The Blackout In Spain (& Portugal & France): Implications For Cybersecurity


On this we can all agree: at about 12:15pm local time on Monday, 28 April 2025, there was a blackout throughout Spain that also reached into Portugal and southern France. Power was restored in most areas of Spain by about 6:30pm local time; full internet service returned the next morning.

As someone who was in Sevilla at the time of the blackout, I am quite interested in what happened, why it happened, and what lessons could be drawn in thinking about cybersecurity as well as managing a power company -- as the lessons are quite clearly parallel.

Numerous possible reasons for the blackout were offered, including the possibility of a cybersecurity incident, "fanatical" use of renewable energy sources, vibrations from an atmospheric inversion, or, um, something (in fact the current answer one week later is: we're checking and we'll get back to you).

There is an active investigation into whether this was a cybersecurity incident, and we don't discount that. In the meantime, this summary, by an engineer, strikes the best balance. Here is the part that has implications for cybersecurity (emphasis added):

"A more worrying root cause is the involvement of politics in REE [Spain's electrical company], as its presidency is typically held by former ministers or high-ranking politicians. Its current president is Beatriz Corredor, a lawyer and a former housing minister, and REE is pursuing the somewhat politicised objective of “100% renewables”...

Two days after the blackout, Corredor made public statements for the first time saying that an incident like this would not be repeated, a difficult assertion to make when the causes are still unknown.

It is essential that decisions on energy issues, such as “100% renewables”, have independent technical support that analyses and informs the public with rigour and transparency. A rational analysis should not pit renewables against nuclear, and technical bodies such as REE should be run by people outside of political power structures, preferably with the appropriate technical training. The European Union should also have a coordinated energy policy, and a Europe-wide electricity grid designed to deal with outages or potential external aggression."

Let's summarize the five parallels between this blackout incident and Pythia's warnings about cybersecurity:

1. There was no appropriate governance.

2. Managers are not able to speak to technical issues, and do not show interest in learning about the systems they lead.

3. Apparent politicized focus on requiring 100% renewables, driven by politicians and not power engineers, is equivalent to viewing cybersecurity as a box-check compliance activity.

4. Engineers do not have a way to communicate effectively with leaders, who then are not able to communicate effectively with the public.

5. Apparently there was a belief that it was too expensive to disaster-proof the system, which after all spreads across the Iberian peninsula; sounds a lot like a quote cost-benefit analysis unquote.

There is nothing wrong per se about requiring 100% of your country's electricity to come from renewable sources. It's a 'big, hairy, audacious goal' after all. But the five points I list here -- no governance, absentee leaders, inflexibility, poor communication by technical staff, not believing a remote possibility was likely enough -- are going to sink any human enterprise that cannot get out of its own way in any endeavor -- including cybersecurity.

Ask us how Pythia can help you learn the right lessons of this blackout for cybersecurity for your organization. Don't let a 'big, hairy, audacious goal' turn your organization's cybersecurity function into a big, hairy, costly disaster.


(picture by Jacques Descloitres, MODIS Rapid Response Team, NASA/GSFC - https://visibleearth.nasa.gov/view.php?id=64573, Public Domain, https://commons.wikimedia.org/w/index.php?curid=320758)