
Could the Blackout in Spain be caused by a cyber-attack?

 

On May 28th, 2025, around 12:30h, Spain, Europe’s fourth largest economy, was hit by a massive electricity blackout.

As of today, the causes are still unclear. What we know is that a yet-unknown event affected the Spanish electricity grid, causing an imbalance between generation and demand that the grid operator was not able to manage, probably because, at that moment, the percentage of energy that could support balancing mechanisms was too low. Consequently, some generation facilities decoupled from the grid to protect themselves from an increase in voltage, causing a drop of 15 GW, around 60% of the entire generation at that moment, in less than 5 seconds. The interconnection with France was cut to prevent affecting the neighboring country, and the entire electricity system of the Iberian Peninsula went down like a domino.

Citizens across Spain and Portugal spent between 8 and 24 hours in darkness and isolated. No lights, no Internet and no communications except for old-fashioned radios that transmitted the little available information. There were people stuck in elevators and others left in the middle of nowhere by trains that went suddenly out of operation. Most enterprises had to shut down and critical services, like hospitals and major datacenters, activated their emergency generators and prepared to request additional diesel fuel in case the blackout exceeded their worst-case scenarios. Fortunately, the blackout only lasted a few hours thanks to the exceptional preparedness of the Spanish grid operators and the fact that Spain’s electricity grid is one of the smartest and most modern in the world.

It is not likely that the triggering event was caused by a cyberattack, but it can’t be ruled out either. We know that it’s possible; it has happened in the past, as we saw with the Russian attacks on Ukrainian substations or other famous attacks on critical infrastructure like Stuxnet, SolarWinds or Triton.

Anyway, this demonstrates that even one of the world’s most resilient electricity grids can be seriously challenged by a cyber-attack. Imagine if this happened in a country that does not have the robust electricity infrastructure that Spain has. The time to recover would be significantly longer and the consequences could be dramatic, affecting human lives and amounting to millions of dollars in damages that would probably not be covered by any insurance program.

But what is the likelihood of a cyberattack affecting the bulk electricity system? This is the million-dollar question!  

Large, traditional generation facilities are increasingly exposed to the Internet, and vulnerabilities are more and more difficult to detect and manage despite the growing investments in cybersecurity by their owners, usually big, regulated companies. Not to mention the situation of the new renewable generation technologies, which are cloud-native and operated by smaller companies with tight budgets.

The blackout in Spain has been considered a black swan, an extremely rare event that statistically should only happen once in over 100 years. Yet another one, like the pandemic or the extreme weather events that are becoming increasingly common. Are we really having a lot of bad luck lately or should we think about reviewing our risk models, especially cyber risk models?

Risk quantification is basically the process of measuring the likelihood and impact of a certain event and can be based on scenarios or statistical models. Scenario-based quantification requires a deep understanding of the process and all its interdependencies and the ability to imagine all potential risk situations. Statistical models are based on large amounts of data of past events and the ability to mathematically represent reality.    

In both cases, it is an exercise in trying to understand the future based on what happened in the past. But with the fast evolution of technology, our ecosystems are changing rapidly, interdependencies are more and more difficult to grasp, and our risk models and the underlying data quickly become obsolete. Especially with cyber, we need new dynamic risk quantification capabilities that allow us to understand the evolving cyber landscape and risk.

This requires four key aspects:

    1. Up-to-date Outside-In data that provides an evolving picture of the threat landscape, the threat actors and their tactics and techniques.

    2. Continuous Inside-Out data of existing vulnerabilities based on telemetry connected to our OT technology, including potential cyber-physical events.

    3. Cybersecurity controls implemented to mitigate risk. Some can be inferred from telemetry, reducing subjectivity in the maturity assessment.

    4. A mathematical risk model that is specific to each type of industry, as cyber risk is not the same for a thermal generation facility, a manufacturing plant or a datacenter and certainly not for an IT and an OT environment.

Figure: DeNexus Knowledge Cloud. Continuously updated anonymized aggregated Outside-In & Inside-Out data, cybersecurity controls, Drivers of Risk, Drivers of Loss.


Properly understanding cyber risk to the complex electricity ecosystem is not easy, but it is key to identifying critical points of failure and prioritizing investments in cybersecurity. And not only in the electricity sector but in industry in general.

The blackout in Spain has reminded us of how dependent our society is on electricity, but also on information and communication systems. We need to enhance our ability to understand and mitigate cybersecurity risks and strengthen our cyber resilience capabilities to face this increasingly complex challenge.

If you want to learn more, get in touch with our team, or understand how the above is put to use to quantify and manage cyber risks at 250+ industrial sites monitored by DeNexus, you can contact us at https://www.denexus.io/contact.