Petrofac is a leading international service provider to the energy industry, with a diverse client portfolio including many of the worlds leading energy companies.We design, build, manage and maintain infrastructure for our clients. We recruit, reward, and develop our people based on merit regardless of race, nationality, religion, gender, age, sexual orientation, marital status or disability. We value our people and treat everyone who works for or with Petrofac fairly and without discrimination.The world is re-thinking its energy supply and energy security needs, planning for a phased transition to alternative energy sources. We are here to help our clients meet these evolving energy needs.This is an exciting time to join us on this journey.We support flexible working requests and have adopted a hybrid approach for most of our office-based roles. We ask employees to be present in the office at least three days per week.Are you ready to bring the right energy to Petrofac and help us deliver a better future for everyone?JOB TITLE: Manager / Deputy Manager - ICSS/OT/IT Cyber SecurityKEY RESPONSIBILITIES:\xc2\xb7 Responsible for procurement related activities such as preparation of Inquiry Requisition, participate in Technical Evaluation of vendor offers, Purchase Requisitions, Preparation and providing guidance on Technical Bid Evaluations and Vendor Document Reviews.\xc2\xb7 Review the ITB (Invitation to Bid) documents submitted in the proposals stage, Contract documents, issue inquiry requisitions, review techno-commercial vendor offers, prepare equipment, material, and man-hour estimates.\xc2\xb7 Responsible for leading Overall OT/IT cyber security for major ICSS (Integrated Control and Safety System) OT projects.\xc2\xb7 Responsible for developing Cyber Security Plan for the project and approval from Client.\xc2\xb7 Reviewing network architectures and determining if good practices are being followed (e.g., the zones & conduits concept, proper network segmentation, use of Industrial DMZ, etc.); and providing recommendations to comply with applicable cybersecurity framework.\xc2\xb7 Reviewing security products utilized (e.g., firewalls, IDS, IPS) and determining if they are configured properly.\xc2\xb7 Monitor deployment of network infrastructure devices (e.g., switches, routers, etc.), security appliances (e.g., firewalls, IDS, etc.), and virtualization solutions\xc2\xb7 Reviewing security policies, plans, and procedures; assessing network monitoring capabilities; analyzing system logs, security events, and packet captures to identify security threats; and providing recommendations to comply with applicable cybersecurity framework.\xc2\xb7 Lead design reviews/workshops, preparation of required EPC phase deliverables, Lead interfaces with various Package Vendors, prepare gap analysis against the project requirements for various control systems supplied by package vendors.\xc2\xb7 Responsible for reviewing security products utilized (e.g., firewalls, IDS, IPS) and determining if the proposed configuration meets Project requirement and Industry standards.\xc2\xb7 Responsible to review security policies, plans, and procedures; assessing network monitoring capabilities; analyzing system logs, security events, and packet captures to identify security threats; and providing recommendations and work with ICSS (Integrated control and Safety Systems) vendor to comply with applicable cybersecurity framework.\xc2\xb7 Review administrative, technical, and physical security controls proposed by ICSS Vendor and providing recommendations to mitigate the identified security risks.
Participate and contribute to Cyber security workshops, vulnerability, and risk assessments with ICSS Vendors to identify security risks and threats (e.g., unsecure remote access points, suspicious remote connections, unauthorized devices on the network, etc.) and providing recommendation to remediate the identified issues, Prepare Report/Update/Maintain and coordinate with all parties to close out action points.
Review/Comments vendor submitted detailed diagrams (e.g., network, cabling, server, rack, logical architecture, etc.), procedures, and plans (e.g., implementation, SAT, mitigation, etc.) as needed to support projects.
Responsible to handle Technical Queries/issues from all stake holders, document review/approval of Automation & Package vendors, certification requirements if any, participate in regular meetings with vendors & Client/JV Partner,
Responsible to lead and participate in ICSS cyber security test at ICSS and package Vendor test locations, Responsible to accept the test and signoff reports.
Responsible for coordination with client, PMCs, consortium partners, subcontractors, other discipline engineers and Project team.
Participating in cross-functional and inter-office meetings to provide design input to Engineering team.
Proactively identify and mitigate technical risks during project stage.
\xc2\xb7 Travel to the clients site/ JV Partner location as and when required.
Support the construction, commissioning, and start-up activities, to ensure no delay.
ESSENTIAL QUALIFICATIONS AND SKILLS:
Bachelors degree in cyber security /Control & Instrumentation / Electronics/ Information Technology /Computer science Engineering with a minimum of 15 to 20 years of Hands-on Work experience in Industrial Automation Projects (In Oil & Gas / Refinery/Offshore Wind Farm Projects) and familiar with all Major ICSS vendor Architecture.
Experience in implementing large scale (multi-site) Industrial Automation network and OT cyber security.
Have a minimum of 5 years of experience in assessing, architecting, designing, and implementing cyber security capabilities, including incident response, threat intelligence, security monitoring, and vulnerability management.
Deep understanding of cybersecurity terms and principles (defense-in-depth, network segmentation, security monitoring and incident response, access management, OT patch management, secure remote access, anti-malware protection etc.).
Very good knowledge of local manufacturing and automation systems in use.
Advanced knowledge on networking (LAN/WAN) and industrial networking including significant low-level networking experience with the TCP/IP (Transmission Control Protocol/Internet Protocol).
Solid knowledge of IT and OT infrastructure, including ICSS security and protection.
Current knowledge of technology capabilities and trends; types, and techniques of hacking attacks.
A background in OT and ICS system security administration and/or development.
Certified Information Systems Security Professional (CISSP)
Global Industrial Cyber Security Professional Certification (GICSP)- vendor-neutral, practitioner focused certification that bridges IT, engineering, and cyber security to achieve security throughout the industrial control systems lifecycle to engineer or support control systems and share responsibility for the security of these environments.
Strong understanding of cybersecurity frameworks for ICSS/OT environments
Strong understanding of OT network communication protocols, industrial networking topologies, as well as L2/L3 networking and architecture.
Preferable experience in NIST-SP800-82, IEC62443 / ISA99, NERC-CIP, IEC 27002, ISO/IEC 15408, BSI TL-02103, etc.
Comprehensive knowledge of internet protocols, firewalls, proxies, and intrusion detection/prevention systems.
Familiarity/Knowledge of the Purdue Enterprise Reference Architecture (PERA)
An ability to work autonomously, cooperatively, and remotely from the corporate office with other locations.
Excellent problem solving, critical thinking, and analytical skills with the ability to deconstruct problems.
Familiarity of the threats, vulnerabilities, exploits in ICS environments, and appropriate mitigation techniques.
Have at least any one of the following certificates
o Certified Ethical Hacker (CEH),o CompTIA Security+o ISA/IEC 62443 Cybersecurity Specialist certification,o Global Industrial Cyber Security Professional (GICSP).
Preferable candidates having experience of working with Hitachi/ ABB or equivalent.
Good presentation, training, and communication skills to both internal and external stakeholders
Strong time management skills including ability to meet deadlines and manage priorities.