• Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps

    From CISA@cisa@messages.cisa.gov to cisa@toolazy.synchro.net on Tue Feb 10 14:24:54 2026

    Cybersecurity and Infrastructure Security Agency (CISA)


    Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps [ https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps ]
    02/10/2026 9:15 AM EST

    "The purpose of this Alert is to amplify Poland's Computer Emergency Response Team (CERT Polska's) Energy Sector Incident Report published on Jan. 30, 2026, and highlight key mitigations for Energy Sector stakeholders".

    In December 2025, a malicious cyber actor(s) targeted and compromised operational technology (OT) and industrial control systems (ICS) in Poland’s Energy Sector—specifically renewable energy plants, a combined heat and power plant, and a manufacturing sector company—in a cyber incident. The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS.

    A malicious cyber actor(s) gained initial access in this incident through vulnerable internet-facing edge devices, subsequently deploying wiper malware and causing damage to remote terminal units (RTUs). The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them according to their intended design.[i]

    CERT Polska’s incident report highlights:

    * Vulnerable edge devices remain a prime target for threat actors.
        * As indicated by CISA’s Binding Operational Directive (BOD) 26-02: Mitigating Risk From End-of-Support Edge Devices [ https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices ], end-of-support edge devices pose significant risks.

    * OT devices without firmware verification can be permanently damaged.
        * Operators should prioritize updates that allow firmware verification when available; if updates are not immediately feasible, ensure that cyber incident response plans account for inoperative OT devices to mitigate prolonged outages.

    * Threat actors leveraged default credentials, a vulnerability not limited to specific vendors, to pivot onto the HMI and RTUs.
        * Operators should immediately change default passwords and establish requirements for integrators or OT suppliers to enforce password changes in the future.

    CISA and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (DOE CESER) urge OT asset owners and operators to review the following resources for more information about the malicious activity and mitigations:

    * CERT Polska’s Energy Sector Incident Report - 29 December 2025 [ https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/ ].
    * CISA’s joint fact sheet with FBI, EPA, and DOE Primary Mitigations to Reduce Cyber Threats to Operational Technology [ https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology ].
    * DOE’s Energy Threat Analysis Center’s threat advisories.

    *Acknowledgement*

    DOE CESER and CERT Polska contributed to this alert.

    *Disclaimer*

    The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

    *Notes*

    [i] CERT Polska, “Energy Sector Incident Report - 29 December 2025,” Naukowa i Akademicka Sieć Komputerowa Poland, last modified January 30, 2026, https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/.


    This product is provided subject to this Notification [ https://www.cisa.gov/notification ] and this Privacy & Use [ https://www.cisa.gov/privacy-policy ] policy.
