Polish water and sewage sector under pro-Russian attacks. What does this mean?
The last year and a half has shown us one important thing - the scope of Russia-inspired cyberattacks is much broader than just encrypting devices or stealing data. Since April 2024, we have seen multiple attacks targeting Poland’s water and sewage sector, aimed at critical devices that support everyday life. The worst part is that most of them were probably easy to carry out.
It’s important to note that these cyberattacks were directed at OT infrastructure, which is a bit different from traditional IT. Operational technology interacts with physical machines and their processes including industrial control systems (ICS) and SCADA (Supervisory Control and Data Acquisition). As the National Cyber Security Centre (NCSC) states, OT prioritizes safety, reliability, and availability, because failure can have a physical impact on the world.
Incidents in Poland
It’s important to highlight that incidents affecting waterworks and sewage treatment plants are constant and happen every few months (on average). The timeline of victims is as follows:
- April 2024: sewage treatment plant in Wydminy (Warmińsko-Mazurskie Voivodeship);
- October 2024: sewage treatment plant in Kuźnica (Podlaskie Voivodeship);
- April 2025: sewage treatment plant in Witkowo (Wielkopolskie Voivodeship);
- May 2025: water treatment plant in Szczytno (Mazowieckie Voivodeship);
- September 2025: water treatment plant in Jabłonna Lacka (Mazowieckie Voivodeship);
- October 2025: sewage treatment plant in Chodaczów (Podkarpackie Voivodeship).
Real effects of cyberattacks
The key question is: what are the real consequences of these attacks?
An important statement was made by Marcin Dudek, Head of CERT Polska (Poland’s national-level CSIRT). In an interview with the Polish Press Agency (PAP), he said:
We've had cases where an attack led to a temporary interruption in the operation of a water treatment plant, which meant that for a short period of time, people had no water.
Marcin Dudek, Head of CERT Polska
It’s also worth noting that he provided a broader perspective on the incidents. Dudek largely reassured worried people, stating that:
- there was no direct danger to health or life;
- water wasn't contaminated in any of these attacks;
- attacks were possible by breaking very weak passwords, e.g. "111111" or "123456";
- an important element of these actions was to spread propaganda;
- attacks didn't have any impact on the environment.
Dudek also noted that devices responsible for operational technology processes have additional security features, which prevent critical parameters from skyrocketing.
How do we respond?
There are not many descriptions of direct responses to attacks like these, but we can still find some real cases online.
In some cases, staff did not suspect a cyberattack when they noticed changes in the technical parameters of devices. TVP3 Olsztyn (a national TV broadcaster) asked the director of the waterworks in Tolkmicko about cyberattacks. He said:
We thought it was just a normal station glitch that happens from time to time. It turned out CERT had already spotted it.
Jerzy Brzozowski, Director of the waterworks in Tolkmicko
This wasn’t an isolated case. When a cyberattack on a sewage treatment plant in Chodaczów (Podkarpackie Voivodeship) occurred, the local mayor said that it looked like a »malfunction«.
A similar thing happened when a pro-Russian hacktivist recently attacked a heating plant in Ruciane-Nida. The director of the company responsible for the facility said in an interview with the Polish Press Agency (PAP):
One boiler shut down—completely. But the display on that boiler had been malfunctioning before. The person on shift at the time thought the shutdown was related to the display issue. He reset everything, started the boiler again, and everything was working (...) We thought it was just a normal glitch related to that display.
Krzysztof Pieloch, Director of PEC Ruciane-Nida
We can fight
Media often focus only on cyberattacks that were successful. We need to remember that in many cases, cybercriminals break into systems, but they don’t have any real impact on our everyday life. Does it mean that we should overlook it and forget about it?
Of course not, because the risk is real. NASK (Research and Academic Computer Network) stated that manipulating the technical parameters of devices created a real risk to »health and life«, but as we know, this risk did not materialise because of the system’s security features and the immediate response from technical crews in these places.
We have also seen incidents that could be really dangerous, but Poland was able to counter the efforts of cybercriminals. In September 2025, Dariusz Standerski, Deputy Minister for Digital Affairs, said in an interview with the Financial Times that Russian-backed entities tried to shut down water in one of Poland’s major cities (one of the country’s 10 largest). The attackers successfully infiltrated the network, but were unable to cause real damage.
So, what now?
The major problem—not only in Poland’s water and sewage sector—is tied to a lack of necessary security measures. As we know from Poland’s Internal Security Agency (ABW), attacked entities were visible from the public internet, including Human-Machine Interfaces (HMI) responsible for technological processes. This shouldn’t be allowed on any such devices. In some of them, the maximum password length is eight characters, with no limit on attempts—which allows attackers to guess the correct password (via brute-force).
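With no limit on login attempts, the device itself will not stop password guessing, so the guessing has to be noticed in login records instead. The following is an added example, not code from the article or from any of the agencies quoted: a Python check that scans HMI or gateway login records for a burst of failed attempts and for a successful login that follows one. The log format, the plant subnet 10.20.0.0/24 and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: operator workstations live in this subnet; anything else is unexpected.
PLANT_NET = ip_network("10.20.0.0/24")

# Constructed sample lines: ISO timestamp, source IP, user, result.
SAMPLE_LOG = """\
2025-01-10T02:14:01 203.0.113.7 admin FAIL
2025-01-10T02:14:02 203.0.113.7 admin FAIL
2025-01-10T02:14:03 203.0.113.7 admin FAIL
2025-01-10T02:14:04 203.0.113.7 admin FAIL
2025-01-10T02:14:05 203.0.113.7 admin FAIL
2025-01-10T02:14:09 203.0.113.7 admin OK
2025-01-10T08:00:05 10.20.0.15 operator FAIL
2025-01-10T08:00:20 10.20.0.15 operator OK
"""

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_ip, timestamp_string) tuples."""
    failures = defaultdict(deque)  # source -> failure times inside the window
    bursting = set()               # sources that crossed the failure threshold
    seen_external = set()          # sources outside PLANT_NET already reported
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        stamp, src, _user, result = parts
        when = datetime.fromisoformat(stamp)
        # Any login attempt from outside the plant subnet means the HMI is exposed.
        if ip_address(src) not in PLANT_NET and src not in seen_external:
            seen_external.add(src)
            alerts.append(("external_source", src, stamp))
        if result == "FAIL":
            recent = failures[src]
            recent.append(when)
            while when - recent[0] > window:
                recent.popleft()  # drop failures older than the window
            if len(recent) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("guessing_burst", src, stamp))
        elif result == "OK" and src in bursting:
            # A success right after a burst is the case staff may read as a "glitch".
            alerts.append(("login_after_burst", src, stamp))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```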
We should be ready for more attacks like these, which happen not only in Poland, but in many NATO countries. As we know from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), successful attacks have occurred in the United States and many European countries.
As we can see from an indictment in a California court, hacktivists were responsible for compromising:
- public water system in Texas, tampering with the set points of the water storage tanks and triggering 22 wells, causing an unknown volume of drinking water to overflow;
- public water system in Texas, changing passwords, tampering with storage settings, and causing an unknown volume of drinking water to overflow;
- public water system in Texas, altering pump set points and shutting down the system, causing approximately 200,000 gallons of water to overflow;
- children's water park in the Netherlands, tampering with temperature and other control settings including chlorination levels.
Sometimes it’s hard to separate propaganda efforts from real consequences, but we need to remember that things like this happen regularly and can influence our lives. We also have many countermeasures, and many people working to make our world more secure.

