Senior Product Security Architect

Job Description Summary

GE Vernova is seeking a highly skilled and experienced Senior Cyber Security Architect to join the Product Security team, focusing on the Wind portfolio of products. This role is responsible for conducting in-depth cyber security assessments of wind farm design and architecture at both the product and component levels. This include leading these assessments in accordance with GE Vernova’s Secure Development Lifecycle (SDL) process, aligned with IEC 62443-4-1, and reviewing applicable requirements outlined in IEC 62443-4-2 and IEC 62443-3-2 standards. The role involves collaboration with various subsystem teams to identify relevant products and execute these assessments.

This position reports to Wind's Product Security Leader, who oversees Wind's Product Security Team. The Product Security Team drives a product cyber security strategy aimed at meeting applicable standards and regulations while leading the industry towards more fundamentally secure wind farms.

Job Description Essential Responsibilities

- Perform security assessments, following the defined engineering processes, to discovery design flaws, vulnerabilities, weaknesses, and missing security controls and support the secure implementation of security features.

- Lead and conduct comprehensive cybersecurity assessments of wind turbine components, SCADA systems, Wind Farm software, and digital service platforms in accordance with IEC 62443-4-2 and IEC 62443-3-2 standards.

- Document security assessments with sufficient detail to underwrite the cyber security reviews.

- Represent the cyber security team in applicable design reviews and contribute for cyber security related milestones, deliverables, and/or tasks.

- Identify and document security vulnerabilities, risks, and non-conformities within products and systems.

- Develop recommendations for effective security controls and mitigation strategies to address identified risks.

- Collaborate closely with product development, engineering, and R&D teams to integrate security by design principles throughout the product lifecycle.

- Provide expert guidance on the interpretation and application of IEC 62443 series of standards (specifically IEC 62443-4-1 and IEC 62443-3-3) during the requirements definition and design phases.

- Perform threat modeling and risk assessments for new and existing products and features.

- Evaluate the security posture of industrial protocols commonly used in wind farms and other industrial control environments (e.g., Modbus TCP, DNP3, OPC UA, IEC 61850).

- Stay current with emerging product cyber security regulations, standards, threats, vulnerabilities, and technologies relevant to Wind and industrial control systems in general.

- Contribute to the development and improvement of internal product security processes and guidelines.

- Propose recommendation and facilitate discussion on high level wind-farm level security improvements that can be driven across subsystems.

- Work with product management and development teams to set the technical cyber security roadmap.

- Work with development teams to guide and ensure consistent adoption of the technologies, including security solutions (e.g., Antivirus).

- Together with the product teams, ensure the security features and architecture is aligned with the evolving cyber security regulations within the industry.

- Review customer facing documentation to align it with security best practices and the as-designed security requirements.

- Contribute to the development and improvement of internal product security processes and guidelines, including hardening guides.

- Support incident response activities related to product security vulnerabilities.

Required Qualifications

- Bachelor’s Degree from an accredited university in Engineering, Computer Science, Cybersecurity, Information Technology, or related field. Alternative acceptable experience will be considered on a case-by-case basis.

- Minimum 8 years of experience in cybersecurity with at least 3 years focused on industrial control systems (ICS), operational technology (OT), or product security.

Desired Characteristics

- Demonstrable in-depth knowledge and practical experience with the IEC 62443 series of standards, specifically:

- IEC 62443-4-2 (Technical security requirements for IACS components)

- IEC 62443-3-2 (Security risk assessment and system design)

- 62443-4-1 (Secure product development lifecycle requirements)

- Strong knowledge of cyber security best practices and frameworks (e.g., NIST CSF, OWASP top 10).

- Strong understanding of industrial communication protocols used in power generation, wind farms, SCADA systems, and other industrial environments (e.g., Modbus, DNP3, OPC [DA, AE, UA], IEC 61850).

- Demonstrated experience with Microsoft Windows and/or Linux operating systems including access and identity management, system hardening & device control, and patch management.

- Demonstrated knowledge and understanding cybersecurity solutions (e.g., Firewalls, antivirus, security incident and event management systems, intrusion detection systems, intrusion prevention systems), including experience providing installation/configuration recommendations.

- Knowledge of logging best practices.

- Experience using cyber security vulnerability tools (e.g., Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), or other weakness / vulnerability scanning tools).

- Familiarity with Industrial Automation and Control Systems products and components including PLCs, SCADA and DCS.

- Ability to work independently and collaboratively as necessary with a cross-functional team.

- Working knowledge of electrical power industry technology, preferably Renewables or Wind.

- Strong oral and written communication skills. Demonstrated ability to analyze and resolve problems.

- Demonstrated ability to lead, document, plan, market, and execute security assessments. Established project management skills.

- Master's degree in a relevant field.

- Wind Turbine product knowledge and/or SCADA product/cyber security knowledge.

- Knowledge and understanding of network cyber security practices.

- Familiarity with containerization technologies (Docker, Kubernetes) and associated security best practices.

- Cyber security certification (ex. GICSP, CEH, CCNA, CISSP).

- Experience with cloud security principles and practices.

- Experience with secure coding practices in any language.

- Experience with penetration testing and vulnerability assessment tools for OT environments.

- Familiarity with functional safety standards (e.g., IEC 61508) as they intersect with cybersecurity.

*The salary range for this position is $111,200 - $185,400 USD Annual. The specific salary offered to a candidate may be influenced by a variety of factors including the candidate’s experience, their education, and the work location. In addition, this position is eligible for a performance bonus/variable incentive compensation. This posting is expected to close on August 15th or thereafter.*

- The Company pays a geographic differential of 110%, 120% or 130% of salary in certain areas.

Healthcare benefits include medical, dental, vision, and prescription drug coverage; access to a Health Coach, a 24/7 nurse-based resource; and access to the Employee Assistance Program, providing 24/7 confidential assessment, counseling and referral services. Retirement benefits include the GE Retirement Savings Plan, a tax-advantaged 401(k) savings opportunity with company matching contributions and company retirement contributions, as well as access to Fidelity resources and planning consultants. Other benefits include tuition assistance, adoption assistance, paid parental leave, disability insurance, life insurance, and paid time-off for vacation or illness. General Electric Company, Ropcor, Inc., their successors, and in some cases their affiliates, each sponsor certain employee benefit plans or programs (i.e., is a “Sponsor”). Each Sponsor reserves the right to terminate, amend, suspend, replace, or modify its benefit plans and programs at any time and for any reason, in its sole discretion. No individual has a vested right to any benefit under a Sponsor’s welfare benefit plan or program. This document does not create a contract of employment with any individual.

GE Vernova offers a great work environment, professional development, challenging careers, and competitive compensation. GE Vernova is an Equal Opportunity Employer. Employment decisions are made without regard to race, color, religion, national or ethnic origin, sex, sexual orientation, gender identity or expression, age, disability, protected veteran status or other characteristics protected by law.

GE Vernova will only employ those who are legally authorized to work in the United States for this opening. Any offer of employment is conditioned upon the successful completion of a drug screen (as applicable).

Relocation Assistance Provided:

Yes