As the intensity of global geopolitics increases in what is fast becoming a multipolar world, different risks within an energy system have to be taken into account that were previously not envisaged. For example, in the past, it might have seemed entirely far-fetched that South Africa’s electricity system could be the subject of a malicious attack by other States or by non-State actors.
The lesson from all this is that complacency is one’s enemy; a country’s entire economy may be at risk because of complacency. Malicious attacks such as cyberattacks or what is referred to as distributed denial of service attacks have taken place in some parts of the world. A recent book by Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers, documents the incidents that have taken place around the world.
The rise of cyberattacks and cyberwarfare as forms of asymmetric warfare involving weaker countries and great powers, which can cripple critical infrastructure, has forced many advanced economies to establish specialised cyberintelligence agencies or departments within existing intelligence agencies. The more the world moves towards the Internet of Things and reliance on Big Data, the more these threats become real. It is only naïve governments that assume attacks on network and other critical infrastructure will not happen.
Attackers can avoid detection by covering cyberattack tracks, using non-State attackers or impersonating other governments to misdirect blame through false flags.
Big powers that may not like a foreign government’s policy decisions or believe that democratic elections in another country will likely lead to the continued reign of a political party that may be against the interests of the big powers could precipitate a crisis that aims to bring the incumbent government down through malicious attacks or other forms of disruption to normal forms of life. In 2015, when Ukrainian politics did not go in the geopolitical direction it should have taken, its grid was disabled by a cyberattack, albeit momentarily. Russia was blamed for the incident, but it denied responsibility.
South Africa’s Integrated Resource Plan (IRP) 2019 has one glaring weakness: it lacks a rigorous security framework that helps us think about what the future energy services system architecture should look like.
It is not clear to citizens how electricity system risks, other than those linked to power shortages, are dealt with by the State’s intelligence and other agencies. Who monitors cyberattacks, hacking or other malicious activities aimed at bringing power plants or the entire grid down?
What is particularly worrying is that South Africa’s grid is like an island, wholly dependent on itself. It would be unable to draw power from sources outside South Africa if a part of, or the whole grid, came down.
The IRP should also be set within an energy security framework, as most countries are beginning to move towards this model, owing to the fact that most network technologies are subject to diverse threats. A security framework takes into account three things: vulnerability, risks and offset mechanisms. Such a systems shifts from a least-cost technology approach to a least-cost system approach (even if the system may cost more to establish in the short term), because its aim is to take into account the potential for disruptions and the costs that such disruptions may directly cause to electricity infrastructure and the economy as a whole in the future.
Perhaps it is not the place of the IRP to also serve as a system risk tool. It will have to be complemented with other planning and risk assessment tools. Energy security and economic security are intertwined. A weak or damaged economy becomes a cause for concern, as it impinges on the capacity of the State to protect its sovereignty from both market predation and foreign State capture.
Vulnerability speaks to system dependencies – in our case, a high dependence on coal, the smooth operation of the coal supply chain and high performance from very dysfunctional croaking, old coal plants. Power plants can also be hacked if one considers how much of information technology capability goes into new plants, such as State-owned electricity utility Eskom’s Medupi and Kusile power stations.
Greenberg notes that, for example, a water treatment plant’s industrial control system can come under the control of a remote operator, who may create a malfunction in the plant that affects a town or city’s water system, placing the health of residents at risk.
Risks to electricity systems include disruption of supply as a result of sabotage, bad or extreme weather events (which will become common in the future), conveyer belts breaking down or unplanned maintenance of coal plants. In the South African context, one could add the corrupt manipulation of procurement processes as a risk.
Offsets are a way of mitigating dependencies by having recourse to measures like alternative sources of energy supply instead of total reliance on a single dependency. In the case of the South African grid system, offsets involve a strategy of negative offsets – such as recourse to load-shedding. It may help to have a grid system that is interconnected but fragmented to ensure that systemic risks do not prevail.
Any form of attack on a grid is not just an issue of disruption of power supply and the inconvenience or harm it can cause to the economy; it can also shape the entire political fate of a country. This is evidenced by how load-shedding is being used as a political football in South Africa as part of party political factionalism as one group tries to take the other out.