Job Description:
• **Secure Remote Access Platform:** Identity-bound, MFA-protected access anchored at the OT DMZ / Purdue Level 3, with session brokering, just-in-time privilege, and policy enforcement designed for industrial environments.
• **Protocol-Aware Policy Authoring:** A Protocol Registry that maps OT protocol names (Modbus TCP, DNP3, IEC 61850, OPC-UA, EtherNet/IP) to port and transport defaults, making policy authoring OT-aware without changing the underlying enforcement model.
• **Evidence and Audit Baseline:** Structured access logs capturing user identity, target, session start/end, and outcome, forwardable to Splunk, Kinesis, Datadog, etc., supporting NERC CIP, IEC 62443, NIST SP 800-82, and CMMC audit requirements.
• **Session Governance:** Enforced session recording, keystroke logging, step-up authentication, and dual-authorization approval workflows for regulated and defense environments.
• **Asset Context Ingestion (Phase 2+):** API-based integration with OT visibility platforms (Dragos, Nozomi, Claroty) normalized into policy-ready attributes, without blocking access in the critical path.
• **Design and implement** backend services across AppGate's distributed architecture — Controller, Gateway, and Connector components — with a focus on OT-safe deployment patterns.
• **Build and maintain** REST and gRPC APIs supporting policy evaluation, access control, protocol registry management, and OT-specific system integrations.
• **Apply Zero Trust principles** to remote access for industrial assets, accounting for the safety, uptime, and determinism constraints of OT environments.
• **Integrate** with industrial protocols and OT asset types — PLCs, RTUs, HMIs, historians — running Modbus, DNP3, OPC-UA, Profinet, and EtherNet/IP.
• **Own features end-to-end,** from architecture through production deployment in real customer environments.
• **(Staff / Principal)** Define technical direction, lead architecture reviews, and support hiring as the OT engineering function scales.
Requirements:
• **Experience:** Hands-on background building or operating secure remote access systems — VPN, ZTNA, jump servers, privileged access, session brokers, or equivalent.
• **OT Domain Knowledge:** Direct experience in or with OT / ICS environments — manufacturing, energy, utilities, oil and gas, water, transportation, or defense.
• **Technical Fundamentals:**
  • Strong systems programming in Go, Rust, or a comparable language
  • Solid networking (TCP/IP, TLS, firewalls) and identity (SAML, OIDC, PKI) fundamentals
  • Familiarity with the Purdue Model and IT/OT DMZ design patterns
  • Working knowledge of OT protocols: Modbus, DNP3, OPC-UA, EtherNet/IP
• **Mindset:** High ownership, end-to-end accountability, comfortable in a small team where you solve problems before they become fires.
Benefits: