Blackout in the Iberian Peninsula: A Call for Systems Thinking and Strategic Cybersecurity
Published on April 30, 2025 in Business environment, Entrepreneurship, Global environment, Innovation, Knowledge, Leadership, Regional development

The recent blackout on April 28th, which affected the Iberian Peninsula, exposed the vulnerability of critical infrastructure to systemic failures, both physical and digital. The event has highlighted the urgent need to adopt systems thinking approaches, implement redundant systems, and strengthen cybersecurity capabilities through tools such as cyber ranges. This article analyzes the event and proposes strategies to improve national resilience to these types of incidents, as well as recommendations for businesses and organizations.
The blackout that affected Spain and Portugal was caused by a combination of technical failures in the electricity distribution grid and an unanticipated surge in energy demand, exacerbated by a minor cyberattack on a control substation in northern Spain. Although the event was not catastrophic, it did expose structural weaknesses in the integrated management of critical infrastructure.
According to the Spanish Electricity System Operator (REE), “the synchronization of unexpected events, both physical and digital, can generate cascading effects that compromise system stability” (REE, 2025). This type of disruption highlights the interdependence of electrical, IT, and logistics systems.
This leads us to evaluate the need to use systems thinking, which allows us to analyze complex problems such as blackouts from a holistic perspective, considering the interrelationships between their components, relationships, and environmental conditions. Rather than treating events as isolated incidents, this approach promotes a deep understanding of root causes, feedback loops, and potential long-term consequences.
As Senge (2006) points out, “today’s problems are the result of past solutions,” which underscores the importance of anticipating unintended impacts. In an interconnected energy and technological environment, adopting this approach allows for the design of more resilient and proactive responses.
One of the main lessons of the blackout is the urgency of having redundant systems in critical infrastructure. Redundancy, understood as the duplication of essential system elements, acts as a backup mechanism that can be activated when the main system fails.
In the words of Perrow (1999), “redundancy is not a luxury, but a necessity in systems where failure can have catastrophic consequences.” This is particularly relevant in electrical grids, transportation systems, and data centers, where even a brief interruption can generate significant economic and social losses.
The blackout also highlighted the digital fragility of infrastructure and the importance of considering cybersecurity as a critical dimension. SCADA (Supervisory Control and Data Acquisition) systems, fundamental to energy management, are increasingly targeted by cyberattacks. Protecting these facilities requires a robust cybersecurity strategy capable of detecting, containing, and mitigating threats in real time.
The European Union Agency for Cybersecurity (ENISA) emphasizes that “the security of critical infrastructure depends as much on its technical architecture as on the preparedness of its operators” (ENISA, 2024). Thus, a combination of technology, procedures, and ongoing training is essential to address these challenges.
A key tool in cyber threat preparedness is the use of cyber ranges, virtual environments that simulate attacks and defenses in realistic scenarios. These platforms allow technical response teams to gain practical experience without compromising real infrastructure.
According to the Spanish National Cybersecurity Institute (INCIBE), “cyber ranges are essential for developing technical and strategic skills in cyber defense, fostering coordination, and improving response times” (INCIBE, 2024). Furthermore, they allow for coordinated exercises with multiple stakeholders, from network operators to government agencies.
Lack of preparedness for cyberattacks or technical failures can have devastating consequences for a highly digitalized modern society. A prolonged power outage not only affects domestic comfort but can also paralyze hospitals, airports, transportation systems, banking networks, and supply chains. Furthermore, in crisis contexts, misinformation and social panic can be amplified through digital networks.
According to the World Economic Forum (2024), “cyberattacks on critical infrastructure represent one of the top five global risks due to their potential to generate large-scale disruptions.” The absence of protocols, redundancies, or adequate training can turn a manageable incident into a national crisis, with far-reaching economic, social, and geopolitical implications.
The blackout on the Iberian Peninsula offers critical lessons for the public and private sectors. One of the most relevant lessons is that no organization is immune to the impact of a disruption to critical infrastructure, even if it is not directly involved in the energy sector. Therefore, it is essential that companies integrate operational resilience and cybersecurity into their strategic plans.
Among the main recommendations for governments, companies, and organizations are:
– Develop business continuity and disaster recovery plans, with specific scenarios for power failures or cyberattacks.
– Audit technological infrastructure to identify vulnerabilities, especially in industrial systems, SCADA, and IoT.
– Invest in redundant systems, both in energy (such as generators or alternative sources) and in connectivity and communications.
– Train staff in cybersecurity and crisis management, including simulations based on real-life scenarios using cyber ranges.
– Collaborate with public agencies and other organizations on joint cyber resilience exercises and threat intelligence sharing.
As the Industrial Cybersecurity Center (CCI) emphasizes, “preparedness is not only a technological issue, but also a cultural and organizational one; companies that anticipate risks are those that best survive and adapt” (CCI, 2023).
Soft Systems Methodology (SSM), developed by Peter Checkland in the 1970s, offers a structured yet flexible approach to addressing ill-defined problem situations, such as those arising during mass blackouts or cybercrises in critical infrastructure. Unlike “hard” systems, where the problem is clearly defined and the solution is technical, SSM recognizes the multiplicity of perspectives and tensions between actors with different goals and values.
In contexts such as the blackout in the Iberian Peninsula, this methodology is especially useful for understanding the interaction between technical elements (electrical grid failures or SCADA systems) and human factors (political decisions, institutional coordination, social perception of risk). Checkland (1999) proposes the use of tools such as rich pictures and human activity systems to explore the complexity of these systems and identify desirable and culturally feasible changes.
As Wilson (2001) points out, “SSM enables organizations to manage uncertainty and ambiguity by integrating systems thinking with participatory organizational learning processes.” In this sense, applying SSM contributes not only to a better understanding of the crisis, but also to designing more sustainable and resilient long-term responses.
In conclusion, the blackout in the Iberian Peninsula was not only a technical event, but a manifestation of the complexity and vulnerability of current systems. To avoid future crises, it is necessary to adopt a systems thinking approach, ensure operational redundancy, and strengthen cybersecurity through advanced cyber range training. Smart cities can suffer serious consequences if they do not prevent and prepare for these situations. National, state, regional, or municipal resilience depends on the ability to anticipate, understand, adapt, and learn from these comprehensive challenges, as well as being alert and prepared for these risks and threats at the business and organizational levels.
References
– Industrial Cybersecurity Center (CCI). (2023). Industrial Cybersecurity Maturity Report in Spain. https://www.cci-es.org
– Checkland, P. (1999). Systems Thinking, Systems Practice: Includes a 30-Year Retrospective. Wiley.
– ENISA. (2024). Threat Landscape for Critical Infrastructure. European Union Agency for Cybersecurity.
– INCIBE. (2024). Cybersecurity Training and Simulation for Critical Infrastructure. National Institute of Cybersecurity.
– Perrow, C. (1999). Normal Accidents: Living with High-Risk Technologies. Princeton University Press.
– REE. (2025). Preliminary Report on the Power Outage in the Iberian Peninsula. Red Eléctrica de España.
– Senge, P. (2006). The Fifth Discipline: The Art and Practice of the Learning Organization. Doubleday.
– Wilson, B. (2001). Soft Systems Methodology: Conceptual Model Building and Its Contribution. Wiley.
– World Economic Forum. (2024). Global Risks Report 2024. https://www.weforum.org/reports/global-risks-report-2024/