Low impact doesn’t mean low cyber risk: Preparing for NERC CIP compliance


As the power industry evolves, threats and regulatory demands for low-impact facilities grow. Although cybersecurity programs for low impact bulk electric system (BES) facilities may not carry the same regulatory weight as those of their medium and high impact counterparts, these facilities are an attractive target for cyber adversaries.

Think of them as the ‘soft underbelly’ of the grid, an easy entry point for potential coordinated attacks. In addition, low impact BES facilities account for 80 to 85% of the total power facilities in the U.S. For this reason, regulators have turned their attention to them. In the October 2022 NERC CIP Low Impact Criteria Review Team Report (LICRT), regulators urged low impact facilities to close the following gaps:

  • Weak remote user authentication,  

  • Unprotected authentication data in transit,  

  • Undetected malicious communications,  

  • Insufficient physical access monitoring and  

  • Inadequate supply chain risk evaluation.  

The LICRT report recommendations, accepted by the NERC Board, led to the development of the CIP-003-11 standard, approved in December 2024. We offer a complete overview of these recommendations in our webinar, "Preparing for the future: compliance outlook for low impact facilities." In the meantime, let’s discuss ways to future-proof your low-impact facility below.

Preparing for the future: compliance outlook for low impact facilities

 Topics include:   

  • NERC CIP compliance for low-impact facilities 

  • The LICRT Report – why it matters 

  • CIP-003 and its updates 

  • How to fill the gaps for the upcoming updates 

  • Adding new systems to legacy environments 


IED management solutions for NERC CIP compliance: Automating security for low-impact BES facilities

Deploying an Intelligent Electronic Device (IED) management solution is a practical way to automate compliance and strengthen security. These tools provide detailed activity logs—making compliance easier while reducing manual workload. Automation is essential because when the number of low impact assets grows, manual processes become unsustainable. Access management tools, which use multi-factor authentication, can integrate with these solutions, providing a central source of security information. 

Modernizing legacy systems to meet NERC CIP-003: Strategies for securing low-impact facilities

Whether building new facilities or upgrading existing ones, updating asset inventories and performing site-specific risk assessments are foundational practices. The integration of advanced systems with legacy devices must be strategically managed to prevent the introduction of potential operational risks. Systematically disabling unused features and closely monitoring network modifications are critical to sustaining robust security. 

Act now: Strengthening cybersecurity and compliance for low-impact facilities

Waiting for regulatory deadlines is a risky strategy. Cyber threats are evolving faster than policies, and implementing new controls can take significant time and resources. Early adoption not only reduces risk, but also positions organizations as proactive leaders in resilience and security:

  • Begin implementing recommended changes now to ensure resilience and reduce risk. 

  • Regularly update asset inventories and network diagrams. 

  • Conduct site-specific risk assessments to tailor controls to your facility’s unique needs. 

  • Automate compliance processes to minimize manual effort and risk of errors. 

  • Plan for both financial and operational impacts, including outage schedules and deployment timelines. 

As NERC CIP standards continue to evolve, low impact facilities must prioritize cybersecurity not just for compliance, but for operational resilience and business continuity. Black & Veatch’s full suite of NERC CIP solutions protects your low, medium and high impact facilities with a robust cyber and physical security program, enhancing your safety, security and competitiveness in the marketplace. 
