
Senior/Staff/Principal SWE – OT Security Engineering
Posted May 11

This is a fully remote position, open to applicants in New York.
• **Secure Remote Access Platform:** Identity-bound, MFA-protected access established at the OT DMZ / Purdue Level 3, featuring session brokering, just-in-time privilege, and policy enforcement tailored for industrial settings.
• **Protocol-Aware Policy Authoring:** A Protocol Registry that correlates OT protocol names (Modbus TCP, DNP3, IEC 61850, OPC-UA, EtherNet/IP) with port and transport defaults, enabling policy authoring that is aware of OT without altering the underlying enforcement model.
• **Evidence and Audit Baseline:** Structured access logs that document user identity, target, session start/end, and outcome—capable of being forwarded to Splunk, Kinesis, Datadog, etc., thereby supporting NERC CIP, IEC 62443, NIST SP 800-82, and CMMC audit requirements.
• **Session Governance:** Implementation of enforced session recording, keystroke logging, step-up authentication, and dual-authorization approval workflows for regulated and defense environments.
• **Asset Context Ingestion (Phase 2+):** API-based integration with OT visibility platforms (Dragos, Nozomi, Claroty), normalized into policy-ready attributes, while ensuring access remains unblocked in critical pathways.
• **Design and implement** backend services across AppGate's distributed architecture—Controller, Gateway, and Connector components—with an emphasis on OT-safe deployment patterns.
• **Build and maintain** REST and gRPC APIs that facilitate policy evaluation, access control, protocol registry management, and OT-specific system integrations.
• **Apply Zero Trust principles** to remote access for industrial assets, taking into account the safety, uptime, and determinism constraints inherent in OT environments.
• **Integrate** with industrial protocols and OT asset types—PLCs, RTUs, HMIs, historians—operating Modbus, DNP3, OPC-UA, Profinet, and EtherNet/IP.
• **Own features end-to-end,** from architecture through production deployment in real-world customer settings.
• **(Staff / Principal)** Define the technical direction, spearhead architecture reviews, and assist in hiring as the OT engineering function expands.
• **Experience:** Practical experience in building or managing secure remote access systems—VPN, ZTNA, jump servers, privileged access, session brokers, or similar technologies.
• **OT Domain Knowledge:** Direct experience in or with OT / ICS environments—manufacturing, energy, utilities, oil and gas, water, transportation, or defense.
• **Technical Fundamentals:**
  • Strong systems programming skills in Go, Rust, or a similar language.
  • Solid understanding of networking (TCP/IP, TLS, firewalls) and identity (SAML, OIDC, PKI) fundamentals.
  • Familiarity with the Purdue Model and IT/OT DMZ design patterns.
  • Working knowledge of OT protocols: Modbus, DNP3, OPC-UA, EtherNet/IP.
• **Mindset:** A high degree of ownership, end-to-end accountability, and comfort in a small team where proactive problem-solving is essential.
• Competitive salary and performance-based bonuses.
• Comprehensive health, dental, and vision insurance.
• Flexible work hours and remote working opportunities.
• Professional development and continuous learning support.
• Inclusive and collaborative company culture.