Security Analyst (OT SOC)
About Gruve
Gruve is an innovative software services startup dedicated to transforming enterprises to AI powerhouses. We specialize in cybersecurity, customer experience, cloud infrastructure, and advanced technologies such as Large Language Models (LLMs). Our mission is to assist our customers in their business strategies utilizing their data to make more intelligent decisions. As a well-funded early-stage startup, Gruve offers a dynamic environment with strong customer and partner networks.
Position summary:
We are seeking a skilled Security Analyst (OT SOC) to join our OT Security Operations Center. The ideal candidate will have 3 - 6 years of experience in OT/ICS cybersecurity monitoring and incident investigation, with hands-on exposure to industrial environments such as ICS, SCADA, PLC, RTU, and HMI ecosystems. The analyst will act as the primary escalation point from L1, perform advanced monitoring and triage, support Nozomi and SIEM operations, assist integrations and deployments, and deliver high-quality customer support and reporting while safeguarding safety-critical industrial operations.
Key Roles & Responsibilities:
1. Security Monitoring and Incident Triage
Monitor OT and IT security alerts across SIEM and OT visibility platforms such as Splunk, QRadar, Sentinel, FortiSIEM, Elastic, and Nozomi Guardian.
Validate suspicious activities, correlate security events, monitor industrial communications, and track abnormal asset behavior in ICS/SCADA environments.
Escalate confirmed incidents with complete evidence, business impact, and recommended next actions.
2. Incident Investigation and Analysis
Investigate OT security alerts, malware indicators, unauthorized changes, policy violations, and suspicious network behavior affecting PLCs, RTUs, HMIs, historians, and engineering workstations.
Perform packet analysis using Wireshark, validate indicators of compromise, identify lateral movement, and support containment and recovery activities under defined runbooks.
3.SIEM, Nozomi, and Detection Administration
Support SIEM administration activities including log source validation, parser verification, dashboard usage, alert tuning, and false-positive reduction.
Assist in the administration and health monitoring of OT security monitoring platforms such as Nozomi Guardian and related collectors/sensors.
Contribute to the creation and maintenance of detection rules and OT use cases aligned to industrial threats and operational realities.
4.Deployment and Integration Support
Assist OT solution deployments by validating sensor connectivity, syslog forwarding, collector health, API integrations, use-case testing, and user acceptance activities.
Support integration of OT monitoring platforms with SIEM, SOAR, ticketing systems, and reporting workflows.
5. OT Log, Asset, and Protocol Analysis
Review logs, alarms, and network telemetry from OT and IT sources to identify anomalies and confirm incident context.
Demonstrate working knowledge of industrial protocols including Modbus, DNP3, OPC UA, IEC 60870-5-104, PROFINET, and related industrial Ethernet communications.
Support OT asset inventory validation, communication baseline analysis, and visibility improvement activities.
6. Customer Support and Troubleshooting
Provide remote troubleshooting, incident bridge support, health checks, upgrade support, and ticket resolution for customer OT security environments.
Communicate effectively with customers, internal stakeholders, and project teams while maintaining SLA commitments.
7. Reporting and Documentation
Prepare daily SOC reports, weekly incident summaries, asset visibility reports, security posture updates, and SLA-driven ticketing updates.
Maintain accurate incident records, SOPs, runbooks, troubleshooting notes, and knowledge-base documentation.
8. Collaboration and Escalation
Work closely with L1 analysts, L3 engineers, implementation teams, customer stakeholders, and cross-functional security teams to resolve operational issues.
Escalate complex OT incidents, persistent integration issues, and monitoring gaps to the appropriate engineering or management teams.
9.Compliance and Best Practices
Follow established OT security procedures, change controls, and documentation standards while supporting compliance and audit requirements.
Operate with awareness of plant safety, production availability, maintenance windows, and the sensitivity of safety-critical environments.
10. Continuous Improvement
Recommend improvements to alert quality, reporting accuracy, use cases, SOPs, dashboarding, and OT monitoring coverage.
Stay updated on OT cyber threats, industrial attack techniques, and evolving defensive controls relevant to manufacturing, utilities, energy, and other industrial sectors.
11. Report deviations and concerns to the SOC Manager
Basic Qualifications:
- Bachelor’s degree in computer science, Information Technology, Cybersecurity, Electronics, Instrumentation, or a related field.
- 3–6 years of experience in cybersecurity operations, OT SOC, ICS/SCADA monitoring, incident investigation, or industrial network security.
- Hands-on exposure to SIEM platforms such as Splunk, QRadar, Sentinel, FortiSIEM, or Elastic, and familiarity with Nozomi Guardian or similar OT monitoring tools.
- Working knowledge of OT/ICS environments including ICS, SCADA, PLC, RTU, HMI, historians, industrial switches, and engineering workstations.
- Understanding of industrial protocols such as Modbus, DNP3, OPC UA, IEC 60870-5-104, PROFINET, and related traffic analysis concepts.
- Experience with Wireshark, Syslog, Linux, Windows, Excel, and PowerShell for troubleshooting, analysis, and reporting.
- Strong analytical thinking, documentation discipline, customer interaction skills, time management, and team collaboration.
- Ability to work in rotational shifts, manage ticket queues, and operate effectively in high-availability industrial environments.
Preferred Qualifications:
- Certifications such as Security+, Microsoft SC-200, Splunk Power User, QRadar Analyst, Nozomi Fundamentals, GICSP (foundation level exposure), or equivalent.
- Exposure to SOAR workflows, API-based integrations, threat intelligence enrichment, and OT vulnerability management processes.
- Knowledge of Purdue Model, network segmentation, jump hosts, remote access controls, firewall policy validation, and OT asset inventory concepts.
- Experience supporting industrial customers in sectors such as manufacturing, energy, utilities, oil and gas, pharma, or critical infrastructure.
- Strong interest in building deeper expertise across OT detection engineering, incident response, industrial protocols, and customer-facing delivery.
Why Gruve
At Gruve, we foster a culture of innovation, collaboration, and continuous learning. We are committed to building a diverse and inclusive workplace where everyone can thrive and contribute their best work. If you’re passionate about technology and eager to make an impact, we’d love to hear from you.
Gruve is an equal opportunity employer. We welcome applicants from all backgrounds and thank all who apply; however, only those selected for an interview will be contacted.
Job Details
Experience
Mid · 3–6 yrs