After blackout, Spain investigates cyber vulnerabilities at small power plants

Editor’s Digest: Unlock it for Free

In this weekly newsletter, Roula Khalaf, Editor of FT, chooses her favorite stories.

Investigators looking into the blackout that occurred last month are trying to determine if small generators were exploited as a weak point by bad actors in order to bring down Spain’s electricity grid.

The questions from Spain’s National Cybersecurity Institute (Incibe) will intensify the debate about whether the country’s dependence on renewable energy was to blame for the power outage, a contention dismissed by Prime Minister Pedro Sánchez, a champion of decarbonisation.

One person with knowledge of the issue said that senior government officials are “concerned” about the strength of cyber defenses in small and medium-sized facilities. This includes the wind and solar farms, which have become more common as Spain has become a leader in renewable energy.

Spain is still trying to determine the cause of the failure of the Iberian grid on 28 April. It hasn’t ruled out a cyber-attack. “As it stands, we do not rule out any possibility.” The Spanish energy and environment minister said that “everything is still on the table”.

Separately, the judge of Spain’s National High Court opened an investigation to determine if a cyberattack was responsible.

Spanish grid operator Red Eléctrica said on the day after the outage that there was no evidence of a cyber attack on its own facilities, but has not commented since then.

The government said last week that Spain suffered 100,000 cyber attacks across all sectors last year, with 70 per cent of them targeting companies or other organisations, as it announced a €1.1bn investment to reinforce cyber security.

As part of the official investigation into what happened, three companies that own or run renewable power plants have told the Financial Times that they received an avalanche of questions from Incibe or their own defenses.

Questions included: “Is there a way to remotely control the plant?The questions included “Had any anomalies been detected before the 28 April incident?” Have you installed the latest security patches and updates?

An official in the government said that there were multiple lines to the investigation, and Incibe’s questioning was not an indication that Incibe had given more importance to one hypothesis than another.

Spain’s boom in renewable energies has changed its traditional model, where electricity was generated by only a few large, highly regulated nuclear and fossil fuel plants.

Spain instead has switched to a system with thousands of smaller generators. This has made it easier for hackers to cause havoc, either by injecting malicious software or disrupting the power flow.

The internet is a potential entry point into the system. This includes firmware-run devices which convert electricity into safe currents, as well as communication channels between the generating units, and the control centres.

Red Eléctrica says it receives live data from 4,000 renewable installations that have a generation capacity of at least 1 megawatt. It can send real-time instructions to modify production for those installations that are at least 5MW.

But in its latest annual report Red Eléctrica’s parent company identified as a risk having “insufficient information for the real-time operation of the system due to an increase in renewable generation facilities with outputs below 1MW”.

Anpier is a trade association that estimates Spain has around 54,000 solar systems connected to the grid. This includes small rooftop arrays in factories, homes, and offices.

Several Spanish electricity executives said they doubted that a cyber attack caused the blackout — in part because of the difficulty of executing one with such a dramatic impact. They did admit that a cyber attack in a new form could not be excluded.

Miguel López, regional sales director in southern Europe for cyber security group Barracuda, said: “With the information that we have available at the moment, a cyber attack doesn’t seem to be the most plausible hypothesis, because there would have needed to be several very well co-ordinated attacks on several different agents.”

If hackers had succeeded in “breaking” something it would have taken much longer than the 16 hours Spain needed to fully restore grid functioning, López added.

Anpier said: “In general . . . Small photovoltaic systems do not have the ability to be remotely attacked or cause electrical problems. It is also impossible that a single disturbance can have an impact on a system of this size.

The blackout occurred after Spain lost 15 gigawatts of electricity — 60 per cent of its supply — in just five seconds, destabilising the grid and causing multiple other power stations to disconnect. Before the outage, renewable sources accounted for 70% of Spain’s electrical supply.