Duration: 24 Months
Type: Hybrid (3 days onsite presence is required)
Vaccination: Mandatory (Weekly testing for exemptions)
Job Description
Serve as a part of an integrated team of engineers and Cybersecurity experts helping to expand the firm's operational technology (OT), industrial control system (ICS), and supervisory control and data acquisition (SCADA) Cybersecurity strategy practices. Consult with stakeholders on the secure design of ICS and SCADA environments, conduct Cybersecurity risk assessments, develop security documentation, and design and implement industrial Cybersecurity monitoring solutions. Work both remotely and onsite at various commercial, industrial, or government facilities. Perform onsite activities, including implementing Cybersecurity solutions or performing security assessment activities, such as physical security walks, observations, technical configuration reviews, and personnel interviews. Work across several industries, including water and wastewater, oil and gas, energy, manufacturing, and physical security.
Program and Technical Responsibilities
- Evaluate PANYNJ ICS information security policies, processes, and technical controls. Apply leading information security frameworks in an asset management system program.
- Ensure that business line units can maximize the functionality of ICS systems and devices in a wide variety of operating technology environments that include operations, health, safety and environmental systems.
- Develop and maintain an accurate inventory of PA ICS systems and devices, categories of criticality, system attributes and crucial information for the purpose of applying risk management controls.
- Work with business line units and PANYNJ network staff to conduct thorough and effective assessments and remediation strategies.
- Assess the robustness of cybersecurity architectures, technologies, and procedures being implemented within organizational facilities, especially oriented toward host-based and network-based environments.
- Serve as a resident PANYNJ TEC Department ICS SME for internal and external assignments and emergencies.
- Lead and execute industrial infrastructure vulnerability assessments, utilizing network monitoring systems to collect network traffic log data and security analytics methodologies to identify potential cyber threats and system gaps.
- Develop detailed risk assessment reports, which explain identified gaps in policies, describe potential business risks, and create prioritized recommendations with estimated costs and effort levels for remediation.
- Develop strategic and tactical objectives to include new ICS product and service offerings, identify additional business line unit needs, and generate program and project management plans.
- Assist with converting standalone ICS systems to interconnected devices where assessments have determined that functionality and security dictate regular and/or remote access.
- Assist with disconnecting ICS systems or devices where assessments have determined that functionality and security dictate isolation from external connections.
- Maintain knowledge of current security areas such as Auditing, Policy, Database Security, Firewall Design and Implementation, Threat Assessments, Risk Analysis, Identity Management, Access Management, and Data Storage Services.
- Solve complex digital and operational security problems facing Industrial Control Systems (ICS) used throughout the PA business line unit technology environment(s).
- Design comprehensive technical solutions that meet client requirements and implement the appropriate software to mitigate critical security risks (e.g., system and mobile antivirus software, encryption modules, patch management programs, insider threat protection, incident response plans, forensic capabilities, and regulation compliance).
- Provide comprehensive, skills-based training to organizational employees regarding protective ICS functionality and security measures and the understanding of proper maintenance of ICS systems and devices. Identify adequate Knowledge, Skills and Attributes for ICS personnel at each business unit.
- Secure cross-domain IT/OT communications and pathways by embedding the ICS team in ICS project development processes from planning through engineering, procurement, implementation, operations and maintenance.
Organizational Coordination Responsibilities
- As a function of standing up a complete ICS Asset Management Program, the successful candidate will be required to explain the risks and mitigation of the crucial ICS systems with other entities within the PANYNJ.
- Coordinate strategic, tactical and cooperative alignment between PA corporate support services and ICS team to optimize functionality of ICS systems; to include:
  - Department responsible to design, develop and implement ICS Disaster Recovery Plans, tabletop exercises and System Restoration Procedures.
  - Department responsible to design, develop and implement an ICS Cyber Incident Response Plan to isolate and collect evidence, preserve the chain-of-custody, and to conduct technical investigations pursuant to the OIG charter.
  - Department responsible to design, develop and implement total ICS loss scenarios, including calculations for optimal Recovery Point Objectives and Recovery Time Objectives for key business-related ICS systems.
  - Department responsible to ensure that PANYNJ RM function has adequately gauged precise ICS risk to the financial, reputational, operational and legal health of the PA.
  - Department responsible to develop an ICS/OT Internal Audit Program to include standard and non-standard audit principles based on ICS regulated asset audits and evidence documentation. To include detailed Findings and Recommendations, including remediation strategies.
  - Department responsible to design and develop workflow processes for the ICS team to work with engineering teams to ensure that unique feature sets of ICS systems and devices are based on accurately translated specifications when business requirements are converted into technical requirements.
  - Department responsible to design and develop processes to better manage ICS supply chain risk to include secure software development for firmware and custom operating systems, addressing obligations of parties with respect to required notifications; to map cyber incident liability distribution and to clarify ongoing cyber maintenance of procured devices and systems.
- Overall Background: 6 years as an OT/ICS/Client/SCADA security contributor and leader across multiple industrial critical infrastructure sectors.
- ICS Architecture: Minimum five (5) years' experience in assessing, planning, design, implementation, and maintenance of ICS Security environments.
- Regulatory Environment: Minimum five (5) years' experience with security frameworks such as IEC 62443, NIST SP 800-82, NERC-CIP, NEI 08-09, or other industrial control security frameworks.
- Required certification: Currently ACTIVE Certified Information Systems Security Professional (CISSP)
- May substitute for any two (2) of the following:
  - Certified Information Systems Auditor (CISA)
  - SCADAHacker Certification
  - ICS410: ICS/SCADA Security (ISC2)
  - Certified Information Security Law Specialist - Industrial (GLEG-I)
- Able to demonstrate a solid understanding of ICS infrastructure and industrial network monitoring and asset management solutions.
- Able to demonstrate an understanding of ICS Functional Design Specifications and Detailed Architectural Design Specifications.