Senior/Staff/Principal SWE – OT Security Engineering

This is a fully remote position, open to applicants in New York.

📋 Description

• **Secure Remote Access Platform:** Identity-bound, MFA-protected access established at the OT DMZ / Purdue Level 3, featuring session brokering, just-in-time privilege, and policy enforcement tailored for industrial environments.

• **Protocol-Aware Policy Authoring:** A Protocol Registry that associates OT protocol names (Modbus TCP, DNP3, IEC 61850, OPC-UA, EtherNet/IP) with default ports and transport settings, enabling OT-aware policy authoring without altering the underlying enforcement framework.

• **Evidence and Audit Baseline:** Structured access logs that capture user identity, target, session start/end times, and outcomes - transferable to platforms such as Splunk, Kinesis, Datadog, etc., in compliance with NERC CIP, IEC 62443, NIST SP 800-82, and CMMC audit requirements.

• **Session Governance:** Compulsory session recording, keystroke logging, step-up authentication, and dual-authorization approval workflows tailored for regulated and defense environments.

• **Asset Context Ingestion (Phase 2+):** API-based integration with OT visibility platforms (Dragos, Nozomi, Claroty) that are normalized into policy-ready attributes without obstructing access in critical paths.

• **Design and implement** backend services throughout AppGate's distributed architecture — including Controller, Gateway, and Connector components — prioritizing OT-safe deployment methodologies.

• **Build and maintain** REST and gRPC APIs that support policy evaluation, access control, protocol registry management, and OT-specific system integrations.

• **Apply Zero Trust principles** to remote access for industrial assets, considering the safety, uptime, and determinism constraints inherent in OT environments.

• **Integrate** with industrial protocols and OT asset types — PLCs, RTUs, HMIs, historians — operating Modbus, DNP3, OPC-UA, Profinet, and EtherNet/IP.

• **Own features end-to-end,** from architectural design through production deployment in real-world customer settings.

• **(Staff / Principal)** Set technical direction, lead architecture evaluations, and assist in recruitment as the OT engineering function expands.

⛳️ Requirements

• **Experience:** Practical background in building or managing secure remote access systems — VPN, ZTNA, jump servers, privileged access, session brokers, or similar.

• **OT Domain Knowledge:** Direct experience within OT / ICS environments — including manufacturing, energy, utilities, oil and gas, water, transportation, or defense.

• **Technical Fundamentals:**

• Strong systems programming skills in Go, Rust, or a similar language.

• Solid foundational knowledge of networking (TCP/IP, TLS, firewalls) and identity (SAML, OIDC, PKI).

• Familiarity with the Purdue Model and IT/OT DMZ design patterns.

• Practical understanding of OT protocols: Modbus, DNP3, OPC-UA, EtherNet/IP.

• **Mindset:** A strong sense of ownership, end-to-end accountability, and comfort in a small team setting where proactive problem-solving is essential.

🏝️ Benefits

• Competitive compensation package.

• Opportunities for professional development and growth.

• Flexible working arrangements.

• Collaborative and innovative work environment.