Iberian blackout raises fears of growing cyber-attack risks

Techday NZ

29-04-2025

The recent widespread blackout affecting Spain and Portugal has sparked discussion over whether a cyber-attack could have been responsible, despite initial reports pointing to a technical fault.
Large areas of both countries were left without electricity, disrupting transportation, communications, and daily routines.
The power failure started when a key international power line was disconnected, causing cascading disturbances across regional energy grids.
This blackout, which persisted for hours in certain regions, was traced to a fault in the high-voltage transmission network managed by Spain's Red Eléctrica de España (REE).
Speculation about the possibility of a cyberattack arose swiftly after the incident, driven in part by recent high-profile cyber incidents globally.
Early reports cited a 'rare atmospheric phenomenon' as a likely cause, but suspicions of malicious activity persisted, underscoring the heightened concern surrounding cyber threats to critical infrastructure.
Comparisons were drawn with previous cyberattacks, such as the Colonial Pipelines ransomware incident in the United States in 2021.
Nevertheless, both REE and Portugal's grid operator Redes Energéticas Nacionais (REN) ruled out signs of unauthorised access after reviewing SCADA (Supervisory Control and Data Acquisition) logs, telemetry, and firewall data.
Despite these assertions, the cause remains under investigation by Spain's National Cybersecurity Institute, and a cyberattack has yet to be definitively discounted by all parties.
Certain factors led to the initial suspicion of a cyber-attack. These included simultaneous failures at multiple points, which was reminiscent of coordinated cyber-induced grid events observed in Ukraine in 2015 and 2016.
Moreover, the collapse of mobile and internet services, coinciding with the blackout—and the failure of some backup systems—encouraged further speculation.
The situation unfolded during a period of elevated cybersecurity alertness in Europe, amid ongoing geopolitical tension. The absence of immediate, clear communication from grid operators allowed conjecture to fill the resulting information gap.
Specops Software explored these questions, highlighting the broader context in which such concerns arise. Their analysis stated, "The suspicion around malicious activity shows how wary people around the globe are of cyber-attacks and the devastating impacts they could have."
"Nation-state actors often probe or attack energy grids to gain leverage in broader conflicts. Disabling power generation or transmission can undermine civilian morale, disrupt military logistics, and signal coercive intent without immediate kinetic engagement."
n the Russo-Ukrainian context, the 2015–16 attacks on Ukraine's grid by the Sandworm group demonstrated how precision outages (tripping substations via malware like BlackEnergy) can be used as a tool of statecraft." the analysis also outlined the motivations that hackers may have for targeting a national energy grid, noting.
Financial motives are also a consideration, as highlighted in the analysis: "Financially motivated cybercriminals view energy companies (often large, highly automated, and reliant on digital controls) as lucrative ransomware targets. Encrypting SCADA backups or operator workstations can halt operations swiftly, pressuring victims to pay ransoms to restore power. Groups like BlackCat/ALPHV and LockBit 3.0 have increasingly targeted energy and critical-infrastructure firms."
Beyond immediate disruptions, adversaries may use access to grid networks to understand the control system's architecture, harvest valuable data, or develop custom malware. The blog noted, "The Chinese group RedEcho have been accused of infiltrating India's power grids in recent years."
Security specialists look for several indicators to determine if a power grid outage may be the work of cyber attackers.
According to Specops Software, these include unexplained network reconnaissance, unauthorised access attempts, anomalous commands within control systems, discrepancies between physical measurements and logged data, the discovery of malware, and disruptions in monitoring and alerting systems.
They noted, "Coordinated multi-vector anomalies—simultaneous disruptions in power and ICT (telecom networks, NMS servers) that outpace what one physical fault could explain," are a particular cause for concern.
Passwords and credential management routinely contribute to the vulnerability of both IT and operational networks.
Specops Software highlighted, "Weak or default passwords are one of the simplest and most common footholds an attacker can use to break into both IT and OT (SCADA/ICS) environments in a power-grid operator."
They explained how remote access points protected by weak credentials, reused passwords, or insufficient multi-factor authentication can provide an entry route for attackers. The risk is multiplied if such vulnerabilities exist across both office and control-system environments, as happened during Ukraine's blackout in 2015.
The incident in the Iberian Peninsula is still being examined, but the debate it triggered reflects a growing awareness of the risks facing critical infrastructure operators worldwide.
Specops Software commented, "Ultimately, the Iberian blackout served as a powerful reminder of the potential risks of infrastructure being targeted by a cyber-attack. In the midst of a sudden grid collapse, it was all too easy to leap to the cyber-attack hypothesis, fueled by recent headlines and geopolitical anxiety. Even if the true cause was natural phenomena as the current evidence points to, the very real threat of a targeted intrusion demands vigilance."
The analysis concluded, "Operators must treat every incident as an opportunity to harden their defenses, from enforcing airtight password policies and multifactor authentication to rigorous network segmentation and 24/7 anomaly monitoring. If nothing else, this episode underscores that preparation (not panic) is the best antidote to both technical failures and malicious assaults."