Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps

• Vulnerable edge devices remain a prime target for threat actors.
  • As indicated by CISA’s Binding Operational Directive (BOD) 26-02: Mitigating Risk From End-of-Support Edge Devices, end-of-support edge devices pose significant risks.
• OT devices without firmware verification can be permanently damaged.
  • Operators should prioritize updates that allow firmware verification when available; if updates are not immediately feasible, ensure that cyber incident response plans account for inoperative OT devices to mitigate prolonged outages.
• Threat actors leveraged default credentials, a vulnerability not limited to specific vendors, to pivot onto the HMI and RTUs.
  • Operators should immediately change default passwords and establish requirements for integrators or OT suppliers to enforce password changes in the future.

CISA and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER) urge OT asset owners and operators to review the following resources for more information about the malicious activity and mitigations:

• CERT Polska’s Energy Sector Incident Report – 29 December 2025.
• CISA’s joint fact sheet with FBI, EPA, and DOE Primary Mitigations to Reduce Cyber Threats to Operational Technology.
• DOE’s Energy Threat Analysis Center’s threat advisories.

Acknowledgements

DOE CESER and CERT Polska contributed to this Alert.