Spain to vet power plants’ cybersecurity for ‘great blackout’ cause

The Spanish government has yet to determine the specific causes of the blackout that left the country without power for an entire day on April 28. Discovering the cause, as Prime Minister Pedro Sánchez announced in an appearance before Congress on May 7, “will take some time,” as approximately 756 million pieces of data from hundreds of facilities needs to be analyzed.

That large volume of data includes every bit of information “generated by the system’s 4,200 plants between 12:15 and 12:35 that day,” Sánchez said.

The Financial Times reported this week that the Spanish government is demanding information from small electricity generators about the state of their cyber defenses as part of an ongoing investigation to determine whether these were a weak link exploited by malicious actors aiming to take down the country’s electricity grid. 

“Senior government officials are ‘concerned’ about the strength of the cyber defenses of small and medium-sized electricity facilities, particularly solar and wind farms,” ​​according to a person familiar with the matter quoted in the report published by the newspaper.

In fact, the government has not yet ruled out the possibility that the cause of the incident was ultimately a cyberattack. “As of today, we are not ruling out any possibility. Everything remains on the table,” according to statements to the Financial Times by sources from the Ministry for the Ecological Transition and the Demographic Challenge (MITECO).

Following the “great blackout,” the largest in Europe in more than two decades, the Spain’s government promoted the creation of a Technical Analysis Committee led by the Third Vice President and Minister for MITECO Sara Aagesen. This committee includes several relevant bodies and consists of two working groups focused on cybersecurity and examining the operation from an electrical perspective.

The report resulting from this committee’s investigation, which will specify the causes of the “zero” electricity incident, must be ready by next August, as required by the European Commission. Additionally, the European Electricity Coordination Group, which reports to the European Commission and independent regulators, will prepare an independent report from Brussels, at the request of the Spanish government.

In parallel, a judge from the Spanish National Court has also opened an investigation to determine whether the incident was a cyberattack. However, Red Eléctrica, the Spanish electricity grid operator, stated the day after the blackout that there was no evidence of a cyberattack against its facilities. Since then, the company has not issued any further statements on the matter.

In 2024, Spain suffered more than 100,000 cyberattacks, and every three days there was one considered “very serious,” according to information provided by the Executive branch a few days ago during the presentation of a set of cybersecurity and cyberdefense measures that complement the measures included in the National Cybersecurity Plan, approved in 2022 and involving an investment of €1.157 billion. Since 2015, cyberattacks have increased by 300% in the country.