Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Spain is demanding information from small electricity generators on their cyber defences as investigators probing last month’s blackout seek to determine whether they were a weak link exploited by bad actors to bring down the country’s power grid.
The questions from Spain’s National Cybersecurity Institute (Incibe) will intensify the debate about whether the country’s dependence on renewable energy was to blame for the power outage, a contention dismissed by Prime Minister Pedro Sánchez, a champion of decarbonisation.
Senior government officials have “concerns” about the robustness of cyber defences at small and medium-sized power facilities, notably the solar and wind farms that have proliferated as Spain became a global renewables leader, said one person familiar with the matter.
Spain has yet to identify the root cause of the collapse of the Iberian power grid on April 28 and has not discounted a cyber attack. “As of today, we are not ruling out any possibilities. Everything remains on the table,” said Spain’s energy and environment ministry.
Separately, a judge at Spain’s National High Court has opened an investigation into whether a cyber attack was behind it.
Spanish grid operator Red Eléctrica said on the day after the outage that there was no evidence of a cyber attack on its own facilities, but has not commented since then.
The government said last week that Spain suffered 100,000 cyber attacks across all sectors last year, with 70 per cent of them targeting companies or other organisations, as it announced a €1.1bn investment to reinforce cyber security.
Three companies that own or operate renewable power plants told the Financial Times they had received a barrage of questions about the blackout and their own defences from or Incibe, as part of official inquiries into what happened.
The questions included “Is it possible to control the power plant remotely?”, “Were any anomalies detected prior to the 28 April incident?” and “Have you installed any recent security patches or updates?”
One government official said the authorities were pursuing multiple lines of inquiry and that Incibe’s questions were not a sign that one hypothesis about the blackout was being given more weight than others.
Spain’s renewable energy boom has ended the country’s traditional model in which electricity generation was concentrated in a few big, highly-regulated fossil fuel or nuclear power plants.
Instead Spain has shifted to a system of thousands of smaller generators, which has created more targets for hackers wanting to wreak havoc by injecting malware or disrupting power flows.
Potential entry points into the system, all linked to the internet, include firmware-run devices that convert electricity into a safe current, and communication channels between generating units and control centres.
Red Eléctrica says it receives live data from 4,000 renewable installations that have a generation capacity of at least 1 megawatt. It can send instructions in real time to modify the production of those that are 5MW or larger.
But in its latest annual report Red Eléctrica’s parent company identified as a risk having “insufficient information for the real-time operation of the system due to an increase in renewable generation facilities with outputs below 1MW”.
Anpier, a trade group, estimates that Spain has about 54,000 solar installations connected to the grid, including small-scale rooftop arrays at factories, offices and homes.
Several Spanish electricity executives said they doubted that a cyber attack caused the blackout — in part because of the difficulty of executing one with such a dramatic impact. But they conceded that an assault in a form not previously conceived could not be ruled out.
Miguel López, regional sales director in southern Europe for cyber security group Barracuda, said: “With the information that we have available at the moment, a cyber attack doesn’t seem to be the most plausible hypothesis, because there would have needed to be several very well co-ordinated attacks on several different agents.”
If hackers had succeeded in “breaking” something it would have taken much longer than the 16 hours Spain needed to fully restore grid functioning, López added.
Anpier said: “In general . . . small photovoltaic installations do not have systems that can be attacked and that can cause electrical problems remotely. Moreover, it is impossible for a one-off disturbance in installations of this size to have an influence on the system.”
The blackout occurred after Spain lost 15 gigawatts of electricity — 60 per cent of its supply — in just five seconds, destabilising the grid and causing multiple other power stations to disconnect. Before the outage renewables were contributing 70 per cent of Spain’s electricity.