Principal SWE - OT Security Engineering

AppGate Cybersecurity, Inc.•New York, NY

About The Position

AppGate is seeking an OT Security Engineer (Senior / Staff / Principal) to design, build, and evolve the secure remote access capabilities at the core of AppGate's OT platform. This role involves working directly with the CTO and OT Technical Product Manager to bring secure remote access for OT from concept to production in real industrial environments, such as electric utilities, manufacturers, and defense programs. The company is open to candidates at the Senior level with deep OT remote-access experience, and at the Staff / Principal level who can lead architecture and mentor a growing team.

Requirements

Hands-on background building or operating secure remote access systems (VPN, ZTNA, jump servers, privileged access, session brokers, or equivalent).
Direct experience in or with OT / ICS environments (manufacturing, energy, utilities, oil and gas, water, transportation, or defense).
Strong systems programming in Go, Rust, or a comparable language.
Solid networking (TCP/IP, TLS, firewalls) and identity (SAML, OIDC, PKI) fundamentals.
Familiarity with the Purdue Model and IT/OT DMZ design patterns.
Working knowledge of OT protocols: Modbus, DNP3, OPC-UA, EtherNet/IP.
High ownership mindset.
End-to-end accountability.
Comfortable in a small team where you solve problems before they become fires.

Nice To Haves

Experience with OT/SRA/PAM platforms: Claroty, Dragos, Nozomi, Xona, Cyolo, Dispel, SSH PrivX OT, CyberArk, or BeyondTrust.
Exposure to IEC 62443, NIST SP 800-82, NERC CIP-005/007, or CMMC.
Background in safety-critical, regulated, or compliance-driven environments.
(Staff / Principal) Track record owning platform architecture and mentoring engineering teams.

Responsibilities

Design, build, and evolve secure remote access capabilities for AppGate's OT platform.
Develop a Secure Remote Access Platform featuring identity-bound, MFA-protected access anchored at the OT DMZ / Purdue Level 3, with session brokering, just-in-time privilege, and policy enforcement for industrial environments.
Create Protocol-Aware Policy Authoring using a Protocol Registry that maps OT protocol names to port and transport defaults.
Establish an Evidence and Audit Baseline with structured access logs for NERC CIP, IEC 62443, NIST SP 800-82, and CMMC audit requirements.
Implement Session Governance including enforced session recording, keystroke logging, step-up authentication, and dual-authorization approval workflows.
Integrate with OT visibility platforms via API for Asset Context Ingestion (Phase 2+).
Design and implement backend services across AppGate's distributed architecture (Controller, Gateway, Connector) with a focus on OT-safe deployment patterns.
Build and maintain REST and gRPC APIs for policy evaluation, access control, protocol registry management, and OT-specific system integrations.
Apply Zero Trust principles to remote access for industrial assets, considering safety, uptime, and determinism constraints of OT environments.
Integrate with industrial protocols and OT asset types (PLCs, RTUs, HMIs, historians) running Modbus, DNP3, OPC-UA, Profinet, and EtherNet/IP.
Own features end-to-end, from architecture through production deployment in customer environments.
(Staff / Principal) Define technical direction, lead architecture reviews, and support hiring as the OT engineering function scales.