energy sector cybersecurity


By Itay Glick

Energy sector cybersecurity focuses on nation-state threats, but breaches stem from basic failures like default credentials and weak OT controls. 

On 29 December 2025, coordinated attacks struck more than 30 energy facilities across Poland in the middle of winter. A detailed report by CERT Polska revealed that whilst the state-backed attacker was a sophisticated outfit, the vulnerabilities they exploited were anything but.

What lessons should be taken from the CERT Polska report?

The scale and destructive intent behind the attacks in Poland should have everyone paying attention. Simultaneous strikes across more than 30 renewable energy installations, a manufacturing company, and a major heat supplier required a high degree of coordination.

At the same time, every action was designed to disrupt and destroy, with no ransom demand and no financial motive.

CERT Polska’s forensic analysis attributed the attack infrastructure to a Russian state-backed cluster with a long history of targeting energy sector entities. However, I think the biggest learning point is actually the fundamental security flaws the group used to gain system access.

Every affected facility was accessed through FortiGate devices acting as VPN gateways. They were exposed to the internet, with no multi-factor authentication in place and static credentials that had never been rotated. These weren’t zero-days or novel techniques but known weaknesses that had simply never been addressed.

Another detail that stands out is that, in every instance where non-default credentials were properly configured, the attack failed. This is an extremely basic part of cyber hygiene, but it was enough to deflect a well-resourced, state-sponsored actor. 

Why do basic security failures remain the most significant risk for energy companies?

Most sectors struggle with the fundamentals, but these flaws are especially prevalent in sectors like energy, which rely on operational technology (OT).

The hardware in these environments was typically designed to run reliably and continuously for years or even decades. In many cases, these systems predate digitalisation entirely, so cybersecurity has historically been an afterthought.

Default credentials get left in place because changing them wasn’t on the commissioning checklist. Shared admin accounts persist because they’re convenient. Nobody goes back to fix what isn’t visibly broken.

Compounding this challenge is the fact that OT environments tend to extend a high degree of implicit trust to anything operating inside the network perimeter. Once an attacker is through the front door – whether via a default password or an unpatched remote access interface – they can move quietly and gather what they need without immediately triggering alerts.

The attacks in Poland show this in action. At the combined heat and power plant, the attacker had been operating inside the network since at least March 2025. They spent months conducting reconnaissance, mapping SCADA systems, harvesting credentials, and exfiltrating sensitive operational data – nine months of undetected presence before the destructive phase began.

How do organisations address these basic security gaps effectively?

The starting point is understanding that this is as much a problem with process as it is technology. Default credentials persist because there’s no enforced process for changing them at deployment or auditing them after the fact.


The fix is making credential hygiene a non-negotiable step before any device goes live. Change the defaults on commissioning, document them, and audit them regularly. This needs to be uniformly applied to every OT device on the network: RTUs, HMIs, management servers, and network equipment.

Multi-factor authentication on every remote access interface is another vital step. The initial access vector in Poland via an internet-exposed VPN gateway with no MFA is one of the most common entry points for OT breaches. Again, this is as much about consistent policy enforcement as it is technology.

Cross-facility credential reuse is another factor here. The attackers in Poland were able to hit more than 30 installations in part because of widespread credential sharing across different sites.
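The three steps above (change and audit defaults on commissioning, require MFA on every exposed remote access interface, and stop credentials being shared across sites) can be turned into a single inventory audit. The following is an added example, not code from the article or from CERT Polska or OPSWAT; the inventory rows, the "known default" fingerprints and the device names are all constructed. It stores SHA-256 fingerprints of credentials rather than the credentials themselves, so the audit tool never carries plaintext secrets.

```python
"""Constructed OT credential-hygiene audit (added example, not from the article)."""
import hashlib
from datetime import date


def fingerprint(username: str, secret: str) -> str:
    """Fingerprint a credential so the inventory can be compared without storing secrets."""
    return hashlib.sha256(f"{username}:{secret}".encode()).hexdigest()


# Constructed placeholders standing in for a vendor-default list; a real audit
# would load fingerprints of the documented factory defaults for each product.
KNOWN_DEFAULT_FINGERPRINTS = {
    fingerprint("admin", "admin"),
    fingerprint("admin", "password"),
}

# Roles that expose a remote access interface and therefore must have MFA.
REMOTE_ACCESS_ROLES = {"vpn-gateway", "jump-host"}

# Constructed inventory: one row per device credential, as a commissioning
# process would record it (device, site, role, exposure, MFA, credential
# fingerprint, last rotation date).
INVENTORY = [
    {"device": "fw-vpn-01", "site": "wind-north", "role": "vpn-gateway",
     "internet_exposed": True, "mfa": False,
     "cred": fingerprint("admin", "admin"), "last_rotated": date(2021, 3, 1)},
    {"device": "rtu-12", "site": "wind-north", "role": "rtu",
     "internet_exposed": False, "mfa": False,
     "cred": fingerprint("operator", "Site-Shared-2022"), "last_rotated": date(2022, 6, 1)},
    {"device": "rtu-07", "site": "solar-east", "role": "rtu",
     "internet_exposed": False, "mfa": False,
     "cred": fingerprint("operator", "Site-Shared-2022"), "last_rotated": date(2022, 6, 1)},
    {"device": "hmi-03", "site": "chp-plant", "role": "hmi",
     "internet_exposed": False, "mfa": False,
     "cred": fingerprint("hmi", "unique-per-device-xyz"), "last_rotated": date(2025, 11, 15)},
]


def audit(inventory, today=date(2026, 1, 15), max_age_days=365):
    """Return (device, finding) pairs for every hygiene failure in the inventory."""
    findings = []
    # Which sites use each credential fingerprint; more than one site means reuse.
    sites_by_cred = {}
    for row in inventory:
        sites_by_cred.setdefault(row["cred"], set()).add(row["site"])

    for row in inventory:
        dev = row["device"]
        if row["cred"] in KNOWN_DEFAULT_FINGERPRINTS:
            findings.append((dev, "DEFAULT_CREDENTIAL"))
        if row["internet_exposed"] and row["role"] in REMOTE_ACCESS_ROLES and not row["mfa"]:
            findings.append((dev, "EXPOSED_REMOTE_ACCESS_NO_MFA"))
        if len(sites_by_cred[row["cred"]]) > 1:
            findings.append((dev, "CREDENTIAL_SHARED_ACROSS_SITES"))
        if (today - row["last_rotated"]).days > max_age_days:
            findings.append((dev, "CREDENTIAL_NOT_ROTATED"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device}: {finding}")
```

Run against the constructed inventory, the exposed VPN gateway is flagged three times (default credential, no MFA, never rotated), the two RTUs are flagged for sharing one credential across two sites and for stale rotation, and the HMI with a unique, recently rotated credential produces no findings. The point of keying reuse by fingerprint is that it catches the cross-site sharing the article describes without anyone needing to see the passwords.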

Lastly, files also need to be inspected before they reach operational systems. Email attachments, web downloads and removable media should all be scanned and sanitised at the entry point. Detection after execution is too late.

How should companies rethink their approach to threat detection?

One fundamental shift we need to see is that perimeter defences alone are not sufficient. In the attacks in Poland, the combined heat and power plant had firewalls in place throughout the attacker’s nine-month presence, but this was not enough to compensate for the lack of visibility into what was happening inside the network.

Much of the activity that went undetected wasn’t subtle, with lateral movement via RDP between internal systems, SMB access to machines with “SCADA” in their names, and exfiltration of the Active Directory database using standard Windows utilities. Each of these is a recognisable indicator and, collectively, a pattern that behavioural monitoring would have surfaced far earlier.
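The three indicators named above (RDP logons between internal systems, SMB share access to hosts with "SCADA" in their names, and use of built-in Windows utilities against the Active Directory database) are each visible in standard Windows security events, and their value comes from correlating them. The following is an added example, not code from the article or from CERT Polska; the log lines are constructed in an assumed simplified pipe-delimited format, and the event IDs are the real Windows ones (4624 logon with logon type 10 for RemoteInteractive, 5140 network share accessed, 4688 process creation). The list of AD-database utilities to watch is an assumption, not something the article names.

```python
"""Constructed behavioural correlation over Windows security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed format: timestamp|event_id|host|source_host|key=value ...
SAMPLE_LOG = """\
2025-06-02T01:12:03|4624|eng-ws-04|jump-01|logon_type=10 user=svc_backup
2025-06-02T01:20:44|5140|SCADA-HIST-01|eng-ws-04|share=C$ user=svc_backup
2025-06-02T01:41:10|4688|dc-01|dc-01|process=ntdsutil.exe user=svc_backup
2025-06-02T09:00:00|4624|file-srv-02|hr-ws-11|logon_type=2 user=alice
2025-06-02T09:05:12|5140|file-srv-02|hr-ws-11|share=public user=alice
"""

# Assumed set of built-in utilities whose execution on a domain controller
# warrants a look; chosen for the example, not taken from the article.
AD_DATABASE_TOOLS = {"ntdsutil.exe", "vssadmin.exe"}


def parse_line(line: str) -> dict:
    """Split one constructed log line into a flat event dictionary."""
    ts, event_id, host, src, detail = line.split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "host": host, "src": src, **fields}


def classify(ev: dict):
    """Map a single event to one of the article's three indicators, or None."""
    if ev["event_id"] == 4624 and ev.get("logon_type") == "10":
        return "RDP_LATERAL_MOVEMENT"
    if ev["event_id"] == 5140 and "SCADA" in ev["host"].upper():
        return "SMB_ACCESS_TO_SCADA_HOST"
    if ev["event_id"] == 4688 and ev.get("process", "").lower() in AD_DATABASE_TOOLS:
        return "AD_DATABASE_TOOL_EXECUTION"
    return None


def correlate(log_text: str, window=timedelta(hours=24), threshold=2) -> dict:
    """Alert on any account showing >= threshold distinct indicators inside one window."""
    hits_by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            hits_by_user[ev["user"]].append((ev["ts"], tag))

    alerts = {}
    for user, hits in hits_by_user.items():
        hits.sort()
        # Slide a window from each hit and count the distinct indicators it spans.
        for i, (start, _) in enumerate(hits):
            tags = {tag for ts, tag in hits[i:] if ts - start <= window}
            if len(tags) >= threshold:
                alerts[user] = sorted(tags)
                break
    return alerts


if __name__ == "__main__":
    for user, tags in correlate(SAMPLE_LOG).items():
        print(f"ALERT {user}: {', '.join(tags)}")
```

On the constructed sample, `svc_backup` trips all three indicators within forty minutes and is alerted, while `alice`'s interactive logon and share access on an ordinary file server produce no indicator at all. None of the individual events is exotic, which is exactly the article's point: the pattern, not any single line, is what a behavioural rule surfaces.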

Visibility into east-west traffic is another capability that can help spot these patterns sooner, since internal communication typically receives far less scrutiny than traffic crossing the perimeter.

ICS-specific monitoring tools can establish baselines for normal industrial protocol behaviour and alert on deviations. Where Modbus, DNP3, and similar protocols follow predictable patterns, unexpected activity stands out if you’re equipped to see it.
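Because Modbus traffic is this predictable, a baseline can be as simple as the set of (client, server, unit ID, function code) tuples seen during a learning window; anything outside that set is a deviation worth a look, and writes from unexpected sources deserve the highest severity. The following is an added example of that idea, not code from the article or from any ICS monitoring product; the flow records and host names are constructed. The function codes are the standard Modbus ones (3 read holding registers, 4 read input registers, 6 write single register, 8 diagnostics, 16 write multiple registers).

```python
"""Constructed Modbus/TCP baseline-and-deviation detector (added example)."""

# Modbus function codes that change process state; a write from a source that
# never wrote during the baseline is the highest-severity deviation.
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}

# Constructed learning-window traffic: (client, server, unit_id, function_code).
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 1, 3),    # HMI polls holding registers
    ("hmi-01", "plc-01", 1, 16),   # HMI writes setpoints
    ("hist-01", "plc-01", 1, 3),   # historian reads
    ("hist-01", "plc-02", 1, 4),   # historian reads input registers
]

# Constructed observation window containing one normal flow and three deviations.
OBSERVED_FLOWS = [
    ("hmi-01", "plc-01", 1, 3),        # normal
    ("eng-ws-04", "plc-01", 1, 16),    # write from a host never seen talking to plc-01
    ("hist-01", "plc-02", 1, 16),      # read-only historian suddenly writing
    ("hmi-01", "plc-01", 1, 8),        # known pair, new (diagnostic) function code
]


def learn_baseline(flows):
    """The baseline is the set of distinct tuples seen while traffic was known-good."""
    return set(flows)


def detect(baseline, flows):
    """Return (flow, reason) for every observed flow that deviates from the baseline."""
    known_pairs = {(client, server) for client, server, _, _ in baseline}
    alerts = []
    for flow in flows:
        client, server, unit, fc = flow
        if flow in baseline:
            continue
        if (client, server) not in known_pairs:
            alerts.append((flow, "NEW_CLIENT_SERVER_PAIR"))
        elif fc in WRITE_FUNCTIONS:
            alerts.append((flow, "UNEXPECTED_WRITE"))
        else:
            alerts.append((flow, "NEW_FUNCTION_CODE"))
    return alerts


if __name__ == "__main__":
    for flow, reason in detect(learn_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"{reason}: {flow}")
```

A real deployment would learn the baseline passively from a span port over a representative period and add rate thresholds per tuple, but the core check is the same set membership shown here. The order of the checks matters: a write from a never-seen client is reported as a new pair rather than as a write, so the triage queue shows the more alarming fact first.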

Finally, configuration changes deserve the same attention. Firewall rules, VPN settings, and Active Directory permissions should never change silently. Attackers also target logging systems to cover their tracks, so all audit logs need to be forwarded to a secure, write-once location to protect them.

Until operators get these fundamentals locked down, even the most basic attack tactics will be enough to trigger highly widespread, damaging security breaches.

About the Author

Itay Glick brings more than 17 years of executive management experience in cybersecurity at global technology companies. Before OPSWAT, he served as AVP of network and cloud security at Allot. Itay launched his career as a software engineer in an elite intelligence unit of the Israel Defense Forces.
