
Lead Consultant - Incident Response

Job in Abu Dhabi, UAE/Dubai
Listing for: CPX
Full Time position
Listed on 2026-06-11
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer, Network Security
Salary/Wage Range or Industry Benchmark: 200000 - 300000 AED yearly
Position: Lead Consultant - Incident Response (CPX)

Overview

As a Lead Incident Response – OT Cyber Security, you bring deep expertise in industrial control systems and a strong foundation in enterprise security to lead complex incident response engagements across OT and IT environments. The role involves conducting threat hunting, forensic investigations, and industrial protocol analysis to support safe containment and recovery, particularly within critical operational environments. Additionally, you will deliver technical reports and executive briefings, contribute to incident response playbooks, and support the continuous improvement of OT cybersecurity services.

Responsibilities
  • Act as the technical lead for IT and OT/ICS incident response engagements and support customers across industrial sectors (energy, utilities, manufacturing, oil & gas, transport).
  • Independently execute assigned tasks following an initial onboarding period, demonstrating accountability and technical ownership.
  • Conduct proactive threat hunting across IT and OT/ICS environments, including SCADA servers, historians, HMIs, and engineering workstations.
  • Perform host‑based and network‑based forensic investigations across OT and IT environments (Windows HMIs/EWS, Linux‑based SCADA systems, enterprise endpoints).
  • Analyze industrial network traffic and protocols (e.g., Modbus, DNP3, EtherNet/IP, OPC‑UA/DA, PROFINET, IEC 61850) to determine attack scope and root cause.
  • Lead and support digital forensic investigations (IT and OT), including evidence acquisition, artifact analysis, and timeline reconstruction.
  • Assess IT/OT segmentation, Purdue Model alignment, and DMZ configurations during incident scoping and post‑incident reviews.
  • Coordinate with operations, engineering, and safety teams to implement containment and recovery actions without impacting critical physical processes.
  • Provide expert guidance on OT security hardening, ICS architecture improvements, and defensive control enhancements.
  • Contribute to OT incident response playbooks, procedures, and documentation, driving continuous service improvement.
  • Produce detailed technical reports and executive briefings, effectively communicating findings to both technical and non‑technical stakeholders.
  • Demonstrate thought leadership through knowledge sharing, blog publication, and participation in industry forums.
  • Support on‑call incident response activities, including cross‑time‑zone engagements.
  • Mentor junior team members and contribute to a collaborative, high‑performance team culture.
Requirements
  • Strong understanding of OT/ICS architectures and the Purdue Reference Model (Levels 0–4).
  • Strong understanding of the IT incident response life cycle.
  • Hands‑on experience with industrial platforms, including PLCs (Siemens, Allen‑Bradley, Schneider), HMIs, DCS, RTUs, and SCADA systems.
  • Deep knowledge of industrial communication protocols, including Modbus TCP/RTU, DNP3, IEC 61850/60870, EtherNet/IP, OPC‑UA/DA, PROFINET, and BACnet.
  • Familiarity with Safety Instrumented Systems (SIS) and safety constraints during incident response operations.
  • Understanding of OT asset lifecycle challenges, including patching limitations, legacy systems, and operational constraints.
Technical Skills
  • Strong working knowledge of the MITRE ATT&CK for ICS framework.
  • Solid understanding of enterprise networking concepts, TCP/IP, and network architectures.
  • Proficiency in host‑based forensics across Windows and Linux systems.
  • Working knowledge of Active Directory, authentication systems, and Windows event logging.
  • Experience with network analysis tools (e.g., Wireshark, Zeek, Suricata, RITA).
  • Ability to perform log analysis across SIEM platforms and OT security monitoring solutions (e.g., Claroty, Dragos, Nozomi, Tenable OT).
  • Basic understanding of malware analysis techniques, including both static and dynamic approaches, with exposure to OT‑targeted malware.
  • Strong organizational and prioritization skills, with the ability to work independently in high‑pressure environments.
  • Excellent technical report writing and communication skills, delivering both detailed analysis and executive‑level summaries.
Qualifications
  • GIAC Global Industrial Cyber Security Professional (GICSP) – primary OT certification requirement.
  • GIAC Response and Industrial Defense (GRID) – highly desirable.
  • CREST Registered Intrusion Analyst (CRIA) or equivalent – desirable.
  • GIAC certified in a minimum of one IT discipline: GCIH, GCFE, GCFA, GNFA, GCIA, GDAT, or equivalent.
  • Any other certification with proven relevance to incident response and OT cybersecurity.
Minimum Experience

8 Years of experience in incident response, specifically in OT and IT environments.

Education

Bachelor’s degree in computer science or engineering is desirable but not mandatory.
