Cyber Security Engineer Compliance

As the nations first statewide transmission only company VELCO manages the safe reliable cost-effective transmission of electric power throughout Vermont and as a part of the integrated New England regional network.

Why you should join our team

At VELCO we are committed to protecting our organizations data infrastructure and digital assets. Youll have the opportunity to directly impact VELCOs risk posture to keeping a safe reliable secure and compliant operating organization.

How you will make an impact

Youll be responsible for constructing systems that gather analyze and measure adherence to North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and National Institute of Standards and Technology (NIST) cybersecurity frameworks.

This role supports the secure operation of the utilitys business functions customer support systems and critical infrastructure including substations control centers and related operational technology (OT) systems.

The Cyber Security Engineer- Compliance will maintain enhance develop implement and monitor compliance controls risk assessment workflows and collaborate with NERC Compliance IT OT and Information Security teams to maintain regulatory compliance and enhance cybersecurity risk comprehension.

Responsibilities

• Regulatory & Business Compliance: Track compliance with NERC CIP standards (e.g. CIP-002 through CIP-014) and NIST frameworks (e.g. NIST 800-53 NIST CSF) for the protection of infrastructure & data.

• Risk Assessments: Catalog and document risk assessment findings for substations control centers and OT systems that will automate remediation and/or creation of compliance artifacts.

• Policy Lifecycle and Management: Integrate compliance policy requirements procedures and controls into digital workflows supporting subject matter experts with business processes and compliance artifacts.

• Audits and Reporting: Prepare for and support NERC CIP audit subject matter experts including evidence collection documentation and response to audit findings.

• Awareness: Collaborate with NERC Compliance and Information Security to ensure adherence to current and future NERC CIP and NIST regulation/requirements fostering a culture resilient to regulatory change.

• Incident Response: Collaborate with Information Security to scribe document and track the lifecycle of cybersecurity incidents ensuring compliance with incident reporting obligations.

• System Monitoring: Monitor & correct the operational health of compliance data acquisition systems to ensure data quality and time bound accuracy.

• Continuous Improvement: Stay updated on evolving NERC CIP and NIST standards recommending improvements to enhance compliance and security posture.

• Other duties as assigned.

Who you are

A Bachelors degree in Computer Science Cyber Security or related technical discipline. Equivalent work experience considered. Having relevant security certifications or the ability to obtain GIAC GCIP and/or GIAC GCCC is expected. A Masters degree may be substituted for some experience.

Knowledge/Skills

• Direct experience with NERC CIP standards and NIST frameworks is highly preferred.

• Familiarity with OT systems (e.g. SCADA PLCs) and utility operations.

• Familiarity with networking technologies operating systems regular expressions and API/Script based data acquisition methods.

• Experience with Tripwire Enterprise Sigma Flow Beacon or governance risk and compliance (GRC) tools with workflow and ability to dynamically retrieve data is highly preferred.

• Strong understanding of Information Security frameworks.

• A functional understanding of API and scripted data retrieval across various technologies.

• Proficiency with SQL Query languages

• Demonstrated ability to securely create and manage scripts for data acquisition

• Proficiency in risk assessment methodologies and cybersecurity tools.

• Excellent analytical problem-solving and documentation skills.

• Ability to communicate complex technical concepts to technical and semi-technical stakeholders.

• A desire to pursue training and certifications in information security & operational technologies as they evolve.

• Knowledge of OT networks and traditional on-premises/utility infrastructure is a plus.

• Strong analytical problem-solving skills and project management skills.

• Superior verbal and written communication skills.

• Ability to interact effectively and professionally with a diverse group of employees throughout the organization.

• Ability to plan and complete multiple diverse tasks and meet challenging deadlines.

• Able to clearly present complex technical information to committees management external regulators and industry associations.

**Candidates may be asked to complete a skills evaluation/assessment or objective based activity for demonstration remotely or in-person.**

Compensation Range:

This compensation range represents the minimum midpoint and maximum pay for this position. Individual offers will be based on various factors including but not limited to qualifications education skills competencies and experience. Please note that most offers for new employees fall under the midpoint of the range allowing room for continued salary growth. Base pay is just one component of our total compensation package which may also include comprehensive benefits generous paid time off and incentive compensation (bonus) potential.