Introduction
Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn’t alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely.
As we can see from the following graph from Red Eléctrica Española (the transmission system operator responsible for managing the Spanish electricity system), at 12:35 pm 15 GW of generation suddenly went 'missing'. As the prime minister would explain during a press release: "in 5 seconds, 60% of the country's demand disappeared from the system".
The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the necessary data to conduct such a complex analysis.
However, there is specific information suggesting that a potential cyber attack could be behind this. For example:
The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack.
Meanwhile, top European figures such as the European Council president, António Costa or Senior European Commission vice-president Teresa Ribera follow a more cautious approach, stating that currently there is no evidence of 'foul play'.
On the other hand, according to Reuters, "Portugal's REN says no sign blackout caused by cyberattack". Instead, sources within REN attributed this event to a 'rare atmospheric phenomenon', the now-famous 'Induced Atmospheric Vibration' term that everyone repeats but no one can truly explain. In fact, according to El País and other experts, it's all a bluff.
"Reuters reported that REN (Redes Energéticas Nacionais, the equivalent of Red Eléctrica in Spain) had suggested that a strange meteorological phenomenon in Spain could be the origin of the blackout. However, sources from this organization have denied that information, which pointed to a supposed temperature variation in the interior of Spain."
Given this complex context, I believe it's worth examining the facts and plausible explanations to assess whether we might be facing a cyberattack.
Motivations
Many of you have probably experienced this behavior: when you're on a plane and notice something unusual, the first thing you do is look at the flight attendants to see if they’re scared.
Well, we have a similar situation here. What are your colleagues at NATO saying? Are they worried? Poker face? If this blackout were the result of a cyberattack, we wouldn't be talking about just another ransomware operation; we would essentially be describing a de facto act of war against NATO members, with all the corresponding implications.
In this regard, I can't overlook that Spanish Prime Minister Pedro Sánchez said that 'nothing had been ruled out' and explicitly mentioned having spoken to NATO Secretary General Mark Rutte, without disclosing further details about the conversation.
Every cyberattack has a motive behind it. We will discuss some technical details, but before that, we need to provide some context for this situation.
First things first: Successfully triggering this massive power outage exclusively through cyber means would require a highly sophisticated actor, massive resources, and a bit of luck. That doesn’t seem to be a problem, as in the current geopolitical context, we have an obvious usual suspect: Russia.
But why on Earth would Russia embark on such an endeavor against Spain (Europe)? Let's avoid playing the 'because they're crazy' card. Geopolitical experts can certainly weigh in with all kinds of explanations far more valuable than mine. But let's remember that, once again, if this were eventually attributed to Russian actors, it would essentially be an act of war. If Russia can get away with it, we're doomed; if we respond accordingly, things will surely go dark for years, not just hours. In any case, it would be a wild, extremely serious scenario, a point of no return for everyone involved.
Attacking the grid
One of the problems with the power grid is that storing electricity at scale is neither easy nor efficient. So, to maintain a reliable and stable electricity system, supply and demand must match at every instant. Otherwise, any significant imbalance can have disastrous consequences, ranging from pushing the grid's frequency away from its nominal value (50 Hz in Europe) to potentially 'frying' power lines.
And that's a really hard problem.
First, you must predict the demand in order to plan your generation groups (Nuclear, Hydro/Thermal, Gas, Wind, Solar, etc.) accordingly. Assuming the generation is operating smoothly and in sync, the next step is to transport the generated electricity over long distances. Finally, the electricity must be adjusted to fit the consumer's installations, a task handled by the distribution system. Thus, Generation, Transmission, and Distribution are the three main components of a modern, interconnected power grid.
Therefore, the power grid must be continuously monitored, coordinating a wide array of interconnected systems and devices to control and ensure stability. Energy Management Systems (EMS) enable operators to manage this complex task. As you may guess, these are mainly computerized systems, so, technically, there is always a chance for cyberattacks.
Fourteen years ago, in 2011, I presented research titled "SCADA trojans: attacking the grid", where I outlined the approach, and real-world exploits, to theoretically cause a massive power outage by attacking an EMS via 3 different approaches: