Cyber Security Engineer - Compliance

As the nation’s first statewide, “transmission only” company, VELCO manages the safe, reliable, cost-effective transmission of electric power throughout Vermont and as a part of the integrated New England regional network.

Why you should join our team

At VELCO, we are committed to protecting our organization’s data, infrastructure and digital assets. You’ll have the opportunity to directly impact VELCO’s risk posture to keeping a safe, reliable, secure and compliant operating organization.

How You Will Make An Impact

You’ll be responsible for constructing systems that gather, analyze and measure adherence to North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and National Institute of Standards and Technology (NIST) cybersecurity frameworks.

This role supports the secure operation of the utility’s business functions, customer support systems, and critical infrastructure, including substations, control centers, and related operational technology (OT) systems.

The Cyber Security Engineer- Compliance will maintain, enhance, develop, implement, and monitor compliance controls, risk assessment workflows, and collaborate with NERC Compliance, IT, OT, and Information Security teams to maintain regulatory compliance and enhance cybersecurity risk comprehension.

Responsibilities

- Regulatory & Business Compliance: Track compliance with NERC CIP standards (e.g., CIP-002 through CIP-014) and NIST frameworks (e.g., NIST 800-53, NIST CSF) for the protection of infrastructure & data.

- Risk Assessments: Catalog and document risk assessment findings for substations, control centers, and OT systems that will automate remediation and/or creation of compliance artifacts.

- Policy Lifecycle and Management: Integrate compliance policy requirements, procedures, and controls into digital workflows supporting subject matter experts with business processes and compliance artifacts.

- Audits and Reporting: Prepare for and support NERC CIP audit subject matter experts, including evidence collection, documentation, and response to audit findings.

- Awareness: Collaborate with NERC Compliance and Information Security to ensure adherence to current and future NERC CIP and NIST regulation/requirements, fostering a culture resilient to regulatory change.

- Incident Response: Collaborate with Information Security to scribe, document, and track the lifecycle of cybersecurity incidents, ensuring compliance with incident reporting obligations.

- System Monitoring: Monitor & correct the operational health of compliance data acquisition systems to ensure data quality and time bound accuracy.

- Continuous Improvement: Stay updated on evolving NERC CIP and NIST standards, recommending improvements to enhance compliance and security posture.

- Other duties as assigned.

Who You Are

A Bachelor’s degree in Computer Science, Cyber Security or related technical discipline and at least 3 years experience required. Equivalent work experience considered. Having relevant security certifications or the ability to obtain GIAC GCIP and/or GIAC GCCC is expected. A Master’s degree may be substituted for some experience.

Knowledge/Skills

The practicing Cyber Security Engineer will typically have 2 – 7 years’ relevant experience.

- 3+ years of experience in regulatory compliance, information technology and/or cybersecurity.

- Direct experience with NERC CIP standards and NIST frameworks is highly preferred.

- Familiarity with OT systems (e.g., SCADA, PLCs) and utility operations.

- Familiarity with networking technologies, operating systems, regular expressions, and API/Script based data acquisition methods.

- Experience with Tripwire Enterprise, Sigma Flow Beacon, or governance risk and compliance (GRC) tools with workflow and ability to dynamically retrieve data is highly preferred.

- Strong understanding of Information Security frameworks.

- A functional understanding of API and scripted data retrieval across various technologies.

- Proficiency with SQL Query languages

- Demonstrated ability to securely create and manage scripts for data acquisition

- Proficiency in risk assessment methodologies and cybersecurity tools.

- Excellent analytical, problem-solving, and documentation skills.

- Ability to communicate complex technical concepts to technical and semi-technical stakeholders.

- A desire to pursue training and certifications in information security & operational technologies as they evolve.

- Knowledge of OT networks, and traditional on-premises/utility infrastructure is a plus.

- Strong analytical, problem-solving skills, and project management skills.

- Superior verbal and written communication skills.

- Ability to interact effectively and professionally with a diverse group of employees throughout the organization.

- Ability to plan and complete multiple, diverse tasks and meet challenging deadlines.

- Able to clearly present complex technical information to committees, management, external regulators and industry associations.

Candidates may be asked to complete a skills evaluation/assessment or objective based activity for demonstration remotely or in-person.

Compensation Range

$89,704.89 - $107,652.48 - $125,594.56/salary

This compensation range represents the minimum, midpoint and maximum pay for this position. Individual offers will be based on various factors including, but not limited to, qualifications, education, skills, competencies, and experience. Please note that most offers for new employees fall under the midpoint of the range, allowing room for continued salary growth. Base pay is just one component of our total compensation package, which may also include comprehensive benefits, generous paid time off and incentive compensation (bonus) potential.

Important Considerations

- Visit Velco.com for additional information on VELCO culture, benefits, and the recruiting process.

- We are an equal opportunity employer, and ALL qualified applicants will receive consideration for employment without regard to race, color, religion, sex, national origin, disability status, protected veteran status, or any other characteristic protected by law. Eligible applicants must be authorized to work in the United States.

- VELCO is handling all aspects of talent acquisition internally and will not engage the services of third-party staffing agencies, recruiters, or headhunters. We kindly request that these entities refrain from contacting us.

- Any offer of employment will be contingent upon successful reference check, background check (including social media check), physical examination, drug screening.

If you need an accommodation as part of the application or interview process, please send a request to careers@velco.com