Embedded Security Architect
Description
Enphase Energy is a global energy technology company and a leading provider of solar, battery, and electric vehicle charging products. Founded in 2006, our innovative microinverter technology revolutionized solar power, making it a safer, more reliable, and scalable energy source. Today, the Enphase Energy System enables users to make, use, save, and sell their own power. Enphase is also one of the most successful and innovative clean energy companies in the world, with more than 80 million products shipped across 160 countries.
Join our dynamic teams designing and developing next-gen energy technologies and help drive a sustainable future!
This role at Enphase requires working onsite 3 days a week, with plans to transition back to a full 5 day in office schedule over time.
About the role:
Join Enphase Energy as an Embedded Security Architect and help secure the IQ Gateway and IQ Microinverter platforms—ARM-based IoT devices that connect millions of solar homes worldwide via Wi-Fi, Ethernet, and cellular networks with cloud-managed OTA firmware delivery. In this role, you will drive security-by-design across embedded systems, working closely with firmware, cloud, and product teams to build highly secure and scalable energy solutions.
You will own critical security components such as secure boot chains, TrustZone partitioning, hardware Root-of-Trust, and cryptographic key provisioning across the fleet, ensuring robust, end-to-end device security.
What you will be doing:
- Architect secure boot chains with a hardware-anchored root of trust — signed, staged bootloaders, anti-rollback counters, and eFuse/OTP provisioning — using ARM TrustZone to isolate secure and non-secure worlds (TEE/OP-TEE)
- Design hardware Root-of-Trust and device-identity provisioning (secure elements, PUF, eFuse) and manage the key lifecycle from manufacturing through rotation and revocation
- Build and maintain mutual-TLS and PKI frameworks — per-device certificates, certificate lifecycle, and secure key storage for authenticated device-to-cloud communication
- Design secure OTA update architectures: signed and encrypted images, A/B partitioning, anti-rollback, and fail-safe recovery for the embedded fleet
- Lead threat modeling (STRIDE) and risk assessments, defining attack surfaces, abuse cases, and mitigations for large embedded fleets
- Secure cloud-to-device trust across Enphase platforms (e.g., app and cloud ecosystems)
- Drive security integration across firmware, hardware, and cloud teams
- Harden IoT communication protocols across BLE, Wi-Fi (802.11), Ethernet, and PLC/powerline interfaces
- Define and enforce security-by-design standards and lead security architecture reviews across the embedded fleet
Who you are and what you bring:
- BE/BTech/MS/MTech in Computer Science, Electrical Engineering, or a related field.
- 8+ years of experience in embedded security or IoT security architecture
- Expertise in ARM TrustZone (TEE/OP-TEE), secure bootloaders, chain-of-trust, and hardware Root-of-Trust on ARM Cortex-A/M
- Experience with HSM/TPM integration, secure elements, and cryptographic key management (AES, RSA, ECC, hardware crypto accelerators)
- Strong knowledge of TLS/mTLS, PKI, certificate lifecycle management, and secure communication protocol design
- Familiarity with IoT protocols: BLE, Wi-Fi (802.11), Ethernet, and PLC/powerline communication
- Knowledge of security standards: IEC 62443, ETSI EN 303 645, EU Cyber Resilience Act
- Experience embedding security-by-design in partnership with firmware, cloud, and product security teams
- Familiarity with secure firmware signing and encrypted, authenticated OTA update delivery
- Strong problem-solving skills with the ability to thrive in a fast-paced, cross-functional environment
- Proficiency in C/C++ and embedded development on RTOS and embedded Linux for ARM Cortex-A/M targets
Nice to have:
- Experience designing secure OTA update pipelines for large device fleets
- Familiarity with side-channel analysis and hardware fault-injection countermeasures
- Relevant certifications such as CISSP-ISSAP, GPEN, or GXPN
What we offer:
- Competitive compensation and comprehensive employee benefits
- Opportunity to architect security for large-scale global IoT energy systems
- Exposure to cutting-edge technologies in embedded and IoT security
- Collaborative and innovation-driven work environment
- Career growth and development opportunities
#ITSecurity