Skip to main content

OT Network & Cybersecurity Engineer

Integration & Controls · Sacramento, CA (Hybrid)

Hiring Senior Engineer ZA-31013 Sacramento, CA (Hybrid) Hybrid Compensation discussed during final conversation

Why This Role Exists

Every IEC 61850 GOOSE message, every DNP3 poll, and every Modbus register read travels across an industrial Ethernet network that must be both reliable and secure. This role exists because PRP dual-star network design, IEC 62443 zone/conduit architecture, and OT-specific cybersecurity require an engineer who understands both network infrastructure and protection system communication requirements. You design and harden the OT network that carries protection traffic — VLAN segmentation, QoS for GOOSE prioritization, PRP failover, ACL enforcement, and standards alignment across IEC 62443, NERC CIP, NIST 800-82, and IEEE 1686.

What You Own

  • PRP dual-star network architecture: Cisco Catalyst 9500/IE-2000 topology, DANP endpoint assignments, QoS for GOOSE traffic
  • IEC 62443 zone/conduit design: security zone architecture, VRF/VLAN segmentation, ACL-based zone boundary control
  • OT network hardening: RBAC on RTACs/relays/switches/HMI, allow-listing policies, unused protocol disabling
  • Cybersecurity standards alignment: IEC 62443, NERC CIP (concepts), NIST SP 800-82, IEEE 1686 — hardening baselines per device type
  • Network monitoring integration: Nozomi or Claroty deployment for OT traffic visibility and anomaly detection
  • Logging and forensics architecture: SOE audit trails, time-synchronized logging to SIEM or dual historian

Systems You'll Touch

Vendor Platforms

Cisco SEL

Software Tools

Wireshark Nozomi Networks Claroty AcSELerator RTAC

Standards

IEC 62443 IEC 62439-3 (PRP/HSR) NERC CIP IEEE 1686 IEC 61850

Protocols

SNMP IRIG-B

What Success Looks Like

First 90 Days

  • Reviewed existing OT network architecture on an active project — topology, VLAN assignments, security posture
  • Produced a zone/conduit diagram or network hardening baseline for a protection network scope
  • Assessed PRP network configuration: dual-plane separation, GOOSE multicast delivery, failover readiness

First 180 Days

  • Owning OT network design scope on at least one project — PRP architecture, VLAN/VRF, QoS, ACLs
  • Cybersecurity alignment documentation delivered against IEC 62443 and at least one additional standard
  • Network hardening applied to RTACs, relays, and switches with RBAC and allow-listing verified

Required Background

  • 7+ years OT network engineering or cybersecurity for industrial control systems or critical infrastructure
  • Industrial Ethernet network design: VLAN/VRF segmentation, QoS, managed switch configuration (Cisco IE or equivalent)
  • IEC 62443 zone/conduit model implementation — security zone architecture, boundary enforcement
  • OT network hardening: RBAC, allow-listing, unused protocol disabling, device hardening baselines
  • Network protocol analysis: Wireshark for GOOSE, DNP3, Modbus, SNMP traffic
  • Understanding of PRP or HSR per IEC 62439-3 for redundant industrial Ethernet

Preferred Background

  • IEC 61850 GOOSE communication architecture awareness — QoS requirements for protection traffic
  • Nozomi Networks or Claroty deployment for OT monitoring
  • NERC CIP compliance mapping for power systems or adapted federal facility context
  • NIST SP 800-82 (ICS security) and IEEE 1686 (substation IED cybersecurity)
  • Cisco Catalyst 9500 and IE-2000 series switch configuration

What to Expect in the Field

Travel
20–40% for network deployment, commissioning support, and security assessments
Site Hours
Standard office hours for design; site hours during network deployment and PRP commissioning
Customer-Facing
Interface with prime contractor network engineers, facility IT/OT teams, and cybersecurity stakeholders
Documentation
Heavy — network architecture diagrams, zone/conduit documentation, hardening baselines, standards alignment matrices, ACL rule sets
Field Safety
Minimal direct electrical exposure; NFPA 70E awareness for switchgear-adjacent network equipment

Why Ziggurat

  • OT cybersecurity for protection networks — your security architecture protects the systems that protect the power infrastructure
  • PRP dual-star with IEC 61850 GOOSE in production — real zero-SPOF network design, not theoretical compliance
  • Multi-standard alignment (IEC 62443, NERC CIP, NIST, IEEE 1686) on every project — deep standards exposure
  • Small firm means your security architecture decisions shape the practice standard, not a corporate cybersecurity policy you inherit

Hiring Process

1

Screen

Background review against role requirements — vendor platform experience, relevant certifications, project types, and standards familiarity. Quick assessment of baseline alignment before investing either party's time.

Resume review + 15-min intro call

2

Technical Review

Deeper evaluation of technical depth. We review sample work — relay settings files, protection study reports, commissioning test procedures, or SCADA configuration packages — depending on the role. If samples aren't shareable, we discuss specific project scenarios in detail.

Async work-sample review or 45-min technical call

3

Interview

Scenario-based conversation with the principal engineer. Real project situations: how you'd approach a coordination study for a complex switchgear lineup, sequence a commissioning plan across multiple vendor platforms, or troubleshoot a protection scheme failure during site acceptance testing.

60-min video call with founder

4

Exercise / Artifact Review

A practical evaluation matched to the role. Engineering roles receive a take-home exercise — review and mark up a set of relay settings, identify gaps in a protection study, or develop a test procedure for a specific scheme. Field-focused roles walk through a commissioning package or test report they've delivered, explaining their methodology and decisions.

Take-home exercise (2–4 hrs) or artifact walkthrough (60 min)

5

Final Conversation

Role scope, current project pipeline, working arrangements, and compensation. This is a two-way conversation — we want to confirm the role fits your goals, not just the other way around.

30-min call

This role supports our cybersecurity and architecture design service scopes.

Questions about this role? Email us at careers@zigguratautomation.com

Not ready to apply?

Stay on our radar — we'll reach out when a role matches your background.

Let's Talk Engineering

Send your background.
First step: a 15-minute call with the principal engineer.

Apply See All Roles