The national electricity grid has reached a level of physical stability worthy of praise. As it increasingly decentralises, its digital footprint is growing too. The task now is to keep it equally stable amidst mounting cyber threats to its physical infrastructure.
South Africa’s energy landscape is undergoing its most profound structural shift in a century. A new, rapidly expanding and complex mesh of state utilities, independent power producers (IPPs), municipal micro-grids, and industrial self-generation projects is reshaping the foundation of the economy. While this decentralisation is the primary solution to the nation’s energy security crisis and the route to a ‘brighter’ future, it also represents a significantly expanded digital attack surface, where physical infrastructure stands with one foot in cyberspace and one in the real world.
As billions of rands flow into grid expansion and the integration of private power, the real test of our new energy architecture will be its digital resilience as much as the number of megawatts it carries. In a decentralised system, every connection point between a private producer and the public grid is a potential gateway for cyber-adversaries. We now have a duty to continue our work on a unified security blueprint, or else we risk trading the newly waning physical energy crisis for a systemic digital one.
The vulnerability of the connection point
The transition to a decentralised grid is, at its heart, a transition from isolated physical assets to hyper-connected digital ones. To manage the intermittent nature of renewables and the bidirectional flow of electricity, the grid relies on a sophisticated layer of information technology (IT) and operational technology (OT). These two worlds, once entirely separate, have now converged.
This convergence is occurring at a time when South Africa has become a primary target for global cybercrime. The danger lies in the integration. Whether it comes through cloud adoption for digital twins, advanced analytics and reporting, or through IPP interconnectivity, such as connections from solar or wind farms into the national transmission network, integration expands data flows and consequently the attack surface. If cybersecurity controls across these connection points are fragmented or inconsistent, a breach within a third-party private provider’s network could move laterally into national critical infrastructure.
An example emerged from Poland in late 2025, in an incident that prompted a global alert from the US Cybersecurity and Infrastructure Security Agency (CISA). The alert drove awareness of threats to energy infrastructure after the strike against wind and solar sites in Poland set the tone for the new risks faced by modernising grids worldwide.
Once inside, the attackers deployed destructive tools that crippled remote terminal units and wiped data on human-machine interfaces. While power production continued, the attack effectively blinded the operators, stripping away their ability to monitor or control the generation sites remotely. This incident serves as a global case study in the vulnerability of distributed energy resources, proving that in a modern grid, a breach at the edge can quickly lead to a total loss of operational visibility.
Learning from the ‘digital state of emergency’
We have already seen syndicates targeting our own South African metropolitan infrastructure. Massive breaches and ransomware attacks in recent years have served as critical industry lessons – some have even been dubbed digital “states of emergency”.
All of them now serve as foundational case studies in how digital disruptions have immediate, physical consequences for citizens. Cyber-adversaries aren’t content with just stealing data; they are also becoming focused on systemic disruption.
Smart meters as protected sovereign assets
The pioneering rollout of smart meters is a cornerstone of the national Load Reduction Elimination Programme. Eskom recently hit a major milestone of installing more than 500 000 smart meters targeted for load reduction feeders, and aims to install over 6 million smart meters in total within the next three years. The project has already freed around half a million people from load reduction cycles.
Smart meters are essential for managing demand and preventing blackouts, but because they also represent thousands of new gateways into the municipal and national grids, authorities have been working around the clock to ensure these world-class upgrades are also protected by world-class cybersecurity measures. The threats being hedged against highlight why the implementation of the Critical Infrastructure Protection Act (2019), which is now fully active, has become more vital than ever. It provides the legal framework to ensure that every asset – from a residential smart meter to a massive wind farm – is treated as a protected sovereign asset.
Moving toward a unified security fabric
Three forces are reshaping OT and cyber-physical systems (CPS) security at the same time. The first is AI, which accelerates both attack and defence, putting pressure on security response windows to shrink drastically. The second is governance and accountability, and the third is convergence and sovereignty.
When we consider these forces and what implications they have on a traditional cybersecurity approach – where treating each plant or substation as an isolated “island” protected by its own firewall is the standard – it becomes quite evident that the old model isn’t fit for purpose anymore. While tremendous progress in cybersecurity modernisation has been made, we cannot afford to rest on our laurels now.
True operational resilience requires a platform approach that allows security to scale through consistency, shared intelligence, common policy and simplicity. This can only be achieved by a fully integrated platform approach. While a platform offers many capabilities, three core capabilities are essential to shape today’s isolated and fractured security operating models into a modern platform operating model.
The three core capabilities are secure networking, sovereign SASE, and SecOps with OT context, all underpinned by natively integrated AI intelligence and protection. The outcome is Zero Trust Network Access (ZTNA) control with identity-based access for users and devices, role-based policy enforcement and continuous verification for each session. This allows organisations to secure the plant, connect safely with SD-WAN and SASE, and maintain full visibility and protection across the entire path (for example, from device to cloud or from wind turbine to central control centre) without sacrificing control or visibility.
A sovereign priority for progress
The decentralisation of South Africa’s energy sector is a major milestone for economic growth and stability. It represents an opportunity for the country to rapidly upgrade our energy infrastructure to a world-class, sustainable grid. However, this progress is only sustainable if it is built on a foundation of trust and integrity.
Securing the national power grid is key. If we treat cybersecurity as a sovereign priority – designing it into the very foundations of every new energy project and grid expansion – we can ensure that South Africa’s energy transition remains a success story. The future of our economy depends on keeping the lights on, but it also depends on ensuring the systems that control those lights remain unhackable.


