implementations, Firmware update processes, and Device communications stacks
  • Document findings clearly and thoroughly as part of Secure Development Lifecycle Assurance (SDLA) activities, including: Root cause analysis, Risk classification, Remediation validation evidence, Security test case development, and Traceability to product security requirements
  • Contribute to the development and refinement of internal product-security testing methodologies aligned with: ISA/IEC 62443, NIST Secure Software Development Framework (SSDF), and NIST SP 800-82 (Industrial Control Systems Security)