A Comprehensive Case Study on Grid Collapse and Cybersecurity Resilience

Summary

• On April 28, 2025, a cascading power grid failure disconnected Spain and Portugal from the European grid, causing a full blackout.

• The blackout lasted 26 hours and disrupted transport, healthcare, and industry across the Iberian Peninsula.

• Despite early suspicions, no cyberattack was found; the root cause was a self-reinforcing operational collapse.

• Missed controls and weak configurations accelerated the event.

• Implementing standards like IEC 62443, ENISA guidelines, and FERC CIP could have prevented or mitigated the crisis.

Source: Committee for the Analysis of the Circumstances Surrounding the Electricity Crisis of April 28, 2025, Non-Confidential Report (June 2025)

What Happened on April 28, 2025?

At 12:33:30 PM local time, the entire Iberian Peninsula plunged into a complete blackout. For the first time in recorded history, Spain and Portugal were simultaneously disconnected from the European electricity grid. The result: a zero-voltage event that triggered emergency protocols under EU Regulation 2019/941.

The blackout lasted just over 26 hours, with technical recovery completed by 14:36 on April 29. However, the human, industrial, and economic aftermath extended for days.

Timeline of the Grid Collapse

Phase 0: Voltage Warning Signs (April 22–28)

• April 22: Overvoltage events recorded.

• April 24: Undervoltage events occurred.

• April 28, 09:02: Frequency deviation of -148 mHz due to European interconnection instability.

Phase 1: Oscillations Escalate (12:00–12:30)

• 12:03: A 0.6 Hz oscillation hit southern and western Spain.

• 12:19: A second oscillation (0.2 Hz) further destabilized the grid.

Phase 2: Major Generation Losses (12:32:00–12:33:18)

• Granada: 355 MW offline at 12:32:57.

• Badajoz: 730 MW lost at 12:33:16.

• Seville: 550 MW lost at 12:33:17.

• Reversal of power flow with France to +1,510 MW import.

Phase 3: Collapse to Zero Voltage (12:33:18–12:33:30)

• Voltage surged beyond 443.8 kV.

• Full disconnect in less than 5 seconds.

• Total grid separation from France at 12:33:19.620.

Phase 4: Recovery

• 99.95% demand restored by 07:00 on April 29.

• Complete technical restoration by 14:36.

Real-World Impacts

Industrial Shutdowns

• Andalusia: Petrochemical plants and automotive suppliers lost operations. Estimated loss: €200M.

• Catalonia: SEAT plant and refineries halted. Loss: €160M.

• Extremadura: Agro-industrial cold chains collapsed.

Public Transport Chaos

• Madrid & Barcelona Metros: Trains stranded mid-transit. Over 35,000 passengers affected.

• Lisbon & Porto Light Rails: System-wide outages, partial restoration by April 29.

Healthcare Under Pressure

• Hospitals switched to diesel generators.

• One ventilator-related fatality reported in Portugal.

• Non-critical surgeries postponed across Iberia.

Was It a Cyberattack? Digital Forensics Says No

Early public statements ruled out cyberattack prematurely. However, a thorough digital forensic investigation followed best practices:

Data Reviewed:

• 133 GB of log files, SCADA telemetry, and firewall records.

• 1,000+ OT network endpoints reviewed.

IOC Search Included:

• Known ICS malware: Industroyer2, Triton, BlackEnergy.

• TTPs of APTs: APT33, Volt Typhoon, Sandworm.

• Credential theft, C2 beaconing, lateral movement.

Conclusion:

• No anomalies, payloads, or command manipulation found.

• All firmware signatures intact.

• EU CERTs confirmed: no cyber sabotage involved.

Missed Opportunities That Could Have Prevented the Collapse

1. Wide-Area Monitoring Systems (WAMS)

• Could have detected real-time oscillations.

• Might have triggered preventive load shedding or damping.

2. Overly Sensitive Trip Settings

• 105% overvoltage trip threshold too low.

• Adaptive relay logic or raising to 110% could have retained generation.

3. DER Protection Logic

• 525 MW of small-scale DERs tripped.

• Staggered trip delays and ride-through settings would have preserved inertia.

4. System Damping Tools

• Gas turbines and condensers were not fast-start enabled.

• Pre-configured auto-activation could have stabilized swings.

Cybersecurity Standards Could Have Prevented This

Real-World Lessons:

• Logging (CIP-007-6 R2) would have caught early signals.

• Secure configuration (CIP-007-6 R3) prevents unnecessary trips.

• DER logic aligned with IEC 62443 ensures resilience.

• Fast incident response (CIP-009-6) minimizes downtime.

Conclusion: A Global Benchmark Could Have Prevented the Blackout

The Iberian Blackout of April 28, 2025, was not simply a failure of equipment - it was a systemic failure of alignment across operations, engineering, and cybersecurity. Despite the absence of a cyberattack, the collapse revealed deep vulnerabilities in grid coordination, protection logic, and situational awareness.

This was a preventable disaster - and it underscores a critical need:

Such a benchmark must:

• Be complementary to existing national and regional regulations, not a replacement

• Be agreed upon by international regulators to ensure consistency across borders

• Be embedded by vendors directly into device design, firmware, and control logic

• Be operationalized by grid operators and asset owners as a core part of daily procedures

If such a unified benchmark had been in place, anchored in proven frameworks like IEC 62443, FERC CIP, and ENISA ICS guidance, critical controls such as wide-area monitoring, DER ride-through logic, and dynamic protection settings could have acted in concert to avert the collapse.

As grids become more decentralized, digitized, and interdependent:

• The margin for error is shrinking

• Fragmentation is no longer acceptable

• Cybersecurity must evolve into cyber-physical resilience

Only a globally accepted benchmark, implemented end-to-end - from the design lab to the control room - can safeguard the future of critical infrastructure around the world.

For Grid Operators and Cybersecurity Leaders:

Implementing a unified, enforceable framework that aligns cyber and operational resilience is no longer optional. It's essential.

Contact www.maya-security.com to explore how your organization can achieve real-world OT resilience.

Sources:

Ö  Committee Report on the April 28, 2025 Blackout (non-confidential)

Ö  EU Regulation 2019/941 on Risk Preparedness in the Electricity Sector https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32019R0941

Ö  OMIE Electricity Market Data (Spain & Portugal) https://www.omie.es/en

Ö  Red Eléctrica de España (REE) – SCADA & Operations https://www.ree.es/en

Ö  Associated Press (AP) – Spain blackout: Grid failure, not cyberattack https://apnews.com

Ö  Reuters – What caused the Iberian power outage? https://www.reuters.com

Ö  El País – Un apagón eléctrico masivo desata el caos https://elpais.com

Ö  La Vanguardia – Barcelona queda paralizada por el apagón https://www.lavanguardia.com

Ö  Público (Portugal) – Paciente morre durante apagão https://www.publico.pt

Ö  Observador – Metro de Lisboa parou com apagão https://observador.pt

Ö  Diário de Notícias (Portugal) – Hospitais funcionaram com geradores https://www.dn.pt

Ö  El Economista – Impacto industrial del apagón en Andalucía https://www.eleconomista.es

Ö  Hoy.es – Apagón dejó a Extremadura paralizada https://www.hoy.es

Ö  Expansión – Daños industriales en Cataluña tras el apagón https://www.expansion.com

Keywords: Iberian blackout 2025, Spain Portugal power grid failure, IEC 62443, grid cybersecurity, ENISA ICS, FERC CIP standards, distributed energy blackout, SCADA collapse, DER tripping, WAMS monitoring, energy sector incident response.

Source: Committee for the Analysis of the Circumstances Surrounding the Electricity Crisis of April 28, 2025, Non-Confidential Report (June 2025)