Join the National Laboratory of the Rockies (NLR), where world-class scientists, engineers, and experts are accelerating energy innovation through breakthrough research and systems integration. From our mission to our collaborative culture, NLR stands out in the research community for its commitment to an affordable and secure energy future. Spanning foundational science to applied systems engineering and analysis, we focus on solving complex challenges to deliver advanced, secure, reliable, and cost-effective energy solutions. Our work helps strengthen U.S. industries, support job creation, and promote national economic growth.
At NLR, you'll find a mission-driven environment supported by state-of-the-art facilities, multidisciplinary research teams, and strong collaborations with industry, academia, and other national laboratories. We offer robust professional development opportunities, and a competitive benefits package designed to support your career and well-being.
The National Renewable Energy Laboratory (NLR) is seeking a skilled Cybersecurity Researcher Reverse Engineer to join our Cyber Threat Analysis Group, within the Cybersecurity Research Center. This role requires candidates to analyze, deconstruct, and evaluate the security of highly complex embedded devices and systems that are critical to the nation's energy infrastructure and national security.
You will conduct deep-dive vulnerability research on hardware and firmware found in Industrial Control Systems (ICS), smart grid components, electric vehicle supply equipment (EVSE), and distributed energy resources (DERs). Drawing on a comprehensive understanding of system internals, cryptography, and network protocols, you will reverse engineer proprietary systems to uncover zero-day vulnerabilities, develop reliable exploits in constrained environments, and design system-level mitigations to secure the energy grid against advanced persistent threats (APTs).
Responsibilities include:
Design and deploy advanced discovery techniques against black-box embedded systems. Implement custom fuzzing harnesses for hardware-in-the-loop and emulated environments.
Develop robust, weaponized proof-of-concept (PoC) exploits for constrained environments. Bypass embedded exploit mitigations. Write custom shellcode and achieve persistent execution within RTOS or bare-metal environments.
Intercept, reverse engineer, and exploit communications across all layers. Analyze local hardware buses (CAN, I2C, SPI), industrial control protocols (Modbus, DNP3, IEC 61850 GOOSE/SV, CIP/EtherNet/IP), and modern Smart Grid/EV protocols (OCPP, IEEE 2030.5, MQTT).
Perform static and dynamic analysis of compiled binaries, RTOS (e.g., VxWorks, QNX, FreeRTOS), and bare-metal systems. Reverse engineer boot sequences, evaluate kernel-level internals, and identify privilege escalation vectors from user-space tasks to the kernel or hypervisor.
Defeat hardware security mechanisms and extract firmware using debug interfaces (JTAG, UART, SWD). Execute advanced hardware attacks, including side-channel analysis and fault injection (glitching), to extract cryptographic keys or bypass authentication.
Translate highly technical vulnerability findings and exploitation mechanics into actionable intelligence. Brief technical peers, leadership, and federal stakeholders on systemic risks to critical infrastructure and propose hardware/software mitigations.
Researcher IV:
Solves uniquely significant problems: Defeats advanced hardware security mechanisms (Secure Boot, TrustZone) utilizing novel techniques like side-channel analysis and fault injection.
Serves as a technical authority: Briefs federal stakeholders and influences directorate-level strategy regarding systemic risks to critical infrastructure.
Translates national needs: Directly addresses national security priorities by developing advanced mitigations against Advanced Persistent Threats (APTs) targeting the energy grid.
Drives lab-wide capability: Architects and maintains custom reverse engineering plugins and automation frameworks utilized by multiple teams across the laboratory.
Mentors at the lab level: Serves as a recognized expert, mentoring staff across the organization in highly specialized areas like kernel-level privilege escalation and deep firmware analysis.
Researcher III:
Solves complex problems: Develops robust proof-of-concept exploits and performs deep static/dynamic analysis on constrained embedded environments.
Leads project-level decisions: Designs and deploys advanced vulnerability discovery techniques, including custom fuzzing harnesses and symbolic execution.
Applies broad engineering concepts: Adapts established principles to bypass exploit mitigations (e.g., ASLR, DEP/NX) on ARM, MIPS, and PowerPC architectures.
Coordinates project efforts: Guides the technical execution of intercepting and analyzing complex hardware buses (CAN, SPI) and industrial protocols (Modbus, DNP3).
Represents the laboratory: Translates highly technical vulnerability findings into actionable intelligence for internal peers and project leadership.
* Must meet educational requirements prior to employment start date.
The anticipated closing window for application submission is up to 30 days and may be extended as needed.
NLR takes into consideration a candidate’s education, training, and experience, expected quality and quantity of work, required travel (if any), external market and internal value, including seniority and merit systems, and internal pay alignment when determining the salary level for potential new employees. In compliance with the Colorado Equal Pay for Equal Work Act, a potential new employee’s salary history will not be used in compensation decisions.
* Based on eligibility rules
NLR is committed to maintaining a drug-free workplace in accordance with the federal Drug-Free Workplace Act and complies with federal laws prohibiting the possession and use of illegal drugs. Under federal law, marijuana remains an illegal drug.
If you are offered employment at NLR, you must pass a pre-employment drug test prior to commencing employment. Unless prohibited by state or local law, the pre-employment drug test will include marijuana. If you test positive on the pre-employment drug test, your offer of employment may be withdrawn.
Please note that in order to be considered an applicant for any position at NLR you must submit an application form for each position for which you believe you are qualified. Applications are not kept on file for future positions. Please include a cover letter and resume with each position application.
All qualified applicants will receive consideration for employment without regard to age (40 and over), color, disability, gender identity, genetic information, marital status, domestic partner status, military or veteran status, national origin/ancestry, race, religion, creed, sex (including pregnancy, childbirth, breastfeeding), sexual orientation, and any other applicable status protected by federal, state, or local laws.
E-Verify is a registered trademark of the U.S. Department of Homeland Security. This business uses E-Verify in its hiring practices to achieve a lawful workforce.