The ENTSO-E expert panel published its 472-page final report on the April 28, 2025 Iberian blackout on March 20, four days ago. The coverage landed exactly as expected: renewables cleared, voltage control blamed, twenty-two recommendations issued, everybody go home. And look, the report is genuinely important for grid engineers and energy regulators and the technical debate about inverter-based generation and grid inertia. That debate matters. But I’ve been reading the coverage and I’m watching an entire industry miss the more urgent point: the ENTSO-E report just handed every offensive cyber team on earth a 472-page engineering manual for how to bring down the Iberian grid in eight seconds without touching a single piece of malware. You don’t attack the renewable energy. You attack the voltage control. You just needed the report to tell you exactly where the gaps were.
What’s Actually Happening
On April 28, 2025, the Spanish and Portuguese power grids collapsed completely in under thirty seconds. Tens of millions of people lost power. Spain’s airports operated on emergency power. Hospitals activated backup generators. Telecommunications networks dropped to seventeen percent of normal traffic. The entire Iberian railway system stopped. Some areas were without power for eighteen hours. It was Europe’s most severe grid incident in over two decades.
The immediate theories — cyberattack, renewable energy overload, Russian sabotage, nuclear phase-out “experiment” — all turned out to be wrong. Both REE (Spain’s grid operator) and REN (Portugal’s) reviewed SCADA logs, telemetry, and firewall records and found no evidence of malicious intrusion. ENTSO-E confirmed this in its factual report in October 2025. The final root cause report, published March 20, 2026 after an eleven-month investigation, concludes the cause was a combination of voltage control failures, reactive power management gaps, inadequate protection settings, and a regulatory framework that had not kept pace with the speed of renewable energy integration.
Per the final report and pv magazine’s analysis published yesterday, the sequence unfolded as follows. Between 12:32:00 and 12:32:48, output from large renewable plants in Spain fell by approximately 500 MW. By 12:33:16, disconnections in the Badajoz region had eliminated 727 MW of solar and CSP generation. A further 928 MW disconnected across five provinces within two seconds. Voltages exceeded 435 kV. At 12:33:19, the Spanish and Portuguese systems lost synchronism with the European grid. The entire collapse from initial disturbance to total blackout took approximately thirty seconds. In a critical detail, the report found that “a substantial reactive power capacity from shunt reactors was available but not activated during the voltage rise” — the equipment to respond existed, but it wasn’t activated because the activation was manual, not automatic.
The investigation, per the ENTSO-E report, was also “hampered by incomplete data.” Distribution system operators didn’t have access to actual production data from generators below 1 MW — primarily rooftop solar. Several generation unit owners cited “a lack of fault records” as the reason they couldn’t provide data. For an event that took down a continent’s power supply in eight seconds, the post-incident forensic data quality was, to use a technical term, not great.
The 22 recommendations focus on voltage stability monitoring, automatic reactive power management, protection setting standardisation, and grid-forming inverter requirements. Spain updated Operational Procedure 7.4 in June 2025 to allow renewables to contribute to voltage control, and full implementation was completed on March 17, 2026 — three days before the report was published. As the SolarPower Europe joint statement puts it, the regulatory framework had simply not kept pace with the speed of grid transformation.
The Cyber Layer Nobody Is Writing About
Here is the sentence from the ENTSO-E report that every offensive cyber team on earth should have flagged when it was published on March 20: the entire grid collapse was precipitated by a series of generation trips in southern Spain — the first near Granada, the second near Badajoz, the third near Seville — within a twenty-second window, causing 2.5 GW of generation to disconnect through a positive-feedback voltage loop that the available defence mechanisms couldn’t stop.
The ENTSO-E report confirms that the defensive failure was specifically: manual activation of reactive power assets that were available but weren’t triggered automatically, and protection settings on individual generation units that weren’t standardised to European operating ranges. The grid had the equipment to respond. The equipment wasn’t deployed in time because the automation to deploy it didn’t exist.
Now. Think about what a targeted cyber operation against that specific architecture looks like. You don’t need to deploy custom OT malware. You don’t need a Stuxnet-grade development programme. You need to trigger a coordinated disconnection of generation units in southern Spain during a period of high solar output and low conventional plant inertia — precisely the conditions that existed on April 28 — and then do nothing except wait for the positive-feedback voltage cascade to complete the job. The ICS/SCADA interfaces for those generation units are your attack surface. The protection relay settings that the ENTSO-E report identifies as inadequately standardised are your target. You trip enough generation in the right geography at the right moment, and the grid does the rest.
This is not speculation. Dragos has documented this exact attack pattern as a theoretically available technique against high-renewable-penetration grids since their 2022 research. The 2015 and 2016 Ukraine grid attacks — Sandworm’s BlackEnergy and Industroyer operations — established the proof of concept for OT-targeted grid disruption using native functionality abuse. As a cybersecurity expert interviewed by pv magazine for their post-report analysis noted, the specific vulnerability profile the ENTSO-E report identifies — decentralised reactive power control, incomplete real-time visibility of sub-1MW distributed generation, manual rather than automatic defence activation — is precisely the attack surface that a sophisticated ICS-capable adversary would exploit.
The data quality gap the report identifies is an OT visibility gap with direct security implications. If ENTSO-E’s eleven-month investigation couldn’t get complete fault records from generation units because “owners cited a lack of fault records,” that’s not just an inconvenience for the accident investigation. That’s an admission that the grid operator cannot definitively determine what those units were doing at the moment of the event. An attacker who exploits ICS firmware on sub-1MW distributed generation units — inverters on rooftop solar systems, small wind aggregations — and then covers their tracks can operate in exactly that visibility gap. The forensic ambiguity the report documents is operationally useful to an adversary.
My research on protecting submarine cable and satellite infrastructure through AI surveillance makes the parallel argument for maritime infrastructure that applies equally here: the combination of high-value targets, legacy architecture, incomplete telemetry, and manual-activation defence mechanisms is the attack surface definition. The Iberian blackout was not a cyberattack. But the ENTSO-E final report is an inadvertent engineering brief for what a cyberattack on this architecture would require — and the barriers are lower than most grid operators want to acknowledge.
The Fourth Turning geopolitical context matters here too. Europe is simultaneously managing Russian pressure from the east, a destabilised Middle East to the south, and a rapid energy transition that has changed its grid architecture faster than its security architecture has adapted. The Iberian blackout happened during a period of relative geopolitical stability. The same grid architecture, under geopolitical stress, with an adversary operating the OT attack chain the ENTSO-E report has now publicly documented — that’s not a scenario to be dismissed as theoretical.
As I wrote in my post on INC Ransom’s eighteen-month campaign through Australian healthcare, the pattern of critical infrastructure compromise is consistent: attackers understand the target architecture better than the defenders understand their own attack surface. The ENTSO-E report just gave the attackers a 472-page curriculum.
Why It Matters Beyond the Conflict Zone
The enterprise translation here operates at two levels.
First, direct supply chain risk. If your operations depend on the Iberian energy market, the ENTSO-E report’s 22 recommendations are a list of things that are not yet fixed. Automatic reactive power management is not yet deployed. Protection setting standardisation across all generation units is not yet complete. The regulatory framework for rooftop solar participation in grid stability has been mandated but not uniformly implemented. The grid is more resilient than it was on April 28, 2025, but it has not reached the state described by the recommendations. During the gap, the architecture remains exploitable by the mechanism the report describes.
Second, the general lesson for any organisation that depends on grid infrastructure in a high-renewable-penetration environment. The countries moving fastest in renewable energy transition — Spain, Portugal, Germany, Denmark, increasingly the UK and Benelux — are the countries whose grid architectures most closely resemble the conditions that produced the Iberian event. The transition is necessary and largely positive. The security architecture catching up with the grid architecture is urgent and largely not happening.
The specific point about forensic data quality — grid operators not having visibility into sub-threshold generation units — has a direct enterprise parallel. Organisations that don’t have telemetry from every networked device in their OT environment cannot determine after an incident whether anomalous device behaviour was the cause or a coincidence. The ENTSO-E investigation’s data quality problems are the grid-scale version of an OT visibility gap that most industrial organisations also have.
What Went Wrong
Two structural failures, both documented explicitly by ENTSO-E.
The first is regulatory lag. The grid architecture changed — sixty percent solar during peak spring conditions, high inverter-based generation share, low conventional plant inertia — faster than the operational procedures, protection settings, and voltage control frameworks kept pace. The specific provision that would have allowed solar plants to contribute to voltage stabilisation during the crisis wasn’t legally in effect yet. The framework to prevent the event existed, but it hadn’t been implemented. Regulatory lag killed the lights for eighteen million people.
The second is the manual-versus-automatic defence problem. The shunt reactor capacity that could have arrested the voltage rise was available. It wasn’t activated automatically. When the cascade started, it moved in seconds. Human operators cannot respond in seconds to a voltage event across a geographically distributed grid. The design assumption that manual intervention could arrest a cascade in a high-renewable-penetration environment was wrong. That same assumption — that a human is in the loop for critical responses — exists in the OT architecture of most industrial environments. Cyber attackers who understand OT target environments specifically choose to execute operations faster than human response time allows.
The Fix — Fixer’s Advice
For energy sector operators and OT security practitioners: the ENTSO-E recommendations are your checklist. All 22 of them. The grid-level ones are for TSOs, but the generation-unit-level ones apply directly to any organisation operating renewable generation assets connected to the grid.
Specifically: review your inverter protection settings against the ENTSO-E guidance on voltage operating range. Inverters configured to trip outside a narrow voltage range contributed to the cascade in April 2025. ENTSO-E recommends that all generation units’ protection settings be validated against the harmonised European operating voltage range. If you operate grid-connected generation assets in Spain, Portugal, or any European jurisdiction, this is an action item with a deadline.
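One way to run that validation across a fleet, as an added example that is not code from the ENTSO-E report or from this post. The per-unit band, the `Unit` fields and the sample fleet are assumptions or constructed values; replace the band with the range that applies at your point of connection.

```python
from dataclasses import dataclass

# ASSUMPTION: placeholder per-unit band, not taken from the ENTSO-E report.
# Substitute the operating range that applies at your point of connection.
REQUIRED_MIN_PU, REQUIRED_MAX_PU = 0.90, 1.10

@dataclass
class Unit:
    unit_id: str        # hypothetical asset identifier
    capacity_mw: float
    nominal_kv: float   # nominal voltage at the point of connection
    uv_trip_kv: float   # under-voltage trip threshold
    ov_trip_kv: float   # over-voltage trip threshold

def audit(units, vmin=REQUIRED_MIN_PU, vmax=REQUIRED_MAX_PU):
    """Return (findings, mw_at_risk). A unit is flagged when a trip threshold
    sits inside the band it is required to stay connected through."""
    findings, mw_at_risk = [], 0.0
    for u in units:
        if u.nominal_kv <= 0 or u.uv_trip_kv >= u.ov_trip_kv:
            issues = ["INVALID_SETTINGS"]   # bad export or data-entry error
        else:
            issues = []
            if u.ov_trip_kv / u.nominal_kv < vmax:
                issues.append("OV_TRIP_INSIDE_BAND")
            if u.uv_trip_kv / u.nominal_kv > vmin:
                issues.append("UV_TRIP_INSIDE_BAND")
        findings += [(u.unit_id, issue) for issue in issues]
        if issues:
            mw_at_risk += u.capacity_mw
    return findings, mw_at_risk

# Constructed sample fleet (not real assets or real settings).
FLEET = [
    Unit("pv-a", 50.0, 400.0, 350.0, 445.0),    # both thresholds outside band
    Unit("pv-b", 120.0, 220.0, 192.5, 236.5),   # OV trip at 1.075 pu
    Unit("csp-c", 80.0, 400.0, 370.0, 445.0),   # UV trip at 0.925 pu
    Unit("pv-d", 30.0, 400.0, 420.0, 410.0),    # thresholds inverted
]

if __name__ == "__main__":
    findings, mw = audit(FLEET)
    for unit_id, issue in findings:
        print(f"{unit_id}: {issue}")
    print(f"capacity behind non-compliant settings: {mw:.0f} MW")
```

Normalising to per-unit lets one band cover assets connected at different voltage levels, and the MW total shows how much generation sits behind settings that need correcting.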
Review the configuration management and patching posture for your inverter control systems and smart meter infrastructure. Inverter firmware is updatable remotely. It is routinely under-patched. ICS-capable adversaries who want to exploit the voltage cascade vector described in the ENTSO-E report need only compromise the update mechanism or the remote management interface for inverter fleets to stage the conditions described in the report. Treat inverter firmware like production server firmware.
For enterprises depending on grid-connected critical infrastructure: build incident data quality into your OT architecture now. The ENTSO-E investigation was hampered by missing fault records from generation units. That’s the ICS equivalent of not having endpoint logs when your SIEM fires an alert. You cannot do root cause analysis on a grid event — or an OT security event — without telemetry from the devices involved in the event. Deploy monitoring that captures device state, protection relay status, and communications at the granularity that forensics requires.
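A forensic-readiness check for that requirement, as an added example that is not from the ENTSO-E report or this post: given an asset inventory and the timestamps of stored records, it lists every asset whose telemetry could not reconstruct a short event window. The asset names, the one-second resolution target and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Asset:
    asset_id: str       # hypothetical identifier
    capacity_mw: float

def coverage_gaps(assets, records, start, end, max_gap=timedelta(seconds=1)):
    """records: iterable of (asset_id, timestamp), all on one synchronised clock.
    Returns {asset_id: reason} for each asset whose stored telemetry cannot
    reconstruct the window [start, end] at the required resolution."""
    by_asset = {a.asset_id: [] for a in assets}
    for asset_id, ts in records:
        if asset_id in by_asset and start <= ts <= end:
            by_asset[asset_id].append(ts)
    gaps = {}
    for asset_id, stamps in by_asset.items():
        if not stamps:
            gaps[asset_id] = "NO_RECORDS"
            continue
        # Add the window edges so silence at the start or end also counts.
        points = [start] + sorted(stamps) + [end]
        worst = max(b - a for a, b in zip(points, points[1:]))
        if worst > max_gap:
            gaps[asset_id] = f"MAX_GAP_{worst.total_seconds():.0f}S"
    return gaps

def blind_capacity_mw(assets, gaps):
    """Installed capacity whose behaviour could not be reconstructed."""
    return sum(a.capacity_mw for a in assets if a.asset_id in gaps)

# Constructed inventory and records (not real plants or real data).
ASSETS = [Asset("plant-1", 150.0), Asset("plant-2", 40.0),
          Asset("rooftop-agg-3", 0.8)]
START = datetime(2025, 4, 28, 12, 32, 0)
END = datetime(2025, 4, 28, 12, 33, 30)
RECORDS = (
    [("plant-1", START + timedelta(seconds=s)) for s in range(0, 91)] +
    [("plant-2", START + timedelta(seconds=s)) for s in range(0, 91, 15)]
)

if __name__ == "__main__":
    gaps = coverage_gaps(ASSETS, RECORDS, START, END)
    for asset_id, reason in gaps.items():
        print(f"{asset_id}: {reason}")
    print(f"capacity without usable records: {blind_capacity_mw(ASSETS, gaps):.1f} MW")
```

Run it against a past drill or test window before an incident; an asset that logs every fifteen seconds, or not at all, is invisible to an investigation of an event that unfolds in seconds.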
Business continuity scenario for the grid lesson: the Iberian blackout lasted up to eighteen hours in some areas. Your UPS runtime is measured in minutes. Your generator fuel supply is measured in hours. Identify the gap. Map your critical operational dependencies against realistic outage durations, not best-case scenarios. For organisations in high-renewable-penetration geographies, the ENTSO-E report is evidence that the gap between “unlikely” and “happened” closed on April 28, 2025. Plan accordingly.
The disinformation dimension is also operationally relevant and the report documents it explicitly. Within minutes of the April 28 event, social media was attributing the outage to Russia, Morocco, North Korea, cyberattack, and solar energy conspiracy simultaneously. A fake post impersonating European Commission President von der Leyen claiming a Russian cyberattack went viral. Spanish polling found that seven months later, seventy percent of respondents still believed at least one false narrative about the cause. In a real cyber-triggered grid event, the disinformation layer is part of the operation: keeping defenders focused on the wrong cause delays the correct forensic response. Your incident response plan for a grid disruption event should include a disinformation assessment step.
Final Call-Out
The Iberian blackout was not a cyberattack. The ENTSO-E final report confirms that clearly. What the ENTSO-E final report also does, inadvertently, is provide a 472-page engineering analysis of exactly where the grid’s defensive mechanisms failed, which manual processes weren’t automated, and what architecture conditions allowed eight seconds to become eighteen hours of darkness for tens of millions of people. That document is now public. Every adversary with ICS capability and a targeting interest in European energy infrastructure can read it. The defensive response — automating what’s currently manual, standardising what’s currently inconsistent, building visibility into what’s currently opaque — is what ENTSO-E’s 22 recommendations address. The question is whether European grid operators will close those gaps faster than adversaries can exploit them. Given the timeline from April 2025 to March 2026 to publish a 472-page final report, I would describe the race as close.
