The resumption of load-shedding by Eskom recently has made organisations double-check that their business continuity plans are updated, and that their arrangements for power backups are in good shape. But it would be a mistake to think that load-shedding is the only issue relating to power, says Nadia Veeran-Patel, Manager: Cyber Resilience, ContinuitySA.

“The recent cyberattack on City of Johannesburg (CoJ) systems should be ringing alarm bells in every boardroom—it was a vivid demonstration of the fact that cyber-risk threatens other important systems, like power,” she warns. “We have to start thinking about, and laying plans for, the real possibility that the whole grid is somehow compromised. Load-shedding is a controlled process, this is something quite different, and the consequences are unpredictable at best.”

The CoJ cyber-attack meant that prepaid users could not purchase power, but its impact was limited to the financial systems. But what if the hackers had targeted the operational systems that control the grid, and showed their control by shutting it down? This is no fantasy: in September this year, hackers seem to have penetrated the US power grid.[1] There was no blackout but given the extent to which Russian hackers are probing the US power grid,[2] and the growing emphasis on cyber-terrorism and –warfare, it could happen anytime. Security experts warn that power grids are seen as a prime target for hackers.

Another important consideration is that while the US grid may prove to be a hard nut to crack, the fact that CoJ was also hacked in July this year implies that the utility does not take cybersecurity too seriously.

In addition, considering the state of Eskom’s network, if the economy does begin growing again, we will again face the spectre of the grid collapsing if anything goes wrong with the management of the load-shedding schedule.

“Companies should assess the risk of a more prolonged and pervasive power blackouts, and what their response should be,” Ms Veeran-Patel believes. “The infamous New York blackouts in 1977 and again in 2019, as well as the repeated blackouts in Venezuela, led to outbreaks of looting and the spectre of civic collapse,” she says. “A long blackout over a wide area will almost certainly result in unrest of some kind. The question is whether your organisation has prepared a plan to deal with this eventuality, and assessed the likelihood of its happening.”

Of course, this assessment would include internal plans for dealing with an extended power outage—extra generators, bigger fuel storage facilities and so on—but it also needs to take into account the state’s emergency response plans. As Ms Veeran-Patel points out, we know they exist but how, exactly, do we rate their efficacy? It will also be necessary to look at the impact on the organisation, paying particular attention to the domino effect: business partners, suppliers and customers will also be affected. So, too, will other utilities on which everybody depends, most notably water. No power means that reservoirs will run dry, as has already happened.

“As the Internet of Things takes off, not just power grids will get smarter, so will the water and transport grids. Greater use of IT will mean artificial intelligence can be deployed to make management of these resources more effective, but ironically will also make them more vulnerable to cybercriminals, especially as the proliferating number of sensors are unlikely to be well-protected,” she concludes. “Just how resilient is your organisation, really?”

[1] Brian Barrett, “Security news this week: An unprecedented cyberattack hit US power utilities”, Wired (7 September 2019), available at https://www.wired.com/story/power-grid-cyberattack-facebook-phone-numbers-security-news/.

[2] Lily May Newman, “Russian hackers haven’t stopped probing the US power grid”, Wired (28 November 2018), available at https://www.wired.com/story/russian-hackers-us-power-grid-attacks/.