Cybersecurity Analyst
United Power Brighton, CO
$99k-126k (estimate)
Full Time | Utilities 1 Month Ago
United Power is Hiring a Cybersecurity Analyst Near Brighton, CO

United Power is seeking to fill this Cybersecurity Analyst position at a level I, II, or III.

Job Title: Cybersecurity Analyst I, II, III, IV

Location: Brighton

Level I - Pay Grade: 16: $78,200 - $84,500 - $90,800 annually

Level II - Pay Grade: 17: $84,500 - $91,300 - $98,100 annually

Level III - Pay Grade: 19: $97,700 - $110,400 - $123,100 annually

Level IV - Pay Grade: 20: $107,000 - $123,600 - $140,200 annually

Position Purpose and Objectives:

This classification is a multi-level class in which incumbents will be assigned to the appropriate level based on their experience and may progress through the levels as proficiency and discretion advance.

This position is responsible for embracing and supporting the vision and mission of the cooperative and the department. Provides defensive, blue team cybersecurity services to anticipate, identify, respond to, and mitigate cyber threats in United Power’s IT and OT infrastructure. Receives general and specific supervision and direction from the Director of Cybersecurity. Major responsibilities of this position are collecting and analyzing relevant logs and data, threat hunting proactively, investigating abnormalities, responding to incidents, and participating in initiatives and projects in a variety of cybersecurity programs as needed.

This is a hybrid position, eligible to work remotely subject to the United Power hybrid work agreement.

Essential Job Functions:

All Classes

  • Demonstrate and champion valued behaviors of be generous, be accountable and reliable, have integrity, create connections, inspire confidence in people and solutions, be curious, strive for excellence.
  • Perform daily continuous monitoring and triage of security related detections, end user reports, and escalated Service Desk cases.
  • Promptly respond to security threats and incidents, acting individually or as part of a team to resolve issues and coordinate with internal teams for remediation.
  • Participate in the feedback process to analyze incidents and exercises; provide constructive feedback on how to improve incident handling procedures.
  • Maintain a situational awareness of cybersecurity and risk related to the environment. Read and analyze threat intelligence reports covering threats, vulnerabilities, products, and research.
  • Work collaboratively with IT Operations and Engineering in the identification and remediation of vulnerabilities both as a regular practice and in the rapid response to a zero-day vulnerability.
  • Work collaboratively with IT Operations, Engineering, Data Governance, and others internally on projects and initiatives to strengthen foundational security posture and advance proactive cybersecurity measures.
  • Occasionally conduct or contribute to audits of access and product configuration. May suggest new practices, configurations, or features to utilize because of a review.
  • Serve on a team who are a resource to coworkers on strategic security choices in available technologies, helping them understand the full scope of information available and make informed decisions.
  • Share knowledge and experiences with team members and leaders by communicating with transparency on daily activities and progress. This includes documenting remediation steps, writing or updating documentation such as knowledge base articles, standards documents, and technical environment documentation.
  • Provide 24x7 technical support for critical issues.
  • Cybersecurity is a field with consistent change, so at least 5% of incumbent’s time will be spent on self-study to increase and maintain knowledge in the field.
  • Maintain and follow standards, data governance, change management procedures, and other procedures that deliver a secure and stable environment.
  • Perform other duties as may be requested or assigned to meet the needs of United Power.

Cybersecurity Analyst I

  • Navigate and operate basic functionality in cybersecurity tools such as SIEM, endpoint detection and response, email security tools, demonstrating an increasing trend of understanding how the tools work.
  • Be responsible to learn and understand available investigation sources and demonstrate increasing trend of capability to accurately review and analyze what information is being conveyed.
  • Follow existing playbooks and make suggestions for improvements to process or clarity of instructions.
  • Assist with documenting investigative actions thoroughly.
  • Participate in threat hunting activities under the guidance and direction of other team members.
  • Participate in cybersecurity exercises under the guidance and direction of other team members.
  • Help suggest topics to cover in awareness campaigns based on current tactics and experiences with end user behaviors in the environment.
  • Occasionally attend meetings with cybersecurity vendors and build an understanding of relationships and vendor management practices.

Cybersecurity Analyst II

  • Operate most functions within cybersecurity tools such as SIEM, endpoint detection and response, email security tools, demonstrating an increasing trend of understanding how the tools and programming interfaces work. Suggest ways to deliver a clearer picture from the existing data collection and participate in tuning alerts.
  • Identify and suggest repetitive tasks to be automated.
  • Understand available investigation sources and be able to accurately review and analyze information. Show an increasing trend of sophistication of interacting with them such as running scripts, creating queries, pulling logs, conducting analysis and other incident response tasks.
  • Independently investigate and analyze most routine alerts and suspicious activity in the end user computing environment. Participate in more complex investigations and anomalous activity as directed.
  • Follow existing playbooks and suggest improvements to process, clarity of instructions, and technical response or investigation tactics. Increase capability of authoring playbooks.
  • Document investigation actions thoroughly, participating in the collection and documentation of all incidents and procedures.
  • Assist with administering and maintaining incident response tools and out-of-band communication.
  • Participate in hypothesis-based hunts as part of a team. Suggest opportunities for threat hunting activities and improvements to tools, methods, etc.
  • Participate and consistently improve team performance in cybersecurity exercises as a member of the Cybersecurity Incident Response Team. Occasionally, assist in the planning and execution of cyber exercises.
  • As part of our Cybersecurity Awareness Program, provide simple, practical, and up-to-date cybersecurity information. Assist the team with research, authoring and updating content. May assist with tasks related to awareness vendors and the deployment and delivery of material.
  • Collaborate with cybersecurity vendors and be a reliable backup point of contact when needed. Ask questions and ensure you understand vendor recommendations; get recommendations recorded and approved in change management.

Cybersecurity Analyst III / Cybersecurity Analyst IV

  • Design, conduct, and improve hypothesis-based hunts in pursuit of adversaries.
  • Contribute to continual improvement and automation of threat hunt practices, sources, and tools.
  • Be a subject matter expert on the full functionality of cybersecurity tools such as SIEM, endpoint detection and response, email security tools.
  • Deeply understand available investigation sources and be able to accurately review and analyze information. Demonstrated ability to work with them including running scripts, building scripts, creating queries, pulling logs, conducting analysis and other incident response tasks.
  • Ability to independently investigate and analyze alerts and threats for anomalous, suspicious, or malicious activity in a corporate environment and support remediation efforts.
  • Ensure logs from appropriate systems are being ingested.
  • Design, execute and improve playbooks. Incorporate forward thinking practices like automation and integration. Be responsible for evaluating, designing and integrating suggestions from other team members on playbook improvements.
  • Create new threat detection signatures to detect adversary activities. Actively find ways to deliver a clearer picture from the existing data collection by integrating sources and applying enrichment and correlation filters.
  • Automate repetitive tasks and support the lifecycle of automated tasks (documentation, delivering communication or training about automation, etc.).
  • Document actions thoroughly, creating reports and documentation of all incidents and procedures. Synthesize data points into a coherent understanding of the event. Present findings to team and leadership on a routine basis.
  • Assist with administering and maintaining incident response tools and out-of-band communication.
  • Participate and consistently improve team performance in cybersecurity exercises as a member of the Cybersecurity Incident Response Team. Regularly take on the role of designing and conducting cybersecurity exercises either alone or as part of a team.
  • Support the ingestion of threat intelligence informed indicators and behaviors into security workflows and products.
  • As part of our Cybersecurity Awareness Program, provide simple, practical, and up-to-date cybersecurity information. Assist the team with research, authoring and updating content. May assist with tasks related to awareness vendors and the deployment and delivery of material.
  • Proactively mentor other team members by sharing knowledge, skills, and experiences and helping them grow and develop their own skills.
  • Create solutions to resolve complex operational problems, determine root cause, and identify issues or trends that need immediate attention.
  • Effectively manage cybersecurity vendor relationships and ensure vendors are meeting requirements. Evaluate and select vendors for cybersecurity functions. Regularly assist in the review of the cybersecurity capabilities of vendors in the third-party risk management program.

Required Knowledge, Skills, and Abilities:

All Classes

  • Ability to organize and drive daily activities.
  • Ability to work both independently and collaboratively, as a member of a team.
  • Possess exceptional communication skills, both written and verbal. Ability to determine the technical skill level of the information recipient and tailor communications accordingly.
  • Demonstrated strong passion for learning, growth, and development of self.
  • Must be familiar with the CIS Controls, NIST CSF, and DOE C2M2 frameworks and other security principles; they are foundational to our cybersecurity program.
  • Demonstrate systems thinking.
  • Desire to read and analyze threat intelligence.
  • Demonstrated knowledge and experience to ask the right questions to end users.
  • Successfully engage in high-pressure situations.
  • Demonstrate good research skills and attention to detail.
  • Demonstrate empathy and sensitivity to priority, risk, and impact.

Cybersecurity Analyst I, incumbents are expected to also possess:

  • Based on specific foundational experience you bring to the position, incumbent may initially cross-train with IT Operations to better understand the United Power technical environment and how it supports industry-specific activities. Length of time and objectives for both will be tailored based on incumbent’s technical understanding and experience working in a technical role in an environment where end users are utilizing primarily Windows production business systems in a TCP/IP network.
  • Ability to identify patterns and trends in data.
  • Awareness of social engineering tactics, phishing, business email compromise and malware types.
  • Ability to explain best practices to end users related to their responsibility around password management, MFA and securing endpoint devices.
  • Capacity to master Endpoint Detection and Response products.
  • Basic knowledge of navigation and use of Windows 10/11 operating system and Apple iOS operating system.

Cybersecurity Analyst II, incumbents demonstrate all Level I skills plus:

  • Based on specific foundational experience you bring to the position, incumbent may initially cross-train with IT Operations to better understand the United Power technical environment and how it supports industry-specific activities. Length of time and objectives for both will be tailored based on incumbent’s technical understanding and experience working in a technical role in an environment where end users are utilizing primarily Windows production business systems in a TCP/IP network.
  • Ability to identify patterns and trends in large and possibly disparate datasets. Ability to understand and create basic queries in SQL or a similar query language.
  • Demonstrated technical triage and problem-solving skill set.
  • Experience documenting remediation steps in ticketing system such as Freshservice.
  • Experience with or capacity to master Endpoint Detection and Response products.
  • Experience with SIEM or other log analysis tools.
  • Advanced knowledge of navigation and use of Windows 10/11 operating system and Apple iOS operating system.
  • High level knowledge of Enterprise architectures, protocols, and management practices.
    • TCP/IP networking
    • Active Directory and/or Entra
    • Group policy
    • Mobile device management
    • Secure configurations/baselines
    • SaaS
    • DNS resolution
    • Common ports and services

Cybersecurity Analyst III, incumbents demonstrate all Level I and II skills plus:

  • It is expected that the incumbent achieves and maintains a high-level knowledge of the overall IT Infrastructure environment and what normal baselines look like.
  • Working knowledge of:
    • SPF, DKIM, DMARC
    • IPv4 and IPv6 packet structure
    • User and Entity Behavior Analytics
  • Working knowledge of analyzing network log sources.
  • Strong understanding of logging, parsing, and SIEM technologies.
  • Working knowledge of generic threat detection rules and languages, such as Sigma Rules.
  • Ability to work with REST API interfaces.
  • Foundational knowledge of Digital Forensics and Incident Response (DFIR) processes.
  • Should be comfortable with public speaking and presenting to others, including leadership.
  • Experience in protecting and managing Windows, Linux, and/or iOS fleets.
  • Experience administering SaaS solutions, specifically cybersecurity configurations.
  • Working knowledge of secure email gateways and other email security products.
  • Working knowledge of using OSINT sources.
  • Proficiency in at least one scripting language such as PowerShell or Python.
  • Experience evaluating third-party cybersecurity risk posture.

Cybersecurity Analyst IV, incumbents demonstrate all Level I, II, III skills plus:

  • Knowledge of ICS/OT protocols and architectures.
  • Increasing working knowledge of OT environment related to cybersecurity.
  • Experience with Digital Forensics and Incident Response (DFIR) processes.
  • Experience designing, conducting, and participating in cybersecurity exercises.
  • Experience with hypothesis-based hunts.

Supervision Received and Exercised:

Receives both general and specific guidance and direction from Director of Cybersecurity, Chief Information Officer, or IT project managers.

Education, Training and Experience:

Minimum of high school diploma or equivalent required, plus

Cybersecurity Analyst I

AND at least 1 year of relevant work history in a cybersecurity role or information technology role supporting end users who are utilizing primarily Windows production business systems in a well-managed TCP/IP network.

Cybersecurity Analyst II

AND at least 2 years of relevant work history in a cybersecurity role supporting end users who are utilizing primarily Windows production business systems in a well-managed TCP/IP network.

One of the following foundational cybersecurity certifications (CompTIA Security+, GIAC Security Essentials (GSEC), or ISC2 Certified in Cybersecurity (CC)) may be substituted for 1 year of equivalent experience.

Cybersecurity Analyst III

AND at least 3 years of experience anticipating, identifying, responding to, and mitigating cyber threats.

AND at least 3 years of experience with Incident Response functions.

AND any training from SANS Institute or one or more of the following specialized security certifications in security operations, incident handling, digital forensics, and/or ICS cybersecurity are preferred to show continuous development:

  • CompTIA Security+
  • CompTIA Cybersecurity Analyst
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Industrial Cyber Security Professional Certification (GICSP)
  • GIAC Network Forensic Analyst (GNFA)
  • GIAC Response and Industrial Defense (GRID)
  • GIAC Security Operations Certified (GSOC)
  • Infosec Certified SCADA Security Architect (CSSA)
  • ISC2 Systems Security Certified Practitioner (SSCP)
  • Microsoft Cybersecurity Architect Expert
  • Microsoft Certified Azure Security Engineer Associate

Cybersecurity Analyst IV

AND at least 5 years of experience anticipating, identifying, responding to, and mitigating cyber threats.

AND at least 5 years of experience with Incident Response functions.

AND relevant work history in electric utility systems and ICS/OT cybersecurity.

AND the Cybersecurity Analyst IV is expected to achieve CISSP certification in the first year.

AND any training from SANS Institute or one or more of the following specialized security certifications in security operations, incident handling, digital forensics, and/or ICS cybersecurity are preferred to show continuous development:

  • CompTIA Security+
  • CompTIA Cybersecurity Analyst
  • GIAC Certified Forensic Analyst (GCFA)
  • GIAC Certified Forensic Examiner (GCFE)
  • GIAC Certified Incident Handler (GCIH)
  • GIAC Industrial Cyber Security Professional Certification (GICSP)
  • GIAC Network Forensic Analyst (GNFA)
  • GIAC Response and Industrial Defense (GRID)
  • GIAC Security Operations Certified (GSOC)
  • Infosec Certified SCADA Security Architect (CSSA)
  • ISC2 Systems Security Certified Practitioner (SSCP)
  • Microsoft Cybersecurity Architect Expert
  • Microsoft Certified Azure Security Engineer Associate

Problem Solving:

Ability to collaborate with others to participate in root cause analysis and solve problems both within and outside area of technical expertise.

Cybersecurity Analyst I

Diagnoses and resolves some common or routine technical problems independently using defined standards and procedures. Increases the frequency of solving routine problems independently in a relatively unpressured situation.

Cybersecurity Analyst II

Diagnoses and resolves common or routine technical problems effectively under constraints of time, pressure, and with minimal or no assistance. Increases the frequency of solving moderately complex problems independently. Participates in root cause analysis.

Cybersecurity Analyst III

Diagnoses and resolves most moderately complex technical problems independently in conditions of uncertainty and stress. Increases the frequency of solving moderately complex problems independently. Leads and participates in root cause analysis.

Cybersecurity Analyst IV

Diagnoses and resolves most complex technical problems independently in conditions of high uncertainty, stress and conflict. Increases the frequency of solving highly complex problems independently. Leads and participates in root cause analysis.

Discretion/Latitude:

Works independently and as a member of the Cybersecurity team, based on general and specific direction, detection alerts, Service Desk cases, project task assignments, and department priorities. Day-to-day work is self-initiated and self-directed based on priorities established by Director of Cybersecurity, Chief Information Officer, or IT project managers.

Cybersecurity Analyst I/Cybersecurity Analyst II

Ability to organize and drive own daily activities based on both broad and specific directives, processes and procedures, with ability to meet multiple deadlines, and effectively handle multiple tasks.

Cybersecurity Analyst III/Cybersecurity Analyst IV

Ability to organize and drive own daily activities based on primarily broad directives, processes and procedures, with ability to meet multiple deadlines, and effectively handle multiple tasks with little direct guidance.

Impact:

It is essential that the end users’ and members’ experience with the technology environment be positive and productive. This position significantly contributes to that experience, and United Power’s ability to deliver services to our members. This role is critical to the goal of delivering a reliable and high-performance infrastructure.

Liaison:

Works with all employees and external vendors.

Essential Physical & Mental Requirements:

  • Majority of time requires sitting, bending at neck, waist, legs, and arms; twisting body; and changing positions at will. Occasional driving, standing, walking, stooping, bending, kneeling, and reaching.
  • Lift and carry 5-40 pounds frequently and push/pull up to 100 pounds occasionally.
  • Requires repetitive motions with hands and fingers such as keyboarding, use of telephones, cell phones, etc.
  • Requires close vision, distance vision, color vision, peripheral vision, depth perception and the ability to focus.
  • Noise level in work environment is moderate. Work requires close attention to detail and accuracy and is varied in nature with regular interruptions. Work is subject to irregular hours.

Working Conditions:

Office setting 95% of the time. 5% of the time may need to work in a support role while outdoors, in a warehouse or maintenance environment (dust, uneven surfaces and all types of weather and temperature variations).

The position may work at any of the offices.

Job Summary

Job Type: Full Time
Industry: Utilities
Salary: $99k-126k (estimate)
Post Date: 03/27/2024
Expiration Date: 06/19/2024
Website: unitedpower.com
Headquarters: BRIGHTON, CO
Size: 200 - 500
Founded: 1938
Type: Private
CEO: RONALD ASCHE
Revenue: $200M - $500M

About United Power

United Power is a not-for-profit electric organization that provides electric service to homes and businesses.
