OT SOC Detection Engineer

Job Summary

The OT SOC Detection Engineer is responsible for enhancing and maintaining cybersecurity detection capabilities across Operational Technology (OT) and Industrial Control System (ICS) environments. This role focuses on the design, development, implementation, and continuous improvement of detection rules, analytics, and automated workflows to identify and respond to cyber threats targeting critical infrastructure.

The engineer will work closely with key stakeholders to protect critical infrastructure, maintain real-time visibility into OT network activity, and support the safety, reliability and continuity of operational systems.

Essential Functions

• Design, develop, implement, and maintain OT-specific detection rules, analytics, and signatures within SIEM and SOAR platforms. 
• Engineer and tune detection logic using network telemetry, and OT monitoring data to identify anomalous behavior, indicators of compromise (IOCs), and threat activity within ICS environments.  Integrate and optimize data ingestion from OT security platforms, network devices, and control system assets to improve detection coverage and fidelity. 
• Collaborate with OT SOC analysts to refine alert logic, reduce false positives, and ensure detections are actionable and operationally safe. 
• Develop and maintain SOAR workflows to automate alert enrichment, contextualization, and response actions in accordance with OT SOC playbooks and approval requirements. 
• Perform root-cause analysis on missed detections or detection gaps and implement corrective improvements. 
• Support incident response activities by providing detection context, analytics, and technical expertise during investigations. 
• Maintain documentation for detection logic, analytics, and automation workflows, including rationale, data sources, and dependencies. 
• Partner with OT engineering, operations, IT security, and compliance teams to ensure detection capabilities align with operational constraints and regulatory expectations. 
• Maintain awareness of emerging OT threats, attack techniques, and adversary behaviors relevant to industrial and critical infrastructure environments.

Education Description

• Bachelor’s degree in Cybersecurity, Computer Science, Information Technology, Engineering, or a related technical field is preferred, or equivalent practical experience.

Experience

• 3–5 years of experience in cybersecurity detection engineering, SOC engineering, or security operations roles, with a strong focus on detection development and analytics.
• Extensive hands-on experience with SIEM and SOAR platforms, preferably Splunk, including the design and implementation of automated workflows, data models, and operational dashboards.   
• Experience supporting OT or industrial control system environments is strongly preferred, including exposure to SCADA, PLCs, RTUs, or related systems. 
• Experience configuring OT passive monitoring and threat detection tools, such as Nozomi, Dragos, and Claroty. 
• Solid understanding of networking fundamentals, including TCP/IP, routing, firewalls, network segmentation, and common OT protocols such as Modbus and DNP3. 
• Familiarity with NERC CIP and TSA cybersecurity requirements and how detection engineering and monitoring support regulatory obligations within OT environments. 
• Strong analytical and communication skills, with attention to detail and the ability to clearly document detection logic and collaborate across technical and non-technical teams. 
• Experience supporting OT cybersecurity, detection engineering, or security operations within regulated critical infrastructure environments is highly desirable. 
• Hands-on experience designing, tuning, and maintaining SIEM and SOAR detections in an operational security environment. 
• Relevant Splunk SIEM/SOAR and GIAC certifications, including GICSP, are highly desirable.

Physical Requirements

Working Conditions