OT SOC Analyst II

Date: Apr 2, 2026

Location: Houston, TX, US, 77002

Company: CenterPoint Energy

CenterPoint Energy and its predecessor companies have been in business for more than 150 years. 

 

Our Vision: Our vision is to become the most admired utility in the United States through the execution of our long-term growth strategy. We have an unwavering commitment to safely and reliably deliver electricity and natural gas to millions of people. 

 

Our Commitment: CenterPoint Energy is committed to creating an inclusive work environment where business results are achieved through the skills, abilities and talents of our diverse workforce.

At CenterPoint Energy, individuals are respected for their contributions toward our company objectives. We strive for an inclusive work environment across all levels that is reflective of the available workforce in the communities we serve. 

 

Job Summary

The OT SOC Analyst is responsible for monitoring, detecting, analyzing, and responding to cybersecurity events impacting Operational Technology (OT) and Industrial Control System (ICS) environments. This role performs advanced analysis of alerts and events generated by OT security monitoring platforms and SIEM/SOAR technologies, conducts investigations into suspicious activity, and escalates confirmed or potential incidents in accordance with established OT SOC playbooks and procedures.

 

The analyst will work closely with key stakeholders to protect critical infrastructure, maintain real-time visibility into OT network activity, and support the safety, reliability and continuity of operational systems.

Essential Functions

  • Perform continuous (24/7) monitoring of OT networks, systems, and devices, including SCADA systems, PLCs, RTUs, IEDs, and associated communications infrastructure. 
  • Analyze alerts, logs, and telemetry from OT security platforms and SIEM/SOAR solutions to identify anomalies, indicators of compromise (IOCs), and potential cyber threats. 
  • Conduct initial triage and investigation of detected events, determining scope, severity, and potential operational impact. 
  • Escalate confirmed or suspected incidents in accordance with OT SOC playbooks, incident classification criteria, and escalation procedures. 
  • Perform in-depth analysis of suspicious activity within OT environments, including log review, network traffic analysis, and correlation across multiple data sources. 
  • Support forensic analysis of impacted OT systems to assist in identifying root causes, attack paths, and contributing factors. 
  • Accurately document incidents, investigations, and response actions within organizational ticketing and case management systems. 
  • Provide timely notification of identified cybersecurity incidents or attempted compromises to appropriate stakeholders. 
  • Collaborate with OT SOC leadership and engineering teams to refine detection logic, improve SIEM/SOAR use cases, and enhance OT-specific playbooks. 
  • Participate in incident response activities, including coordination with operations, engineering, compliance, and external partners as required. 
  • Maintain awareness of emerging OT threats, vulnerabilities, and attack techniques relevant to electric utilities.

Education Description

Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Engineering, or a related technical field is preferred, or equivalent practical experience.

Experience

  • 1–3 years of hands-on Security Operations Center (SOC) experience, including alert triage, investigation, and incident escalation in an IT and/or OT environment.
  • Experience supporting OT cybersecurity or security operations within regulated critical infrastructure environments is highly desirable.
  • Hands-on experience configuring, tuning, and operating SIEM/SOAR platforms in an operational security environment.
  • Relevant certifications from Splunk and GIAC including GICSP, GRID, GCIP, GCIA or GCIH are highly desirable.
  • Demonstrated, hands-on experience with SIEM and SOAR platforms, preferably Splunk, including data correlation, workflow automation and dashboard creation. 
  • Experience supporting OT or ICS environments is strongly preferred, including exposure to SCADA, PLCs, RTUs, or related systems.
  • Experience working with OT passive monitoring and threat detection tools, such as Nozomi, Dragos, and Claroty.
  • Solid understanding of networking fundamentals, including TCP/IP, routing, firewalls, network segmentation, and common OT protocols such as Modbus and DNP3. 
  • Ability to analyze logs, network flows, and alerts to identify security-relevant events, and apply incident response principles, investigation techniques, and evidence handling practices. 
  • Familiarity with NERC CIP and TSA cybersecurity requirements and how security monitoring and incident response support regulatory obligations within OT environments. 
  • Strong analytical and communication skills, with attention to detail and the ability to clearly document findings and collaborate across technical and non-technical teams.

Physical Requirements

    Working Conditions

       

      We want you to know
      Being a part of the CenterPoint Energy team is more than a career alone. It's an opportunity to make a positive impact. You will be an integral part of enabling everyday life and the pursuit of possibilities for the customers we serve and the communities we share. The vital services we provide are at the core of making our world work, and by sharing your energy with us, we'll create a better tomorrow together. 

       

      What we bring to you

      • Competitive pay
      • Paid training
      • Benefits eligibility begins on your first day
      • Transit subsidies
      • Flexible work schedule, paid holidays and paid time off
      • Access to discounts at fitness clubs and an on-site wellness center at our headquarters in Houston
      • Professional growth and development programs including tuition reimbursement
      • 401(k) Savings Plan featuring a company match dollar-for-dollar up to 6% and a company contribution of 3% regardless of your contribution

       

      Job Type: Full Time 
      Posting Start Date: 04/02/2026
      Posting End Date: 04/17/2026


      This contractor and subcontractor shall abide by the requirements of 41 CFR §§ 60-1.4(a), 60-300.5(a), and 60-741.5(a). These regulations prohibit discrimination against qualified individuals based on their status as protected veterans or individuals with disabilities and prohibit discrimination against all individuals based on their race, color, religion, sex, sexual orientation, gender identity, or national origin. Moreover, these regulations require that covered prime contractors and subcontractors take affirmative action to employ and advance in employment individuals without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status or disability.



      Nearest Major Market: Houston