img
Contract TypeFull-time
Workplace typeOn-site
LocationRiyadh

Job Description

About the Role

Accenture Middle East is seeking a skilled OT Incident Response professional to join its team in Riyadh, Saudi Arabia. This role is essential for maintaining the security and operational integrity of Operational Technology (OT) and Industrial Control Systems (ICS) environments. As a senior technical authority within the OT Security Operations Center (SOC), the position involves advanced threat hunting, OT-aware digital forensics and incident response (DFIR), and the development of detection capabilities. The role also includes mentoring junior analysts and serving as the primary escalation point for complex industrial threat scenarios, focusing on safeguarding critical infrastructure.

Key Responsibilities

  • Lead investigations and responses for complex, high-severity, and suspected targeted attacks against OT/ICS environments.
  • Conduct proactive, hypothesis-driven threat hunting across OT networks and assets, including the design and execution of hunt campaigns.
  • Perform OT-aware DFIR, including forensic acquisition and analysis of ICS hosts, engineering workstations, HMIs, controllers, and network captures, while preserving process safety and evidence integrity.
  • Design, build, and tune detection content and correlation rules, managing the detection engineering lifecycle for the OT SOC.
  • Operationalize OT threat intelligence, mapping it to detections via MITRE ATT&CK for ICS.
  • Define, document, and continuously improve OT incident response playbooks and runbooks.
  • Serve as the senior escalation point and mentor for L1/L2 analysts, providing technical coaching and quality review of investigations.
  • Lead and support OT tabletop exercises and purple team/adversary emulation activities.
  • Advise on OT network architecture, segmentation, and monitoring placement to identify and close detection gaps.
  • Produce executive and technical incident reports, briefing stakeholders on root cause, impact, and remediation strategies.
  • Support compliance, audit, and regulatory reporting aligned with NCA OTCC-1:2022, ECC, and ISA/IEC 62443, including incident notification expectations.

Qualifications and Experience

  • Bachelor's degree in Cybersecurity, Computer/Electrical/Instrumentation Engineering, or a related field. A Master's degree is considered a plus.
  • 6 to 10+ years of cybersecurity experience, with a minimum of 4 years specifically in OT/ICS security operations, DFIR, or threat hunting.
  • Deep expertise in OT protocols and ICS architectures (DCS, SCADA, PLC, SIS) and a strong understanding of the Purdue model.
  • Proven experience leading OT/ICS incident response and forensic investigations.
  • Strong command of OT monitoring platforms such as Nozomi, Claroty, Dragos, Tenable OT, and Defender for IoT.
  • Proficiency in SIEM detection engineering using platforms like Splunk, QRadar, or Sentinel.
  • Advanced working knowledge of MITRE ATT&CK for ICS, NIST SP 800-82, ISA/IEC 62443, and NCA OTCC.

Required Skills and Aptitude

  • Expert analytical, forensic, and reverse-engineering/malware analysis aptitude within an OT context.
  • Strong leadership, mentoring, and stakeholder management skills.
  • Sound judgment in balancing cybersecurity response with process safety and operational availability.
  • Excellent written and verbal communication skills in English; Arabic proficiency is strongly preferred for regulator and executive engagement.
  • Ability to perform OT incident response and threat hunting.
  • Proficiency in digital forensics and incident response methodologies.
  • Skilled in detection engineering and OT threat intelligence analysis.
  • Familiarity with MITRE ATT&CK for ICS, NCA OTCC-1:2022, ECC, and ISA/IEC 62443 standards.
  • Knowledge of OT protocols and ICS architectures, including the Purdue model.
  • Experience with OT monitoring platforms (Nozomi, Claroty, Dragos, Tenable OT, Defender for IoT) and SIEM detection engineering (Splunk, QRadar, Sentinel).
  • Understanding of NIST SP 800-82.
  • Strong general analytical and forensic skills.
  • Aptitude for reverse-engineering and malware analysis.

Work Environment and Additional Information

This is a full-time position based in Riyadh, Saudi Arabia. The role requires availability for on-call escalation and incident leadership outside of normal working hours. Preferred certifications include GRID, GCIP, GICSP, GCFA, or GREM (GIAC). Vendor expert-level certifications from Dragos, Claroty, or Nozomi are also highly valued.


Requirements

  • Requires 5-10 Years experience

Similar Jobs