Poland confirms hackers breached five water treatment plants with access to industrial controls.

Continue reading
Poland's Internal Security Agency — the Agencja Bezpieczenstwa Wewnetrznego (ABW), the country's primary domestic intelligence and counterintelligence service — published a comprehensive threat assessment report covering a two-year operational window from 2024 to 2025.
Among the most alarming disclosures: hackers successfully breached the operational technology (OT) environments of five separate water treatment plants, gaining a level of access that would have allowed them to manipulate the industrial equipment controlling water purification and distribution directly.
This was not a data theft incident. The hackers were inside the systems that run the physical plant — the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) infrastructure that regulate chemical dosing, filtration pressure, flow rates, and safety interlocks. In the most severe scenario, tampering with those controls could have introduced dangerous chemical concentrations into the water supply reaching civilian populations.
The ABW did not formally attribute the water treatment plant intrusions to Russian state-sponsored actors in its published report, stopping short of a direct nation-state designation for this specific cluster of attacks. However, the broader report is unambiguous about the threat landscape: Poland has been the target of a sustained, coordinated campaign of Russian government-backed sabotage and cyber operations targeting military facilities, critical civilian infrastructure, and transportation networks — attacks that the ABW says have, in some cases, resulted in fatalities.
For security professionals tracking state-sponsored attacks on water and energy infrastructure, the Polish disclosure is both a confirmation of a known threat vector and a warning that adversaries are no longer probing these systems from a distance — they are operating inside them.
Water treatment and distribution facilities represent one of the most persistently vulnerable segments of critical infrastructure anywhere in the world, and the reasons are structural rather than incidental.
The core problem is the IT/OT convergence gap. Modern water utilities increasingly rely on internet-connected sensors, remote monitoring systems, and cloud-based SCADA dashboards that allow operators to manage plant operations from centralized control rooms or even remotely. This connectivity improves operational efficiency but dramatically expands the attack surface of facilities that were never designed with network-level threat modeling in mind.
The underlying industrial hardware — programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs) — often runs legacy firmware with no support for encryption, no authentication enforcement, and no capability for patching in the way that conventional IT systems can be updated. Many of these devices were manufactured and deployed a decade or more ago, during an era when their isolation from public networks was assumed to be a sufficient security control. That assumption is now demonstrably false.
Compounding the hardware problem is the workforce reality at most municipal water utilities: they are understaffed, underfunded, and operate without dedicated cybersecurity personnel. There is no Security Operations Center monitoring SCADA telemetry for anomalous commands. There is no incident response retainer. There is often no network segmentation separating the administrative IT network from the operational technology network controlling plant processes — meaning a phishing email that compromises a billing clerk's workstation can serve as a stepping stone into the systems controlling chemical dosing.
This is the attack surface that Russia and Iran are actively exploiting. Not zero-days against hardened enterprise systems — but decades-old PLCs connected to the public internet, protected by default credentials that were never changed.
The Polish incidents do not exist in geopolitical isolation. The United States has faced strikingly similar intrusions against its own water infrastructure, and the threat is accelerating rather than receding.
In February 2021, a hacker gained unauthorized access to the water treatment systems of Oldsmar, Florida, and attempted to raise sodium hydroxide concentrations in the water supply to 111 times the normal level. Sodium hydroxide — commonly known as lye — is a highly caustic chemical used in water treatment at carefully controlled concentrations.
At the levels the attacker attempted to introduce, it would have caused severe chemical burns to anyone who consumed the water. The attempt was caught in real time by a plant operator who noticed the cursor on a monitoring workstation moving on its own and reversed the change manually. The incident exposed a system that was accessible via TeamViewer remote desktop software, protected by a shared password, on a computer running Windows 7 — an operating system that had been out of mainstream support for over a year.
Two years later, in late 2023, the Iranian-backed threat group known as CyberAv3ngers — operating under the umbrella of Iran's Islamic Revolutionary Guard Corps (IRGC) — compromised digital control panels at multiple water treatment plants in Pennsylvania, specifically targeting Unitronics Vision Series PLCs that were internet-accessible and protected only by default factory credentials.
The group defaced the HMI displays with anti-Israel messaging, but the more significant implication was that they had demonstrated authenticated access to the PLCs themselves — the devices that issue direct commands to physical plant hardware.
As recently as April 2026, a joint advisory from CISA, the FBI, the NSA, and partner agencies reaffirmed that CyberAv3ngers and affiliated Iranian threat actors remain actively engaged in targeting PLCs at U.S. water and energy facilities. The advisory characterized the targeting of programmable logic controllers at water utilities as an ongoing, active campaign — not a historical threat that has been neutralized.
For teams responsible for OT security and critical infrastructure protection, the convergence of Russian operations against European water systems and Iranian operations against American water systems in the same operational window is a geopolitical signal as much as a technical one. Two of the United States' most capable adversaries are simultaneously probing the same category of soft-target infrastructure, and they are succeeding in gaining access.
The ABW's report frames the water treatment plant intrusions within a broader, explicitly stated Russian strategic objective: the systematic destabilization and weakening of Western European nations that Moscow views as adversaries or as supporters of Ukraine.
This doctrine — sometimes characterized in Western intelligence assessments as the "gray zone" warfare model — blends conventional espionage, cyberattacks, physical sabotage, disinformation campaigns, and economic pressure into a continuously applied low-intensity campaign that falls below the threshold of acts of war while achieving strategic disruption effects. Russia has applied this model most aggressively in Poland, the Baltic states, and Germany, all of which border Ukraine's theater of operations or host critical NATO logistics infrastructure.
Poland has been a particularly high-priority target. The ABW report documents Russian intelligence operations against Polish military facilities, transportation hubs, and civilian infrastructure alongside the water treatment plant intrusions. In January 2026, researchers confirmed that Russian government hackers — later attributed to a known GRU-affiliated threat group — attempted to bring down Poland's national energy grid in a coordinated attack that was ultimately thwarted. A subsequent investigation revealed that the attempted intrusion succeeded as far as it did in part because of inadequate security controls at the targeted energy facilities — a recurring pattern across European critical infrastructure.
The deliberate sequencing of these operations — power grid, water treatment, transportation, military logistics — reflects a systematic effort to map, access, and maintain persistent footholds inside the infrastructure that would be most operationally disruptive to degrade or disable during a period of escalating geopolitical tension. The goal is not necessarily to cause immediate civilian harm, though that capability is being built and demonstrated. The goal is to establish leverage, maintain the credible threat of disruption, and impose a continuous security burden on NATO-aligned governments.
The implications for Western critical infrastructure security teams are direct. Understanding Russian state-sponsored ICS intrusion campaigns as a strategic doctrine — not a series of opportunistic attacks — requires a fundamentally different defensive posture than conventional cybersecurity threat modeling.
The Polish and American incidents share a common thread of preventable vulnerability. The following represent the minimum security baseline that every water utility operating internet-connected OT systems should treat as non-negotiable:
Network segmentation between IT and OT environments is the single highest-leverage control available. The administrative network handling billing, email, and business systems must be physically and logically separated from the OT network running PLCs, HMIs, and SCADA systems. A flat network that allows lateral movement from a compromised workstation to a PLC is indefensible.
Elimination of default credentials on all PLCs and HMIs is fundamental. The CyberAv3ngers campaign succeeded against Pennsylvania water utilities specifically because Unitronics PLCs were deployed with factory-default passwords that operators had never changed. Every internet-accessible industrial control device must have unique, strong credentials enforced at deployment.
Removal of direct internet exposure from OT assets — where remote access to SCADA systems is operationally necessary, it must be routed through a properly configured industrial DMZ, not exposed directly via tools like TeamViewer or RDP on public IP addresses.
Continuous monitoring of OT network traffic using industrial-protocol-aware detection tools capable of identifying anomalous commands issued to PLCs — unexpected setpoint changes, unusual polling patterns, or commands issued outside normal operational windows.
CISA's ICS security resources and advisories provide specific, actionable guidance tailored to water sector utilities and should be treated as mandatory reading for every operational technology team in the sector.

Millions of driver's license records were exposed in a massive data breach, raising identity theft risks and highlighting critical data security failures.