Johannesburg, 12 Nov 2019
The resumption of load-shedding by Eskom recently has made organisations double-check that their business continuity plans are updated, and that their arrangements for power backups are in good shape. But it would be a mistake to think that load-shedding is the only issue relating to power, says Nadia Veeran-Patel, Manager: Cyber Resilience, ContinuitySA.
“The recent cyber attack on City of Johannesburg (COJ) systems should be ringing alarm bells in every boardroom — it was a vivid demonstration of the fact that cyber risk threatens other important systems, like power,” she warns. “We have to start thinking about, and laying plans for, the real possibility that the whole grid is somehow compromised. Load-shedding is a controlled process; this is something quite different, and the consequences are unpredictable at best.”
The COJ cyber attack meant that prepaid users could not purchase power, but its impact was limited to the financial systems. But what if the hackers had targeted the operational systems that control the grid, and showed their control by shutting it down? This is no fantasy: In September this year, hackers seem to have penetrated the US power grid.[1] There was no blackout, but given the extent to which Russian hackers are probing the US power grid, [2] and the growing emphasis on cyber-terrorism and –warfare, it could happen anytime. Security experts warn that power grids are seen as a prime target for hackers.
Another important consideration is that while the US grid may prove to be a hard nut to crack, the fact that COJ was also hacked in July this year implies that the utility does not take cyber security too seriously.
In addition, considering the state of Eskom’s network, if the economy does begin growing again, we will again face the spectre of the grid collapsing if anything goes wrong with the management of the load-shedding schedule.
“Companies should assess the risk of a more prolonged and pervasive power blackouts, and what their response should be,” Veeran-Patel believes. “The infamous New York blackouts in 1977 and again in 2019, as well as the repeated blackouts in Venezuela, led to outbreaks of looting and the spectre of civic collapse,” she says. “A long blackout over a wide area will almost certainly result in unrest of some kind. The question is whether your organisation has prepared a plan to deal with this eventuality, and assessed the likelihood of its happening.”
Of course, this assessment would include internal plans for dealing with an extended power outage — extra generators, bigger fuel storage facilities and so on — but it also needs to take into account the state’s emergency response plans. As Veeran-Patel points out, we know they exist, but how, exactly, do we rate their efficacy? It will also be necessary to look at the impact on the organisation, paying particular attention to the domino effect: business partners, suppliers and customers will also be affected. So, too, will other utilities on which everybody depends, most notably water. No power means that reservoirs will run dry, as has already happened.
“As the Internet of things takes off, not just power grids will get smarter, so will the water and transport grids. Greater use of IT will mean artificial intelligence can be deployed to make management of these resources more effective, but ironically will also make them more vulnerable to cyber criminals, especially as the proliferating number of sensors are unlikely to be well-protected,” she concludes. “Just how resilient is your organisation, really?”
[1] Brian Barrett, “Security news this week: An unprecedented cyberattack hit US power utilities”, Wired (7 September 2019), available at https://www.wired.com/story/power-grid-cyberattack-facebook-phone-numbers-security-news/.
[2] Lily May Newman, “Russian hackers haven’t stopped probing the US power grid”, Wired (28 November 2018), available at https://www.wired.com/story/russian-hackers-us-power-grid-attacks/.
Share
ContinuitySA
ContinuitySA is Africa’s leading provider of business continuity management (BCM) and resilience services and has been helping the continent’s public and private organisations become more resilient for more than 30 years. Delivered by highly skilled experts, its fully managed services include ICT and cyber resilience, enterprise risk management, work area recovery and BCM advisory—all designed to enhance business resilience in an age of escalating threat. By helping clients understand their risk profile, and then develop an appropriate risk-mitigation strategy, including the ability to recover swiftly from a disaster, ContinuitySA provides peace of mind for all stakeholders.
ContinuitySA operates the continent’s biggest network of recovery centres, with more than 20 000mof space in Gauteng (Midrand and Randburg), the Western Cape (Tyger Valley), in Kwa-Zulu Natal (Mount Edgecombe) as well in Botswana, Mozambique, Kenya and Mauritius.
ContinuitySA is a Gold Partner of the Business Continuity Institute (BCI) and was inducted into the prestigious BCI Hall of Fame in 2016. It is also a Gold Partner of Veeam, a leading global provider ofsoftware enabling Disaster Recovery as a Service and Backup as a Service.
ContinuitySA. Our business is keeping you in business.
Additional information about ContinuitySA can be found at www.continuitysa.com. Network with ContinuitySA on Google+, LinkedIn, Twitter and Facebook.