Cybersecurity / OT Security Engineer

Ryan Mahoney

Why this role is hard

Standard corporate security rules fall apart in active rail depots, so we look for people who know how to fix old controllers without interrupting train charging schedules. Top candidates will politely but firmly refuse unsafe setups while staying in constant touch with the maintenance staff. They accept that finding every device on site actually requires walking the floors instead of relying on automated scans. We quickly pass up anyone obsessed with flawless network isolation and keep the practical engineers who build reliable workarounds when the timetable leaves no room for downtime.

Core Evaluation

Critical questions for this role

The competency and attitude questions below are where the hiring decision is made. They run in the live interview rounds and are calibrated to the experience level chosen for the role (Junior in this example).

12 Competency Questions

  1. Discipline

    OT Security Engineering & Architecture

  2. Job requirement

    Asset Discovery & Vulnerability Management

    Executes passive asset discovery scans, catalogs device attributes, and applies vendor patches during approved maintenance windows.

  3. Expected at Junior

    Independently executes passive scans, catalogs device attributes, and coordinates patching during maintenance windows; directly accountable for >95% inventory accuracy and zero critical vulnerabilities.

Interview round: Hiring Manager Technical Deep Dive

Walk me through how you tracked and maintained an inventory of operational devices in a previous role.

Positive indicators

  • Uses passive scanning to avoid operational impact
  • Tracks device lifecycle and ownership
  • Establishes regular update cadence
  • Validates records with field technicians

Negative indicators

  • Relies solely on outdated manual spreadsheets
  • Ignores stale or decommissioned records
  • Uses active scanning in production environments
  • Fails to reconcile discrepancies

12 Attitude Questions


Active Listening

The disciplined practice of fully concentrating on, accurately interpreting, and retaining verbal and non-verbal input from operators, engineers, vendors, and stakeholders before formulating technical responses or design decisions. In OT and cybersecurity environments, it requires suspending inherent technical bias, actively capturing ground-level operational constraints, and synthesizing multidisciplinary feedback to ensure security architectures align with real-world safety protocols, production uptime, and organizational culture.

Interview round: Recruiter Fit & Baseline Alignment

How do you approach conversations with PLC operators to capture their workflow constraints before implementing new monitoring thresholds?

Positive indicators

  • Prioritizes operator input over assumptions
  • Validates constraints against real telemetry
  • Adjusts thresholds to match workflow capacity

Negative indicators

  • Dictates thresholds without consultation
  • Ignores documented operational limits
  • Relies solely on automated scanner defaults

Supporting Evaluation

How candidates earn the selection conversation

The goal is to reduce effort for everyone by collecting more useful signal before adding more interviews. Lightweight application prompts and structured screens help the panel focus live time on the candidates most likely to succeed.

Stage 1 · Application

Filter at the door

Runs the moment a candidate hits Submit. Disqualifying answers end the application; everything else is captured for review.

Video-Response Questions


Application Screen: Video Response

During a joint IT-OT coordination session for deploying new network segmentation controls at a transit depot, field technicians raise concerns about potential latency impacts on charging infrastructure. What specific steps would you take to address their operational constraints while ensuring compliance with security mandates, and how would you communicate the final decision to both engineering and maintenance teams?


Response time

2 min

Format

Recorded video

Stage 2 · Resume Screening

Read the resume against fixed criteria

Reviewers score every application that clears the door against the same criteria. Stronger reviews advance to live interviews; weaker ones are archived without further screening.

Resume Review Criteria

8 criteria

  • Demonstrates hands-on experience deploying zone-based firewall rules, access controls, and network isolation for industrial control systems in transit or charging facilities.
  • Shows experience running passive vulnerability scans, reviewing SIEM or IDS alerts, and triaging security findings on PLCs, SCADA, or charging infrastructure without disrupting operations.
  • Provides evidence of facilitating tabletop exercises, mapping threat models to operational scenarios, and compiling audit-ready documentation for regulatory or internal compliance.
  • Demonstrates implementation of hardened configurations, privileged session logging, and secure remote access policies for depot controllers or telematics endpoints.
  • Does the cover letter or personal statement convey clear relevance and familiarity with the job?
  • Does the resume indicate required academic credentials, relevant certifications, or necessary training?
  • Is the resume complete, well-organized, and free from formatting, spelling, and grammar mistakes?
  • Does the resume show relevant prior work experience?

Stage 3 · During Interviews

Where the hire is decided

Interview rounds use the competency and attitude questions outlined above, then add tests, work simulations, and presentations that reveal deeper evidence about how the candidate thinks and works.

Presentation Prompt

Walk us through your approach to implementing baseline IEC 62443 security controls on a depot SCADA controller for an electric bus charging network while balancing strict network segmentation with daily maintenance uptime requirements. Slides are optional; you may talk through your reasoning step-by-step.

Format

Approach walkthrough · 20 min · ~2 hr prep

Audience

Engineering leads and depot operations managers.

What to prepare

  • A brief outline of your diagnostic steps, segmentation strategy, and stakeholder communication plan.
  • Key assumptions about legacy PLC behavior and technician workflow constraints.

Deliverables

  • A 15-20 minute verbal walkthrough of your technical and operational reasoning.
  • Live Q&A defending your configuration choices against simulated depot manager objections.

Ground rules

  • Focus on your reasoning and past experience; do not use proprietary, classified, or client-specific artifacts from previous employers.
  • Slides are entirely optional; the evaluation focuses on your verbal reasoning and ability to navigate operational constraints.

Scoring anchors

Exceeds
Proactively frames the problem around safety and uptime tradeoffs, asks precise clarifying questions, and delivers a pragmatic, phased control rollout plan that anticipates field resistance.
Meets
Walks through a logical IEC 62443 implementation strategy, acknowledges maintenance constraints, and communicates clearly with operational stakeholders.
Below
Presents a theoretical compliance checklist without addressing depot-specific constraints, jumps to rigid technical mandates, or struggles to explain tradeoffs under questioning.

Response time

20 min

Positive indicators

  • Asks high-information clarifying questions about depot constraints before proposing solutions
  • Surfaces assumptions about legacy protocol behavior and maintenance window realities
  • Walks through step-by-step reasoning, explicitly mapping controls to operational impact
  • Demonstrates emotional empathy by validating technician friction before enforcing mandates

Negative indicators

  • Jumps to a rigid segmentation solution without scoping operational impact or latency risks
  • Ignores maintenance workflow realities and relies solely on compliance checklists
  • Fails to articulate clear escalation pathways for failed authentication or access bottlenecks
  • Uses unexplained technical jargon when addressing non-technical depot staff

Work Simulation Scenario

Scenario. You are an OT Security Engineer at a transit electrification scaleup. A newly commissioned electric bus depot has just been connected to the regional grid. The depot manager reports intermittent latency in the smart charging load-balancing system after the IT team deployed a new firewall. You've been asked to investigate and propose a segmentation strategy that satisfies IEC 62443-3-3 zone requirements without disrupting daily charging cycles. You have 40 minutes with an informed partner who knows the network topology, legacy PLC constraints, and recent changes.

Problem to solve. Diagnose the root cause of the latency, identify the segmentation boundary failures, and outline a pragmatic approach to re-zone the network that maintains charging uptime while meeting security compliance.

Format

Discovery interview · 40 min · ~2 hr prep

Success criteria

  • Ask targeted, high-information clarifying questions about network topology, traffic flows, and firewall rules.
  • Surface assumptions about legacy PLC latency tolerances before proposing changes.
  • Develop a phased segmentation approach that balances security mandates with operational uptime.
  • Clearly articulate escalation paths if compliance and operational requirements conflict.

What to review beforehand

  • IEC 62443-3-3 security zone concepts
  • Modbus/TCP and DNP3 protocol characteristics
  • Basic principles of OT/IT network segmentation and unidirectional gateways

Ground rules

  • Treat this as a live working session, not a presentation. You are driving the investigation.
  • Ask questions to gather missing context; do not assume network details.
  • Focus on your decision-making process and how you navigate tradeoffs, not on producing a final document.

Roles in scenario

Lead Control Systems Engineer (informed partner, played by a cross-functional team member)

Motivation. Wants charging cycles uninterrupted but recognizes compliance mandates.

Constraints

  • Legacy PLCs cannot handle deep packet inspection or high-throughput logging.
  • Budget for new hardware is frozen this quarter.
  • IT firewall rules are currently blocking legitimate broadcast traffic.

Tensions to introduce

  • Depot manager is pressuring for immediate firewall rollback.
  • Network topology documentation is partially outdated.
  • Latency thresholds for PLCs are not formally documented.

In-character guidance

  • Answer questions factually about the topology and PLC limits.
  • If asked about specific firewall rules or traffic flows, provide them.
  • Do not volunteer the solution; wait for the candidate to ask.

Do not

  • Do not coach the candidate on IEC 62443 standards.
  • Do not solve the segmentation design for them.
  • Do not withhold factual answers to direct questions about the network.

Scoring anchors

Exceeds
Systematically uncovers root cause through targeted questioning, validates constraints, and designs a pragmatic, phased segmentation strategy that explicitly balances security and uptime.
Meets
Asks relevant clarifying questions, identifies likely segmentation issues, and proposes a reasonable approach with some tradeoff awareness.
Below
Makes assumptions without verification, proposes disruptive or unfeasible solutions, or fails to navigate the ambiguity of the scenario effectively.

Response time

40 min

Positive indicators

  • Asks specific questions about traffic types, latency thresholds, and firewall rule impacts before proposing solutions.
  • Surfaces assumptions about legacy hardware constraints and validates them with the partner.
  • Proposes a phased, risk-aware segmentation plan that explicitly addresses uptime requirements.
  • Communicates technical tradeoffs clearly to a cross-functional partner without unnecessary jargon.

Negative indicators

  • Guesses at network topology or firewall misconfigurations without asking clarifying questions.
  • Proposes immediate, disruptive network changes without assessing operational impact.
  • Uses excessive security jargon without checking for shared understanding.
  • Freezes or defaults to generic compliance checklists when faced with ambiguous latency data.

Progression Framework

This table shows how competencies evolve across experience levels. Each cell shows competency at that level.

OT Security Engineering & Architecture

5 competencies

Competency · Junior · Mid · Senior · Principal

Asset Discovery & Vulnerability Management

  Junior: Executes passive asset discovery scans, catalogs device attributes, and applies vendor patches during approved maintenance windows.

  Mid: Develops continuous asset tracking pipelines, prioritizes vulnerabilities using OT-specific risk scoring, and orchestrates safe remediation campaigns without disrupting critical transit operations.

  Senior: Architects enterprise asset lifecycle frameworks, integrates vulnerability data into risk dashboards, and establishes SLAs for critical control system patching.

  Principal: Drives strategic investment in automated discovery platforms, shapes industry vulnerability disclosure standards for industrial IoT, and aligns asset security with business resilience.

Compliance, Risk & Cryptographic Governance

  Junior: Gathers compliance evidence, assists in risk register updates, and manages routine cryptographic certificate rotations.

  Mid: Conducts formal risk assessments, maps controls to regulatory frameworks, and implements enterprise PKI for OT device authentication across transit electrification assets.

  Senior: Develops comprehensive compliance programs, establishes risk acceptance thresholds, and designs cryptographic key lifecycle architectures for industrial transit systems.

  Principal: Shapes organizational risk appetite, influences regulatory policy development for critical infrastructure, and directs strategic investments in post-quantum cryptographic readiness.

Continuous Monitoring & Incident Response

  Junior: Monitors security dashboards, triages alerts against known baselines, and executes predefined containment steps during incidents.

  Mid: Tunes detection rules, correlates telemetry across IT/OT boundaries, and leads technical incident response for mid-severity OT events to maintain operational continuity.

  Senior: Designs centralized monitoring architectures, develops advanced incident playbooks, and coordinates cross-functional crisis response with transit operations teams.

  Principal: Defines enterprise threat hunting strategies, integrates predictive analytics into monitoring frameworks, and advises on national-level critical infrastructure incident coordination.

OT Network Segmentation & Protocol Security

  Junior: Implements baseline segmentation rules, configures protocol filters, and verifies network access controls under supervision.

  Mid: Designs optimized segmentation architectures, troubleshoots complex protocol anomalies, and leads deployment of hardened OT network zones across regional transit ecosystems.

  Senior: Defines enterprise-wide segmentation strategies, aligns network architecture with operational continuity requirements, and oversees cross-system integration across regional transit networks.

  Principal: Establishes long-term network security vision, drives adoption of zero-trust principles in industrial environments, and advises executive leadership on strategic risk posture.

Security Architecture & System Integration

  Junior: Assists in deploying security controls, validates configuration compliance, and documents integration procedures for standard OT systems.

  Mid: Architects secure integration patterns, conducts threat modeling for new OT deployments, and ensures backward compatibility with legacy control systems during IT/OT convergence.

  Senior: Develops enterprise reference architectures, standardizes secure integration frameworks across multiple facilities, and leads vendor security assessments for electrification initiatives.

  Principal: Drives industry-wide secure architecture standards, pioneers zero-trust OT integration models, and aligns system design with long-term digital transformation roadmaps.