Role Definition
| Field | Value |
|---|---|
| Job Title | OT/ICS Security Engineer |
| Seniority Level | Mid-Level (3-7 years) |
| Primary Function | Secures operational technology environments — SCADA systems, PLCs, HMIs, RTUs, DCS, and safety instrumented systems (SIS). Designs and implements network segmentation based on the Purdue model, conducts vulnerability assessments of industrial control systems using OT-specific tools (Claroty, Nozomi Networks, Dragos), implements IEC 62443 and NERC CIP compliance programs, performs incident response on plant-floor systems, and physically inspects industrial environments. Bridges the gap between process engineering and cybersecurity. |
| What This Role Is NOT | NOT a general Security Engineer (IT-focused, scored 44.6 Yellow). NOT a Network Security Engineer (enterprise IT networks, scored 51.5 Green). NOT a Cloud Security Engineer (cloud-native, scored 49.9 Green). This role works with proprietary industrial protocols (Modbus, DNP3, EtherNet/IP, OPC UA), physically visits plants, and must understand process safety — entirely distinct from IT security. |
| Typical Experience | 3-7 years. Often progressed from control systems engineering, industrial automation, or IT security with OT cross-training. Certs: GICSP (SANS), ISA/IEC 62443, GRID, CISSP, CSSA. Deep familiarity with Purdue model, industrial protocols, and safety systems (IEC 61511) expected. |
Seniority note: Junior (0-2 years) would score lower Yellow/low Green — primarily running OT scanning tools and following playbooks. Senior/Principal (8+ years) would score deeper Green (~78-82) — owns OT security strategy for entire critical infrastructure programmes, makes safety-critical risk acceptance decisions.
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 2 | Regular physical plant-floor access required. Inspecting PLCs in substations, walking industrial environments, verifying air-gapped network segments, checking cabinet wiring. Semi-structured industrial environments with safety zones, hazardous areas, and physical access controls. 10-15 year protection. |
| Deep Interpersonal Connection | 1 | Significant cross-team collaboration with plant operators, process engineers, and safety teams who distrust IT-centric approaches. Must build trust with OT personnel to implement security without disrupting operations. Core value remains technical. |
| Goal-Setting & Moral Judgment | 2 | Makes safety-critical decisions — determines what security controls can be applied without disrupting safety instrumented systems. A wrong firewall rule on a safety PLC can kill people. Interprets IEC 62443 zones and conduits for specific plant configurations with no standard playbook. |
| Protective Total | 5/9 | |
| AI Growth Correlation | 1 | IT/OT convergence and Industry 4.0 increase the OT attack surface, driving demand. Not recursive like AI security, but every smart factory, connected pipeline, and IoT-enabled utility creates more OT security work. |
Quick screen result: Protective 5 + Correlation 1 = Likely Yellow Zone. Proceed to quantify — strong barriers and evidence may push Green.
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Secure OT network architecture (Purdue model, segmentation, DMZ design) | 25% | 2 | 0.50 | AUGMENTATION | Each plant is unique — legacy equipment, proprietary protocols, safety system constraints. AI can suggest reference architectures but cannot determine where to place conduits between zones in a specific facility with 30-year-old PLCs and custom SCADA configurations. The engineer decides. |
| Vulnerability assessment & risk analysis of ICS/SCADA/PLC/HMI | 20% | 2 | 0.40 | AUGMENTATION | OT vulnerability scanning requires understanding process impact — patching a PLC mid-production can cause $1M+ downtime or safety incidents. AI tools (Claroty, Nozomi) detect anomalies, but risk prioritisation requires understanding the physical process. You cannot score risk without knowing what the PLC controls. |
| IEC 62443 / NERC CIP compliance implementation | 15% | 3 | 0.45 | AUGMENTATION | AI can map controls to frameworks and gather compliance evidence. But interpreting zone/conduit requirements for a specific plant, determining security levels (SL-T) for each zone, and making risk acceptance decisions requires human judgment. The structured evidence-gathering portion is increasingly automatable. |
| Incident response for OT-specific threats | 15% | 2 | 0.30 | AUGMENTATION | OT IR is fundamentally different from IT IR. You cannot "isolate and remediate" a compromised PLC controlling a chemical process without understanding the physical consequences. Some response requires hands-on access to air-gapped systems. AI assists with log correlation but cannot make the "shut down the plant or keep running?" decision. |
| Configure & maintain OT security monitoring | 10% | 3 | 0.30 | AUGMENTATION | Tools like Claroty, Nozomi Networks, and Dragos handle baseline detection and anomaly alerts. Configuration and tuning still require understanding of normal OT traffic patterns (Modbus polling cycles, DNP3 sequences). Trending toward more automation. |
| Physical site assessments & field work | 10% | 1 | 0.10 | NOT INVOLVED | Walking plant floors, inspecting network cabinets, verifying physical segmentation, checking serial connections to legacy PLCs. Unstructured industrial environments with confined spaces, hazardous areas, and no remote access. AI is not involved. |
| Stakeholder engagement (plant operators, process engineers, safety teams) | 5% | 1 | 0.05 | NOT INVOLVED | Bridging the cultural gap between IT security and OT operations. Plant operators resist changes that could disrupt production. Building trust, explaining risk in operational terms, negotiating maintenance windows. Human relationship work. |
| Total | 100% | | 2.10 | | |
Task Resistance Score: 6.00 - 2.10 = 3.90/5.0
Displacement/Augmentation split: 0% displacement, 85% augmentation, 15% not involved.
Reinstatement check (Acemoglu): Yes — IT/OT convergence and Industry 4.0 create new tasks: securing IoT edge devices in industrial environments, implementing zero-trust for OT networks, integrating cloud SCADA platforms with on-premise safety systems, and validating AI-driven process control systems. The task portfolio expands as industrial digitalisation accelerates.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 2 | OT/ICS security postings surging well above 20% YoY. ZipRecruiter shows 60+ ICS/OT cyber roles at $80K-$231K as of Feb 2026. Indeed shows dedicated OT SCADA Security Engineer roles at $105K-$135K. SANS reports OT security as the fastest-growing cybersecurity sub-discipline. Demand far exceeds supply. |
| Company Actions | 2 | Major companies building dedicated OT security teams: Applied Materials, Siemens, Honeywell, Schneider Electric, utilities, oil & gas. Dragos raised $110M to address OT security. Claroty and Nozomi Networks expanding rapidly. CISA established dedicated ICS-CERT. No evidence of any company cutting OT security roles — acute talent shortage persists. |
| Wage Trends | 1 | Mid-level range $130K-$180K, strong growth above inflation. GICSP holders command $10K-$20K premium. Salaries growing faster than general cybersecurity but not yet at the surging premium level of AI security roles. Robert Half 2026 reports cybersecurity engineer salaries at $118K-$190K, with OT specialists at the upper end. |
| AI Tool Maturity | 2 | No viable AI tools exist for core OT security tasks. OT monitoring platforms (Claroty, Nozomi, Dragos) use ML for anomaly detection but cannot perform architecture design, risk assessment, or incident response for proprietary industrial protocols. Air-gapped systems, legacy serial connections, and safety-critical constraints make autonomous AI operation infeasible. The five robotics barriers (dexterity, safety certification, liability, cost, cultural trust) apply to physical plant work. |
| Expert Consensus | 2 | SANS ICS/OT surveys consistently rank talent shortage as the #1 challenge. Dragos Year in Review 2025: OT threat landscape expanding, human expertise irreplaceable. Gartner predicts 75% of OT security solutions will require human-in-the-loop by 2028. ISC2 2025: OT/ICS security among top-3 hardest-to-fill cybersecurity specialisms. Universal agreement that this role is protected. |
| Total | 9 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 2 | IEC 62443 mandates human security assessments for industrial automation. NERC CIP requires named responsible entities for bulk electric system cybersecurity. NIS2 (EU) expands mandatory cybersecurity for critical infrastructure operators. Nuclear facilities require security-cleared human personnel. These are legal mandates, not suggestions. |
| Physical Presence | 2 | Regular plant-floor access essential. Inspecting PLCs in substations, verifying air-gapped network segments, checking industrial cabinet wiring, working in hazardous classified areas. Unstructured industrial environments with confined spaces, explosive atmospheres (ATEX zones), and no remote access to air-gapped systems. Moravec's Paradox applies in full. |
| Union/Collective Bargaining | 0 | OT security engineers are typically non-unionised professionals. Some utility-sector roles have union adjacency but the security function itself is not collectively bargained. |
| Liability/Accountability | 2 | Safety-critical systems — incorrect security configurations on safety instrumented systems (SIS) can cause explosions, chemical releases, or loss of life. IEC 61511 (functional safety) requires human accountability for safety system modifications. Legal liability for critical infrastructure failures cannot be assigned to AI. Someone goes to prison if a security decision causes a plant incident. |
| Cultural/Ethical | 1 | Strong cultural resistance in industrial sectors to AI making safety-critical decisions. Plant operators and process engineers are deeply sceptical of IT-driven changes, let alone AI-driven ones. However, this is more operational conservatism than structural — it will erode slowly over 10+ years. |
| Total | 7/10 | |
AI Growth Correlation Check
Confirmed at 1 (Weak Positive). IT/OT convergence, Industry 4.0, and smart manufacturing expand the OT attack surface, driving demand for OT security engineers. Every connected sensor, cloud-integrated SCADA system, and IoT edge device creates more work. However, this is not the recursive dependency of AI security (where AI growth directly creates the need) — OT security demand is driven by digitalisation of industrial processes, which correlates with but is not caused by AI adoption specifically. This is Green (Transforming), not Green (Accelerated).
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 3.90/5.0 |
| Evidence Modifier | 1.0 + (9 x 0.04) = 1.36 |
| Barrier Modifier | 1.0 + (7 x 0.02) = 1.14 |
| Growth Modifier | 1.0 + (1 x 0.05) = 1.05 |
Raw: 3.90 x 1.36 x 1.14 x 1.05 = 6.3489
JobZone Score: (6.3489 - 0.54) / 7.93 x 100 = 73.3/100
Zone: GREEN (Green >= 48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 25% |
| AI Growth Correlation | 1 |
| Sub-label | Green (Transforming) — AIJRI >= 48 AND >= 20% of task time scores 3+ |
Assessor override: None — formula score accepted. The 73.3 sits logically between Enterprise Security Architect (71.1) and AI Security Engineer (79.3), reflecting the additional physical presence and safety-critical barrier protection that elevates OT/ICS security above most digital-only cybersecurity roles.
Assessor Commentary
Score vs Reality Check
The Green (Transforming) label at 73.3 is honest and well-supported. All four dimensions reinforce each other: high task resistance (3.90) driven by physical presence and safety-critical judgment, strong market evidence (9/10), unusually high barriers for a cybersecurity role (7/10 — second only to the Electrician at 9/10 among technical roles), and positive growth correlation. The barrier score is not doing the heavy lifting alone — task resistance alone would place this in Green. The barriers provide additional structural protection that is genuinely distinct from IT security roles.
What the Numbers Don't Capture
- Supply shortage confound. The extremely positive evidence is partly driven by an acute talent shortage — the intersection of industrial engineering knowledge and cybersecurity expertise is exceptionally rare. If training pipelines improve, evidence could soften from 9 to 6-7 without changing the zone.
- IT/OT convergence double-edge. As OT environments become more IT-like (cloud SCADA, IP-based protocols replacing serial), the distinct physical and protocol barriers that protect this role erode. A future where all OT is cloud-managed reduces the Physical Presence barrier from 2 to 0. This is a 10-15 year trajectory, not imminent.
- Vendor tool maturation. Claroty, Nozomi, and Dragos are rapidly improving their autonomous detection and response capabilities. The 25% of task time currently scoring 3 (compliance and monitoring) will likely expand to 35-40% within 3-5 years as these platforms mature.
Who Should Worry (and Who Shouldn't)
If you are an OT/ICS security engineer who regularly visits plant floors, designs Purdue model segmentation for unique industrial environments, makes safety-critical risk decisions, and understands industrial protocols at the packet level — you are in one of the most protected positions in cybersecurity. The combination of physical presence, safety liability, and proprietary protocol expertise creates a triple barrier that AI cannot bypass.
If you primarily configure OT monitoring dashboards remotely and run vendor scanning tools without understanding the underlying process engineering — you are in a weaker position. The monitoring and compliance portions of OT security are automating at the same pace as IT security. The engineers who survive are those who can walk a plant floor and explain to a process engineer why their PLC firmware needs updating without shutting down production.
The single biggest factor: hands-on industrial knowledge. The $180K+ roles go to engineers who understand both the cyber and the physical — who know what a PLC does, why you cannot reboot it, and what happens downstream if it fails.
What This Means
The role in 2028: The OT/ICS Security Engineer of 2028 will manage security for increasingly connected industrial environments — cloud SCADA, 5G-connected sensors, digital twins. AI-powered monitoring platforms will handle baseline anomaly detection, freeing engineers to focus on architecture design for hybrid IT/OT environments, safety system security assessments, and incident response for sophisticated attacks on critical infrastructure. The physical plant-floor component persists. Demand will be higher than today.
Survival strategy:
- Deepen industrial protocol expertise. Modbus, DNP3, EtherNet/IP, OPC UA at the packet level. This is the moat AI cannot cross — proprietary, undocumented, and context-dependent.
- Get IEC 62443 certified. The ISA/IEC 62443 Cybersecurity Certificate Program (CSCP) and GICSP are becoming mandatory for serious OT security roles as regulatory enforcement tightens globally.
- Bridge IT and OT fluency. The highest-value engineers understand both worlds — cloud security architecture AND safety instrumented systems. Master the Purdue model AND zero-trust principles.
Timeline: This role strengthens over the next 5-10+ years. The driver is critical infrastructure digitalisation — every smart grid, connected pipeline, and automated manufacturing plant needs OT security. The physical presence requirement provides a 10-15 year structural floor that digital-only roles lack.