A large-scale power outage is currently sweeping mainly across Spain and Portugal, leaving millions without electricity. Authorities and energy companies are working urgently to assess the cause, and so far, the weather has been announced as the most likely culprit. The situation remains fluid, and more definitive updates are expected in the coming hours.
What We Know So Far
The outage is impacting not just residential areas, but also critical infrastructure, transportation networks, and communication systems. Both Red Eléctrica de España and REN (Portugal’s national energy network) assured the public that investigations are ongoing. Airports, hospitals, and emergency services have reported various degrees of interruption, although many have activated contingency plans and backup systems. Initial government statements emphasize that a full technical analysis is still underway, and the public is urged to await verified updates. Some are reporting anticipated outages lasting up to many hours.
Possible Causes Being Explored
At the beginning, several possibilities were suggested as potential causes of this blackout:
1. Technical Failures
Failures in key transmission lines, transformers, or substations could cause cascading effects across such a tightly interconnected grid. A single point of failure, if not isolated quickly, can under certain circumstances propagate disruption over wide areas.
2. Operational or Human Error
Operational errors, maintenance lapses, or misconfigurations could also trigger large-scale disruptions. These are often the simplest — yet most overlooked — causes of critical failures.
3. Cyberattack on Critical Systems
Hours after the outage, hacktivist groups Dark Storm and NoName057(16) claimed responsibility, though these claims are so far unverified. Given the increasing frequency and sophistication of attacks against critical infrastructure globally, a cyberattack could be a potential scenario. Energy grids are particularly vulnerable due to their reliance on complex digital control systems (SCADA and ICS environments). A well-coordinated cyber incident could disrupt grid operations, mislead system monitoring, or even cause physical damage.
If these power outages were the result of a cyberattack, it would mark the most significant incident of its kind since the 2015 BlackEnergy attacks on Ukraine, with potentially far broader implications.
That said, there is currently no confirmed evidence pointing to cyber involvement in today’s outage. National cybersecurity agencies are actively monitoring for indicators of malicious activity as part of the ongoing investigation.
4. Weather or Environmental Factors
While officials say it's still too early to say for sure what caused the blackout, so far, weather (a rare atmospheric phenomenon due to an imbalance in extreme temperatures) has been identified as the most likely cause of this enormous blackout.
What Nozomi Sees in Telemetry
As part of our daily operations, Nozomi Networks constantly receives fully anonymized telemetry from participating customers, allowing us to improve our products and perform research. When the outage occurred, Nozomi Networks Labs noticed a spike in the alerts coming from the Energy sector of our customers located in Spain and Portugal.

We are still investigating if this was just a coincidence, a result of engineers reacting to the outage, or an outcome of a potential cyberattack. We will provide updates as we find something more definitive, and in the meantime, we want to emphasize the importance of mature asset inventory and threat visibility capabilities integrated into modern cybersecurity solutions. Even when outages aren't linked to cyberattacks, swiftly ruling them out is crucial for efficient root-cause analysis, especially when every moment counts.
Broader Lessons: A Wake-Up Call for Infrastructure Resilience
Regardless of the final root cause, today's incident highlights a deeper, systemic issue: our growing dependence on resilient, secure energy grids.
In Florida, for example, the community invests heavily in preventive maintenance activities to enhance their grid resilience — flying drones over power lines, trimming trees year-round — especially in preparation for hurricane season. These efforts are tangible: residents see the work happening and experience the benefits firsthand. When investments are made in physical grid security, communities notice when storms pass and the lights stay on. Unfortunately, invisible threats like temperature surges and cyber risks are harder to appreciate. Unlike a fallen tree across a power line, they leave no obvious mark to the casual observer — until, that is, the power goes out. Comprehensive asset monitoring enables operators to spot issues with failing hardware or software early, regardless of the root cause.
Conclusion: Better Monitoring Always Helps
Events like today's outage are stark reminders of what we may be taking for granted. They underline the urgent need for sustained investment — not just in the physical hardening of infrastructure, but also in the resilience of the systems that underpin our energy security. We must be prepared for risks from natural causes, human error, and deliberate cyberattacks.
More than ever, today's events call for better monitoring for the complex systems that power our daily lives, to make sure the root causes can be discovered promptly and taken into account as early as possible during the remediation phase.
During incidents where the root cause is still unknown, having a wide array of detailed information that is available, navigable, and pertinent to the environment can make forensic investigation and analysis easier for all those involved. These activities can range from eliminating cyber incidents as a root cause to using cybersecurity data to support other investigations by identifying anomalies in how fast industrial control systems are sending their messages, in how operators are using the system, and on the networks or in the wireless space.
Organizations that are well-equipped to handle these situations generally follow these guidelines:
- Develop a detailed asset inventory which includes all technologies, on all network types (wired Ethernet to Wi-Fi to other wireless), down to the component level. Within the asset inventory, vulnerabilities are identified, prioritized, and tracked according to real-world data.
- Monitor the networks and assets for threats and anomalies. This includes new assets appearing, assets behaving out of character, and the industrial control system data being sent between the systems and assets. Combining anomaly detection with detection of known behaviors produces a lot of valuable data that's useful during an incident, as well as for recovery efforts.
- Pre-plan for the inevitable day when there's an incident, and develop playbooks that will guide those responding to the incident safely and securely.
- Run tabletop exercises that can help identify opportunities for improving training, process reliability, safety, and resiliency.
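To make the monitoring guideline concrete, the following added example (not Nozomi Networks code, and not how any product implements it) learns an asset inventory and per-flow message timing from a baseline capture, then flags new assets and flows whose message rate has shifted. The asset names, the traffic records and the thresholds `k` and `floor` are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample traffic (timestamp_s, source, destination); all names are hypothetical.
BASELINE = [(t, "hmi-01", "rtu-07") for t in (0.0, 2.0, 4.1, 6.0, 8.0, 10.1)] + \
           [(t, "hmi-01", "rtu-08") for t in (0.0, 5.0, 10.0, 15.0)]
OBSERVED = [(t, "hmi-01", "rtu-07") for t in (100.0, 100.5, 101.0, 101.5, 102.0)] + \
           [(t, "hmi-01", "rtu-08") for t in (100.0, 105.0, 110.0)] + \
           [(101.2, "eng-laptop-x", "rtu-07")]

def intervals(records):
    """Return the gaps between consecutive messages for each (src, dst) flow."""
    last, gaps = {}, defaultdict(list)
    for ts, src, dst in sorted(records):
        if (src, dst) in last:
            gaps[(src, dst)].append(ts - last[(src, dst)])
        last[(src, dst)] = ts
    return gaps

def build_baseline(records):
    """Learn the asset inventory and per-flow timing (median gap, MAD)."""
    assets = {a for _, src, dst in records for a in (src, dst)}
    timing = {}
    for flow, g in intervals(records).items():
        med = median(g)
        timing[flow] = (med, median(abs(x - med) for x in g))
    return assets, timing

def detect(records, assets, timing, k=5.0, floor=0.05):
    """Flag assets absent from the inventory and flows whose message rate shifted."""
    findings, reported = [], set()
    for _, src, dst in sorted(records):
        for asset in (src, dst):
            if asset not in assets and asset not in reported:
                reported.add(asset)
                findings.append(("new_asset", asset))
    for flow, g in sorted(intervals(records).items()):
        if flow not in timing:
            continue  # no learned timing for this flow
        med, mad = timing[flow]
        observed = median(g)
        # Tolerance is k robust deviations; the floor avoids zero tolerance on perfectly regular polling.
        if abs(observed - med) > k * max(mad, floor):
            findings.append(("timing_shift", flow, round(observed, 2)))
    return findings

if __name__ == "__main__":
    inventory, timing = build_baseline(BASELINE)
    for finding in detect(OBSERVED, inventory, timing):
        print(finding)
```

Neither finding says anything about cause on its own: a faster polling rate or an unfamiliar engineering laptop is just as consistent with engineers reacting to an outage as with an intrusion, which is why the findings need the inventory and operator context around them.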
We will continue monitoring the situation closely and provide updates as official investigations progress.