Engineer/Senior Engineer, Firewall jobs in United States

Brookfield Renewable U.S. · 22 hours ago

Engineer/Senior Engineer, Firewall

Brookfield Renewable U.S. is a leading company in renewable energy, committed to employee development and sustainability. The Senior Engineer, Firewall will be responsible for designing, implementing, and maintaining secure network perimeters for renewable energy operations, ensuring compliance with NERC CIP standards and collaborating with cybersecurity and operations teams.

Renewable Energy · Retail · Solar · Wholesale

Responsibilities

Design and implement OT network security controls, such as perimeter firewalls, internal segmentation, site‑to‑site and remote‑access VPNs, and WAFs
Build secure network solutions that align with system architecture for wind, solar, and BESS facilities, EMS/SCADA, and the system control centers
Define network security zones and conduits for OT, corporate IT, and cloud environments; enforce least privilege and micro‑segmentation
Engineer solutions using Cisco (ASA/Firepower/FTD) and Check Point (CCSA/CCSE) platforms; integrate with management consoles and policy orchestration tools
Implement secure remote access for operators, vendors, and field technicians using MFA, bastion/jump hosts, and role‑based access
Administer firewall policies, objects, NAT, routing (OSPF/BGP), and HA/cluster configurations; manage rule lifecycle and clean‑up
Maintain WAF protections (e.g., F5, Fortinet, Check Point, or cloud WAF) including rule tuning, bot mitigation, and API security
Operate and improve monitoring and control tools (SIEM/SOAR, NetFlow, packet capture, IDS/IPS); build dashboards and alerts for NERC systems
Conduct log analysis, threat hunting, and participate in incident triage and response; provide on‑call support for critical events
Perform regular firewall health checks, performance tuning, firmware/OS upgrades, and vulnerability remediation
Support occasional after‑hours maintenance windows on an as‑needed basis
Implement and maintain controls aligned to NERC CIP standards applicable to Low Impact sites and Medium Impact control centers (e.g., CIP‑003, CIP‑005, CIP‑007, CIP‑008, CIP‑009, CIP‑010, CIP‑011, CIP‑013)
Serve as the technical owner for firewall‑related CIP controls (for example CIP‑005, CIP‑007, CIP‑010), including configuration baselines, access controls, logging, and evidence collection
Establish and enforce configuration baselines, access controls, evidence collection, and audit‑ready documentation
Run structured change management programs for firewall and WAF policies, including risk assessment, testing, approvals, and post‑implementation review
Support audits, self‑assessments, and impact ratings; assist with personnel risk assessment and vendor risk management where applicable
Collaborate with OT, IT, Compliance, Engineering, and Plant Operations to ensure controls meet operational needs without compromising reliability
Work in close partnership with the TERP Cybersecurity Manager to align firewall, VPN, and WAF controls with OT/IT cybersecurity strategy, incident response protocols, and compliance requirements
Participate in joint incident response, risk assessments, and continuous improvement initiatives with the Cybersecurity Manager and Operations Centre leadership
Coordinate with Operations Centre, plant operators, and engineering teams to ensure security controls support operational reliability and compliance
Evaluate new firewall, WAF, VPN, and OT security technologies; lead POCs and make data‑driven recommendations
Identify opportunities to enhance resilience (segmentation, Zero Trust, SD‑WAN security, secure cloud connectivity), and automate repeatable tasks (e.g., policy linting, backup/restore, compliance evidence collection)
Manage vendor and contractor access for maintenance and commissioning, ensuring robust controls for temporary access and logging
Design solutions that address site-specific challenges, including limited bandwidth, remote access constraints, and environmental factors
Support operational resilience by coordinating change windows with grid operations and implementing failsafe configurations to avoid plant outages

Qualification

Firewall administration · VPN configuration · NERC CIP compliance · Network security design · WAF technologies · TCP/IP knowledge · SIEM/log management · Incident response · Prioritization · Documentation skills · Clear communication · Collaboration · Customer focus · Leadership · Mentoring

Required

5+ years of hands‑on experience administering enterprise firewalls and VPNs (Cisco ASA/Firepower/FTD; Check Point)
Working knowledge of WAF technologies and web security (OWASP Top 10, TLS, mTLS, API security)
Strong command of TCP/IP, routing (OSPF/BGP), NAT, ACLs, IPS/IDS, and packet analysis
Experience with SIEM/log management (e.g., Splunk, QRadar, LogRhythm), network monitoring (e.g., SolarWinds), and configuration management
Familiarity with NERC CIP concepts and control implementations for Low and/or Medium Impact environments, or equivalent experience in other regulated OT/ICS environments (for example IEC 62443)
Solid documentation skills and experience operating within formal change management processes
Clear communicator able to translate complex security topics for plant operations, engineering, compliance, and leadership
Strong prioritization and execution in high‑availability environments; calm under pressure during incidents
Collaborative and customer‑focused; builds trusted relationships with site personnel and external partners
Bachelor's degree in Computer Science, Electrical/Computer Engineering, Information Security, or related field; or equivalent experience

Preferred

10+ years in network security with deep expertise in Cisco and Check Point ecosystems, including clustering/HA, threat defense, and advanced policy design
Proven leadership of firewall/WAF architecture in OT/ICS or critical infrastructure (utilities, energy, industrial)
Demonstrated experience interpreting and implementing NERC CIP requirements in Medium Impact control centers, including evidence management and audit support
Proficiency guiding incident response and problem management for high-availability environments; ability to mentor engineers and lead complex changes
Track record of evaluating, selecting, and integrating new technologies; experience with automation (e.g., Ansible, Python) and policy compliance tooling
Relevant certifications preferred: Cisco CCNP Security, CCIE Security (a plus); Check Point CCSA/CCSE; others a plus
Experience with the secure transport of with SCADA/EMS, plant DCS/RTUs/PLCs, and OT protocols (OPC, DNP3, Modbus)
Understanding of interconnections between substations, collector systems, BESS EMS, and corporate networks; secure data flows to forecasting, trading, and asset performance platforms
Knowledge of telecom links common in renewables (leased lines, microwave, LTE/private cellular) and secure backhaul to control centers
Awareness of site conditions (limited bandwidth, remote access constraints, environmental factors) and designing resilient, maintainable solutions
Vendor and contractor access management for maintenance, OEM support, and commissioning activities, with strong control over temporary access and logging
Safety and reliability mindset: change windows coordinated with grid operations, rollback plans, and fail‑safe configurations to avoid plant outages

Company

Brookfield Renewable U.S.

Brookfield Renewable U.S. develops and delivers renewable power solutions.

Funding

Current Stage
Late Stage

Leadership Team

Stephen Gallagher, CFA
Chief Executive Officer, Brookfield Renewable U.S.

Josh Garrett, CFA
Chief Financial Officer, TerraForm Power
Company data provided by crunchbase