Hello Cyber-Builders đ
In 2017, I published a paper with NATO experts on what had happened to the Ukrainian power infrastructure during early cyberattacks (see doc at the end). At that time, only a few cybersecurity companies were truly exploring the risks tied to power grids and generation plants.
But this April, while visiting Spain, I lived through one of those âsomedayâ moments.
This post starts a three-part series on why blackouts today are no longer random technical failures â they are becoming tools of hybrid warfare and systemic risk.
In Part 1, Iâll share my personal experience from the April 2025 Spanish blackout.
In Part 2, weâll explore the geopolitics of power grid targeting â why nation-states increasingly view energy infrastructure as a weapon.
In Part 3, weâll examine how modern grids became fragile and what cyber-builders need to know about protecting them.
April 28th, Sevilla.
I was there with family for a few days’ break, enjoying a warm spring day and the beautiful city of Sevilla with its downtown streets, fortress, and lovely gardens.
Then, out of nowhere:
No more power â across Spain and Portugal.
At first, we thought it was local. It felt almost funny. Some joked:
âPoor Spanish â unreliable traffic lights.â
We crossed a six-lane boulevard near the Sevilla canal with 20 other pedestrians, unaware of the scale.
Then came the strange moments. We tried ordering drinks, and the waiters hesitated. The Wi-Fi was down, and payment terminals stopped working.
We got the news: âUn gran apagĂłnâ â a massive blackout.
At first, phones still worked, and we could read the news. Then, slowly, the network faded. We waited. We returned to our apartment, stopping at a small open shop selling cans, water, and snacks.
Around us:
-
No more trains.
-
No more planes.
-
No phone or internet.
-
No traffic lights.
-
Massive traffic jams.
Authorities urged people to stop using cars. Hospitals ran on diesel generators, barely sustaining lifelines for the critically ill. People waited in long lines. We caught ourselves checking our phones constantly. Out of habit, we even tried switching off the bathroom light.
Thatâs when the realization hit: we are utterly dependent on electricity.
You shop? You pay with power-based systems. You have cash? Barely. Maybe a few bills to buy a drink or a sandwich. Thatâs it.
We later learnt the truth. In late April 2025, a massive power blackout struck the Iberian Peninsula, leaving most mainland Spain and Portugal without electricity for about ten hours.
The outage on April 28 cascaded across the Spanish grid and even caused minor disturbances in neighboring regions (Andorra and parts of France).
With an estimated 15 GW of power generation (60% of the Spanish production) disconnected from the grid in just 5 seconds, it would have been hard to recover from such a massive disconnect. The disconnect was too massive to recover, even with European solidarity (like power from the French network). Consequently, the automated system disconnected Spain from the rest of Europe to ensure the rest of the EU Grid. For a good overview of the EU Power Grid resilience, see this document.
Millions of people were impacted, and the blackout paralyzed transportation:
-
Closed metro lines
-
Failed traffic lights
-
Air traffic disruptions
-
Commerce largely halted
Tragically, several indirect fatalities were later reported â from fires and generator accidents â underscoring the eventâs severity.
From the outset, authorities suspected a possible cyberattack might have triggered the collapse.
Spainâs National Court announced an investigation into a potential âact of cyber sabotage against critical infrastructure.â Prime Minister Pedro SĂĄnchez stated that âno hypothesis [was] being ruled outâ â including a coordinated cyber assault â pending complete forensic analysis.
This concern was fueled by:
-
The sudden, systemic nature of the failure
-
Rising awareness of cyber threats to power grids globally
-
Some media reports speculated that the outage bore âthe hallmarks of a sophisticated cyberattack.â
For the moment, the results of all these investigations are still uncertain and will take time.
Spainâs grid operator Red ElĂ©ctrica de España (REE) reported no signs of unauthorized intrusion. On April 29, REE publicly attributed the blackout to an internal grid disturbance â a disconnection in the southwest â and ruled out a cyberattack as the cause.
By mid-May, the Energy Minister confirmed that investigators had found âno indication of a cyberattack.â
But on May 26, a judge at the Audiencia Nacional extended a case to determine whether this was deliberate sabotage (which would legally qualify as terrorism). The investigations are continuing. The judge decided to extend the secrecy of the inquiry for one more month. The main question is whether to classify specific actions as acts of terror (or not).
I guess we will know more in the coming months.
To my surprise, people stayed calm. There was no panic, crying, or chaos. People sat outside, waiting. It helped that it was springâsunny and warm. The power returned around 8 p.m., just before nightfall.
But imagine the same thing in winter. Freezing weather. 2°C. No heating. No food. No light. No way to charge phones or contact loved ones. After just a few days, it would become a humanitarian crisis. Something you remember for a lifetime, like COVID.
And yes, our infrastructure is fragile. And yes, it is being targeted. It reminded me of what I learned (see doc below) while analyzing the Ukrainian grid’s cyberattacks of 2015. There were a few hours of blackout during winter. It was cold. The Russians also prevented people from calling for help by saturating the landlines with a DoS attack.
We later understood, in 2022, that these cyberwarfare operations were an early signal of a full-scale warâone that would cost millions of lives. Russian officers knew exactly what they were doing. They targeted power infrastructure on December 23rdâjust before Christmas, a time when families gather, wrap gifts, and prepare for warmth and peace.
The blackout lasted only a few hours and affected fewer than 500,000 citizens. But I now realize I had underestimated the psychological power of plunging a population into darkness.
The incident triggered urgent cybersecurity reviews. Authorities broadened their focus to examine the cyber defenses of smaller power producers:
-
Many renewable energy sites (solar farms, wind parks) operate semi-autonomously.
-
These smaller operators could represent âweak linksâ that attackers might target, even if the national grid operator is well-protected.
In early May, Spainâs government cybersecurity agency (INCIBE) demanded security audits from small and mid-sized generators. These inquiries are intensifying the scrutiny surrounding the root cause of the blackout. Some suspect a defect (or an attack) in the control systems (or IoT software) of renewable energy providers.Â
Weâll dive into this scenario, which has been well-known for over eight years, in an upcoming post!Â
Iâd love to hear your thoughts. What would you do if the lights went out tonightâand didnât come back?
Leave a comment below.
Laurent đ
đ Part 2 â âThe Geopolitics of Power Gridsâ
How and why nation-states target energy infrastructure as a strategic weapon in modern hybrid warfare.
đ Part 3 â âHow Modern Grids Became Fragile â and What Cyber Builders Must Knowâ
An inside look at todayâs grid vulnerabilities: IoT-driven renewables, outdated industrial systems, and what defenders can do.