2025-07-17

On 23 December 2015, about 23,000 residents of western Ukraine found themselves without electricity. The cause? An advanced persistent threat (APT) — that is, a non-state actor, often a proxy for a nation-state, hacking into the power grid and turning off local substations.

While that incident was later traced to a Russian-backed APT, it was the first noted example of a power grid being disabled by cyberattacks. That was almost a decade ago — connectivity, and the corresponding vulnerability, have only accelerated since then.

“In today’s world, you don’t need to physically access infrastructure to disable it. You can disable it from a continent away. That’s the terrifying shift in power we’ve seen in cyberwarfare,” says cybersecurity firm ESET’s chief security evangelist Tony Anscombe. With more than 25 years of cybersecurity experience, Anscombe paints a picture of both a capable state and private sector where not enough attention is being devoted to the threat that cyberattacks pose.

Despite producing world-class cybersecurity experts, South Africa’s infrastructure is lagging — and increasingly in the crosshairs of both cybercriminals and state-aligned attackers. Prominent breaches such as those at the South African National Defence Force (SANDF), the Government Employees Pension Fund, and the National Health Laboratories Services show that this is no longer just a consumer nuisance — it’s costing the country billions, and is a national security vulnerability. The 2023 SANDF breach exposed both classified data and President Cyril Ramaphosa’s personal contact details — underscoring how deeply these attacks can cut.

(Not) OK computer

South Africa has featured prominently in cybersecurity reports over recent years, especially with regard to our continental performance — and not in a good way.

South Africa’s connected society and developed telecoms make it a prime target for cybercriminals.

Interpol’s Africa Cyberthreat Assessment Report of 2025 placed us fifth on the continent in terms of suspected scam attacks, and second in terms of cybercrime detections. This underscores both the benefits — and pitfalls — of our connectivity: we can better detect attacks, but we’re also more likely to be targeted.

While this offers some defensive potential, South Africa’s rapid digitisation without legislative guardrails has left critical systems exposed. The infrastructure that governs water flow, power grids and chemical treatments is increasingly vulnerable to manipulation by both cybercriminals and hostile states.

If this seems remote, recall that cyberattacks during the Israel-Iran conflict were used to cause actual flooding in Israeli towns. The 2010 Stuxnet virus reportedly sabotaged Iranian nuclear centrifuges. These are not sci-fi threats — they’re documented precedents.

And they’re not limited to global players.

“We’ve also seen things like the Uganda water treatment system being targeted,” Check Point’s global research group manager Eli Smadja said. “That’s a real infrastructure breach. It wasn’t publicised much, but the fingerprints were there. If they can go for Uganda, they can go for anyone.”

Target-rich environment

“South Africa is actually among the most attacked countries in Africa, but also one of the most capable at detecting and reporting,” continued Smadja. “That makes it a double-edged sword: threat actors know there’s infrastructure to exploit, but defenders are watching.

“We monitor threat activity across Africa. The same techniques used in Ukraine are now being adapted here — and we’ve observed probes in South African infrastructure,” he said.

According to Smadja, this isn’t hypothetical.

“We’ve seen entire playbooks reused — reconnaissance activity, credential stuffing, port scanning — these are standard steps before a full-scale intrusion.”

Check Point has also observed code injections targeting legacy industrial control systems. Probes into protocol vulnerabilities, particularly on outdated systems, often come from known botnets and command-and-control servers.
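The reconnaissance steps described above (credential stuffing, port scanning, probes against industrial protocols) leave traces in ordinary authentication and firewall logs. As an added example, not code from the article, Check Point or ESET, the script below runs two simple detections over constructed sample log lines: a source that fails authentication against many distinct usernames, and a source that touches many distinct ports, with well-known ICS protocol ports (Modbus/TCP 502, S7comm 102, DNP3 20000, EtherNet/IP 44818) called out separately. The log format and IP addresses are invented for the illustration.

```python
"""Detect two reconnaissance patterns in constructed firewall/auth logs:
credential stuffing (one source, many distinct usernames failing) and
port scanning (one source, many distinct destination ports)."""
import re
from collections import defaultdict

# Well-known ICS/SCADA protocol ports; a scan touching these is of higher
# concern when the network hosts industrial controllers.
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed sample log lines (not from the article). Format:
# <timestamp> <src_ip> <event> <key=value ...>
SAMPLE_LOGS = """\
2025-07-01T10:00:01 203.0.113.7 AUTH_FAIL user=admin
2025-07-01T10:00:02 203.0.113.7 AUTH_FAIL user=operator
2025-07-01T10:00:02 203.0.113.7 AUTH_FAIL user=scada
2025-07-01T10:00:03 203.0.113.7 AUTH_FAIL user=root
2025-07-01T10:00:04 203.0.113.7 AUTH_FAIL user=guest
2025-07-01T10:00:05 203.0.113.7 AUTH_OK user=guest
2025-07-01T10:01:00 10.0.5.21 AUTH_FAIL user=jsmith
2025-07-01T10:01:09 10.0.5.21 AUTH_OK user=jsmith
2025-07-01T10:02:00 198.51.100.9 CONN dport=21
2025-07-01T10:02:00 198.51.100.9 CONN dport=22
2025-07-01T10:02:00 198.51.100.9 CONN dport=80
2025-07-01T10:02:01 198.51.100.9 CONN dport=102
2025-07-01T10:02:01 198.51.100.9 CONN dport=443
2025-07-01T10:02:01 198.51.100.9 CONN dport=502
2025-07-01T10:02:02 198.51.100.9 CONN dport=20000
2025-07-01T10:02:02 198.51.100.9 CONN dport=44818
2025-07-01T10:03:00 10.0.5.40 CONN dport=443
2025-07-01T10:03:01 10.0.5.40 CONN dport=443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_logs(text):
    """Turn raw lines into dicts: {'ts', 'src', 'event', plus key=value fields}."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
        events.append({"ts": ts, "src": src, "event": event, **fields})
    return events


def detect_credential_stuffing(events, min_users=4):
    """Sources that failed authentication against at least `min_users`
    distinct usernames. Returns {src: sorted usernames}."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["event"] == "AUTH_FAIL" and "user" in e:
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users_by_src.items() if len(u) >= min_users}


def detect_port_scan(events, min_ports=5):
    """Sources that connected to at least `min_ports` distinct ports.
    Returns {src: {'ports': [...], 'ics_ports': {port: protocol}}}."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e["event"] == "CONN" and e.get("dport", "").isdigit():
            ports_by_src[e["src"]].add(int(e["dport"]))
    findings = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= min_ports:
            findings[src] = {
                "ports": sorted(ports),
                "ics_ports": {p: ICS_PORTS[p] for p in sorted(ports) if p in ICS_PORTS},
            }
    return findings


def successful_logins_after_stuffing(events, stuffers):
    """AUTH_OK from a source already flagged for stuffing: the highest-priority
    alert, since it suggests a guessed credential worked."""
    return sorted({(e["src"], e["user"]) for e in events
                   if e["event"] == "AUTH_OK" and e["src"] in stuffers and "user" in e})


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    stuffers = detect_credential_stuffing(evs)
    print("credential stuffing:", stuffers)
    print("port scans:", detect_port_scan(evs))
    print("successful login after stuffing:", successful_logins_after_stuffing(evs, stuffers))
```

Thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per source network, and the "successful login after stuffing" case is the one that should page someone, because it marks the point where reconnaissance turns into access.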

“South Africa’s critical infrastructure is particularly attractive because it operates in a hybrid environment: old tech connected to new interfaces. That creates blind spots,” Smadja said. “You’ll often have a 1998-era controller (a system used to control industrial processes) that is remotely accessed through a 2020s web interface. That kind of mismatch is what attackers look for.”

South Africa’s geopolitical and economic role in the Southern African Development Community may further raise the country’s threat profile.

“If you want to send a message or disrupt a region, targeting South Africa’s systems — power, water, or logistics — achieves impact,” said Smadja.

And not all attackers are foreign. Local ransomware gangs are increasingly mimicking the tactics of APTs, including delayed payloads, supply chain infiltration, and backup disabling.

What this means for you

If a substation is hacked, your power could be cut without explanation. If a water system is tampered with, your supply could change without warning — and you’d never know if it was a cyberattack.

Even when no data is stolen, critical services can be disrupted, with no public communication or accountability.

Infrastructure on the edge

“If you’re going to run an industrial system, you should segment the network so that operational tech is not accessible through the corporate side. That’s not always happening,” warned Anscombe.
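The segmentation Anscombe describes is a property a firewall policy either has or lacks, and it can be checked mechanically. As an added example, not code from the article or from ESET, the script below audits a zone-based rule set against three expectations: corporate hosts must not reach the operational technology (OT) network directly but only via a jump zone, OT devices must not initiate connections to the internet, and rules into OT must be restricted to a port. The zone address ranges, rule names and both policies are constructed for the illustration; a real audit would load the rules from the firewall's export.

```python
"""Audit a zone-based firewall policy for IT/OT segmentation: corporate
must not reach OT directly, OT must not reach the internet, and broad
'any' rules into OT are flagged."""
from dataclasses import dataclass
import ipaddress

# Constructed zone map (not from any real utility).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "jump": ipaddress.ip_network("10.20.0.0/24"),          # hardened jump hosts
    "ot": ipaddress.ip_network("192.168.100.0/24"),        # PLCs, HMIs, historians
}
INTERNET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR
    dst: str     # CIDR
    dport: str   # port number or "any"
    action: str  # "allow" or "deny"


def zone_of(cidr):
    """Name the zone a CIDR falls in; 'any' for 0.0.0.0/0, 'internet' otherwise."""
    net = ipaddress.ip_network(cidr)
    if net == INTERNET:
        return "any"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def audit(rules):
    """Return a list of (rule name, finding) for every allow rule that breaks
    the segmentation expectations. Deny rules are never violations."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s in ("any", "corporate", "internet") and d == "ot":
            findings.append((r.name, f"{s} may reach OT directly; route through the jump zone"))
        if s == "ot" and d in ("any", "internet"):
            findings.append((r.name, "OT may initiate connections to the internet"))
        if d == "ot" and r.dport == "any":
            findings.append((r.name, "rule into OT is not restricted to a port"))
        if s == "any" and d == "any":
            findings.append((r.name, "any-to-any allow"))
    return findings


# Constructed weak policy: the "old controller behind a new web interface"
# pattern, plus a vendor remote-access hole.
WEAK_POLICY = [
    Rule("corp-to-plc-web", "10.10.0.0/16", "192.168.100.0/24", "443", "allow"),
    Rule("plc-updates", "192.168.100.0/24", "0.0.0.0/0", "any", "allow"),
    Rule("vendor-remote", "0.0.0.0/0", "192.168.100.0/24", "any", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

# Constructed hardened policy: corporate reaches only the jump zone, and
# only the jump zone reaches OT, on one port.
HARDENED_POLICY = [
    Rule("corp-to-jump", "10.10.0.0/16", "10.20.0.0/24", "443", "allow"),
    Rule("jump-to-hmi", "10.20.0.0/24", "192.168.100.0/24", "443", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {len(audit(policy))} finding(s)")
        for name, msg in audit(policy):
            print(f"  {name}: {msg}")
```

The audit is intentionally a static check on the policy as written; it says nothing about whether the jump hosts themselves are patched or whether a controller has a second, undocumented path onto the corporate network, which is why such a check complements rather than replaces network discovery.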

Municipal water systems show similar gaps. Check Point has recorded targeted scans and login attempts.

“We’ve seen reconnaissance scans and access attempts directed at water systems, power grids, logistics. These aren’t random — they’re calculated,” said Smadja.

South Africa’s current attack surface: large targets, small defences

Despite solid detection capability, South Africa lacks a mandatory breach reporting regime for infrastructure.

“There needs to be an obligation to report. If an entity suffers a cyberattack, there should be a legal requirement to notify a central authority,” said Anscombe.

Under the Protection of Personal Information Act (Popia), only personal data breaches must be disclosed. If a water pump is hacked, or a substation disabled, there’s no legal requirement to inform the public.

“When systems go dark, people assume it is load shedding. But there is a real risk of an invisible trigger. The threats we track in Africa show real intent,” said Smadja.

The law vs the reality

South Africa’s cyber governance remains fragmented. The Critical Infrastructure Protection Act (Cipa) addresses fences and guards, but not firewalls.

The Protection of Personal Information Act protects personal data but offers little for industrial control systems that govern our infrastructure, and despite escalating cyber threats, no dedicated critical information infrastructure law exists.

Oversight is split: the State Security Agency (SSA) runs the cybersecurity hub without legal enforcement powers, while the Department of Communications and Digital Technologies sets policy but lacks operational control.

Experts say this siloed architecture leads to regulatory paralysis.

Professor Sizwe Snail ka Mtuze, adjunct professor of cyberlaw at Nelson Mandela University and a key drafter of the Cybercrimes Act, told Daily Maverick that South Africa is struggling with "a lack of centralised legal authority on cybersecurity." He notes, “Right now, you’ve got POPIA looking at data breaches, SSA managing the hub, and DCDT working on policy, but no one really able to enforce infrastructure-specific protections.”

The Information Regulator confirmed this in response to Daily Maverick’s queries, warning of systemic non-compliance in the public sector. “Public entities do not invest in compliance with POPIA as compared to private entities,” the regulator stated. “In some instances mitigation measures are not implemented, leading to repeat compromises of identified vulnerabilities.”

Notably, none of South Africa’s major infrastructure operators, including Eskom, Rand Water and Transnet, reported a single high-risk data breach in the past two years, despite ongoing cyberattacks. This, combined with the Regulator’s statements and the data showing cyberattacks in South Africa, suggests a worrying culture of under-reporting or non-compliance.

In her 15 July Budget vote speech, Minister in the Presidency Khumbudzo Ntshavheni noted: “We are finalising consultation on the draft cybersecurity strategy” and emphasised a state investment push into advanced interception, AI, and analytics capabilities. But without a unified legal regime or enforcement authority, implementation remains uncertain.

The Department of Communications and Digital Technologies and the Information Regulator of South Africa had not responded to Daily Maverick’s queries by the time of publication.

IoT: innovation or open door?

South Africa’s infrastructure future hinges on Internet of Things (IoT) — but it is being rolled out without minimum standards.

Devices like smart meters and programmable logic controllers, which govern a lot of industrial processes in factories and utilities, are often installed without firmware update paths or password security.

“The problem with IoT is two-fold: there’s no update mechanism, and many of these devices are built without even basic password protections,” warned Anscombe.

Many are foreign-made and integrated via local vendors, increasing supply chain exposure.

What must be done, and urgently

Establish a national computer security incident response team with enforcement powers.

Mandate disclosure of infrastructure-related cyber breaches.

Pass legislation to govern Critical Information Infrastructure.

Enforce cybersecurity procurement standards for public infrastructure.

“The adversary only needs one entry point. And if it’s your power grid or water supply, the consequences go far beyond business disruption,” said Anscombe. DM