[Remote] Engineer/Senior Engineer, Firewall

Worldwide Salaried Open

Note: This is a remote job open to candidates in the USA. TerraForm Power is a platform company of Brookfield focused on renewable energy. They are seeking a Senior Engineer for their Remote Operations Centre to design, implement, and maintain secure network perimeters for wind, solar, and battery storage operations, ensuring compliance with NERC CIP standards.

Responsibilities

  • Design and implement OT network security controls, such as perimeter firewalls, internal segmentation, site‑to‑site and remote‑access VPNs, and WAFs
  • Build secure network solutions that align with system architecture for wind, solar, and BESS facilities, EMS/SCADA, and the system control centers
  • Define network security zones and conduits for OT, corporate IT, and cloud environments; enforce least privilege and micro‑segmentation
  • Engineer solutions using Cisco (ASA/Firepower/FTD) and Check Point (CCSA/CCSE) platforms; integrate with management consoles and policy orchestration tools
  • Implement secure remote access for operators, vendors, and field technicians using MFA, bastion/jump hosts, and role‑based access
  • Administer firewall policies, objects, NAT, routing (OSPF/BGP), and HA/cluster configurations; manage rule lifecycle and clean‑up
  • Maintain WAF protections (e.g., F5, Fortinet, Check Point, or cloud WAF) including rule tuning, bot mitigation, and API security
  • Operate and improve monitoring and control tools (SIEM/SOAR, NetFlow, packet capture, IDS/IPS); build dashboards and alerts for NERC systems
  • Conduct log analysis, threat hunting, and participate in incident triage and response; provide on‑call support for critical events
  • Perform regular firewall health checks, performance tuning, firmware/OS upgrades, and vulnerability remediation
  • Support occasional after‑hours maintenance windows on an as-needed basis
  • Implement and maintain controls aligned to NERC CIP standards applicable to Low Impact sites and Medium Impact control centers (e.g., CIP‑003, CIP‑005, CIP‑007, CIP‑008, CIP‑009, CIP‑010, CIP‑011)
  • Serve as the technical owner for firewall‑related CIP controls (for example CIP‑005, CIP‑007, CIP‑010), including configuration baselines, access controls, logging, and evidence collection
  • Establish and enforce configuration baselines, access controls, evidence collection, and audit‑ready documentation
  • Run structured change management programs for firewall and WAF policies, including risk assessment, testing, approvals, and post‑implementation review
  • Support audits, self‑assessments, and impact ratings; assist with personnel risk assessment and vendor risk management where applicable
  • Collaborate with OT, IT, Compliance, Engineering, and Plant Operations to ensure controls meet operational needs without compromising reliability
  • Work in close partnership with the TERP Cybersecurity Manager to align firewall, VPN, and WAF controls with OT/IT cybersecurity strategy, incident response protocols, and compliance requirements
  • Participate in joint incident response, risk assessments, and continuous improvement initiatives with the Cybersecurity Manager and Operations Centre leadership
  • Coordinate with Operations Centre, plant operators, and engineering teams to ensure security controls support operational reliability and compliance
  • Evaluate new firewall, WAF, VPN, and OT security technologies; lead POCs and make data‑driven recommendations
  • Identify opportunities to enhance resilience (segmentation, Zero Trust, SD‑WAN security, secure cloud connectivity), and automate repeatable tasks (e.g., policy linting, backup/restore, compliance evidence collection)
  • Manage vendor and contractor access for maintenance and commissioning, ensuring robust controls for temporary access and logging
  • Design solutions that address site-specific challenges, including limited bandwidth, remote access constraints, and environmental factors
  • Support operational resilience by coordinating change windows with grid operations and implementing failsafe configurations to avoid plant outages

Skills

  • 5+ years of hands‑on experience administering enterprise firewalls and VPNs (Cisco ASA/Firepower/FTD; Check Point)
  • Working knowledge of WAF technologies and web security (OWASP Top 10, TLS, mTLS, API security)
  • Strong command of TCP/IP, routing (OSPF/BGP), NAT, ACLs, IPS/IDS, and packet analysis
  • Experience with SIEM/log management (e.g., Splunk, QRadar, LogRhythm), network monitoring (e.g., SolarWinds), and configuration management
  • Familiarity with NERC CIP concepts and control implementations for Low and/or Medium Impact environments, or equivalent experience in other regulated OT/ICS environments (for example IEC 62443)
  • Solid documentation skills and experience operating within formal change management processes
  • Clear communicator able to translate complex security topics for plant operations, engineering, compliance, and leadership
  • Strong prioritization and execution in high‑availability environments; calm under pressure during incidents
  • Collaborative and customer‑focused; builds trusted relationships with site personnel and external partners
  • Bachelor's degree in Computer Science, Electrical/Computer Engineering, Information Security, or related field; or equivalent experience
  • 10+ years in network security with deep expertise in Cisco and Check Point ecosystems, including clustering/HA, threat defense, and advanced policy design
  • Proven leadership of firewall/WAF architecture in OT/ICS or critical infrastructure (utilities, energy, industrial)
  • Demonstrated experience interpreting and implementing NERC CIP requirements in Medium Impact control centers, including evidence management and audit support
  • Proficiency guiding incident response and problem management for high-availability environments; ability to mentor engineers and lead complex changes
  • Track record of evaluating, selecting, and integrating new technologies; experience with automation (e.g., Ansible, Python) and policy compliance tooling
  • Relevant certifications preferred: Cisco CCNP Security (CCIE Security a plus); Check Point CCSA/CCSE; others a plus
  • Experience with the secure transport of SCADA/EMS, plant DCS/RTUs/PLCs, and OT protocols (OPC, DNP3, Modbus)
  • Understanding of interconnections between substations, collector systems, BESS EMS, and corporate networks; secure data flows to forecasting, trading, and asset performance platforms
  • Knowledge of telecom links common in renewables (leased lines, microwave, LTE/private cellular) and secure backhaul to control centers
  • Awareness of site conditions (limited bandwidth, remote access constraints, environmental factors) and designing resilient, maintainable solutions
  • Vendor and contractor access management for maintenance, OEM support, and commissioning activities, with strong control over temporary access and logging
  • Safety and reliability mindset: change windows coordinated with grid operations, rollback plans, and fail‑safe configurations to avoid plant outages

Benefits

  • Bonus eligible

Company Overview

  • TerraForm Power is a leading owner, operator, and producer of renewable energy in North America. It was founded in 2014, and is headquartered in Bethesda, Maryland, USA, with a workforce of 51-200 employees. Its website is http://terraform.com.

Company H1B Sponsorship

  • TerraForm Power has a track record of offering H1B sponsorships, with 3 in 2025, 2 in 2024, 1 in 2023, 3 in 2022, 2 in 2021, 2 in 2020. Please note that this does not guarantee sponsorship for this specific role.