
Spain's blackout: Cyber or Not? An unbiased technical analysis



Introduction

Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn’t alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely.

As we can see from the following graph from Red Eléctrica Española (the transmission system operator responsible for managing the Spanish electricity system), at 12:35 pm, 15 GW of generation suddenly went 'missing'. As the prime minister would explain during a press conference: "in 5 seconds, 60% of the country's demand disappeared from the system".



The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the necessary data to conduct such a complex analysis.

However, there is specific information suggesting that a potential cyber attack could be behind this. For example:

https://www.larazon.es/economia/cni-apunta-ciberataque-como-posible-causa-apagon_20250428680f7e19319ae75da4ba8c32.html

The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack.

https://www.eleconomista.es/energia/noticias/13337515/04/25/juanma-moreno-apunta-a-un-ciberataque-como-posible-causa-del-gran-apagon-en-espana.html

Meanwhile, top European figures, such as European Council President António Costa and Senior European Commission Vice-President Teresa Ribera, follow a more cautious approach, stating that currently there is no evidence of 'foul play'.

On the other hand, according to Reuters, "Portugal's REN says no sign blackout caused by cyberattack". Instead, sources within REN attributed this event to a 'rare atmospheric phenomenon', the now-famous 'Induced Atmospheric Vibration' term that everyone repeats but no one can truly explain. In fact, according to El País and other experts, it's all a bluff.

"Reuters reported that REN (Redes Energéticas Nacionais, the equivalent of Red Eléctrica in Spain) had suggested that a strange meteorological phenomenon in Spain could be the origin of the blackout. However, sources from this organization have denied that information, which pointed to a supposed temperature variation in the interior of Spain."

Given this complex context, I believe it's worth examining the facts and plausible explanations to assess whether we might be facing a cyberattack.

Motivations

Many of you have probably experienced this behavior: when you're on a plane and notice something unusual, the first thing you do is look at the flight attendants to see if they’re scared.

Well, we have a similar situation here. What are your colleagues at NATO saying? Are they worried? Poker face? If this blackout were the result of a cyberattack, we wouldn't be talking about just another ransomware operation; we would essentially be describing a de facto act of war against NATO members, with all the corresponding implications.

In this regard, I can't overlook that Spanish Prime Minister Pedro Sánchez said that 'nothing had been ruled out', and he explicitly mentioned having spoken to NATO Secretary General Mark Rutte, without disclosing further details about the conversation.

Every cyberattack has a motive behind it. We will discuss some technical details, but before that, we need to provide some context for this situation.

First things first: Successfully triggering this massive power outage exclusively through cyber means would require a highly sophisticated actor, massive resources, and a bit of luck. That doesn’t seem to be a problem, as in the current geopolitical context, we have an obvious usual suspect: Russia.

But why on Earth would Russia embark on such an endeavor against Spain (Europe)? Let's avoid playing the 'because they're crazy' card. Geopolitical experts can certainly weigh in with all kinds of explanations far more valuable than mine. But let's remember that, once again, if this were eventually attributed to Russian actors, it would essentially be an act of war. If Russia can get away with it, we're doomed; if we respond accordingly, things will surely go dark for years, not just hours. In any case, it would be a wild, extremely serious scenario, a point of no return for everyone involved.

Attacking the grid

One of the problems with the power grid is that storing electricity at scale is neither easy nor efficient. So, to maintain a reliable and stable electricity system, demand and supply must match. Otherwise, any significant load imbalance can have disastrous consequences, ranging from affecting the grid's frequency to potentially 'frying' power lines.

And that's a really hard problem.

First, you must predict the demand in order to plan your generation groups (Nuclear, Hydro/Thermal, Gas, Wind, Solar, etc.) accordingly. Assuming the generation is operating smoothly and in sync, the next step is to transport the generated electricity over long distances. Finally, the electricity must be adjusted to fit the consumer's installations, a task handled by the distribution system. Thus, Generation, Transmission, and Distribution are the three main components of a modern, interconnected power grid.

Therefore, the power grid must be continuously monitored, coordinating a wide array of interconnected systems and devices to control and ensure stability. Energy Management Systems (EMS) enable operators to manage this complex task. As you may guess, these are mainly computerized systems, so, technically, there is always a chance for cyberattacks.

Fourteen years ago, in 2011, I presented research titled "SCADA trojans: attacking the grid", where I outlined the approach, and real-world exploits, to theoretically cause a massive power outage by attacking an EMS through three different approaches:

Field devices

Manipulating and/or spoofing data at the RTU/IED level to send false readings or commands.

HMI/SCADA

Exploiting insecure protocols, for instance the Advantech/BroadWin RPC vulnerability, for lateral movement across networks.

State Estimator

Embedding malware into the control center to disrupt operator visibility or decision-making logic.

It's worth mentioning that several years later, Russian threat actors, such as Sandworm, employed similar exploits and approaches (e.g., targeting Advantech/BroadWin systems) against Ukraine, focusing on substation equipment like breakers and HMI software. However, the resulting power outages were always partial, limited to specific areas. This is expected, as the structure of modern interconnected power systems makes it extremely difficult to trigger a successful cascade of failures.

Achieving a complete shutdown of a modern country's power grid requires careful analysis and deep knowledge of the target’s infrastructure, including substations, transmission lines, redundancies, grid islands, contingency plans, devices, and configurations, as well as the capability to compromise critical systems.

This means that, for an attack on Spain's power grid to succeed in the way these events unfolded, 60% of generation capacity lost in just 5 seconds, the attackers would have needed at least one of the following approaches:

A coordinated, simultaneous attack against multiple generation units.

This would have required compromising nuclear power plants, an extremely complex operation (if you're curious, I published a paper on this last year https://www.reversemode.com/2024/10/a-practical-analysis-of-cyber-physical.html), other power plants, and/or a significant number of Solar/Wind farms. 

I deem this approach extremely unlikely.

______UPDATE - May 30_______

Hundreds of systems from privately operated Spanish renewable energy installations, representing hundreds of megawatts of power, are, and have been, exposed to the internet. These include SCADA systems still using default passwords, along with other potentially vulnerable systems that could allow unauthorized access to the installations. I've reported this situation to the appropriate public authority in Spain.

In view of this information, I must reassess the likelihood of a coordinated, simultaneous attack on renewable energy installations from 'extremely unlikely' to 'unlikely but feasible'. However, such an attack would still require a significant motivating factor.
______________________________

A targeted attack against key substation(s)


The attackers would have needed to study Spain's power grid configuration (which means access to confidential information), build a simulation model to test the attack, and then proceed to target specific systems at specific times. For instance, an attack on key substations, such as La Mudarra, could potentially cause widespread damage.

Although extremely complicated, this approach could potentially be executed by sophisticated actors.

Persistence into REE's CECOEL

CECOEL is the operational control center that oversees the entire electricity transmission network in Spain.

As I mentioned earlier, embedding malware into the control center could disrupt operator visibility or decision-making processes when a specific payload is activated. For example, attacking the state estimator to force a malicious convergence of parameters could plausibly trigger a 'zero energy' event. Again, this would require an extremely sophisticated operation, with attackers capable of compromising critical systems, including potentially air-gapped ones.
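The state estimator is also the defence against the first approach above, spoofed RTU/IED readings: an EMS fits a state to all telemetry at once and rejects measurements that do not agree with the rest. The following is an added example, not code from the original post or from REE: a constructed 3-bus DC power-flow model, a weighted-least-squares estimate, and the chi-square residual test that flags an injected reading (the susceptances, the telemetry values and the spoofed P23 reading are all made up).

```python
# Constructed 3-bus DC power-flow model: bus 1 is the slack (angle 0), the
# state is x = [theta2, theta3]. Line susceptances are made-up per-unit values.
B12, B13, B23 = 10.0, 5.0, 8.0
# Measurement model z = H x + e. Rows: line flows P12, P13, P23, then bus
# injections P1, P2, P3 (net flow leaving each bus).
H = [[-B12, 0.0], [0.0, -B13], [B23, -B23],
     [-B12, -B13], [B12 + B23, -B23], [-B23, B13 + B23]]
MEAS = ["P12", "P13", "P23", "P1", "P2", "P3"]
# 99% chi-square critical values by degrees of freedom (measurements - states).
CHI2_99 = {1: 6.635, 2: 9.210, 3: 11.345, 4: 13.277, 5: 15.086}

def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x

def wls_estimate(z):
    """Least-squares state x_hat = (H^T H)^-1 H^T z (equal weights cancel out)."""
    n, m = len(H[0]), len(H)
    gain = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    rhs = [sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(gain, rhs)

def bad_data_check(z, sigma=0.01):
    """Residual test: J = sum(r^2)/sigma^2 against chi-square at m - n dof.
    Returns (flagged, name of the measurement with the largest residual, J)."""
    x = wls_estimate(z)
    r = [z[k] - sum(H[k][j] * x[j] for j in range(len(x))) for k in range(len(z))]
    j_stat = sum(v * v for v in r) / sigma ** 2
    flagged = j_stat > CHI2_99[len(z) - len(x)]
    suspect = MEAS[max(range(len(r)), key=lambda k: abs(r[k]))]
    return flagged, suspect, j_stat

# Constructed telemetry: CLEAN_Z is consistent with theta = (-0.05, -0.10) rad;
# in SPOOFED_Z the RTU on line 2-3 reports 0.9 pu instead of the true 0.4 pu.
CLEAN_Z = [0.5, 0.5, 0.4, 1.0, -0.1, -0.9]
SPOOFED_Z = [0.5, 0.5, 0.9, 1.0, -0.1, -0.9]
```

Calling bad_data_check(SPOOFED_Z) flags the set and names P23 as the suspect, while the clean set passes; a single crude spoofed reading is therefore caught by the estimator's own redundancy, which is why the text treats the estimator itself as the high-value target.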

If this were somehow achieved, it would be better to just set everything on fire and rebuild from scratch.



Conclusions

First of all, I think it's time to be responsible. Before claiming this is a cyberattack, take a moment to consider the implications of such a scenario, implications that go far beyond a mere sales pitch for yet another AI-driven startup.

That said, I don't completely rule out the possibility that this could have been a cyberattack, though I would be extremely surprised... and terrified if it were. I sincerely hope that's not the case.