Skip to main content

Spain's blackout: Cyber or Not? An unbiased technical analysis

 


Introduction

Yesterday afternoon, I was writing what should have been the regular newsletter when the power suddenly went out. I wasn’t alarmed at all because I live in a mountain area, and power outages like this happen several times a year. It was a slightly windy day, so I assumed that maybe a tree had cracked and hit a low-voltage line or something similar. But, as it turns out, that wasn't the case. Instead, something unprecedented occurred, a 'zero energy' event: the power grid in Spain and Portugal went down completely.

As we can see from the following graph coming from Red Eléctrica Española (transmission system operator responsible for managing the Spanish electricity system), at 12:35pm suddenly 15 GW of generation power went 'missing'. As the prime minister would explain during a press release: "in 5 seconds, 60% of the country's demand disappeared from the system".



The interconnected power system is one of the most complex systems ever built. It is beyond the scope of this article to provide a detailed technical assessment of all possible non-cyber scenarios that could contribute to a 'black swan' event. In fact, investigations into large-scale power outages typically take months to reach reliable conclusions. Therefore, I will leave this task to the experts, who have access to the necessary data to conduct such a complex analysis.

However, there is specific information suggesting that a potential cyber attack could be behind this. For example:

https://www.larazon.es/economia/cni-apunta-ciberataque-como-posible-causa-apagon_20250428680f7e19319ae75da4ba8c32.html

The President of the regional government of Andalusia (Spain) claims that, after consulting with cybersecurity experts, the massive power outage is likely the result of a cyber attack.

https://www.eleconomista.es/energia/noticias/13337515/04/25/juanma-moreno-apunta-a-un-ciberataque-como-posible-causa-del-gran-apagon-en-espana.html

Meanwhile, top European figures such as the European Council president, António Costa or Senior European Commission vice-president Teresa Ribera follow a more cautious approach, stating that currently there is no evidence of 'foul play'.

On the other hand, according to Reuters "Portugal's REN says no sign blackout caused by cyberattack". Instead, sources within REN attributed this event to a 'rare atmospheric phenomenon', the know famous 'Induced Atmospheric Vibration' term everyone repeats but no one can truly elaborate. In fact, according to El Pais, and other experts, it's all a bluff. 

"Reuters reported that REN (Redes Energéticas Nacionais, the equivalent of Red Eléctrica in Spain) had suggested that a strange meteorological phenomenon in Spain could be the origin of the blackout. However, sources from this organization have denied that information, which pointed to a supposed temperature variation in the interior of Spain."

Given this complex context, I believe it's worth examining the facts and plausible explanations to assess whether we might be facing a cyberattack

Motivations

Many of you have probably experienced this behavior: when you're on a plane and notice something unusual, the first thing you do is look at the flight attendants to see if they’re scared.

Well, we have a similar situation here. What your colleagues at NATO are saying? Are they worried? Poker face? If this blackout were the result of a cyberattack, we wouldn’t be talking about just another ransomware operation; we would essentially be describing a de facto act of war against NATO members, with all the corresponding implications.

In this regard, I can’t overlook that Spanish Prime Minister, Pedro Sánchez, said that 'nothing had been ruled out' and he explicitly mentioned having spoken to NATO Secretary General Mark Rutte, without disclosing further details about the conversation.

Every cyberattack has a motive behind it. We will discuss some technical details, but before that, we need to provide some context for this situation. 

First things first: Successfully triggering this massive power outage exclusively through cyber means would require a highly sophisticated actor, massive resources, and a bit of luck. That doesn’t seem to be a problem, as in the current geopolitical context, we have an obvious usual suspect: Russia.

But why on Earth would Russia embark on such an endeavor against Spain (Europe)? Let’s avoid playing the 'because they’re crazy' card. Geopolitical experts can certainly weigh in with all kinds of explanations far more valuable than mine. But let’s remember that, once again, if this were eventually attributed to Russian actors, it would be essentially an act of war. If Russia can get away with it, we’re doomed; if we respond accordingly, things will surely go dark for years not just hours. In any case, it would be a wild, extremely serious scenario, a point of no return for everyone involved.

Attacking the grid

One of the problems with the power grid is that storing electricity at scale is neither easy nor efficient. So, to maintain a reliable and stable electricity system, demand and supply must match. Otherwise, any significant load imbalance can have disastrous consequences, ranging from affecting the grid's frequency to potentially 'frying' power lines.

And that's a really hard problem. 

First, you must predict the demand in order to plan your generation groups (Nuclear, Hydro/Thermal, Gas, Wind, Solar, etc.) accordingly. Assuming the generation is operating smoothly and in sync, the next step is to transport the generated electricity over long distances. Finally, the electricity must be adjusted to fit the consumer's installations, a task handled by the distribution system. Thus, Generation, Transmission, and Distribution are the three main components of a modern, interconnected power grid. 

Therefore, the power grid must be continuously monitored, coordinating a wide array of interconnected systems and devices to control and ensure stability. Energy Management Systems (EMS) enable operators to manage this complex task. As you may guess, these are mainly computerized systems, so, technically, there is always a chance for cyberattacks.

Fourteen years ago, in 2011, I presented a research called "SCADA trojans: attacking the grid" where I outlined the approach, and real-world exploits, to theoretically causing a massive power outage by attacking an EMS with 3 different approaches:

Field devices

Manipulating and/or spoofing data at the RTU/IED level to send false readings or commands.


HMI/SCADA

Exploiting insecure protocols, for instance Advantech/Broadwin RPC vulnerability, for lateral movement across networks.

State Estimator 

Embedding malware into the control center to disrupt operator visibility or decision-making logic.


It's worth mentioning that several years later, Russian threat actors, such as Sandworm, employed similar exploits and approaches (e.g., targeting Advantech/BroadWin systems) against Ukraine, focusing on substation equipment like breakers and HMI software. However, the resulting power outages were always partial, limited to specific areas. This is expected, as the structure of modern interconnected power systems makes it extremely difficult to trigger a successful cascade of failures.

Achieving a complete shutdown of a modern country's power grid requires careful analysis and deep knowledge of the target’s infrastructure, including substations, transmission lines, redundancies, grid islands, contingency plans, devices, and configurations, as well as the capability to compromise critical systems.

This means that, for an attack on Spain's power grid to succeed in the way these events unfolded, 60% of generation capacity lost in just 5 seconds, the attackers would have needed at least one of the following approaches:

A coordinated, simultaneous attack against multiple generation units.

This would have required compromising nuclear power plants, an extremely complex operation (if you're curious, I published a paper on this last year https://www.reversemode.com/2024/10/a-practical-analysis-of-cyber-physical.html), other power plants, and/or a significant number of Solar/Wind farms. 

I deem this approach extremely unlikely.

______UPDATE - May 30_______

Hundreds of systems from privately operated Spanish renewable energy installations, representing hundreds of megawatts of power, are, and have been, exposed to the internet. These include SCADA systems still using default passwords, along with other potentially vulnerable systems that could allow unauthorized access to the installations.  I've reported this situation to the appropriate public authority in Spain.

In view of this information  I must reassess the likelihood of a coordinated, simultaneous attack on renewable energy installations from 'extremely unlikely' to 'unlikely but feasible'. However, such an attack would still require a significant motivating factor. 
______________________________

A targeted attack against key substation(s)


The attackers would have needed to study Spain's power grid configuration (which means access to confidential information), build a simulation model to test the attack, and then proceed to target specific systems at specific times. For instance, an attack on key substations, such as La Mudarra, that could potentially cause widespread damage

Although extremely complicated, this approach could potentially be executed by sophisticated actors.

Persistence into REE's CECOEL

CECOEL is the operational control center that oversees the entire electricity transmission network in Spain. 

As I mentioned earlier, embedding malware into the control center could disrupt operator visibility or decision-making processes when a specific payload is activated. For example, attacking the state estimator to force a malicious convergence of parameters could plausibly trigger a 'zero energy' event. Again, this would require an extremely sophisticated operation, with attackers capable of compromising critical systems, including potentially air-gapped ones.

If this were somehow achieved, it would be better to just set everything on fire and rebuild from scratch.



Conclusions

First of all, I think it’s time to be responsible. Before claiming this is a cyberattack, take a moment to consider the implications of such a scenario, implications that go far beyond a mere sales pitch for yet-another AI-driven startup.

That said, I don't completely rule out the possibility that this could have been a cyberattack, though I would be extremely surprised...and terrified if it were. I sincerely hope that’s not the case.

Popular posts from this blog

What Really Happened in Chernobyl During the Beginning of the Russian Invasion?

This blog post contains the web version of my research paper: " Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication ", which was unveiled at BlackHat USA 2023 . It is intended to ease the indexing and dissemination of the information collected during this research.  In a few days, I'll be in Brussels presenting this research.  The original paper (PDF) can be downloaded here . Additional references: https://www.wired.com/story/chernobyl-radiation-spike-mystery/  (Kim Zetter) https://www.zetter-zeroday.com/p/radiation-spikes-at-chernobyl-a-mystery  (Kim Zetter) https://medium.com/war-notes/chornobyl-3-92216d21b223  (Olegh Bondarenko) INDEX Foreword Executive summary Introduction 1. Physical      1986      Resuspension      Transport      Humidity      Traffic 2. Cyber    ...

De-Anonymization attacks against Proton services

  In November 2021 YesWeHack invited me to participate in a private bug bounty program organized by  Bug Bounty Switzerland on behalf of Proton AG.  The scope of the program was quite interesting and heterogeneous, as it covered most of the applications and services offered by Proton, such as ProtonMail and ProtonVPN. As a result, multiple technologies and codebases were in scope, ranging from typescript, in the open-source part of Protonmail, to .NET/Swift used by ProtonVPN apps for Windows and macOS respectively. Proton is well-known for its privacy-driven services offer, so they are based on Switzerland where the legislation seems to match Proton's requirements to provide that kind of services: thus maximizing the privacy of their communications, minimizing the amount of data they log from their users while keeping a law-abiding status.  It wouldn't be realistic to think of Proton users as an homogenous group; you may be using Proton because you're genuinely w...

Finding vulnerabilities in Swiss Post's e-voting system: part 3

Exactly two years ago I brought my blog back to life, after many years of hiatus, with " Finding vulnerabilities in Swiss Post’s future e-voting system - Part 1 ". That was the first of a series of blog posts covering that system. During these two years I've been periodically assessing the security posture of this e-voting solution, as part of their Bug Bounty program , which I personally recommend.   Since the first time I reviewed their codebase a lot of things have changed, for good, as many areas have been dramatically improved. To be honest, from a security perspective the codebase back then was kind of a mess.   When the first Swiss Post e-voting platform was published, back in 2019, it faced some public scrutiny, mostly from the academic community.  As a result, some significant issues were uncovered , so eventually Swiss Post decided to suspend the deployment of the system. That first version had been developed by Scytl , Spanish company specializ...

Beware of Java's String.getBytes

Sometimes there are subtle bugs whose origin can be found in some quirks from the underlying language used to build the software. This blog post describes one of those cases in order to let both fellow security researchers and developers, who didn't know about it, become aware of this potential vulnerable pattern. In fact, I'm pretty sure that similar bugs to the one herein described likely affect a bunch of products/codebases out there. In previous posts , I've already described some bugs in the Swiss Post's future E-voting system. While reading their  Crypto-Primitives specification , which among other things describes the custom Hashing algorithm Swiss Post implemented, I noticed something potentially interesting. Basically, there are 4 different types that are supported: byte arrays, strings, integers and vectors. Before being hashed, strings are converted to a byte array via the ' StringToByteArray ' algorithm. However, by comparing ' StringToByteArray...

Losing control over Schneider's EcoStruxure Control Expert

  During Q2 2022, in view of the geopolitical situation that unfolded after the Russian invasion of Ukraine, I decided that it wouldn't do any harm to kill some bugs in some of the main players within the ICS arena. I focused in those software frameworks that are running on the engineering workstations so, if compromised, attackers would be in a privileged position to manipulate controllers logic, thus enabling sophisticated attacks with a potential physical impact (i.e triton). I responsibly reported a bunch a unauthenticated remotely exploitable bugs to the corresponding vendors. In one case, after being ignored for months, I had to resort to the 'twitter, do your magic' approach and tweeted that I would be disclosing the issues if the situation persisted. It took just few hours for the vendor to get back to me. The positive side is that they found the bugs interesting and all that mess ended up in paid work.   This blog post covers a similar scenario in a different ven...