Anirban “Sunny” Ghosh is NERC CIP lead, global industrial cybersecurity, at Black & Veatch.
Under frameworks such as the North American Electric Reliability Corp.’s Critical Infrastructure Protection reliability standards, power facilities are classified by how much their loss would affect the wider grid’s reliability. A “low impact” designation reflects the grid’s ability to absorb the loss of a smaller generation facility without broader disruption.
System operators are increasingly building visibility into these environments, strengthening configurations and setting internal standards that go beyond compliance.
That shift reflects a growing recognition: NERC CIP “low impact” is a reliability term, not a security risk rating. The designation was never intended to represent low cyber risk. As a result, new approaches are taking shape as operators at generation facilities begin to recognize this gap.
Past versus present
Consider the realities of today’s grid. The power grid is built to handle an outage at one major facility. For example, if a single small power plant (considered “low impact” in NERC terms) goes offline, others can usually pick up the slack. But the real danger is if many smaller facilities fail at once. At that point, what might have been a contained incident becomes something broader.
In addition, the grid itself has changed. It now incorporates a growing number of smaller, distributed sources of power, including battery storage, wind and solar farms and other distributed energy resources. Grids established decades ago were not designed for these additional power sources and complex two-way power flows.
These resources are connected and coordinated through control systems. When one site goes offline, utilities can compensate by adjusting generation output elsewhere. But when multiple sources are lost simultaneously, it can strain the grid’s stability — for instance, making it difficult to keep frequency and voltage within safe limits.
The result: the grid’s frequency and voltage must remain within tight thresholds to remain stable. When the thresholds are exceeded, automatic protection systems are designed to respond. Safety systems jump in to protect equipment, and may disconnect some power plants or power lines to prevent physical damage.
While these are necessary and intentional safeguards, these actions can also trigger outages as the grid stabilizes — a technology challenge that grows as the grid becomes more interconnected and automated, with less margin to absorb multiple disruptions at once.
Assumptions versus reality
When it comes to updating regulations, the drafting and approval process can take years, followed by additional time before new compliance requirements are enforced. By then, the operating and threat environment has often shifted again. As a result, a facility can be 100% compliant with yesterday’s rules yet still have security gaps against today’s challenges.
The classification itself can also reinforce misplaced assumptions. A “low impact” designation is often interpreted to mean lower priority or reduced need for attention. Although there is a growing change in awareness, that mindset still persists in the field.
Another common assumption is that cybersecurity has already been addressed by the vendor. If equipment is sourced from a well‑known supplier, it is often presumed to be secure by default, but that may not in fact be the case.
Vendors might build security features into their products, but security really depends on how systems are configured, integrated and maintained over time to effectively utilize those features. When those elements are not actively managed, the features themselves offer limited protection. In those situations, compliance becomes the objective rather than the baseline, and that is where gaps emerge.
In assessing these sites, the findings are rarely isolated and tend to follow a pattern. Older equipment remains in place alongside newer digital control systems. Over time, companies add remote network connections to equipment that was originally designed to stand alone. Devices end up operating in architectures they were never designed to support.
Additionally, documentation often lags behind reality. Network diagrams and equipment lists no longer reflect what is actually in the field. Changes or upgrades get made incrementally over time but not always recorded. Personnel transitioned, systems were upgraded and, gradually, the documented view of the environment drifted from the actual one. Without seeing the full picture, it becomes difficult to make meaningful claims about cybersecurity.
Finally, day‑to‑day operational issues like unpatched systems, inconsistently tracked changes and unreviewed access can add up to significant cyber risk. Risk accumulates from a gradual buildup of unresolved issues, rather than through a single failure. Individually, these facilities continue to behave as the traditional grid model anticipates: one goes offline, the system compensates. That remains manageable. But today’s grid no longer relies on a small number of large assets. It depends on many smaller ones.
The time to address these realities is now.
A practical starting point
To ensure facility resiliency, the first question to answer is a simple one: Do you know what you have? Not what you believe is there, but what is truly in place.
That requires a current asset inventory, accurate network documentation and a clear understanding of how systems are connected. Without that foundation, subsequent actions tend to be reactive to surprises rather than intentional.
Practical steps can be taken immediately. Assets that are no longer reliable, supported or secured should be isolated. Out-of-date systems should be updated and hardened where appropriate.
Access management is another critical consideration, particularly with remote access, to understand who has access, how it is provisioned and whether activity is monitored. This includes setting up logging and monitoring so every remote login and action is recorded and checked in real time, not just looked at after the fact. Visibility should be real‑time, not retrospective.
Network architecture plays a central role, as well. How groups of systems are segmented, what they can reach and how traffic is controlled within and outside the networks often determine where risk concentrates.
Forward-thinking companies are choosing not to wait for regulations to evolve once these realities become clear. Owners of facilities classified as “low impact” are now building their sites to higher security standards, and working to define appropriate cybersecurity requirements and uphold clearer and safer expectations.
Building better security often starts on day one — choosing devices with built-in security functionality and capabilities required to secure them — and continues through configuration, operation and ongoing maintenance.
It also starts earlier than many expect. Security decisions made during design, construction and commissioning shape outcomes long before operations begin. Controls and checks are needed at each stage, not just at the end.
The classification has not changed. The world around it has. “Low impact” still describes what happens when one facility goes offline. It does not describe what happens when several do.
The good news is that this risk is manageable. With the right visibility and design choices, owners can strengthen these environments and remain ahead of any challenges a more connected grid brings.
