What the Iberian Blackout Teaches About OT Security

Not all OT downtime stems from cyberattacks. In its recently published final report on the April 2025 Iberian Blackout, the ENTSO-E (European Network of Transmission System Operators for Electricity) Expert Panel attributes the event to a combination of interacting factors, including oscillations, control gaps, differing regulation practices, disconnections, and uneven stabilisation capabilities.
While cybersecurity was not the root cause of this incident, security awareness and security measures can greatly affect outcomes when system controls are stressed or disrupted. For operators of critical assets, the relevance lies in the system-level lessons around visibility, coordination, and control integrity.
When Complexity Becomes a Risk Factor
Modern power grids operate as tightly interconnected systems balancing generation, transmission, and demand across regions. According to the report’s findings, disturbances can propagate rapidly when systems depend on:
- Continuous real-time data exchange
- Coordinated control actions across multiple domains
- Accurate and timely system state visibility
Under these conditions, failures are rarely isolated. Instead, they emerge from interactions between systems operating within narrow stability margins. From an OT perspective, this reinforces a key principle: Control systems must remain deterministic and trustworthy, even when the surrounding network becomes unstable or unpredictable.
Visibility vs. Control
Power systems rely on constant communication between field devices, SCADA systems, and higher-level energy management platforms. However, not all communication carries equal operational risk.
- Telemetry (upstream data) supports monitoring, forecasting, and coordination
- Control commands (downstream actions) directly affect physical processes
The Iberian incident highlights how tightly coupled systems can become sensitive to unintended interactions. In such environments, unclear or overly permissive control pathways can amplify disturbances rather than contain them. This leads to an important architectural consideration: visibility should expand without expanding control exposure.
Rethinking Segmentation in Critical Infrastructure
Segmentation has long been a foundational principle in industrial cybersecurity. Frameworks such as IEC 62443 define zones and conduits to separate systems based on trust and function.
In practice, this segmentation is often implemented using firewalls and routing policies. As systems scale and interconnect, however, maintaining consistent enforcement of these logical controls under all conditions becomes increasingly complex.
This is where the concept of physical separation has re-emerged in a modern form. Instead of relying solely on policy enforcement, architectures can be designed to eliminate unnecessary communication paths altogether, particularly those that introduce risk without operational benefit.
Applying the Concept in Practice
In real-world power systems, issues can arise internally as well as externally. The challenge is not simply to block threats, but to define how information is allowed to move across operational layers.
Control centers require continuous visibility from substations and field devices to maintain grid stability. At the same time, these field systems must remain insulated from unintended influence, whether caused by human error, system misconfiguration, or malicious attacks. One practical approach is to separate data replication from control communication at the architectural level.
Instead of treating all network traffic as equivalent, systems can be designed so that:
- Operational data is replicated outward through dedicated, constrained pathways
- Control signals are restricted to clearly defined and limited channels
- Monitoring and external interfaces operate without direct interaction with control systems
This reduces system complexity and improves predictability, which is especially important during abnormal conditions, when uncontrolled interactions can lead to cascading effects.
Physical Enforcement and System Stability
In environments such as substations and transmission networks, the benefit of unidirectional architectures is not only cybersecurity, but operational clarity.
When communication paths are physically constrained:
- No command or configuration traffic can traverse upstream through those paths
- Control authority remains confined to explicitly designed channels
- System behavior becomes more predictable under both normal and abnormal conditions
Unidirectional gateways are a simple way to implement this model. By physically limiting certain pathways to data export only, they allow operators to expand visibility without increasing the number of control paths into critical systems. The BIG9000, an FPGA-based unidirectional gateway, takes this a step further by validating industrial protocols in hardware, providing an extra, smart layer of protection against communication risks.
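The architecture described in the two preceding sections (operational data replicated outward through a constrained pathway, control confined to explicitly designed channels, and protocol validation at the boundary) can be illustrated with a small software model. This is an added example, not code from BlackBear, the BIG9000 or the ENTSO-E report. It assumes Modbus/TCP as the field protocol and uses constructed sample frames; a real gateway enforces the one-way property in hardware, whereas here it is enforced by giving the monitoring side no transmit method at all, so a command cannot flow upstream by construction rather than by policy.

```python
"""Illustrative model of a unidirectional telemetry gateway (added example).

The transmit side sits on the control network, strictly parses Modbus/TCP
read responses, and replicates only their data values outward.  The receive
side is an append-only record store with no path back toward the field.
"""
import struct
from dataclasses import dataclass, field

# Modbus function codes that only read process data (telemetry).
# Writes, diagnostics and exception responses (0x80+) never cross the gateway.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4}


@dataclass
class TelemetryRecord:
    unit_id: int
    function: int
    values: tuple


@dataclass
class MonitoringSide:
    """Receive-only end. Deliberately has no method that can emit bytes
    toward the control side, so no control path exists to misconfigure."""
    records: list = field(default_factory=list)

    def deliver(self, record: TelemetryRecord) -> None:
        self.records.append(record)


def parse_modbus_response(frame: bytes):
    """Strict parse of a Modbus/TCP read response; None if any check fails.

    MBAP header: transaction id (2), protocol id (2, must be 0),
    length (2, covers unit id + PDU), unit id (1).
    PDU: function code (1), byte count (1), data.
    """
    if len(frame) < 9:
        return None
    _tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        return None
    function = frame[7]
    if function not in READ_ONLY_FUNCTIONS:
        return None  # write, diagnostic or exception: not telemetry
    byte_count, data = frame[8], frame[9:]
    if byte_count != len(data):
        return None
    if function in (3, 4):  # 16-bit registers
        if byte_count % 2:
            return None
        values = struct.unpack(">%dH" % (byte_count // 2), data)
    else:  # coils / discrete inputs arrive as packed bit bytes
        values = tuple(data)
    return TelemetryRecord(unit_id, function, values)


@dataclass
class UnidirectionalGateway:
    """Transmit-only end on the control network."""
    receiver: MonitoringSide
    dropped: list = field(default_factory=list)

    def replicate(self, frame: bytes) -> bool:
        """Push a validated frame's data outward; True if it crossed."""
        record = parse_modbus_response(frame)
        if record is None:
            self.dropped.append(frame)  # keep for local diagnostics only
            return False
        self.receiver.deliver(record)
        return True


def build_read_response(tx_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Helper to construct sample Modbus/TCP read responses."""
    pdu = bytes([function, len(data)]) + data
    return struct.pack(">HHHB", tx_id, 0, len(pdu) + 1, unit_id) + pdu


def demo():
    """Run constructed sample traffic through the gateway."""
    mon = MonitoringSide()
    gw = UnidirectionalGateway(mon)
    # Constructed samples: one valid holding-register response, then three
    # frames a gateway must refuse to replicate.
    ok_frame = build_read_response(1, 17, 3, struct.pack(">3H", 230, 231, 5000))
    write_request = struct.pack(">HHHBBHH", 2, 0, 6, 17, 6, 1, 0)   # FC6 write single register
    exception_resp = struct.pack(">HHHBBB", 3, 0, 3, 17, 0x83, 2)    # FC3 exception response
    truncated = ok_frame[:-1]                                       # length field mismatch
    results = [gw.replicate(f) for f in (ok_frame, write_request, exception_resp, truncated)]
    return results, mon.records, gw.dropped


if __name__ == "__main__":
    print(demo())
```

The allowlist of read function codes is the software stand-in for protocol validation at the boundary: a frame that is syntactically valid Modbus but carries a write or an exception is dropped before it reaches the monitoring side, and a frame whose MBAP length disagrees with its actual size is dropped as malformed. The absence of any reverse path is a property of the structure, not of a rule that could be relaxed later.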
Importantly, this does not eliminate the need for control systems. Instead, it ensures that control is exercised only where it is intended, and through intended network pathways. As Heise Online notes, manual interventions in the grid must be replaced by automation, because seconds count in an emergency.
Implications for Power Infrastructure
The Iberian blackout was not caused by a cyber event. However, it demonstrates how system architecture directly influences how disturbances propagate or are contained. Key takeaways include:
1. Visibility Must Be Decoupled from Control
Expanding data access should not introduce new pathways for influencing critical systems.
2. Segmentation Should Be Deterministic
Logical controls are necessary, but architectures that enforce boundaries physically provide stronger guarantees.
3. Control Paths Must Be Explicit
Reducing and clearly defining control pathways improves both security and operational reliability.
4. Architecture Defines Resilience
The way systems are interconnected determines how they behave under stress, and in particular whether disturbances remain local or cascade across the network.
Looking Ahead
As power grids evolve toward greater digitalization and interconnection, the challenge is not reducing connectivity, but structuring it with intent. Architectures that clearly separate observation from control, enforce boundaries where necessary, and minimize implicit trust are better positioned to support both operational performance and long-term resilience. In this context, unidirectional communication is not just a cybersecurity tool. It is an engineering approach to managing complexity in critical infrastructure. Reach out to the BlackBear team for a dedicated consultation on how a unidirectional gateway reinforces, without complicating, your system.