East Africa  ·  EAC Region  ·  IEC 62443 · Kenya DPA 2019 · EPRA-Aligned

World-Class OT/ICS Cybersecurity Exercises for East African Critical Infrastructure

47 ready-to-run tabletop exercises aligned to global standards — IEC 62443, NIST SP 800-82, NIS2, ISO 27001 — and layered with East African regulatory context (Kenya DPA 2019, EPRA, EAC frameworks). Purpose-built for Telecoms, Energy, Fintech, Water, and Ports sectors.

✓ IEC 62443 ✓ NIST SP 800-82 ✓ CISA CTEP-Aligned ✓ NIS2 & DORA ✓ Kenya DPA 2019 ✓ EPRA (Energy) ✓ EAC Framework
47 Ready-to-Run Exercises  ·  4 Languages (EN/FR/PT/ES)  ·  8 Global Frameworks Covered  ·  16 Critical Infrastructure Sectors

Global Standards — Included in Every Exercise

The International Frameworks Your Organization Already Answers To

From Nairobi to Kampala to Addis Ababa — these are the global standards governing OT/ICS cybersecurity best practice. Every exercise maps to them, ensuring East African operations meet the same bar as global counterparts and satisfy corporate audit requirements.

IEC 62443
Industrial Cybersecurity Standard

The global benchmark for IACS security — referenced by East African energy, telecoms, and water sector operators. Scenarios map to security levels and control domains.

NIST SP 800-82
ICS Security Guide (Rev. 3)

NIST's definitive OT security guide — widely adopted by East African fintech and telecoms multinationals. Threat scenarios reference Rev. 3 controls across all sectors.

CISA CTEP
Cyber Tabletop Exercise Program

All 47 exercises align to CISA CTEP objectives with CPG 2.0 framework mapping and structured After Action Report export for regulatory defensibility.

ISO 27001
Information Security Management

Widely required by East African banking regulators and international investors. Scenarios support Annex A controls for risk assessment and incident response.

NIS2
EU Network & Information Security Directive

European multinationals with East African operations must comply with NIS2 globally. Pro plan includes NIS2 compliance filters for essential and important entities.

DORA
Digital Operational Resilience Act

Pan-African banks and fintech firms with EU exposure apply DORA globally. Scenarios address ICT risk management and resilience testing requirements.

NERC CIP
Critical Infrastructure Protection

Energy sector multinationals with East African geothermal, hydro, and power generation assets apply NERC CIP across all sites globally.

NIST CSF 2.0
Cybersecurity Framework

Exercises cover all CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover — the universal baseline applied across the EAC region.

East African Regulatory Context

Layered with Local Regulatory Alignment

Global standards form the foundation — East African regulations add the regional layer. Your teams exercise in context of both, producing evidence defensible to every regulator from Nairobi to Kampala.

Kenya DPA 2019
Kenya Data Protection Act 2019 & CA Cybersecurity Directives

Kenya's comprehensive data protection law and the Communications Authority's cybersecurity directives govern incident notification and data handling for critical infrastructure operators across the EAC hub.

EPRA
Energy & Petroleum Regulatory Authority (Kenya)

EPRA regulates cybersecurity requirements for electricity, petroleum, and renewable energy sectors in Kenya. Energy sector exercises reference EPRA reporting obligations and operational continuity requirements.

EAC Framework
East African Community Cybersecurity Framework & Regional Standards

The EAC provides the regional coordination framework for cross-border incident response across Kenya, Tanzania, Uganda, Rwanda, Burundi, and South Sudan — exercises reflect cross-border notification complexity.

UCC / TCRA
Uganda Communications Commission & Tanzania Communications Regulatory Authority

Telecoms and internet infrastructure operators in Uganda and Tanzania are subject to UCC and TCRA cybersecurity regulations — exercises address incident reporting obligations for regional telecoms operators.

For Multinationals with East African Operations

Global HQ. East African Sites. One Platform.

The Challenge
Your Nairobi, Kampala, or Dar es Salaam facility must meet both: corporate global standards AND Kenya DPA / EAC obligations

Telecoms multinationals, energy developers, and pan-African banks with EAC operations don't choose between IEC 62443 and Kenya DPA 2019 — they answer to both simultaneously. Generic exercises address neither properly.

  • HQ mandates IEC 62443, ISO 27001, and NIST compliance globally
  • Kenya DPA 2019 and CA directives apply to Nairobi operations
  • EAC cross-border incident notification adds regional coordination complexity
  • Geothermal, hydro, and solar energy assets bring EPRA obligations
The Skyhigh Solution
One exercise library. Global standards built in. East African regulatory context layered on top.

Every scenario maps to IEC 62443, NIST SP 800-82, ISO 27001, and DORA. East African teams run the same quality exercises as European and US counterparts — with Kenya DPA, EPRA, and EAC regulatory framing included.

  • Global compliance evidence for corporate audit and international investors
  • Local context for Kenya DPA 2019, EPRA, UCC, and EAC frameworks
  • After Action Reports defensible to both HQ and East African regulators
  • English support across all EAC member states
Key East African Sectors

Built for Your Industry's OT Environment

Scenarios designed for the threat actors, control systems, and regulatory obligations facing East African critical infrastructure operators.

Telecoms & Internet Infrastructure
Geothermal & Hydro Power (Kenya, Ethiopia)
Fintech & Mobile Money (M-Pesa scale)
Water Treatment & Distribution
Ports & Maritime Logistics (Mombasa)
Oil & Gas (Uganda, Tanzania)
Aviation & Transport Infrastructure
Banking & Financial Services
47 Ready-to-Run Scenarios

From Mombasa port SCADA attacks to mobile money infrastructure disruptions — scenarios grounded in the real threat landscape facing East African OT operators.

EAC & Kenya DPA Framing

Exercises explicitly reference Kenya DPA 2019 notification timelines, EPRA reporting obligations, and EAC cross-border coordination — alongside global IEC 62443 controls.

English & French Support

Full support in English for EAC Anglophone members and French for Rwanda's bilingual environment — covering the full East African operational landscape.

Scenario Examples — EAC Relevant

Exercises Built for the East African Threat Environment

From geothermal power control system attacks to mobile money infrastructure compromise — exercises reflecting the actual threat landscape and regulatory obligations of East Africa.

OT / ICS
Geothermal Power Station SCADA Attack

A threat actor targets turbine control systems at a major geothermal facility. EPRA reporting obligations and EAC cross-border grid coordination are tested alongside IEC 62443 incident response.

ICS/SCADA  ·  IEC 62443  ·  EPRA Notification
3–4 Hours  ·  8–15 Players  ·  Advanced

Cross-Sector
Mobile Money Infrastructure Compromise

A ransomware attack disrupts mobile money clearing systems, cascading to affect utility bill payments and critical service disbursements across multiple EAC member states.

Ransomware  ·  NIST CSF 2.0  ·  Kenya DPA 2019
3–4 Hours  ·  10–20 Players  ·  Advanced

Executive
Board Crisis: Port Disruption & Multi-Regulator Response

A cyberattack disrupts Mombasa port SCADA systems, triggering simultaneous obligations to Kenya DPA, EPRA, EAC protocols, and parent company NIS2/ISO 27001 reporting requirements.

Executive  ·  EAC / Kenya DPA  ·  ISO 27001
2–3 Hours  ·  5–10 Players  ·  Intermediate

Enterprise Inquiry

Request an East Africa Demo

Tell us about your organization. We'll map the platform to your Kenya DPA, EPRA, EAC, and global compliance requirements for your specific sector.

Ready to Elevate East African OT Cyber Resilience?

Join critical infrastructure teams across the EAC running professional exercises aligned to global standards and local regulation.

Start Free Trial — 3 Exercises  ·  View Full Platform