BES Cyber System Categorization Under NERC CIP-002

Every NERC CIP program stands or falls on one decision made early and revisited rarely: how you categorize your BES Cyber Systems under CIP-002. Get the impact rating wrong and you either over-spend on controls you do not owe or, far worse, leave a high-impact asset governed by low-impact obligations. Z Cyber runs this categorization work as your operating partner, on the Glance platform, so the foundation of your compliance program is defensible from the first audit to the last.
CIP-002 is short. It is also the single most consequential standard in the entire NERC Critical Infrastructure Protection family, because it is the gate that decides which other requirements apply to which assets. A misjudgment here does not stay contained. It propagates into CIP-003 through CIP-011, into your evidence repository, and into every Regional Entity audit for years. This guide explains how BES Cyber System categorization actually works, where responsible entities go wrong, and how Z Cyber operates the process on your behalf so it holds up under scrutiny.
What CIP-002 actually requires
NERC Reliability Standard CIP-002-5.1a requires each responsible entity to identify and categorize its BES Cyber Systems according to a High, Medium, or Low impact rating. The categorization is not a formality. It is the controlling input that determines the scope of every downstream CIP obligation. The criteria for the three impact levels live in CIP-002 Attachment 1, and the standard requires that the identification and categorization be reviewed and approved by the CIP Senior Manager or a delegate at least once every 15 calendar months.
The mechanics begin with two foundational definitions that the rest of the program inherits. Understanding them precisely is the difference between a clean audit and a Potential Noncompliance finding.
BES Cyber Asset versus BES Cyber System
A BES Cyber Asset is a Cyber Asset that, if rendered unavailable, degraded, or misused, would within 15 minutes adversely impact the reliable operation of the Bulk Electric System. The 15-minute window is the hinge of the entire definition. It is not a measure of how fast an attacker moves. It is a measure of how quickly the loss of that asset would degrade reliability. If the impact would manifest within that window, the asset is in scope. If the consequence is slower or indirect, it may fall outside.
A BES Cyber System is a grouping of one or more BES Cyber Assets logically grouped by the responsible entity to perform one or more reliability tasks. Grouping is a deliberate engineering and compliance decision, not an afterthought. How you draw the boundary around a BES Cyber System shapes your electronic security perimeters, your access management scope, and the volume of evidence you maintain. Group too broadly and you pull low-consequence assets into a high-impact regime. Group too narrowly and you fragment your program into an unmanageable sprawl of perimeters.
This is precisely the kind of judgment that benefits from an operating partner who has drawn these boundaries before. Z Cyber's forward-deployed team works alongside your engineers to define groupings that are both defensible to an auditor and operationally sane to maintain. The boundaries are then modeled in Glance, our AI-native GRC platform, so the categorization, the rationale, and the supporting evidence all live in one place rather than scattered across spreadsheets.
Not sure where your BES Cyber System boundaries should fall?
Z Cyber runs CIP-002 categorization as your operating partner, from asset inventory to defensible impact ratings.
The three impact ratings and what triggers each
Attachment 1 sorts BES Cyber Systems into three tiers using a set of bright-line criteria. The tiers are not subjective. They are driven by the function the system supports and, for many facilities, by quantitative thresholds. The table below summarizes the qualitative shape of each tier. The exact numeric cutoffs and functional obligations are defined in CIP-002 Attachment 1 and the NERC Glossary, and your specific facilities must be measured against the current text of the standard, not a paraphrase.
| Impact rating | Typically covers | CIP obligations that apply |
|---|---|---|
| High | Large control centers performing specific functional obligations for the Bulk Electric System, such as those associated with Reliability Coordinator, Balancing Authority, Transmission Operator, and Generator Operator functions at scale. | Full set of controls across CIP-003 through CIP-011. |
| Medium | Generation and transmission facilities meeting specific bright-line thresholds in Attachment 1. This includes certain large generating plants, transmission facilities operated at higher voltage levels or meeting an aggregate weighted-value criterion, and certain control centers. | Full set of controls across CIP-003 through CIP-011. |
| Low | BES assets that contain a BES Cyber System but do not meet any High or Medium criterion. This is the default residual category. | A reduced set of obligations, governed largely by CIP-003. |
Two thresholds are worth describing at a high level because they drive a large share of Medium-impact determinations. On the generation side, Attachment 1 uses a single-plant capacity concept centered on the 1500 MW level to pull larger generating facilities into the Medium tier. On the transmission side, Attachment 1 uses a weighted-value methodology that assigns point values to facilities by voltage and sums them to a threshold, so a collection of transmission elements can aggregate into a Medium rating even when no single element would on its own. The precise point values, voltage bands, and aggregate cutoff are specified in the standard. Treat any number you carry in your head as a starting hypothesis to be verified against the current Attachment 1 text, not as a settled fact.
The difference between High, Medium, and Low in practice
The practical gap between the tiers is enormous, and it is almost entirely about scope of obligation rather than the nature of the controls. High and Medium impact BES Cyber Systems carry the full weight of CIP-003 through CIP-011: security management controls, personnel and training, electronic security perimeters, physical security, system security management, incident reporting and response planning, recovery plans, configuration change management and vulnerability assessments, and information protection. Low impact systems sit under a materially reduced regime, with the core obligations flowing through CIP-003 and its associated requirements for cyber security policies, physical and electronic access controls, and incident response.
The reason categorization is so unforgiving is that the rating you assign silently selects which of those obligations you are on the hook to evidence. An asset misclassified as Low when it should be Medium is not merely under-protected. It is also under-documented, under-tested, and under-reviewed against an entire body of requirements an auditor expects to see satisfied. The finding, when it comes, is rarely a single control gap. It is a systemic scope failure.
If your portfolio spans both the energy sector and industrial control environments that also touch IEC 62443, the categorization logic and the relationship between the two regimes deserve a deliberate read. Our comparison of IEC 62443 versus NERC CIP lays out where the frameworks converge and where they diverge.
How often categorization must be reviewed
CIP-002 requires that the identification and categorization of BES Cyber Systems be reviewed, and the result approved by the CIP Senior Manager or delegate, at least once every 15 calendar months. The 15-month cycle is not a suggestion. A lapse in the review and approval is itself a compliance violation, independent of whether any underlying categorization changed.
The trap is treating the 15-month review as a calendar event rather than a living process. Categorization should be re-evaluated whenever the underlying facts change: a plant uprate that crosses the generation threshold, a new transmission line that tips a weighted-value calculation, a control center taking on a new functional obligation, or the commissioning of new cyber assets inside an existing BES Cyber System. Z Cyber runs the categorization as a continuously maintained asset model in Glance, with the 15-month attestation tracked as a hard deadline and triggered re-evaluations tied to change events, so the periodic approval is a confirmation of work already done rather than a scramble.
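As an added illustration (not the page's or Z Cyber's code, and not the Glance model) serving both the thresholds paragraph earlier and this review-cadence section, here is a small Python rule engine that applies the generation, high-voltage and weighted-value criteria to a constructed facility inventory and computes the 15-month review deadline. The threshold constants and point table are what I recall from CIP-002-5.1a Attachment 1 criteria 2.1, 2.4 and 2.5; they are assumptions to be verified against the current published text, exactly as the thresholds paragraph advises, and the Facility fields are invented for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
# Attachment 1 values as recalled from CIP-002-5.1a criteria 2.1, 2.4 and 2.5: ASSUMED here,
# verify each against the current published standard before relying on it.
GEN_MW_THRESHOLD = 1500          # 2.1: plant aggregate capacity exceeding this -> Medium
HV_KV_THRESHOLD = 500            # 2.4: any element operated at or above this -> Medium
WEIGHTED_VALUE_THRESHOLD = 3000  # 2.5: aggregate weighted value exceeding this -> Medium
MIN_CONNECTED_STATIONS = 3       # 2.5: station must connect at 200 kV+ to this many others
REVIEW_CYCLE_MONTHS = 15         # CIP-002 review-and-approve cadence
def line_points(kv: float) -> int:
    # 2.5 table (assumed): 200-299 kV -> 700, 300-499 kV -> 1300, else 0 (500 kV+ is Medium via 2.4).
    if 200 <= kv < 300:
        return 700
    if 300 <= kv < 500:
        return 1300
    return 0

@dataclass
class Facility:
    name: str
    gen_units_mw: list = field(default_factory=list)  # highest rating of each generating unit
    line_kv: list = field(default_factory=list)       # operating voltage of each line at the station
    connected_stations_200kv: int = 0                 # other stations connected at 200 kV or higher
    high_control_center: bool = False                 # High (1.x) criteria are function-based; analyst sets
    last_approved: Optional[date] = None              # CIP Senior Manager (or delegate) approval date

def weighted_value(f: Facility) -> int:
    return sum(line_points(kv) for kv in f.line_kv)

def impact_rating(f: Facility) -> str:
    # Apply the bright-line criteria in order; Low is the residual category, not an exemption.
    if f.high_control_center:
        return "High"
    if sum(f.gen_units_mw) > GEN_MW_THRESHOLD or any(kv >= HV_KV_THRESHOLD for kv in f.line_kv):
        return "Medium"  # 2.1 or 2.4 met by a single plant or element
    if f.connected_stations_200kv >= MIN_CONNECTED_STATIONS and weighted_value(f) > WEIGHTED_VALUE_THRESHOLD:
        return "Medium"  # 2.5: elements individually below the bar aggregate to Medium
    return "Low"

def review_due(last_approved: date) -> date:
    # 15 calendar months after the last approval, clamped to the last day of the target month.
    m = last_approved.month - 1 + REVIEW_CYCLE_MONTHS
    y, m = last_approved.year + m // 12, m % 12 + 1
    return date(y, m, min(last_approved.day, calendar.monthrange(y, m)[1]))

def review_overdue(f: Facility, today: date) -> bool:
    return f.last_approved is None or today > review_due(f.last_approved)
```

A change event (uprate, new line, new cyber asset) is handled by editing the Facility record and re-running impact_rating, so the periodic approval confirms a rating that is already current.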
Where responsible entities get it wrong
Most categorization failures are not exotic. They cluster into a handful of recurring patterns that Z Cyber's team has seen across the sector:
- Stale inventories. The asset list that fed the original categorization drifts out of sync with the plant. New devices appear inside a BES Cyber System and never get evaluated.
- Boundary games. Groupings drawn to minimize obligation rather than to reflect engineering reality. These do not survive a determined auditor.
- Misreading the 15-minute test. Treating it as a measure of attacker speed rather than reliability impact, and excluding assets that belong in scope.
- Weighted-value miscalculation. Aggregating transmission facilities incorrectly and landing on Low when the points sum to Medium.
- Treating Low as out of scope. Low impact is a reduced regime, not an exemption. CIP-003 obligations still apply.
- Letting the 15-month clock lapse. The review and approval cadence slips, creating a violation even where the categorization itself is correct.
For a structured walk through the full set of obligations that flow from your categorization, work through our NERC CIP compliance checklist for 2026. It maps each standard to the evidence an auditor will expect, organized by impact rating.
How Z Cyber operates CIP-002 for utilities
Z Cyber is a cybersecurity operating partner, not a software vendor you license and then run yourself. For electric and energy utilities, that means a dedicated, forward-deployed team that does the categorization work with you and then keeps it current. We build the BES Cyber Asset inventory, apply the 15-minute reliability test asset by asset, draw BES Cyber System boundaries that are both defensible and operationally workable, run the Attachment 1 criteria including the generation capacity and transmission weighted-value tests, and produce the impact ratings with the rationale documented for audit. All of it is modeled and maintained in Glance, our AI-native GRC platform, where the categorization, its justification, the 15-month attestation, and the downstream CIP-003 through CIP-011 evidence are linked rather than siloed.
The result is a categorization that is current, traceable, and ready for your Regional Entity. Because Glance holds the full chain from asset to impact rating to control to evidence, an audit request becomes a query rather than a fire drill. To see how Z Cyber supports the energy sector specifically, visit our page for utilities and energy providers.
Make CIP-002 the strongest part of your program, not the weakest.
Let Z Cyber's forward-deployed team run your BES Cyber System categorization on Glance.
For the authoritative text of the standard and Attachment 1 criteria, consult the official standard on the NERC CIP Standards page. Categorize against the current published version, because the criteria and definitions are subject to revision, and your program is only as defensible as the version of the standard you measured against.
Frequently Asked Questions
What is a BES Cyber System?
A BES Cyber System is a grouping of one or more BES Cyber Assets that the responsible entity logically groups to perform one or more reliability tasks. A BES Cyber Asset is a Cyber Asset that, if rendered unavailable, degraded, or misused, would within 15 minutes adversely impact the reliable operation of the Bulk Electric System.
How are BES Cyber Systems categorized under CIP-002?
NERC CIP-002-5.1a requires responsible entities to identify and categorize each BES Cyber System with a High, Medium, or Low impact rating using the bright-line criteria in CIP-002 Attachment 1. The rating is driven by the function the system supports and, for many facilities, by quantitative thresholds such as generation capacity and transmission weighted value.
What is the difference between high, medium, and low impact?
High impact typically covers large control centers performing specific functional obligations. Medium impact covers generation and transmission facilities that meet the bright-line thresholds in Attachment 1. Low impact covers BES assets with a BES Cyber System that do not meet any High or Medium criterion. High and Medium impact systems carry the full CIP-003 through CIP-011 obligations, while Low impact has a reduced set governed largely by CIP-003.
How often must CIP-002 categorization be reviewed?
The identification and categorization of BES Cyber Systems must be reviewed and approved by the CIP Senior Manager or delegate at least once every 15 calendar months. A lapse in the review and approval is itself a compliance violation, independent of whether the categorization changed.