A Spanish court has ruled that the cause of the outage that cut off power to Spain, Portugal, and parts of France will remain unknown. State secrecy, national security, ongoing investigation—take your pick of the reasons, whichever sounds most credible, or at least mysterious enough. One fact remains: something went very wrong. And that alone is reason enough to ask here in Poland—are we prepared for a similar scenario?
Photos: Polish Power Grid (Polskie Sieci Elektroenergetyczne)
A similar question has likely crossed the minds not only of energy and security experts, but also of those who’ve marked the date of a potential Polish blackout in their calendars—right after the long weekend and the next elections. Because the question isn’t if such a blackout might happen, but when, and how painful it will be.
So, what happened in Spain? All we really know is that power was cut off from consumers. The court classified the investigation, which can only mean one thing: a serious suspicion of sabotage, a cyberattack, or a systemic failure that reveals too much about the weaknesses in critical infrastructure. No one puts a secrecy stamp on a report about a burnt-out cable.
Such decisions are usually made when the consequences of knowing are more dangerous than not knowing. If it turned out that a few hackers with Internet access and more determination than the operator’s security systems managed to shut off power in three EU countries, public trust would collapse faster than Barcelona’s defense in a match against Inter.
What About Poland?
Despite numerous investments and upgrades, Poland’s power grid is still operating at the edge of its capacity. Many of the power lines were designed at a time when no one had heard of heat pumps, and the pinnacle of household luxury was a Goldstar television sitting next to a Blaupunkt or Technics Hi-Fi tower. Today, we have tens of thousands of heat pumps, millions of air conditioners, and devices that demand electricity as relentlessly as a tax office clerk chasing two złoty in unpaid taxes.
On top of that, Poland’s power balance is already tight. During peak demand in winter and summer, the country imports electricity from Germany, the Czech Republic, or Lithuania. But imports have one major drawback—they don’t work if neighboring countries are in trouble too. And in a crisis, every country thinks of itself first. Rightfully so—and Poland should do the same.
Is Poland safe? No. Is it better protected than Ukraine was in 2015, when the Russians shut off power to 200,000 people? Yes. But there’s a vast gap between better protected and secure—a gap you can fall into with just one click on a malicious email attachment.
Polish Power Grid Operator (PSE) is indeed investing in cybersecurity.
Construction of the 400 kV Choczewo substation
Weakest element
We have the Military Cyber Operations Center, CERT teams, and critical infrastructure protection programs. The problem is, hackers don’t wait for new strategies—they wait for new opportunities. And the Polish system offers plenty of those, most often due to human error.
In 2021, hackers breached the servers of the Digital Poland Projects Centre (CPPC), an institution managing billions of złoty. Cybercriminals impersonated the CPPC director in an attempt to fraudulently request a wire transfer via email. Additionally, one of the servers was running outdated software, which allowed the attackers to hack it and potentially gain access to confidential documents.
According to the Internal Security Agency (ABW), in 2022, Russian APT groups carried out phishing campaigns targeting government officials, soldiers, journalists, and public institutions. The attacks involved sending manipulated documents or links that installed spyware.
Not enough? In the first quarter of 2023, the Lazarus cybercriminal group, linked to North Korea, targeted a Polish defense industry supplier. Employees at the company received fake job offers containing infected attachments. Once opened, a trojan was installed on their computers, allowing remote control of the system. The goal of the attack was industrial espionage and the acquisition of sensitive data.
In October 2024, cybercriminals sent out emails impersonating the Ministry of Finance, claiming the recipients had outstanding tax payments. The messages contained an attachment with an infected file which, once opened, installed the LokiBot malware. This malware was designed to steal authentication data—such as usernames and passwords—from web browsers and other applications.
Could similar methods be used to attack systems that manage parts of the power grid? Absolutely. A single mistake by a regular employee could trigger a domino effect, potentially paralyzing a large region of the country. And how many so-called digital creators that have popped up on Facebook in recent months might be based somewhere near Moscow? Quite a few. Just as many men might be tempted by their photos, offered for download from the cloud. Silly? Maybe. But also true.
Similar methods have been used in other phishing campaigns, where cybercriminals posed as attractive individuals and promised to send intimate photos or videos. After opening attachments or clicking on links, victims’ devices were infected with malware that enabled data theft or user surveillance.
In 2020, researchers from IBM X-Force Threat Intelligence uncovered a phishing campaign in which attackers sent emails claiming to possess nude photos of a recipient’s acquaintance. The message stated that the images had been obtained by hacking into the acquaintance’s email account and demanded a ransom in return.
If the recipient clicked on the attachment, it opened a Word document containing a blurred image and instructions to “enable content.” Once activated, the malware was installed on the computer, stealing login credentials, credit card information, and other sensitive data.
Simple and effective—and its success depends on the weakest link: the person who decides to click a link, open a file, or pursue a romance with an alluring woman who might, in reality, be Ivan, typing away in Cyrillic.
Hybrid Warfare
The question today is no longer if a blackout will happen, but whether we’re prepared for when it does. Do we have supplies? Do government institutions have contingency plans? Do local authorities know what to do when the lights go out and gas stations stop working? Do households have generators? Does the military have a plan to secure critical infrastructure? And most importantly—does anyone in the government treat energy security as seriously as they treat election strategy?
For 90 percent of these questions, the answer is simple: no. Just as people once mocked Minister Władysław Kosiniak-Kamysz’s emergency backpack, now social media commenters laugh about blackouts, joking that at least the birth rate will go up. The first group stopped laughing when the floods came. The second may stop when they spend a week without electricity—like residents of parts of Spain and Portugal recently did.
The Spanish blackout is a warning. The fact that its cause was classified is a red flag. And we’re sitting on an energy powder keg, hoping the spark won’t hit today. Or tomorrow. Or in November. Maybe after the first snowfall. But the security of a state cannot be built on maybe.