South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis: a wave of cyber threats that could turn disruptions into catastrophic failures – attacks of a kind already happening internationally. As Eskom and a growing pool of Independent Power Producers (IPPs) digitise their operations, integrate renewables into the grid, and roll out smart meters, the country’s energy infrastructure is becoming a high-value target – and a dangerously vulnerable one.
A perfect storm of loadshedding and cyber risk
South Africa’s ongoing loadshedding crisis significantly increases the risk and potential impact of even smaller cyberattacks on the grid.
A sobering report on the UK and EU energy sector, recently published by KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, painted a picture of a worryingly active siege on critical infrastructure that is growing worldwide.
Rising cyberattacks are disconcerting for any grid, but the consequences are even more dire for grids that are already struggling.
Energy infrastructure under stress is far less resilient to additional shocks. According to the Council for Scientific and Industrial Research (CSIR), in a 2024 survey, 88% of South African organisations experienced at least one data breach in the past year, and almost half reported multiple incidents. The energy sector is firmly within this trend, with phishing emails and social engineering remaining primary entry points for attackers, including attempts to trick energy company staff into clicking malicious links.
During loadshedding, utilities rely on intricate, real-time load balancing across increasingly fragile networks. Cyberattacks exploiting this fragility – such as mass smart meter disconnects or fake load signals – would need far less effort to trigger instability or cascading failures than they would on a stable grid where supply isn’t constrained.
International case studies validate these fears, with KnowBe4’s 2025 EU Energy Report emphasising the cyber battlefield emerging around European utilities. In 2023 the International Energy Agency noted at an event in Paris that cyberattacks on EU utilities had more than doubled between 2020 and 2022, with attackers increasingly targeting operational technologies. The same vulnerabilities are being introduced locally as South Africa races to install more remote-controllable infrastructure.
The underestimated weak link: Smart meters
South Africa’s rollout of smart prepaid meters by Eskom and municipalities is meant to modernise revenue collection and demand management. But Deloitte South Africa found that IoT-style devices introduce a slew of new cybersecurity risks.
Smart meters are not inherently unsafe. New models use encryption protocols under the Standard Transfer Specification (STS), with tamper detection and secure firmware updates. However, real-world breaches reveal that it’s not always the meters themselves, but the backend systems that are compromised:
● In 2022, Eskom’s online token vending platform was breached internally, allowing illicit prepaid electricity tokens to be generated.
● In 2019, City Power’s IT systems were crippled by ransomware, preventing customers from topping up their prepaid electricity.
● Researchers globally have simulated attacks where compromised smart meters could trigger load oscillations, overwhelming substations and even whole energy grids.
These findings echo international concerns. The eFORT project funded by the EU found that manipulation of distributed energy devices, like smart meters and EV chargers, could trigger widespread outages.
In South Africa, where loadshedding already forces dynamic rebalancing of supply and demand, even a small-scale coordinated cyberattack on smart meters could have outsized effects.
Renewable expansion adds risks
The UK and EU experience shows that rapid decentralisation and renewables growth increase cyber risk. Europe’s shift to renewables has been accompanied by attacks on wind farms and solar installations, with 5 800 turbines in Germany knocked offline by a cyber disruption in 2022.
South Africa’s own decentralisation through Independent Power Producers (IPPs), and the reliance on remote monitoring of solar photovoltaic farms and wind facilities, replicate these vulnerabilities. Experts warn that many renewable operators lack hardened cybersecurity postures.
Even small gaps – such as using default passwords on control dashboards – can allow hackers to hijack systems.
This risk is magnified by geopolitical factors: while South Africa’s geopolitical alignment means it may not be a direct target, there is a growing concern that local infrastructure could be collateral damage or a testing ground for state-sponsored hackers, much as Ukraine’s grids were before the full-scale conflict began.
Skills shortages
Compounding the technical vulnerabilities is a severe shortage of cybersecurity skills. The CSIR reports that 63% of cybersecurity roles in South African companies are unfilled or only partially filled.
At the same time, only 32% of companies train a majority of their employees in cybersecurity – leaving the door wide open for phishing and social engineering attacks, still the top entry points into critical systems.
The exploitation of the human element is especially dangerous in energy infrastructure, where compromising just one employee’s credentials could provide a bridge into operational networks.
Resilience can’t wait
While South Africa has moved to introduce protections, such as the Critical Infrastructure Protection Act of 2019, enforcement and operational readiness lag behind. No major energy sites had been officially designated under the act as of late 2023 – the last public update around the issue by the government.
Building resilience must move from legislation to practical implementation:
● Critical sites must be formally designated and fortified – both digitally and physically.
● Utilities must secure smart meter backends better, encrypt communications end-to-end, and segment operational networks from administrative systems.
● Incident response plans must explicitly include cyberattack scenarios during loadshedding periods, not just normal operations.
● Real-time monitoring and anomaly detection must be mandatory for all IPPs connected to the grid.
● Ongoing security awareness training must be prioritised, particularly for frontline energy workers.
Martin Kraemer, security awareness advocate at KnowBe4, cautions that “the energy sector must take proactive steps to strengthen its cybersecurity defences”.
“The protection of critical infrastructure is paramount, as the research highlights how cyberattacks can cause widespread disruption across the energy sector, impacting everything from power generation to distribution. The need for continuous education, investment in threat detection technologies, and cross-border collaboration to safeguard power infrastructure against escalating cyber threats has never been more clear.”
As Europe’s energy security crises have demonstrated, cyber resilience is no longer an IT issue – it’s a national security imperative. For South Africa, where supply is already fragile, the consequences of inaction could be devastating. Fortifying the grid against cyberattacks is now as important as physically fortifying power stations themselves.