IT Brief UK - Technology news for CIOs & IT decision-makers

Iberian blackout raises fears of growing cyber-attack risks

Today

The recent widespread blackout affecting Spain and Portugal has sparked discussion over whether a cyber-attack could have been responsible, despite initial reports pointing to a technical fault.

Large areas of both countries were left without electricity, disrupting transportation, communications, and daily routines.

The power failure started when a key international power line was disconnected, causing cascading disturbances across regional energy grids.

This blackout, which persisted for hours in certain regions, was traced to a fault in the high-voltage transmission network managed by Spain's Red Eléctrica de España (REE).

Speculation about the possibility of a cyberattack arose swiftly after the incident, driven in part by recent high-profile cyber incidents globally.

Early reports cited a 'rare atmospheric phenomenon' as a likely cause, but suspicions of malicious activity persisted, underscoring the heightened concern surrounding cyber threats to critical infrastructure.

Comparisons were drawn with previous cyberattacks, such as the Colonial Pipeline ransomware incident in the United States in 2021.

Nevertheless, both REE and Portugal's grid operator Redes Energéticas Nacionais (REN) ruled out signs of unauthorised access after reviewing SCADA (Supervisory Control and Data Acquisition) logs, telemetry, and firewall data.

Despite these assertions, the cause remains under investigation by Spain's National Cybersecurity Institute, and a cyberattack has yet to be definitively discounted by all parties.

Certain factors led to the initial suspicion of a cyber-attack. These included simultaneous failures at multiple points, which were reminiscent of the coordinated cyber-induced grid events observed in Ukraine in 2015 and 2016.

Moreover, the collapse of mobile and internet services, coinciding with the blackout—and the failure of some backup systems—encouraged further speculation.

The situation unfolded during a period of elevated cybersecurity alertness in Europe, amid ongoing geopolitical tension. The absence of immediate, clear communication from grid operators allowed conjecture to fill the resulting information gap.

Specops Software explored these questions, highlighting the broader context in which such concerns arise. Their analysis stated, "The suspicion around malicious activity shows how wary people around the globe are of cyber-attacks and the devastating impacts they could have."

The analysis also outlined the motivations hackers may have for targeting a national energy grid, noting: "Nation-state actors often probe or attack energy grids to gain leverage in broader conflicts. Disabling power generation or transmission can undermine civilian morale, disrupt military logistics, and signal coercive intent without immediate kinetic engagement.

"In the Russo-Ukrainian context, the 2015–16 attacks on Ukraine's grid by the Sandworm group demonstrated how precision outages (tripping substations via malware like BlackEnergy) can be used as a tool of statecraft."

Financial motives are also a consideration, as highlighted in the analysis: "Financially motivated cybercriminals view energy companies (often large, highly automated, and reliant on digital controls) as lucrative ransomware targets. Encrypting SCADA backups or operator workstations can halt operations swiftly, pressuring victims to pay ransoms to restore power. Groups like BlackCat/ALPHV and LockBit 3.0 have increasingly targeted energy and critical-infrastructure firms."

Beyond immediate disruptions, adversaries may use access to grid networks to understand the control system's architecture, harvest valuable data, or develop custom malware. The blog noted, "The Chinese group RedEcho have been accused of infiltrating India's power grids in recent years."

Security specialists look for several indicators to determine if a power grid outage may be the work of cyber attackers.

According to Specops Software, these include unexplained network reconnaissance, unauthorised access attempts, anomalous commands within control systems, discrepancies between physical measurements and logged data, the discovery of malware, and disruptions in monitoring and alerting systems.

They noted, "Coordinated multi-vector anomalies—simultaneous disruptions in power and ICT (telecom networks, NMS servers) that outpace what one physical fault could explain," are a particular cause for concern.
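Two of the indicators listed above, the physical-versus-logged discrepancy and the coordinated power-plus-ICT anomaly, can be expressed as plain checks over operator data. The following is an added illustration written for this article, not Specops' tooling or any grid operator's code; the breaker names, currents, timestamps and the 60-second window are constructed assumptions.

```python
"""Two of the outage indicators named in the article, as simple checks over
constructed sample data:
  1. discrepancies between physical measurements and logged control state;
  2. coordinated multi-vector anomalies: power and ICT disruptions landing in
     the same short window.
All device names, values, timestamps and thresholds are constructed examples."""
from datetime import datetime

# Constructed sample: what the control system logged versus what field telemetry measured.
LOGGED_STATE = {"CB-101": "CLOSED", "CB-102": "OPEN", "CB-103": "CLOSED"}
TELEMETRY_AMPS = {"CB-101": 412.0, "CB-102": 0.0, "CB-103": 0.0}

def measurement_discrepancies(logged, amps, min_load_amps=5.0):
    """Return breakers whose logged state contradicts the measured current.
    A breaker logged CLOSED but carrying ~0 A (or OPEN but carrying load) means
    the control log and the physical world disagree and deserves investigation."""
    findings = []
    for breaker, state in logged.items():
        current = amps.get(breaker)
        if current is None:          # no telemetry for this device: cannot judge
            continue
        if state == "CLOSED" and current < min_load_amps:
            findings.append((breaker, "logged CLOSED but no load measured"))
        elif state == "OPEN" and current >= min_load_amps:
            findings.append((breaker, "logged OPEN but load measured"))
    return findings

# Constructed sample events: (ISO timestamp, domain, description)
EVENTS = [
    ("2025-01-01T12:32:10", "power", "interconnector line tripped"),
    ("2025-01-01T12:32:14", "power", "substation B under-frequency trip"),
    ("2025-01-01T12:32:20", "ict", "NMS server unreachable"),
    ("2025-01-01T12:32:31", "ict", "telecom backhaul link down"),
    ("2025-01-01T15:05:00", "power", "transformer alarm cleared"),
]

def multivector_windows(events, window_seconds=60):
    """Return (start, event_count) for clusters of events, grouped by gap from the
    cluster's first event, that span BOTH the power and ICT domains. A single
    physical fault normally explains events in one domain; power and ICT failing
    together in one short window is the pattern the article flags as suspicious."""
    ordered = sorted((datetime.fromisoformat(t), d, desc) for t, d, desc in events)
    clusters = []
    for t, domain, desc in ordered:
        if clusters and (t - clusters[-1][0][0]).total_seconds() <= window_seconds:
            clusters[-1].append((t, domain, desc))
        else:
            clusters.append([(t, domain, desc)])
    return [(c[0][0].isoformat(), len(c)) for c in clusters
            if {"power", "ict"} <= {d for _, d, _ in c}]
```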

Passwords and credential management routinely contribute to the vulnerability of both IT and operational networks.

Specops Software highlighted, "Weak or default passwords are one of the simplest and most common footholds an attacker can use to break into both IT and OT (SCADA/ICS) environments in a power-grid operator."

They explained how remote access points protected by weak credentials, reused passwords, or insufficient multi-factor authentication can provide an entry route for attackers. The risk is multiplied if such vulnerabilities exist across both office and control-system environments, as happened during Ukraine's blackout in 2015.

The incident in the Iberian Peninsula is still being examined, but the debate it triggered reflects a growing awareness of the risks facing critical infrastructure operators worldwide.

Specops Software commented, "Ultimately, the Iberian blackout served as a powerful reminder of the potential risks of infrastructure being targeted by a cyber-attack. In the midst of a sudden grid collapse, it was all too easy to leap to the cyber-attack hypothesis, fueled by recent headlines and geopolitical anxiety. Even if the true cause was natural phenomena as the current evidence points to, the very real threat of a targeted intrusion demands vigilance."

The analysis concluded, "Operators must treat every incident as an opportunity to harden their defenses, from enforcing airtight password policies and multifactor authentication to rigorous network segmentation and 24/7 anomaly monitoring. If nothing else, this episode underscores that preparation (not panic) is the best antidote to both technical failures and malicious assaults."
