Engineer/Senior Engineer, Firewall

OverviewLocation: TerraForm Power Remote Operation Center, Albany NYEmployment Type: Full-timeTravel: Ability to travel to remote sites (10–20%)About UsTerraForm Power ("TERP"), a platform company of Brookfield, attracts high-performing individuals who are driven to make an impact in a fast-paced and collaborative environment. We offer unparalleled opportunities to lead and manage one of the largest renewable energy businesses with decades of history, while contributing to the global need for sustainable energy.The company is committed to employee development, encouraging curiosity, ownership, and continuous learning. You'll be empowered to take initiative, contribute ideas, and grow your career within a supportive and ambitious organization. This position will be based in remote.Job SummaryThis is an Operational Technology (OT) role embedded in the TerraForm Power Remote Operations Centre, responsible for designing, implementing, and maintaining secure network perimeters for wind, solar, and battery storage operations with a focus on NERC CIP compliant architecture. The Firewall Engineer will work in close partnership with the TERP Cybersecurity Manager, Compliance and Operations Centre staff to ensure robust, compliant, and resilient OT network security across all sites and control centers.ResponsibilitiesArchitecture, Design & ImplementationDesign and implement OT network security controls, such as perimeter firewalls, internal segmentation, site-to-site and remote-access VPNs, and WAFs.Build secure network solutions that align with system architecture for wind, solar, and BESS facilities, EMS/SCADA, and the system control centers.Define network security zones and conduits for OT, corporate IT, and cloud environments; enforce least privilege and micro-segmentation.Engineer solutions using Cisco (ASA/Firepower/FTD) and Check Point (CCSA/CCSE) platforms; integrate with management consoles and policy orchestration tools.Implement secure remote access for operators, vendors, and field technicians using MFA, bastion/Jump hosts, and role-based access.Operations, Monitoring & Incident ResponseAdminister firewall policies, objects, NAT, routing (OSPF/BGP), and HA/cluster configurations; manage rule lifecycle and clean-up.Maintain WAF protections (e.g., F5, Fortinet, Check Point, or cloud WAF) including rule tuning, bot mitigation, and API security.Operate and improve monitoring and control tools (SIEM/SOAR, NetFlow, packet capture, IDS/IPS); build dashboards and alerts for NERC systems.Conduct log analysis, threat hunting, and participate in incident triage and response; provide on-call support for critical events.Perform regular firewall health checks, performance tuning, firmware/OS upgrades, and vulnerability remediation.Support occasional after-hours maintenance windows on an as needed basis.Compliance & Change Management (NERC Focus)Implement and maintain controls aligned to NERC CIP standards applicable to Low Impact sites and Medium Impact control centers (e.g., CIP-003, CIP-005, CIP-007, CIP-008, CIP-009, CIP-010, CIP-011, CIP-013).Serve as the technical owner for firewall-related CIP controls (for example CIP-005, CIP-007, CIP-010), including configuration baselines, access controls, logging, and evidence collection.Establish and enforce configuration baselines, access controls, evidence collection, and audit-ready documentation.Run structured change management programs for firewall and WAF policies, including risk assessment, testing, approvals, and post-implementation review.Support audits, self-assessments, and impact ratings; assist with personnel risk assessment and vendor risk management where applicable.Collaborate with OT, IT, Compliance, Engineering, and Plant Operations to ensure controls meet operational needs without compromising reliability.Collaborative ResponsibilitiesWork in close partnership with the TERP Cybersecurity Manager to align firewall, VPN, and WAF controls with OT/IT cybersecurity strategy, incident response protocols, and compliance requirements.Participate in joint incident response, risk assessments, and continuous improvement initiatives with the Cybersecurity Manager and Operations Centre leadership.Coordinate with Operations Centre, plant operators, and engineering teams to ensure security controls support operational reliability and compliance.Technology Evaluation & Continuous ImprovementEvaluate new firewall, WAF, VPN, and OT security technologies; lead POCs and make data-driven recommendations.Identify opportunities to enhance resilience (segmentation, Zero Trust, SD-WAN security, secure cloud connectivity), and automate repeatable tasks (e.g., policy linting, backup/restore, compliance evidence collection).OT-Specific DutiesManage vendor and contractor access for maintenance and commissioning, ensuring robust controls for temporary access and logging.Design solutions that address site-specific challenges, including limited bandwidth, remote access constraints, and environmental factors.Support operational resilience by coordinating change windows with grid operations and implementing failsafe configurations to avoid plant outages.Education & CertificationsBachelor's degree in Computer Science, Electrical/Computer Engineering, Information Security, or related field; or equivalent experience.Relevant certifications preferred:• Cisco: CCNP Security, CCIE (Security) (plus)• Check Point: CCSA/CCSE• Others, a plusIndustry-Specific (Renewable Energy & OT/ICS) RequirementsExperience with the secure transport of with SCADA/EMS, plant DCS/RTUs/PLCs, and OT protocols (OPC, DNP3, Modbus).Understanding of interconnections between substations, collector systems, BESS EMS, and corporate networks; secure data flows to forecasting, trading, and asset performance platforms.Knowledge of telecom links common in renewables (leased lines, microwave, LTE/private cellular) and secure backhaul to control centers.Awareness of site conditions (limited bandwidth, remote access constraints, environmental factors) and designing resilient, maintainable solutions.Vendor and contractor access management for maintenance, OEM support, and commissioning activities, with strong control over temporary access and logging.Safety and reliability mindset: change windows coordinated with grid operations, rollback plans, and fail-safe configurations to avoid plant outages.Compensation: $120,000-$140,000 USD, bonus eligibleJ-18808-Ljbffr TerraForm Power