Blackout or breach? Spain and Portugal’s grid collapse fuels cyberattack fears
‘Cyber-attack’ was the phrase on many people’s minds when large parts of Spain and Portugal were recently plunged into a blackout. Authorities are investigating the root cause, with early reports suggesting a technical malfunction caused by a ‘rare atmospheric phenomenon’. However, there has been speculation (yet to be ruled out) that a cyberattack could be to blame.
The widespread power outage disrupted transportation, communications, and daily life across the Iberian Peninsula. It began with a disconnection of a key international power line, causing cascading disruptions across regional grids. The blackout, which lasted several hours in some areas, was triggered by a fault in the high-voltage transmission network operated by Red Eléctrica de España (REE).
But why did so many immediately jump to the conclusion of a cyber-attack? The suspicion around malicious activity goes to show how wary people across the globe are of cyber-attacks and the devastating impacts they could have.
Why was a cyber-attack initially suspected in the blackout in Spain and Portugal?
Early news of the outage brought to mind the 2021 Colonial Pipeline ransomware attack on the US East Coast. But both REE and Portugal’s Redes Energéticas Nacionais (REN) have ruled out malicious intrusion after reviewing SCADA logs, telemetry, and firewall records. Even so, in the immediate aftermath, several indicators led authorities and observers to consider the possibility of a cyberattack:
- Simultaneous multi-point failures: The sudden, coordinated nature of the shutdowns across geographically dispersed substations mimicked the characteristics of cyber-induced grid events, such as those seen in Ukraine in 2015 and 2016.
- Communication disruptions: The temporary collapse of mobile and internet services fed public speculation about a systemic attack, particularly since backup systems failed in some zones.
- Timing and geopolitical tension: The blackout occurred amid heightened cybersecurity alerts across Europe tied to ongoing geopolitical instability, prompting heightened vigilance.
- Digital forensics lag: With grid operators unable to offer an immediate explanation, speculation filled the information vacuum before REE and ENTSO-E (European Network of Transmission System Operators for Electricity) could complete their initial diagnostics.
A cyber-attack has still not been entirely ruled out by all parties, with the cause still being investigated by Spain’s National Cybersecurity Institute.
Why would hackers target a country’s energy grid?
Nation-state actors often probe or attack energy grids to gain leverage in broader conflicts. Disabling power generation or transmission can undermine civilian morale, disrupt military logistics, and signal coercive intent without immediate kinetic engagement. In the Russo-Ukrainian context, the 2015–16 attacks on Ukraine’s grid by the Sandworm group demonstrated how precision outages (tripping substations via malware like BlackEnergy) can be used as a tool of statecraft.
Financially motivated cybercriminals view energy companies (often large, highly automated, and reliant on digital controls) as lucrative ransomware targets. Encrypting SCADA backups or operator workstations can halt operations swiftly, pressuring victims to pay ransoms to restore power. Groups like BlackCat/ALPHV and LockBit 3.0 have increasingly targeted energy and critical-infrastructure firms.
Beyond immediate disruption, adversaries can also use grid intrusions to map control-system architectures, harvest proprietary process data, and develop bespoke malware. In recent years the Chinese group RedEcho has been accused of infiltrating India’s power grids.
What are the signs of a cyber-attack on a power grid?
Grid operators and security teams look for a constellation of anomalies in both IT (office networks) and OT (operational/SCADA) environments when assessing a potential intrusion. Typical warning indicators include:
- Unexplained network reconnaissance
  - Sudden port-scanning or probing of ICS/SCADA protocols (e.g., IEC 60870-5-104, DNP3) from external IPs or unusual internal segments.
  - Early “test-run” malware deployments on non-critical assets to validate access before a full attack.
- Unauthorized access and credential abuse
  - Repeated failed or anomalous log-ins to RTUs or HMIs outside normal maintenance windows.
  - Unexpected use of service accounts or credentials that have previously accessed grid-control systems.
- Anomalous ICS command sequences
  - Remote trip or bypass commands issued to breakers or protection relays without a corresponding valid alarm or sensor trigger.
  - Rapid toggling of circuit breakers or reclosers in patterns not matching grid operator actions.
- Data-integrity discrepancies
  - Mismatches between real-time sensor measurements and what SCADA logs record (e.g., frequency or voltage constantly reported at nominal values, despite clear swings on physical buses).
  - GPS/time-stamp mismatches that suggest log tampering or “time-shifting” of events.
- Malware artifacts and file-system changes
  - Discovery of known ICS-specific malware frameworks (e.g., Industroyer/CrashOverride) or related backdoors on control-system hosts.
  - New executables, altered firmware images, or unexpected services running on PLCs/RTUs.
- Disruption of monitoring and alerting
  - Loss or corruption of event logs in both IT and OT environments (e.g., missing log files or overwritten audit trails).
  - Failure of redundant communication channels (e.g., satellite or out-of-band links) coinciding suspiciously with primary link outages.
- Coordinated multi-vector anomalies
  - Simultaneous disruptions in power and ICT (telecom networks, NMS servers) that outpace what one physical fault could explain.
  - Evidence of a “kill chain” progressing from IT compromise (e.g., phishing, workstation infection) into the OT domain.
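Three of the indicators above (a trip command with no preceding protection alarm, rapid breaker toggling, and time-shifted log entries) can be expressed as simple rules over a control-system event log. The following is an added example, not code from the original post or from any grid operator; the pipe-separated log format, the device names and the thresholds are all constructed for illustration, and a real deployment would read the historian's own format and tune the windows to the substation's protection scheme.

```python
"""Rule-based checks for three ICS warning indicators (added example; the log
format, device names and thresholds below are constructed, not a real product's)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALARM_WINDOW = timedelta(seconds=60)    # a trip should follow a protection alarm within this window
TOGGLE_WINDOW = timedelta(seconds=30)   # window for counting breaker operations
TOGGLE_LIMIT = 4                        # operations per window no operator would issue by hand
CLOCK_TOLERANCE = timedelta(seconds=5)  # backwards skew tolerated between consecutive entries

# Constructed sample log: "ISO-timestamp | source host | event | target device | detail".
# breaker-B4 is tripped and closed four times in six seconds with no alarm, and the
# last entry carries a timestamp earlier than the one before it.
SAMPLE_LOG = """\
2025-04-28T12:30:00 | relay-07  | ALARM     | breaker-A1 | overcurrent
2025-04-28T12:30:03 | hmi-ops-1 | TRIP_CMD  | breaker-A1 | operator
2025-04-28T12:31:10 | eng-ws-12 | TRIP_CMD  | breaker-B4 | remote
2025-04-28T12:31:12 | eng-ws-12 | CLOSE_CMD | breaker-B4 | remote
2025-04-28T12:31:14 | eng-ws-12 | TRIP_CMD  | breaker-B4 | remote
2025-04-28T12:31:16 | eng-ws-12 | CLOSE_CMD | breaker-B4 | remote
2025-04-28T12:25:00 | rtu-03    | STATUS    | breaker-C2 | closed
"""


def parse_log(text):
    """Parse the constructed log format into dicts, preserving log order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, target, detail = [f.strip() for f in line.split("|")]
        entries.append({"ts": datetime.fromisoformat(ts), "source": source,
                        "event": event, "target": target, "detail": detail})
    return entries


def trips_without_alarm(entries):
    """TRIP_CMD on a device with no ALARM for that device inside ALARM_WINDOW."""
    findings, last_alarm = [], {}
    for e in entries:
        if e["event"] == "ALARM":
            last_alarm[e["target"]] = e["ts"]
        elif e["event"] == "TRIP_CMD":
            alarm_ts = last_alarm.get(e["target"])
            if alarm_ts is None or e["ts"] - alarm_ts > ALARM_WINDOW:
                findings.append(("trip_without_alarm", e["target"], e["source"]))
    return findings


def rapid_toggling(entries):
    """TOGGLE_LIMIT or more trip/close operations on one device inside TOGGLE_WINDOW."""
    findings, flagged, recent = [], set(), defaultdict(deque)
    for e in entries:
        if e["event"] not in ("TRIP_CMD", "CLOSE_CMD"):
            continue
        q = recent[e["target"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > TOGGLE_WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= TOGGLE_LIMIT and e["target"] not in flagged:
            flagged.add(e["target"])
            findings.append(("rapid_toggling", e["target"], e["source"]))
    return findings


def timestamp_regressions(entries):
    """Consecutive entries whose timestamps go backwards by more than CLOCK_TOLERANCE."""
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        if prev["ts"] - cur["ts"] > CLOCK_TOLERANCE:
            findings.append(("timestamp_regression", cur["target"], cur["source"]))
    return findings


def analyse(text):
    """Run all three rules over a log text and return the combined findings."""
    entries = parse_log(text)
    return trips_without_alarm(entries) + rapid_toggling(entries) + timestamp_regressions(entries)


if __name__ == "__main__":
    for rule, target, source in analyse(SAMPLE_LOG):
        print(f"{rule}: {target} (from {source})")
```

Each rule is deliberately stateful only per device, so the same code works on a live stream as well as on a file; on the sample it reports the two alarm-less trips and the toggling burst on breaker-B4 from eng-ws-12, plus the backwards-dated status from rtu-03.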
Could weak passwords play a role in power grid attacks?
Weak or default passwords are one of the simplest and most common footholds an attacker can use to break into both the IT and OT (SCADA/ICS) environments at a power grid operator. Here’s how they could factor into a potential grid compromise:
- Initial remote-access breach
  - Many utilities expose VPNs, RDP gateways or web-based management panels for remote monitoring and maintenance. If these are protected by weak, guessable, or unchanged default credentials, an attacker can simply brute-force or credential-stuff their way in. The risk is multiplied if effective MFA isn’t being enforced.
- Lateral movement
  - Once inside the corporate LAN, attackers look for “stepping-stone” accounts to jump into the operational zone. The compromise propagates rapidly if service accounts or HMI/PLC administrator logins still use weak passwords.
- Credential theft and reuse
  - Even if the grid network is well segmented, users often reuse passwords across office and control-system VPNs. Phishing or keylogging against an engineer’s corporate mailbox can yield credentials that work unchanged on OT gateways. In Ukraine’s 2015 blackout, attackers first harvested legitimate account credentials before issuing destructive commands to breakers.
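The brute-force and credential-stuffing attempts against a remote-access gateway described above leave a recognisable trace in its authentication log, as does a harvested credential used at an odd hour. The following is an added example of that detection logic, not code from the original post or from any vendor; the log format, the TEST-NET addresses, the account names and the 07:00–18:59 weekday maintenance window are constructed assumptions for illustration.

```python
"""Detection rules for credential abuse on a remote-access gateway (added example;
log format, addresses, accounts and the maintenance window are constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_LIMIT = 5                    # failures for one (ip, user) pair within WINDOW
USER_LIMIT = 3                    # distinct users one source fails against within WINDOW
WINDOW = timedelta(minutes=10)
MAINTENANCE_HOURS = range(7, 19)  # assumed policy: OT gateway logins expected 07:00-18:59 on weekdays

# Constructed sample gateway log: "ISO-timestamp | source ip | user | result".
# 2025-04-28 is a Monday. 203.0.113.7 hammers svc-hmi and then succeeds at 02:10;
# 198.51.100.9 tries three different accounts; mgarcia logs in during working hours.
SAMPLE_AUTH_LOG = """\
2025-04-28T02:10:01 | 203.0.113.7  | svc-hmi  | FAIL
2025-04-28T02:10:02 | 203.0.113.7  | svc-hmi  | FAIL
2025-04-28T02:10:03 | 203.0.113.7  | svc-hmi  | FAIL
2025-04-28T02:10:04 | 203.0.113.7  | svc-hmi  | FAIL
2025-04-28T02:10:05 | 203.0.113.7  | svc-hmi  | FAIL
2025-04-28T02:10:09 | 203.0.113.7  | svc-hmi  | SUCCESS
2025-04-28T02:12:00 | 198.51.100.9 | jsmith   | FAIL
2025-04-28T02:12:01 | 198.51.100.9 | admin    | FAIL
2025-04-28T02:12:02 | 198.51.100.9 | operator | FAIL
2025-04-28T09:30:00 | 10.20.0.15   | mgarcia  | SUCCESS
"""


def parse_auth_log(text):
    """Parse the constructed gateway log into dicts, preserving order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = [f.strip() for f in line.split("|")]
        entries.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "result": result})
    return entries


def brute_force(entries):
    """FAIL_LIMIT or more failures for the same (ip, user) pair inside WINDOW."""
    findings, flagged, recent = [], set(), defaultdict(deque)
    for e in entries:
        if e["result"] != "FAIL":
            continue
        key = (e["ip"], e["user"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAIL_LIMIT and key not in flagged:
            flagged.add(key)
            findings.append(("brute_force", e["ip"], e["user"]))
    return findings


def credential_stuffing(entries):
    """One source ip failing against USER_LIMIT or more distinct users inside WINDOW."""
    findings, flagged, recent = [], set(), defaultdict(deque)  # ip -> deque of (ts, user)
    for e in entries:
        if e["result"] != "FAIL":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= USER_LIMIT and e["ip"] not in flagged:
            flagged.add(e["ip"])
            findings.append(("credential_stuffing", e["ip"], len(users)))
    return findings


def off_hours_success(entries):
    """Successful logins outside the assumed weekday maintenance window."""
    findings = []
    for e in entries:
        ts = e["ts"]
        if e["result"] == "SUCCESS" and (ts.weekday() >= 5 or ts.hour not in MAINTENANCE_HOURS):
            findings.append(("off_hours_login", e["ip"], e["user"]))
    return findings


def audit(text):
    """Run all three rules over a gateway log text and return the combined findings."""
    entries = parse_auth_log(text)
    return brute_force(entries) + credential_stuffing(entries) + off_hours_success(entries)


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTH_LOG):
        print(*finding)
```

The off-hours rule is the one most worth pairing with the brute-force rule: a burst of failures followed by a success on the same account at 02:10 is exactly the sequence the page describes, and a gateway that enforces MFA and lockout would never let it reach the success line.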
Cyber-attack or cautionary tale?
Ultimately, the Iberian blackout served as a powerful reminder of the potential risks of infrastructure being targeted by a cyberattack. Amid a sudden grid collapse, it was too easy to leap to the cyberattack hypothesis, fueled by recent headlines and geopolitical anxiety. Even if the true cause was a natural phenomenon, as the current evidence suggests, the real threat of a targeted intrusion demands vigilance.
Operators must treat every incident as an opportunity to harden their defenses, from enforcing airtight password policies and multifactor authentication to rigorous network segmentation and 24/7 anomaly monitoring. If nothing else, this episode underscores that preparation (not panic) is the best antidote to both technical failures and malicious assaults.
Note: This originally appeared as a blog on the Specops website