
Poland’s Water Under Attack: ABW Reports Critical ICS Breaches at Water Treatment Plants

The safety and reliability of a nation’s critical infrastructure, particularly its water supply, are paramount. Recent revelations from Poland’s Internal Security Agency (ABW) paint a concerning picture, detailing a significant escalation in cyberattacks targeting industrial control systems (ICS) and other operational technology (OT) infrastructure. These attacks, particularly observed throughout 2024 and 2025, indicate a worrying shift by state-sponsored threat actors towards the direct physical disruption of essential services, putting public health and safety at direct risk.

A chilling incident, initially alluded to by a Polish official in August 2025, suggested a potential catastrophic loss of water supply to a city due to a thwarted cyberattack. While specific technical details were withheld at the time, the ABW’s new report, though written in Polish, now sheds critical light on the nature and severity of these intrusions within the country’s vital water sector.

The Alarming Reality: Direct Threats to Public Water Supply

According to the ABW, the most significant incidents involved direct intrusions into the highly sensitive ICS environments of water treatment facilities across multiple Polish municipalities. In 2025 alone, the agency recorded security breaches at no fewer than five distinct water treatment stations. These facilities, crucial for providing clean and safe drinking water, were located in:

  • Jabłonna Lacka
  • Szczytno
  • Małdyty
  • Tolkmicko
  • Sierakowo

In certain alarming cases, the attackers successfully gained deep access to the ICS, achieving the perilous ability to modify the operational parameters of critical equipment. This level of control presents an immediate and profound risk to operational continuity, water quality, and ultimately, the public water supply itself. Such capabilities could lead to disruptions ranging from altered chemical dosages, affecting water purification, to outright cessation of supply, posing a severe public health crisis.

Affected Water Treatment Plants and Risk Assessment

| Facility Location | Year of Breach | Nature of Breach | Potential Impact |
|---|---|---|---|
| Jabłonna Lacka | 2025 | ICS intrusion, operational parameter modification | Direct risk to water quality and supply continuity |
| Szczytno | 2025 | ICS intrusion, operational parameter modification | Direct risk to water quality and supply continuity |
| Małdyty | 2025 | ICS intrusion, operational parameter modification | Direct risk to water quality and supply continuity |
| Tolkmicko | 2025 | ICS intrusion, operational parameter modification | Direct risk to water quality and supply continuity |
| Sierakowo | 2025 | ICS intrusion, operational parameter modification | Direct risk to water quality and supply continuity |

Escalation of Cyber Warfare: 2024-2025 Trends

The incidents within the water sector are not isolated events but rather indicative of a broader and more aggressive cyber campaign against Poland. The ABW’s report underscores a significant increase in attacks targeting critical infrastructure across the board, with state-sponsored actors demonstrating a clear intent to move beyond espionage and data theft towards active physical disruption. This strategic shift represents a worrying evolution in geopolitical cyber warfare, where digital intrusions are directly translated into real-world consequences.

This trend aligns with a wider regional and international pattern where critical infrastructure, particularly OT environments, has become a prime target for nation-state adversaries. The unique vulnerabilities of OT systems, often designed for reliability and longevity rather than robust cybersecurity, make them attractive targets for those seeking to exert influence or cause widespread destabilization.

Understanding the Attack Vectors: Exploiting Fundamental Vulnerabilities

Investigators from the ABW pinpointed two primary, yet alarmingly common, attack vectors that enabled these critical ICS intrusions:

  1. Weak Password Policies: A perennial cybersecurity failure, the use of weak, easily guessable, or default passwords provides an open door for sophisticated adversaries.
  2. Systems Exposed Directly to the Internet: Critical OT systems, which should be isolated from public networks, were found to be directly accessible from the internet, bypassing layers of conventional network security.

These are not novel vulnerabilities; they represent long-standing failures in OT security hygiene. Disturbingly, these same basic security lapses were recently exploited in a Russia-linked attack on Polish energy facilities, highlighting a recurring pattern of exploitation of known weaknesses. The persistence of these vulnerabilities in critical infrastructure environments underscores a severe gap between threat awareness and practical security implementation.

Common OT Vulnerabilities and Essential Mitigation Strategies

| Vulnerability Type | Description of Risk | Key Mitigation Strategies |
|---|---|---|
| Weak password policies | Easy unauthorized access to systems, privilege escalation, lateral movement within networks | Mandatory strong, unique passwords; multi-factor authentication (MFA); regular password rotation; password managers; least-privilege access |
| Systems exposed to the internet | Direct attacker access to critical OT/ICS devices; bypass of perimeter defenses; increased attack surface | Strict network segmentation (air-gapping where possible); firewalls with strict rules; secure remote access (VPN, Zero Trust); remove public IP addresses from OT devices |
| Unpatched software/firmware | Known exploits can be leveraged to gain control or disrupt operations | Regular vulnerability scanning; timely patching schedule; virtual patching; risk-based prioritization |
| Lack of network segmentation | Compromise of one IT system can quickly spread to critical OT assets | Isolation of OT networks from IT; micro-segmentation; unidirectional gateways; industrial DMZ |
| Insufficient monitoring | Attacks go undetected for extended periods, allowing greater damage | OT-specific intrusion detection systems (IDS); comprehensive logging; Security Information and Event Management (SIEM) for OT; anomaly detection |

The Shadowy Hand of State-Sponsored Actors

While the ABW initially attributed primary responsibility for some of these attacks to ‘hacktivist groups,’ the report clarifies a critical distinction: these groups often serve as proxies or personas used by foreign governments. Specifically, the report points fingers at Russian intelligence services, long known for their aggressive cyber operations, and Belarusian-linked entities.

The report specifically names several notorious Russian Advanced Persistent Threat (APT) groups, including APT28 (also known as Fancy Bear or Strontium) and APT29 (also known as Cozy Bear or Nobelium), as actively operating against Polish targets. Additionally, UNC1151, a group often associated with Belarusian intelligence, was identified as a significant threat actor. These groups are characterized by their sophisticated tactics, long-term persistence, and clear alignment with nation-state objectives, ranging from espionage to disruptive attacks.

The involvement of such high-level, state-sponsored entities underscores the strategic importance of Poland’s critical infrastructure in the current geopolitical landscape and highlights the scale of resources dedicated to these cyber campaigns.

Beyond Water: A Broader Attack on Polish Critical Infrastructure

The ABW’s findings extend beyond just water systems, revealing a more comprehensive campaign targeting various facets of Poland’s critical infrastructure. The agency documented a worrying increase in attacks aimed at supply chains, other municipal utilities, including wastewater treatment plants, and waste incineration facilities. This broad targeting indicates a strategic effort to destabilize multiple sectors simultaneously or to gain pervasive access across interconnected systems.

Investigators determined that attackers targeting supply chains specifically sought sensitive contract data, crucial project documentation, and, most critically, authentication credentials. These credentials are invaluable as they enable downstream access to systems belonging to other entities within the supply chain, creating a ripple effect of potential compromise and facilitating further intrusions into more sensitive OT environments.

The Grave Consequences of Water Sector Breaches

The implications of successful cyberattacks on water treatment plants are far-reaching and potentially catastrophic. Beyond the immediate economic costs of downtime and remediation, these breaches can:

  • Endanger Public Health: Malicious modification of water treatment parameters (e.g., chemical levels, filtration rates) can lead to unsafe drinking water, causing widespread illness or even fatalities.
  • Cause Economic Disruption: A prolonged loss of water supply can cripple businesses, disrupt industries, and lead to significant financial losses for municipalities and residents.
  • Erode Public Trust: Incidents that compromise essential services severely damage public confidence in government and infrastructure providers, leading to social unrest.
  • Create National Security Risks: Widespread disruption of critical services can weaken a nation’s resilience and create vulnerabilities that adversaries can exploit for broader strategic goals.

The ability of attackers to modify operational parameters in Poland’s water facilities is a stark reminder that cyberattacks are no longer confined to the digital realm but have tangible, physical consequences.

Fortifying the Defenses: Comprehensive Strategies for OT Security

In the face of escalating and increasingly sophisticated threats, a robust and multi-layered cybersecurity strategy for OT environments is no longer optional—it is imperative. Organizations managing critical infrastructure, particularly water utilities, must adopt a proactive and comprehensive approach.

1. Robust Access Controls and Authentication

  • Multi-Factor Authentication (MFA): Implement MFA for all remote access and privileged accounts, making it significantly harder for attackers to use stolen credentials.
  • Strong Password Policies: Enforce complex, unique passwords that are regularly changed, and avoid default or easily guessable credentials.
  • Least Privilege Access: Ensure users and systems only have the minimum necessary permissions to perform their functions, limiting potential damage from a compromise.

2. Network Segmentation and Zero Trust Architecture

  • Strict OT-IT Segregation: Isolate OT networks from enterprise IT networks, often using a ‘demilitarized zone’ (DMZ) or unidirectional gateways to control traffic.
  • Micro-segmentation: Further divide OT networks into smaller, isolated zones to limit lateral movement if one segment is breached.
  • Zero Trust Network Access (ZTNA): Adopt a ‘never trust, always verify’ approach, requiring strict authentication and authorization for every access attempt, regardless of location.

3. Continuous Monitoring and Threat Detection

  • OT-Specific IDS/IPS: Deploy Intrusion Detection/Prevention Systems tailored to recognize ICS protocols and common attack patterns.
  • Comprehensive Logging and SIEM: Collect and analyze logs from all OT and IT systems in a Security Information and Event Management (SIEM) solution, enabling real-time anomaly detection.
  • Behavioral Analytics: Monitor network traffic and system behavior for deviations from normal operational baselines, indicative of malicious activity.
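As an added example (not code from the ABW report or from this article), the following Python detector applies the baseline checks this section describes to a few constructed OT access-log records: it flags an ICS host reached from outside the OT address range (the internet-exposure vector), a burst of failed logins followed by success (the weak-credential vector), and setpoint writes from a non-engineering host or outside the process baseline (the parameter-modification outcome). The key=value log format, the 10.20.0.0/16 OT range, the engineering-host allow-list and the chlorine-dose limits are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in an assumed key=value log format (not a real product's
# schema); 203.0.113.45 is a documentation-range stand-in for a public source.
SAMPLE_LOGS = """\
ts=2025-03-01T02:14:07Z src=203.0.113.45 dst=10.20.1.10 user=admin event=login result=fail
ts=2025-03-01T02:14:09Z src=203.0.113.45 dst=10.20.1.10 user=admin event=login result=fail
ts=2025-03-01T02:14:12Z src=203.0.113.45 dst=10.20.1.10 user=admin event=login result=fail
ts=2025-03-01T02:14:15Z src=203.0.113.45 dst=10.20.1.10 user=admin event=login result=success
ts=2025-03-01T02:15:01Z src=203.0.113.45 dst=10.20.1.10 user=admin event=write tag=chlorine_dose value=9.5
ts=2025-03-01T08:00:00Z src=10.20.5.7 dst=10.20.1.10 user=operator event=login result=success
ts=2025-03-01T08:01:30Z src=10.20.5.7 dst=10.20.1.10 user=operator event=write tag=chlorine_dose value=1.2
"""
# Assumed site baseline (placeholders, not figures from the article).
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")   # addresses allowed to reach ICS hosts
ENGINEERING_HOSTS = {"10.20.5.7"}                   # hosts allowed to write setpoints
TAG_LIMITS = {"chlorine_dose": (0.2, 4.0)}          # sane range per process tag
FAILED_LOGIN_THRESHOLD = 3

def parse(line):
    """Turn one key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def analyze(log_text):
    """Return a list of (rule, detail) alerts for the records in log_text."""
    alerts, exposed = [], set()
    failures = defaultdict(int)  # (src, user) -> consecutive failed logins
    for rec in map(parse, log_text.strip().splitlines()):
        src, dst, user, event = rec["src"], rec["dst"], rec["user"], rec["event"]
        # Rule 1: an ICS host answering a source outside the OT range is exposed (once per pair).
        if ipaddress.ip_address(src) not in OT_NETWORK and (dst, src) not in exposed:
            exposed.add((dst, src))
            alerts.append(("external_access", f"{dst} reached from outside OT network by {src}"))
        # Rule 2: a burst of failed logins then a success suggests a guessed or default password.
        if event == "login":
            ok = rec["result"] == "success"
            if ok and failures[src, user] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("credential_guessing", f"{user}@{dst} from {src} after {failures[src, user]} failures"))
            failures[src, user] = 0 if ok else failures[src, user] + 1
        # Rules 3 and 4: setpoint writes from outside the engineering allow-list or the process baseline.
        elif event == "write":
            tag, value = rec["tag"], float(rec["value"])
            if src not in ENGINEERING_HOSTS:
                alerts.append(("unauthorised_write", f"{tag}={value} on {dst} from {src}"))
            low, high = TAG_LIMITS.get(tag, (float("-inf"), float("inf")))
            if not low <= value <= high:
                alerts.append(("out_of_baseline", f"{tag}={value} outside [{low}, {high}]"))
    return alerts
```

Running `analyze(SAMPLE_LOGS)` yields one alert per rule for the constructed records; the operator's in-range write from the engineering host produces none.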

4. Vulnerability Management and Patching

  • Regular Assessments: Conduct frequent vulnerability assessments and penetration tests specific to OT environments.
  • Strategic Patch Management: Develop a risk-based patching strategy, understanding the unique challenges of patching live OT systems. Utilize compensating controls or virtual patching where direct patching is not feasible.

5. Incident Response and Recovery Planning

  • Detailed IR Plans: Develop, test, and regularly update comprehensive incident response plans specifically for OT breaches.
  • Backup and Restoration: Implement robust backup strategies for critical data and system configurations, ensuring rapid recovery capabilities.
  • Tabletop Exercises: Conduct regular simulations with key stakeholders to practice incident response scenarios.

6. Employee Training and Awareness

  • Cybersecurity Education: Train all personnel, from operators to IT staff, on cybersecurity best practices, social engineering tactics, and the importance of reporting suspicious activities.

7. Collaboration and Intelligence Sharing

  • Government and Industry Partnerships: Engage with government agencies (like ABW) and industry peers to share threat intelligence, best practices, and collaborate on defense strategies.

The Polish Government’s Stance and Future Outlook

The ABW’s detailed report signifies a clear recognition by the Polish government of the heightened cyber threat landscape. Such transparency is crucial for fostering awareness and galvanizing action across both public and private sectors. The commitment to securing critical infrastructure against state-sponsored aggression will likely necessitate increased investment in cybersecurity technologies, skilled personnel, and tighter regulatory frameworks to enforce stronger security postures.

As cyber capabilities continue to evolve, with nation-states investing heavily in tools designed for physical disruption, the defense of essential services like water supply will remain a top priority. The incidents in Poland serve as a critical reminder to all nations that cybersecurity in OT environments is not merely an IT concern but a matter of national security and public safety.

Conclusion: A Call for Unwavering Vigilance

The breaches at Poland’s water treatment plants are a stark warning sign of the escalating and dangerous nature of modern cyber warfare. State-sponsored actors are not just looking to steal data; they are actively seeking to undermine the foundational services that societies rely upon. The exploitation of basic vulnerabilities like weak passwords and internet-exposed systems highlights that while threats are advanced, the entry points often remain remarkably simple.

For critical infrastructure operators worldwide, the lessons from Poland are clear: the time for incremental security improvements is over. A paradigm shift towards proactive, comprehensive, and rigorously enforced OT cybersecurity strategies is essential to safeguard public well-being and national resilience against an increasingly hostile cyber landscape.
