
Are You Really Low Impact? CIP-002-8 May Be Raising Your Compliance Requirements

October 6, 2025

Updates expected in CIP-002-8 refine how certain Control Centers and their associated BES Cyber Systems are categorized, bringing greater clarity to what truly counts as “low” or “medium” impact. The goal is to right-size risk across the grid: ensuring that smaller but operationally significant Transmission Owner (TO) and Transmission Operator (TOP) control footprints are properly classified, while providing a data-driven off-ramp for truly local, load-serving areas.

That clarification means some organizations that long considered their systems low impact may now fall into the medium impact category, triggering additional compliance obligations.

Background

CIP-002-8 was adopted by the NERC Board of Trustees in December 2024 and filed with FERC (Docket RD25-8-000), where it now awaits formal approval and implementation timelines. While enforcement is not yet in effect, entities should begin reviewing how their systems will be categorized under the new criteria.

CIP-002 has always been the scoping standard — the foundation for all other NERC CIP requirements. It determines which of your systems count as BES Cyber Systems, and therefore, which standards apply. The latest revision, CIP-002-8, keeps that familiar structure but tightens how Control Centers are evaluated and introduces a quantifiable test to determine impact level.

Here’s what’s driving the change:

  • Control Centers are now more clearly defined. If you’re a Transmission Owner (TO) with the capability to operate BES facilities at multiple locations through SCADA, you may now fall squarely under the Control Center definition — even if a third-party TOP holds operational authority.
  • Defined scoring replaces guesswork. A new weighted scoring system determines whether your Control Center qualifies as Medium Impact. Once your total hits the threshold, there’s no gray area.
  • Some “Low Impact” entities are being recategorized. For many, this shift means new requirements for authentication, monitoring, and evidence.

Doing the math

If you want to see what that looks like in practice:

  • Under Attachment 1, Criterion 2.12, Control Centers that monitor and control BES Transmission Lines must now calculate an Aggregated Weighted Value (AWV).
  • Each line adds points based on voltage class. If the total AWV reaches 6,000 or higher, the Control Center is Medium Impact.
  • A local load-serving “bubble” exclusion can apply if the network is smaller (typically <300 kV), exports ≤ 75 MWh per hour, and has an overall AWV < 12,000.

These examples aren’t exhaustive, but they highlight how the new math pulls more assets into Medium Impact territory — and why “we’re still Low” may no longer be a safe assumption.

Patrick Miller does a great job explaining how to calculate the Aggregated Weighted Value (AWV), interpret the counting rules, and assess whether you qualify for the local load-serving exclusion in his blog on AmpyxCyber.com. His breakdown translates the drafting language into straightforward examples you can apply directly.

For the definitive source, refer to the NERC CIP-002-8 technical rationale and redline documents, which detail the official definitions, formulas, and implementation timelines.

Why This Matters

Moving from Low to Medium Impact isn’t just a line change in your compliance spreadsheet. It means:

  • Stronger identity and access controls
  • Expanded monitoring and logging obligations
  • More rigorous documentation and evidence retention requirements

If you’re not already preparing, now is the time to:

  1. Review your control capabilities — not just your authority.
  2. Calculate your AWV and see where you land.
  3. Document your justification (especially if you believe you qualify for the exclusion).

As compliance expectations rise, visibility and automation become your best allies. With Industrial Defender, asset owners and operators can make the transition from Low to Medium Impact much smoother by:

  • Maintaining a complete OT asset inventory that supports classification and scope definition
  • Monitoring configurations, vulnerabilities, and logs to meet enhanced security and reporting requirements
  • Automatically generating defensible evidence for audits and assessments

Industrial Defender helps you turn compliance into confidence — ensuring that when auditors come calling, you have clear data, organized records, and the right systems in place to prove your compliance posture.

Reach out to our team if you need help tackling NERC CIP challenges here: https://www.industrialdefender.com/contact-us