A major cyberattack that struck Poland’s energy infrastructure late last year has drawn urgent warnings from cybersecurity authorities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), underscoring significant gaps in operational technology (OT) and industrial control systems (ICS) defenses used to manage critical infrastructure.
On December 29, 2025, a coordinated cyberattack targeted over 30 sites in Poland’s energy network, including wind and photovoltaic farms as well as a large combined heat and power (CHP) plant. The campaign did not trigger major blackouts or power outages — largely due to system redundancies — but it caused loss of visibility and control at affected facilities. In some cases, attackers damaged firmware and erased critical data on human-machine interfaces (HMIs), disrupting operators’ ability to monitor and control equipment.
According to CERT Polska, the nation’s computer emergency response team, the attackers gained access through vulnerable network devices and used destructive tactics comparable to “deliberate arson” in cyberspace. The malicious activity was aimed at degrading OT systems, rather than merely stealing information — a shift that highlights a growing trend toward operational disruption over simple data breaches.
How the Attack Unfolded
Investigations show the intrusion began with low-barrier access to internet-facing OT components. Threat actors exploited default credentials and unprotected network devices to move into control systems that manage remote terminal units (RTUs) and other field devices. Once inside, they deployed wiper-style malware and executed firmware corruption, which deprived distribution system operators of visibility and control over affected assets.
The compromised systems included devices from multiple vendors, and in many instances, basic cyber hygiene failures — such as unchanged default passwords — were a key factor in the breach. CISA’s alert stresses that such weaknesses remain a prime entry point for attackers seeking access to OT environments.
Attribution and Threat Landscape
While Poland’s CERT report stopped short of publicly naming a perpetrator, technical analysis by independent security researchers has linked the attack infrastructure to tools and techniques associated with Russia-aligned threat groups, including clusters tracked under names such as Berserk Bear and Dragonfly. These groups have previously been linked to industrial targeting and espionage.
This incident is part of a wider pattern of attacks that increasingly target critical infrastructure sectors during periods of geopolitical tension. Beyond Poland, global observers note that OT and ICS environments are frequently exposed to internet-based threats — often with inadequate segmentation or protective controls.
Lessons for Critical Infrastructure Operators
In alerting U.S. infrastructure owners and operators, CISA emphasized several key takeaways:
- Secure network edge devices: Internet-facing devices such as firewalls and VPN gateways must be hardened, updated, and protected with multifactor authentication.
- Eliminate default credentials: Systems should enforce unique, robust passwords, and integrators should be required to configure them before deployment.
- Enable firmware verification: Where possible, OT devices should support firmware validation to detect unauthorized modifications.
- Improve OT visibility and incident response: Operators should strengthen monitoring of OT networks and integrate incident playbooks capable of handling destructive attacks, not just intrusion detection.
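As an added illustration of the four takeaways above (example code written for this page, not from CISA or the article), the following Python audit runs over a constructed OT device inventory and flags exactly the weaknesses the incident exposed: firmware digests that no longer match a known-good baseline, factory-default credentials, internet-facing devices without multifactor authentication, and telemetry gaps that signal loss of visibility. Model names, digests, default credential pairs and the heartbeat threshold are all constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Known-good firmware digests per device model. Constructed values; an operator
# would derive these from vendor-signed release packages.
KNOWN_GOOD_FIRMWARE = {
    "rtu-model-a": hashlib.sha256(b"rtu-model-a firmware v2.1 (constructed)").hexdigest(),
    "hmi-model-b": hashlib.sha256(b"hmi-model-b firmware v4.0 (constructed)").hexdigest(),
}

def cred_fingerprint(user, password):
    """Fingerprint a credential pair so no plaintext password sits in the inventory."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

# Placeholder factory-default pairs (constructed, not any vendor's real defaults).
DEFAULT_CRED_FPS = {cred_fingerprint("admin", "admin"), cred_fingerprint("operator", "operator")}
HEARTBEAT_MAX_GAP = timedelta(minutes=5)  # constructed threshold for "device went quiet"

def check_device(dev, now):
    """Return findings for one device: firmware integrity, credentials, edge exposure, visibility."""
    findings = []
    expected = KNOWN_GOOD_FIRMWARE.get(dev["model"])
    if expected is None:
        findings.append("no firmware baseline for model")
    elif not hmac.compare_digest(expected, dev["firmware_sha256"]):
        findings.append("firmware digest mismatch")  # possible unauthorized modification
    if dev["cred_fp"] in DEFAULT_CRED_FPS:
        findings.append("factory-default credentials")
    if dev["internet_facing"] and not dev["mfa"]:
        findings.append("internet-facing without MFA")
    gap = now - dev["last_seen"]
    if gap > HEARTBEAT_MAX_GAP:
        findings.append(f"no telemetry for {int(gap.total_seconds() // 60)} min")
    return findings

def audit(inventory, now):
    """Map device id -> findings, omitting devices with nothing to report."""
    return {d["id"]: f for d in inventory if (f := check_device(d, now))}

NOW = datetime(2025, 12, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [  # constructed inventory: one healthy RTU, one badly exposed HMI
    {"id": "rtu-01", "model": "rtu-model-a", "firmware_sha256": KNOWN_GOOD_FIRMWARE["rtu-model-a"],
     "cred_fp": cred_fingerprint("svc", "correct horse battery"), "internet_facing": False,
     "mfa": False, "last_seen": NOW - timedelta(minutes=1)},
    {"id": "hmi-07", "model": "hmi-model-b", "firmware_sha256": hashlib.sha256(b"tampered").hexdigest(),
     "cred_fp": cred_fingerprint("admin", "admin"), "internet_facing": True,
     "mfa": False, "last_seen": NOW - timedelta(minutes=42)},
]

if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE_INVENTORY, NOW).items():
        print(dev_id, "->", "; ".join(findings))
```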
Authorities in other countries, including the United Kingdom’s National Cyber Security Centre (NCSC), have echoed similar calls for vigilance, noting that attacks on energy and other critical sectors pose serious risks if left unaddressed.
A Warning, Not a One-Off
Although this attack did not result in system-wide outages, its destructive nature and the cyber hygiene failures it exploited serve as a stark warning for energy operators worldwide. As infrastructure continues to modernize and incorporate distributed renewable resources, the attack surface expands — making robust OT and ICS security practices essential rather than optional.
In an era where cyber threats can have physical consequences, the lessons from Poland’s energy incident are clear: protect the edge, secure the core, and prepare for disruptions that go beyond data theft to directly threaten operations.
