Senior Cybersecurity Engineer at ON.energy

<div class="content-intro"><p>ON.energy is building the power infrastructure that makes the AI era possible. As AI demand surges past what the grid and traditional data centers can support, ON.energy provides a new class of power technology proven at gigawatt scale and trusted by the world’s leading cloud and AI companies. Our systems are already deployed across 2.5 GW of hyper-scale campuses, validated by top U.S. national labs, and certified for grid-safe operation by major utilities. With real products in the field, we’re scaling faster than the grid can, transforming power from a bottleneck into a competitive advantage for the companies building the future.</p></div><p>We are looking for a&nbsp;<strong>Senior Cybersecurity Engineer</strong>&nbsp;to architect and implement technical security controls for our grid-connected energy portfolio. As we scale our operations, we need a hands-on engineer to secure the entire data lifecycle - from the industrial control systems (OT) at the edge, through the cloud telemetry pipeline, to the corporate dashboards.</p> <p>This is a builder role. You will be responsible for deploying and managing our core security infrastructure - specifically&nbsp;<strong>Wazuh</strong>&nbsp;and&nbsp;<strong>Authentik</strong>&nbsp;- to secure our AWS environments and operational field assets. You will work directly with control systems engineers and DevOps teams to build security into our backbone.</p> <p><strong>Responsibilities will include:&nbsp;</strong></p> <p>Cloud &amp; Infrastructure Security</p> <ul> <li>Cloud Architecture: Secure the AWS infrastructure that hosts our energy management platforms. Implement hardening baselines and manage security groups for cloud resources</li> <li>SIEM &amp; Observability (Wazuh): Architect a centralized and on-prem SIEM deployment to ingest logs from CloudTrail, VPC Flow Logs, and Linux servers. Configure custom decoders to detect threats across both cloud and on-prem environments</li> <li>Infrastructure as Code (IaC): Review and secure Terraform/CloudFormation scripts. Manage security configurations (including Wazuh agents and Authentik outposts) via Ansible or similar automation tools</li> <li style="text-align: left;">IoT/Edge Security: Secure the telemetry pipeline from the edge device (site controller) to the cloud, ensuring encryption (TLS 1.2/1.3) and proper certificate management (PKI) for edge</li> </ul> <p>Identity &amp; Access Management (IAM)</p> <ul> <li>Unified IAM (Authentik): Architect Authentik as the central Identity Provider (IdP), enforcing MFA and SSO across cloud consoles, internal engineering tools, and Grafana dashboards</li> <li>Least Privilege: Engineer granular IAM roles for cloud resources and service accounts, ensuring that automated services have only the permissions necessary to function</li> </ul> <p>Operational Technology (OT) Security</p> <ul> <li>Network Segmentation: Design and implement IEC 62443-aligned network architectures (Purdue Model), strictly controlling traffic between the IT, Cloud, and OT zones</li> <li>Vulnerability &amp; Integrity Monitoring: Deploy Wazuh agents on industrial PCs and HMIs to perform File Integrity Monitoring (FIM) and vulnerability scanning without disrupting critical real-time processes</li> <li>Industrial Protocols: Analyze and secure communications (Modbus, DNP3) to ensure integrity between field assets and control centers</li> </ul> <p><br><strong>Requirements:</strong></p> <ul> <li>5–8 years&nbsp;of technical cybersecurity experience, with a specific blend of&nbsp;Cloud/Linux Engineering&nbsp;and&nbsp;OT/Industrial exposure</li> <li>Proven experience working with industrial control systems (ICS), SCADA, or utility/energy infrastructure</li> <li>Deep expertise in securing Linux-based cloud environments and managing infrastructure via code</li> <li>Comfortable debugging a failed Wazuh agent on a Linux server or tracing a dropped packet in a cloud VPC</li> <li>Tailoring flexible open-source tools to fit specific architectural needs rather than relying solely on "black box" commercial vendors</li> </ul> <p><strong>Technical stack proficiency:&nbsp;</strong></p> <ul> <li>Wazuh: Deep experience deploying managers/agents, writing custom rules/decoders, and tuning FIM/SCA modules for low-noise environments</li> <li>Authentik: Experience configuring Providers (OIDC, SAML), Outposts, and proxying legacy applications</li> <li>Cloud Platforms: Proficiency with AWS (GuardDuty, IoT Core, IAM) or Azure (Defender for IoT, Entra ID)</li> </ul> <p><strong>Preferred experience:</strong></p> <ul> <li>Experience with Docker/Kubernetes security in an edge computing context</li> <li>Knowledge of industrial protocols (Modbus TCP, DNP3, IEC 61850)</li> <li>Certifications: GICSP, GRID, AWS Certified Security – Specialty</li> </ul><div class="content-conclusion"><hr> <p><strong>For US-based roles - What you’ll get:</strong></p> <ul> <li>Competitive salary + annual performance-based bonus eligibility</li> <li>Medical, dental, and vision insurance</li> <li>401(k) with company match</li> <li>Paid time off and company holidays&nbsp;</li> </ul> <p><strong>For Mexico-based roles - What you’ll get:</strong></p> <ul> <li>Competitive salary + annual performance bonus eligibility</li> <li>Christmas Bonus (Aguinaldo): 30 days</li> <li>Major medical expenses and life insurance</li> <li>Paid time off and holidays (per local policy)</li> </ul> <p><strong>For all roles:</strong></p> <ul> <li>Professional development and growth opportunities</li> <li>Opportunity to grow with a mission-driven team shaping the future of clean energy</li> <li>Equal Opportunity: ON.energy is committed to equal employment opportunity and to maintaining a work environment free of harassment, discrimination, or retaliation.</li> <li>Accommodations: If you need an accommodation during the application process, email <a href="mailto:[email protected]">[email protected]</a></li> <li>Benefits vary by role and location and are subject to change.</li> </ul></div>