Cybersecurity is no longer just an information technology (IT) issue – it’s an operational risk that could trigger grid instability, disrupt load balancing and compromise independent power producer (IPP) generation capacity if not addressed with urgency, says Martin Kraemer, Security Awareness Advocate at KnowBe4.
South Africa’s power sector is already stretched thin. Load shedding forces operators to walk a constant tightrope between supply and demand, leaving little room for error – or for sabotage. Yet, despite this fragility, the sector is rapidly digitising: rolling out smart meters, onboarding IPPs with remote access capabilities and managing systems through increasingly interconnected platforms.
Every new digital interface expands the attack surface. As recent events have shown – from the breach of Eskom’s token vending platform to ransomware attacks at City Power – attackers don’t need to take down the grid to cause chaos. They only need to disrupt the systems we now rely on to manage it.
This is not unique to South Africa. In Europe, the number of cyberattacks on utilities doubled between 2020 and 2022. In one case, 5 800 wind turbines were knocked offline in Germany. Globally, researchers have simulated how compromised smart meters and electric vehicle chargers can be used to destabilise substations and overload feeders. These aren’t distant hypotheticals. The technology – and the risk – already exist in our market.
We need to act on three fronts:
- Smart meter infrastructure must be protected from end to end. It’s not enough that the meters themselves are Standard Transfer Specification-compliant or tamper-proof. The backend systems – the platforms that authorise tokens, store user data and connect to financial systems – are often where attackers strike. These must be segmented, encrypted and monitored continuously.
- We must enforce minimum cybersecurity standards for IPPs. Many renewable operators are startups or smaller firms without in-house security teams. They may use default passwords, unsecured dashboards or outdated firmware – vulnerabilities that could expose the broader grid to risk. If an IPP is feeding power into the national system, it should meet basic security criteria as a condition of connection.
- We must finally implement the Critical Infrastructure Protection Act of 2019. As of late 2023, no energy sites have been formally designated. Without this designation, we lack the enforcement muscle and coordinated response capacity to deal with a serious attack. The law exists. What’s missing is implementation.
Beyond the technical fixes, we must also address the human factor. Phishing and social engineering remain the number one entry point for attackers. Yet the Council for Scientific and Industrial Research reports that 63% of cybersecurity roles in South African organisations are unfilled. Only 32% of companies train a majority of staff. This leaves control room operators, engineers and support teams exposed – often without even knowing it.
Cybersecurity is not an IT budget line. It’s a pillar of grid stability. In a country already managing daily supply constraints, we cannot afford to wait until a crisis to act.
