Spain blackout: uncovering unknowns with Hypothesis Competition Analysis

Written by the Cybersecurity and Privacy Protection Research Group (GiCP)

Last April 28, 2025, a general blackout affected the Iberian Peninsula, leaving Spain and Portugal without electricity for hours. Taking advantage of this event, the GiCP has carried out a practical exercise on structured intelligence analysis techniques, with the aim of learning about them, and trying to clear incognitas about this event.

Structured intelligence analysis techniques constitute a set of systematic methodologies designed to assist analysts in the rigorous evaluation of complex, ambiguous or incomplete information. Their fundamental purpose is to improve the quality of analytical reasoning by reducing cognitive biases, promoting critical thinking and formally structuring inferential processes. These techniques originated as a response to the deficiencies observed in intuitive or non-systematized analysis, particularly in the field of strategic and operational intelligence, where the consequences of erroneous interpretations can be serious.

Among the most representative techniques is the Analysis of Competing Hypotheses (ACH), which allows the analyst to compare alternative explanations of a given phenomenon on the basis of their relative consistency with the available evidence. This technique, developed by CIA analyst Richard Heuer, seeks to reverse the burden of proof and force the falsification of hypotheses rather than their confirmation, thus reducing the risk of confirmation bias.

In the case of the national blackout in Spain, so far, it is only known what happened, but not how or why. In order to clarify the unknowns of this event, an ACH analysis can be used. For this, a list of possible hypotheses has been listed, and a compilation of evidence published between April 28 and April 30 has been compiled. Subsequently, these hypotheses and evidences are transferred to a matrix in which the different elements are crossed to give rise to the diagnosticity between each hypothesis and evidence.

At GiCP we have performed the following competing hypothesis analysis:

Most refuted hypotheses

• Rare atmospheric phenomenon (H3): AEMET’s official denial counters REN’s initial assertion; in ACH, the meteorological authority’s denial weighs more heavily.
• Fire in southern France (H6): RTE points out that there were no fires and no lines affected, leaving the hypothesis with direct refutation and no support.

Less refuted hypotheses (as of 30 Apr 2025)

• Lack of synchrony (H5) and Sudden disconnection of power plants (H7): The account of two almost simultaneous disconnections and subsequent frequency drop points to stability and automatic protection problems.
• Human failure (H2) and Sabotage (H4): They lack direct evidence in one direction or the other. Their status depends on additional information.
• Renewable overload (H8): Refuted by statements, but several media point out wind/solar injection peaks just before the failure, so it is “weakly refuted”.
• Cyberattack (H1): There is a judicial investigation, but Red Eléctrica rules it out; technical evidence from the authority contradicts the hypothesis, but movements are observed that will require additional information.

Structured analysis using intelligence techniques, such as Analysis of Competing Hypotheses (ACH), has proven to be an effective tool for dealing with complex and unclear phenomena, such as the general blackout that affected the Iberian Peninsula on April 28, 2025. This methodology allows us to systematically organize plausible hypotheses, evaluate them against the available evidence and reduce the impact of cognitive biases in the analytical process. This type of methodologies are studied and used in our participation in the SafeHorizon project, where we obtain intelligence from various sources and by integrating these data streams with machine learning technologies, the project seeks to extract actionable evidence for legal use.

Of the hypotheses considered, some have been solidly refuted with direct evidence. This is the case of the atmospheric phenomenon, initially proposed by REN, but later discarded by AEMET, the competent meteorological authority. The possibility of a fire in the south of France as the cause of the blackout has also been ruled out, following confirmation by RTE that there were no fires or lines affected in that region.

Other hypotheses, however, remain open or have been only weakly refuted. These include renewable energy overload, sudden disconnection of plants, lack of synchrony in the grid, human error, sabotage and cyber-attack. The limited evidence available in these areas does not allow us to completely rule out any of these explanations, leaving room for different interpretations depending on new information that may emerge.

The cyber-attack hypothesis deserves particular attention. Although Red Eléctrica has publicly ruled it out, the fact that the Audiencia Nacional has opened proceedings to investigate this possibility indicates that there are still elements that require clarification. This ambiguity highlights the importance of having detailed technical and forensic reports before making conclusive judgments.

This analysis should be seen as a practical exercise, where an event such as the one analyzed is a good example to apply structured intelligence techniques. A diagnostic result requires more technical evidence that has not been made available to the general public.