
Principal OT/ICS Cybersecurity Engineer

Job in Oak Ridge, Anderson County, Tennessee, 37830, USA
Listing for: Oak Ridge National Laboratory
Full Time position
Listed on 2026-02-16
Job specializations:
  • IT/Tech
    Cybersecurity, Systems Engineer, Network Security
Salary/Wage Range or Industry Benchmark: 100000 - 125000 USD Yearly
Job Description & How to Apply Below

We are seeking a Cybersecurity Operational Technology (OT) Engineer to support the protection, monitoring, and modernization of OT and Industrial Control System (ICS) environments within the Cybersecurity Division’s Cyber Enhancements Group. This role is responsible for engineering, operating, and enhancing OT cybersecurity capabilities to improve visibility, detection, and response across industrial and research control systems while ensuring alignment with applicable regulatory and compliance requirements.

In this role, the engineer will focus on maintaining and advancing OT security monitoring platforms, supporting threat detection and response activities, collaborating with operations teams to modernize legacy ICS environments, and developing standardized processes for monitoring, investigating, and responding to OT-related cyber events. The position works closely with Defensive Cyber Operations, Cyber Policy & Risk Management, Networking, Platform Services, and OT system owners to ensure secure architecture, effective monitoring, and continuous improvement of OT cybersecurity posture.

This position resides in the Cyber Enhancements Group within the Cybersecurity Division of the Information Technology Services Directorate at Oak Ridge National Laboratory (ORNL).

Major Duties/Responsibilities
  • Serve as the primary technical authority and program owner for the OT/ICS cybersecurity strategy, roadmap, and maturity model aligned with laboratory mission and DOE requirements
  • Own the architecture, implementation, and continuous improvement of OT security monitoring platforms (e.g., Nozomi, Dragos), including alert triage, tuning, use-case development, and integration with enterprise detection and response processes
  • Establish and maintain laboratory-wide standards, processes, and playbooks for OT cybersecurity monitoring, incident response, threat hunting, and post-incident analysis
  • Lead OT-specific threat detection, investigation, and response activities in coordination with Defensive Cyber Operations and relevant SMEs, ensuring safe containment strategies appropriate for control systems
  • Collaborate with OT system owners and engineering teams to modernize legacy ICS environments, including network segmentation, secure architecture design, device inventory, registration, and patching programs
  • Assist with risk assessments, root cause analysis, and long-term remediation planning for OT cybersecurity events, vulnerabilities, and architectural gaps
  • Interpret and apply applicable standards and requirements for OT environments
  • Serve as key interface between OT operations, cybersecurity governance, compliance, and audit activities, including preparation of documentation, risk artifacts, and technical briefings
  • Guide integration of OT cybersecurity tooling and workflows with SIEM, SOAR, EDR, and endpoint protection platforms
  • Utilize EDR tools to help develop detection rules, investigate threats, and resolve alerts
  • Collaborate to create and test threat hunting hypotheses and perform proactive detection activities
  • Review and provide guidance on secure design approaches for OT systems and interfaces with enterprise IT and research networks
  • Participate in penetration testing activities and cybersecurity exercises where appropriate
  • Mentor and provide technical guidance to engineers and analysts supporting OT cybersecurity capabilities
  • Prepare technical reports, metrics, findings, and briefings for laboratory leadership and authorized stakeholders
Basic Qualifications
  • BS in computer science, cybersecurity, or a related field with a minimum of eight years of relevant professional experience in OT/ICS cybersecurity, industrial control systems, or critical infrastructure environments
  • Demonstrated experience owning or leading cybersecurity capabilities, architectures, or programs, not solely operating tools
  • Strong knowledge of OT/ICS security principles, including secure architecture, segmentation, monitoring, and incident response
  • Ability to interpret and apply regulatory standards such as NERC CIP, DOE cybersecurity directives, and other industry-specific compliance frameworks
  • Proficiency in network protocols (TCP/IP, UDP) and industrial protocols such as Modbus, DNP3, OPC UA, IEC 61850, and others
  • Knowledge of secure architecture principles for ICS/SCADA systems and segmented network design
  • Experience with SIEM platforms (Elastic, Splunk) and Endpoint Detection and Response (EDR) tools for host security monitoring
  • Demonstrated ability to analyze OT security events and articulate detection, response, and remediation approaches across operational scenarios
Preferred Qualifications:
  • A master’s degree in computer science, cybersecurity, or a related discipline
  • Four (4) or more years of experience supporting OT, ICS, or cyber operations in industrial or critical infrastructure environments
  • Industry certifications such as GRID (SANS) certifications in Control Systems
  • Active DOE Q or Top-Secret clearance
  • Experience with SOAR development to improve metrics,…