South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis: a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.
As Eskom and a growing pool of independent power producers (IPPs) digitise their operations, integrate renewables into the grid, and roll out smart meters, the country’s energy infrastructure is becoming a high-value target – and a dangerously vulnerable one.
Loadshedding and cyber risk
South Africa’s ongoing loadshedding crisis significantly increases the risk and potential impact of even smaller cyberattacks on the grid. A report on the UK and EU energy sector recently published by KnowBe4 [1] painted a picture of a worryingly active siege on critical infrastructure growing worldwide.
As disconcerting as the risks to grids are with cyberattacks increasing, the consequences are even more dire for grids that are already struggling.
Energy infrastructure under stress is far less resilient to additional shocks. According to a 2024 survey [2] by the Council for Scientific and Industrial Research (CSIR), 88% of South African organisations experienced at least one data breach in the past year, and almost half reported multiple incidents. The energy sector is firmly within this trend, with phishing emails and social engineering remaining primary entry points for attackers, including attempts to trick energy company staff into clicking malicious links [3].
During loadshedding, utilities rely on intricate, real-time load balancing across increasingly fragile networks. Cyberattacks exploiting this fragility, such as mass smart meter disconnects or fake load signals, would need far less effort to trigger instability or cascading failures than they would on a stable grid where supply is not constrained.
International case studies validate these fears, with KnowBe4’s 2025 EU Energy Report emphasising the cyber battlefield emerging around European utilities. In 2023, the International Energy Agency noted at an event in Paris that cyberattacks on EU utilities had more than doubled between 2020 and 2022, with attackers increasingly targeting operational technologies. The same vulnerabilities are being introduced locally as South Africa races to install more remotely controllable infrastructure.
The underestimated weak link: Smart meters
South Africa’s rollout of smart prepaid meters by Eskom and municipalities is meant to modernise revenue collection and demand management, but Deloitte South Africa [4] found that IoT-style devices introduce a slew of new cybersecurity risks.
Smart meters are not inherently unsafe. New models use encryption protocols based on the Standard Transfer Specification (STS), with tamper detection and secure firmware updates. However, real-world breaches reveal that it is not always the meters themselves, but the backend systems that are compromised:
• In 2022, Eskom’s online token vending platform was breached internally, allowing illicit prepaid electricity tokens to be generated.
• In 2019, City Power’s IT systems were crippled by ransomware, preventing customers from topping up their prepaid electricity.
• Researchers globally have simulated attacks [5] in which compromised smart meters could trigger load oscillations, overwhelming substations and even entire energy grids.
These findings echo international concerns. The eFORT project, funded by the EU, found that manipulation of distributed energy devices, like smart meters and EV chargers, could trigger widespread outages. In South Africa, where loadshedding already forces dynamic rebalancing of supply and demand, even a small-scale coordinated cyberattack on smart meters could have outsized effects.
Renewable expansion adds risks
The UK and EU experiences show that rapid decentralisation and renewable energy growth increase cyber risk. Europe's shift to renewables has been accompanied by attacks on wind farms and solar installations, with 5800 turbines in Germany knocked offline due to a cyber disruption in 2022.
South Africa’s own decentralisation through independent power producers (IPPs) and the reliance on remote monitoring of solar photovoltaic farms and wind facilities replicate these vulnerabilities. Experts warn that many renewable energy operators lack robust cybersecurity postures. Even small gaps, such as using default passwords on control dashboards, can allow hackers to hijack systems.
This risk is magnified by geopolitical factors; while South Africa’s geopolitical alignment means it may not be a direct target, there is a growing concern that local infrastructure could be collateral damage or a testing ground for state-sponsored hackers, much as Ukraine’s grids were before the full-scale conflict began.
Skills shortages
Compounding the technical vulnerabilities is a severe shortage of cybersecurity skills. The CSIR reports that 63% of cybersecurity roles in South African companies are unfilled or only partially filled. At the same time, only 32% of companies train a majority of their employees in cybersecurity, leaving the door wide open for phishing and social engineering attacks, which are still the top entry points into critical systems.
The exploitation of the human element is especially dangerous in energy infrastructure, where compromising just one employee’s credentials could provide a bridge into operational networks.
Resilience cannot wait
While South Africa has moved to introduce protections, such as the Critical Infrastructure Protection Act of 2019, enforcement and operational readiness lag behind. As of late 2023, no major energy sites had been officially designated under the act, according to the last public update from the government. Building resilience must move from legislation to practical implementation:
• Critical sites must be formally designated and fortified, both digitally and physically.
• Utilities must secure smart meter backends better, encrypt communications end-to-end, and segment operational networks from administrative systems.
• Incident response plans must explicitly include cyberattack scenarios during loadshedding periods, not just normal operations.
• Real-time monitoring and anomaly detection must be mandatory for all IPPs connected to the grid.
• Ongoing security awareness training must be prioritised, particularly for frontline energy workers.
“The protection of critical infrastructure is paramount, as the research highlights how cyberattacks can cause widespread disruption across the energy sector, impacting everything from power generation to distribution. The need for continuous education, investment in threat detection technologies, and cross-border collaboration to safeguard power infrastructure against escalating cyberthreats has never been clearer.”
As Europe’s energy security crises have demonstrated, cyber resilience is no longer an IT issue; it is a national security imperative. For South Africa, where supply is already fragile, the consequences of inaction could be devastating. Fortifying the grid against cyberattacks is now as important as physically fortifying power stations themselves.
[References]
© Technews Publishing (Pty) Ltd. | All Rights Reserved.