On April 28, 2025, a massive and unprecedented power outage swept across Spain, Portugal, and parts of southern France, leaving millions without electricity and causing widespread disruption. The blackout, which began around midday local time, halted public transportation, grounded flights, and disrupted critical services such as hospitals and telecommunications. While the exact cause remains under investigation, authorities have not ruled out the possibility of a cyberattack.
The blackout affected major urban centers, including Madrid, Barcelona, Lisbon, and Seville. Public transport systems, including metros and trains, came to a standstill, and traffic lights ceased functioning, leading to gridlock in many areas. Hospitals operated on emergency generators, and events like the Madrid Open tennis tournament were suspended due to power loss. Airports experienced significant delays and cancellations, with more than 300 flights affected at Madrid Airport alone. Mobile networks and internet services were also disrupted, compounding the challenges faced by residents and emergency services.
Initial reports suggest that the outage may have been triggered by a significant disturbance in the European power grid. Spain's grid operator, Red Eléctrica, reported a sudden drop in energy demand from 27,000 to less than 13,000 megawatts, indicating a rapid and widespread failure.
"While the fragility of critical infrastructure goes on display in these types of situations, whether it is a cyberattack or simply something less sinister, organizations need to be prepared for sudden and unexplained disruptions to their operations," said Derek Fisher, Director of the Cyber Defense and Information Assurance Program at Temple University. "Tabletop exercises and testing of business continuity plans should be baked into how organizations think about preparing for inevitable disruption."
While technical faults are a possible explanation, the scale and suddenness of the Iberian Peninsula blackout have led authorities to consider other causes. Spain's National Cybersecurity Institute (INCIBE) is investigating the possibility of a cyberattack, although no definitive evidence has been found to confirm this theory. Similarly, the European Union Agency for Cybersecurity (ENISA) has suggested that a technical or cable fault is the likely cause but continues to monitor the situation closely.
"This Iberian blackout perfectly illustrates the seldom thought-about intersection of cyber resilience and electrical infrastructure vulnerability. Whether it was caused by a sophisticated cyberattack or an ordinary technical failure, the outcome remains the same: millions disrupted, critical services compromised, and economic damage," said Kip Boyle, Instructor and vCISO at Cyber Risk Opportunities LLC. "This event is another wake-up call that our increasingly interconnected energy systems require comprehensive resilience strategies that anticipate failure. When our power grids go down, the line between technical malfunction and deliberate attack becomes academic. We have to prepare for both."
As Boyle said, the incident underscores the vulnerabilities inherent in interconnected power grids and the potential for cascading failures. If a cyberattack is determined to be the cause, it would represent one of the most significant such events in recent history, highlighting the need for robust cybersecurity measures in critical infrastructure. Even if the cause is ultimately found to be technical, the event serves as a stark reminder of the importance of resilience and rapid response capabilities in the face of large-scale disruptions.
"In our connected world, there are benefits to remote management of systems, but critical systems like these need to be isolated," said Justin Armstrong, vCISO and Founder, Armstrong Risk Management, LLC. "I am always relieved when I hear that local water or electric utilities do not rely on connected systems for management and have manual overrides."
Wolfgang Rohde, Executive Partner of Innovation at AiSuNe, has a more skeptical view of the outage, namely because of not-so-great power infrastructure in the region.
"The cause of this incident remains unidentified at present. This event affected only two of Europe's 44 states, positioning it as a regional disruption rather than a continent-wide crisis," Rohde said. "The Iberian Peninsula represents what energy specialists term an 'energy island' due to its poorly developed connections with Europe's broader power network."
Rhode continued, "This structural isolation makes it highly improbable that a disturbance in the European grid triggered the incident. The vulnerability in this scenario stems from insufficient integration rather than excessive interconnection. This situation parallels Texas, which has recorded more power outages than any other U.S. state over the past five years, primarily because it keeps its electrical grid isolated from the rest of the United States."
"There is a little country between Spain and France named Andorra. Andorra has connections to the French and Spanish power grids. It switched automatically from the Spanish to the French grid and recovered immediately. This means the problem was the isolated Spanish grid, not the interconnected European grid."
Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); and Chairman, Cedric Leighton Associates, LLC, had this to say: "Even if the cause of this unprecedented power outage turns out not to be a cyberattack, cybersecurity and other emergency services professionals should still take a very close look at how this outage impacted Spain, Portugal and, to a lesser extent, France. The cascading effects are similar to what would be experienced during a major cyberattack. Additionally, responses by authorities and citizens alike should be studied to see if there are any lessons learned that could make those responses quicker and more efficient."
Col. Leighton added, "While some authorities in Spain and Portugal are saying this is not the result of a cyberattack, we've noted an increase in malicious cyber activity over the past 60 days, with France seemingly being a target of interest. The interconnected nature of the Spanish, Portuguese, and parts of the French electricity grids clearly helps with capacity and power distribution issues, but it also showcases the vulnerabilities of such interconnected systems. Spain, Portugal, and France need to invest in power system redundancies if they want to keep their societies functioning at a high level. The fact that everything from air, rail, and road transport to hospitals and schools has ceased to function is a massive wakeup call to those governments."
"Going from high-speed to no-speed on one of Spain's fast trains is certainly a jarring experience for passengers—and it's a metaphor for how much of an impact such a major outage can have on advanced, interconnected economies and societies. Disaster response, or the lack thereof, has been a major issue for the Spanish government recently, and this situation is another test of its capabilities."
Here's what some experts from cybersecurity vendors had to say.
Dave Gerry, CEO at Bugcrowd:
"While we don't yet know the cause of the outage impacting the broader Iberian Peninsula, it highlights a growing concern that critical infrastructure is a soft target for cyber criminals. Whether nation-state actors looking to influence national interests or a criminal organization looking to cause mass panic and chaos, disruptions to services leveraged by millions represent a growing threat.
"In today's ultra-connected world, reliability and safety of the grid must be a key priority for local and federal authorities, and, must be addressed in conjunction with the private sector."
Aditi Gupta, Senior Manager, Professional Services Consulting, at Black Duck:
"While the exact cause of the power outage remains under investigation, the possibility of a cyberattack should not be ruled out. This large-scale infrastructure failure exposes a lack of preparedness on a national level. At the core of any incident, cyber or otherwise, preparedness and response times become key pillars for any nation or organization's operating system.
"This will be a crucial time for the affected countries to stay vigilant for any opportunistic threat actors looking to get access and exploit the nation's security systems and the common public alike. Phishing scams, money transfer requests, and the use of fake travel tickets may also increase during this time."
