Africa's water utilities are not prepared for the attack Canada just disclosed. That is not a prediction. It is a structural assessment.
Russian-backed hackers gained access to pumps, chlorine dosing systems, and pressure controls at a Quebec municipality water utility — an intrusion only recently disclosed by Canada's Communications Security Establishment in a refreshed warning to the country's water sector Source: Bank Info Security. The attack vector: operational technology (OT) systems — the industrial control and SCADA infrastructure that governs physical processes. Canada disclosed it. African utilities almost certainly would not.
The core tension is this: water authorities in Lagos, Nairobi, Cairo, Accra, and Johannesburg operate ageing OT infrastructure with minimal cybersecurity investment, while threat actors have now demonstrated both the capability and the intent to target water systems for maximum societal disruption. No continental hardening framework exists. No coordinated incident-response protocol exists. And critically, no disclosure obligation forces African utilities to surface breaches if they detect them at all.
The asymmetry is dangerous. Canada's CSE issued a sector-wide advisory — an act of institutional transparency that allowed utilities nationwide to interrogate their own exposure. African regulators have no equivalent mechanism. Nigeria's National Information Technology Development Agency and Kenya's Communications Authority both carry cybersecurity mandates, but neither has issued OT-specific guidance for water utilities. Egypt's National Telecom Regulatory Authority and South Africa's CSIRT operate primarily in the IT domain. The gap between IT security governance and OT security reality is continent-wide.
Industry pen testers have documented what this gap means in practice: OT environments are routinely found with default credentials, flat network architectures that allow lateral movement from IT to operational systems, and remote access pathways that were installed for maintenance convenience and never hardened Source: NCSC. These are not exotic weaknesses. They are the baseline condition of most African municipal water infrastructure. The same tradecraft that accessed Quebec's chlorine dosing system requires no modification to work in Kampala, Dar es Salaam, or Abidjan.
The downstream consequences extend far beyond public health — though those alone are severe. A successful attack on chlorine dosing systems in a major African city serving populations already under water stress would trigger a humanitarian crisis with immediate cascading effects. Hospitals dependent on municipal supply in Kinshasa or Lusaka lose sterile water capacity. Food processing facilities in Casablanca or Durban halt operations. The digital economy's physical substrate — data centres, telecoms exchanges, commercial buildings — all require reliable water for cooling and sanitation. Water infrastructure is not a standalone sector; it is the physical foundation on which urban digital economies operate.
The question African policymakers must now answer honestly is whether similar attacks have already occurred and gone undetected — or detected but undisclosed. The absence of mandatory OT breach reporting frameworks across most African jurisdictions means the silence is not evidence of safety. It is evidence of blindness.
The African Union's Malabo Convention remains the continent's most ambitious cybersecurity framework, but its implementation is uneven and its scope does not extend to sector-specific OT hardening requirements for critical national infrastructure. The continent has no equivalent of Canada's critical infrastructure advisory ecosystem, no shared threat intelligence platform for water sector OT, and no mechanism to translate a disclosed attack in Quebec into an urgent remediation directive in Nairobi or Accra.
African governments must treat this Canadian disclosure as the sector-specific threat intelligence it is — and act on it now. The AU Cybersecurity Expert Group, national CERTs, and water sector regulators need to convene urgently around a common OT security baseline: mandatory network segmentation between IT and OT environments, elimination of default credentials on industrial control systems, and a disclosure obligation that surfaces incidents before they compound. The threat actor that probed Quebec's water systems does not distinguish between OECD utilities and African municipalities. African policymakers cannot afford that luxury either.