On 25 July 2019, the City of Johannesburg's electricity service provider, City Power, suffered a ransomware attack which encrypted its databases, applications and network. The attack disabled the utility's website and prevented customers from purchasing electricity from the utility, potentially impacting up to a quarter of a million customers. In addition, City Power was delayed in responding to localised blackouts, leaving several suburbs in the dark, as its systems were unable to efficiently detect faults in the entity's distribution system.
Similarly, in March 2022, South Africa's state-owned national electricity utility, Eskom, which generates and distributes the majority of South Africa's electricity, suffered a ransomware attack. During the attack, crucial information from the company's servers was offered for sale by the hackers on the dark web.
A matter of particular concern is the vulnerability of generation and distribution assets in South Africa to cyber security threats. Whilst there has been no publicised event in which an Eskom power station or a private renewable energy company's generating assets have been attacked, the threat of this cannot be discounted as many such attacks have been observed overseas. A prominent example is the cyberattack suffered by a European wind turbine manufacturer whose satellite connection, remote monitoring and control of its wind turbines were disrupted. The disruption affected approximately 5800 wind turbines or the equivalent of 11 gigawatts of installed capacity. Fortunately, power supply stability could be maintained as the affected wind turbines switched to automatic mode, thus allowing them to operate despite the disruption. However, the attack necessitated lengthy and costly upgrades to the company's hardware and software, and it took several months to restore the connection with all of the affected wind turbines.
The above examples represent, amongst other threats, an attack on a company's ability to generate revenue and to maintain the functioning of its critical infrastructure, a data breach of sensitive information and a disruption of communication between a company and its generating assets.
Increasingly, these threats represent a hybrid threat to both a company's cyber space (e.g. an online payment system) and its physical assets (e.g. the operation of generating assets). Such a threat clearly necessitates increased cyber security resilience from a practical, IT and legal perspective.
Statutory and contractual obligations on energy clients to ensure cyber security resilience
In its most basic form, cyber security resilience refers to specific measures or strategies developed, implemented and monitored by an organisation both to reduce the risk of a cyberattack and, upon its occurrence, to mitigate its effect.
This could include taking preventative technical and organisational steps to reduce the risk of a successful cyberattack and, upon the occurrence of an attack, establishing or activating a response team, identifying the breadth and depth of the risk, containing it and, once the initial threat vector has been established, recovering and building back stronger from the cyberattack.
We believe that the development, implementation and monitoring of a cyber resilience strategy may become a contractual and/or statutory obligation in the South African energy sector.
In respect of statutory obligations, entities in the energy sector should familiarise themselves with the Critical Infrastructure Protection Act No 8 of 2019 ("CIPA"; in force since 1 April 2022).
Under CIPA Chapter 4, a 'person in control' of any 'infrastructure' which has been declared as 'critical infrastructure' by the Minister of Police must take such steps as may be prescribed to them by the Minister of Police to 'secure' such 'critical infrastructure'. Subject only to certain narrow exceptions, it is the 'person in control' of a 'critical infrastructure' who shall bear the cost and responsibility of implementing the required security measures and who must appoint a person to oversee the fulfilment of these duties.
CIPA defines the term 'security' as including, but not limited to, (i) physical security, (ii) contingency plans applicable to critical infrastructure and (iii) measures aimed at protecting critical infrastructure. We believe the obligation to develop and implement a cyber resilience strategy will form part of the security measures, in terms of items (ii) and (iii) above, that must be taken once 'infrastructure' is declared 'critical infrastructure'. We note, however, that no 'infrastructure' has yet been declared as 'critical infrastructure' as per Chapter 3 of CIPA.
Nevertheless, given the significant consequences for a company of a hybrid cyberattack, we anticipate that contractual obligations will become increasingly prevalent, as these do not require a legislative process to be followed before being put in place and the extent of the obligations is subject to negotiation between parties, who may freely draw inspiration from common practices abroad.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.