By Abdallah Toutoungi Founder and CEO, Cybershield Consulting Company.
Within a period of 9 days, two significant technical systemic faults took down the thermal and hydro power generation capacity of Ghana. The first was at the Ghana National Gas Company (Ghana Gas), where a Burner Management System (BMS) controller for the Heat Medium System failed completely. The second was a fire and an explosion at the Ghana Grid Company Limited (GRIDCo) switchyard at Akosombo.
Neither incident has been attributed to cyber. Cybershield is not suggesting that either was. The uncomfortable truth is that the national system tolerated two non-adversarial, single-point of failure events of consequential magnitude within those nine days. If the system is that exposed to ordinary equipment failure, the question of whether its exposure to deliberate and a capable adversary is one no responsible operator, regulator, or board member should ignore.
If a single controller failure and a single substation fire can do this to the country, what does our posture against a deliberate, capable adversary actually look like?
The question of cyber resilience is what I would like to tackle here even if there is no indication of cyber cause and the incident has not been named as such. All information gathered here has been from the media, press releases and official updates.
Before I delve into the three observations that drew my attention, allow me to take you on the IT vs OT journey. Information Technology (IT) is the software and hardware that runs the applications we use in our offices to get email, finance, and customer records. Failure of IT systems causes data loss. Operational Technology (OT) on the other hand is the software and hardware that runs our mining operations, power plants, water treatment plants, gas processing plants, steel mills, airports and harbor. Failure in OT systems causes physical world changes and damage – and can lead to loss of life.
Now that we know the difference between IT and OT, let’s list the three observations:
First, the failure modes of the controller at Atuabo Gas Processing Plant is indistinguishable from a cyber attack. A burner management controller can fail due to a capacitor on its mainboard as it ages out. It can also fail from a malicious firmware loaded during a vendor service visit. A DC panel can ignite because of a long-running insulation defect. It can also ignite because a protection setting was deliberately altered in the engineering workstation that programs it.
Second, the dependency structure has now been made public. Print and digital media has made sure of this. A motivated adversary does not need to discover where the system is fragile. The dependency exposed that although the thermal plants themselves were online and ready to generate electricity, the lack of gas in the pipeline due to the gas processing plant being taken down due to the controller fault made those thermal plants inconsequential. We can say the same about the hydro turbines being online and their availability to produce but the switchyard and the primary control room was ablaze so it didn’t really matter what the turbine condition was.
Third, recovery capacity is the resilience metric that matters most, and it is overwhelmingly determined by the preparation before the incident, not by heroics during it. The Atuabo team were able to recover the same evening and had a manual bypass in their sleeves that they were able to pull off. That says something about their training and thinking about disaster recovery. At Akosomnbo you can’t improvise a switchover room that controls the dam hundreds of meters away. The lesson is not about operators being better or worse than others. The lesson is that resilience is a habit, built in advance, measured in recovery under realistic conditions, and visible on a board’s quarterly report – or it is a story the organization tells itself.
Food for thought during those board room meetings and you don’t have to tell your colleagues you heard those questions here – you can claim them for yourself.
- Do we know what we own completely, both in IT or OT?
- Where are our single-point of failures?
- Are our IT and OT networks genuinely segmented in practice?
- Could we tell the difference between a fault and an attack in hours?
- How long can we operate manually? Have we rehearsed?
- If we were the next headline, who do we call?
None of this requires a multi-year transformation programme. It requires a board that decides resilience is its responsibility, and an executive team that treats the operational technology environment with the same seriousness it brings to financial reporting.
The Cybersecurity Act, 2020 (Act 1038) and the Cyber Security Authority's directives on Critical Information Infrastructure already place obligations on designated operators. The events of April 2026 are, in effect, a real-world tabletop exercise the country has handed every CII board free of charge.
Ghana's engineers responded to both April incidents with skill and visible commitment. Firefighters from five stations contained the Akosombo blaze without loss of life. Operators worked through the night at Atuabo. Ministers and regulators communicated with the public more openly than is the regional norm. None of what I have written is a criticism of those efforts.
It is, instead, an invitation to the country's boards to use this moment well. The harder test, the one that does not announce itself, is still ahead. The work to prepare for it is neither exotic nor unaffordable. It is, however, work that has to be started before it is needed — and the present moment is the cheapest moment it will ever be to start.
Abdallah Toutoungi is Founder and CEO of Cybershield Consulting Company, Ghana's specialist emergency cyber incident response provider for industrial operations and critical infrastructure. He holds the CISSP and previously served as a Program Manager at Microsoft. Cybershield aligns its practice with NIST and CREST standards and is based in Accra.
Comments