Sources: TechCrunch
A report from Poland’s Central Anti-Corruption Bureau (CBA) has revealed that hackers breached several water treatment plants in Poland, sparking concerns that the US could face a similar threat.
Key Takeaways:
* Poland’s CBA accused Russia of hacking activities against the country’s military and civilian infrastructure.
* The report identified at least five water treatment plants that were breached, with the attackers reaching systems that control plant operations.
* The US is facing a similar threat, with cybersecurity experts warning that the country’s water treatment infrastructure is also at risk.
Historical Context
Cyberattacks on critical infrastructure aren’t new. In 2015, hackers believed to be linked to Russia disabled parts of Ukraine’s power grid, leaving over 200,000 people without electricity during winter. That incident was one of the first confirmed cases of a cyberattack causing widespread physical disruption. A year later, in 2016, the same group targeted Ukraine’s energy sector again, deploying more sophisticated malware designed to persist in systems and erase data.
Water infrastructure has also been in the crosshairs. In 2021, an intruder used the remote access software at the water treatment plant in Oldsmar, Florida, to raise the sodium hydroxide (lye) setpoint from about 100 parts per million to 11,100, a level that would have made the water dangerous to drink. An operator watching the screen saw the change and reversed it before it reached the supply, but the incident exposed a glaring weakness: internet-reachable remote access with a shared password and no multi-factor authentication.
Since then, minor intrusions have been reported at smaller US utilities, often involving ransomware or phishing attempts. But many go unreported due to inconsistent public disclosure requirements and a lack of mandatory reporting thresholds for smaller facilities. The EPA estimates that fewer than half of all cyber incidents at water systems are reported to federal authorities.
The pattern is clear: as digital control systems become more common in essential services, they present a growing target. Supervisory Control and Data Acquisition (SCADA) systems, which monitor and manage water flow, chemical dosing, and filtration, were once isolated. Now, many are connected to corporate networks or even the internet for remote monitoring—often without proper segmentation or security upgrades.
What happened in Poland isn’t an isolated event. It’s part of a broader trend of state-sponsored actors probing civilian infrastructure in adversarial nations. The CBA report names Russian-linked groups as responsible, citing similarities in malware signatures and command-and-control server locations used in earlier attacks on Polish military networks in 2023 and 2024. The same tactics—phishing emails with malicious attachments, followed by lateral movement through internal networks—were used in both cases.
This history suggests a deliberate escalation. If cyberattacks on power grids were a warning shot, then targeting water systems crosses another threshold. Water isn’t just essential for health; it’s foundational to public trust. A successful contamination event—even if limited—could trigger panic, mass evacuations, and long-term reputational damage to local governments.
Poland’s Water Treatment Plant Breaches
The CBA report, published on May 8, 2026, revealed that hackers breached several water treatment plants in Poland, putting the safety of part of the country’s drinking water supply at risk. The report identified at least five plants where the attackers gained access to sensitive information and reached systems that could have been used to disrupt operations.
The breaches were discovered during an audit initiated after unusual network traffic was detected at one of the larger regional utilities. Investigators traced the intrusion to a phishing email sent to a mid-level engineer; its attachment installed a remote access trojan (RAT). From there, the attackers moved laterally across the network, eventually reaching the SCADA system that regulates chemical dosing and flow rates.
They didn’t alter chemical levels during the breach, but they had the capability to do so. Instead, they exfiltrated operational data, including maintenance logs, alarm thresholds, and real-time sensor readings. That kind of intelligence is invaluable for future attacks. It allows adversaries to map system behavior, identify failure points, and time disruptions for maximum impact—such as during a heatwave or natural disaster.
One of the compromised plants serves a city of over 300,000 people. Another is located near a major military base, raising concerns about dual-use targeting—civilian infrastructure as a lever to disrupt national defense operations.
No evidence suggests the water was contaminated. But the attackers reached the systems that control chemical balance, filtration, and pressure, which means they had the access needed to do so. The CBA called the breach “a near-miss of critical proportions.”
Scope of the Breaches
According to the CBA report, the hackers gained access to the water treatment plants through a combination of phishing attacks and malware infections. The report stressed the severity of the breaches: the hackers were able to access sensitive information, including water quality data and details of how the plants are operated.
The malware used in the attack is consistent with tools associated with Russian cyber-espionage units, particularly those operating under the GRU. It allowed persistent access, enabling long-term surveillance and data collection. The attackers also deployed keylogging software to capture login credentials used across the network, including those for third-party vendor portals.
Network logs show the hackers spent nearly eight weeks inside one of the systems, mapping access points and testing alarm responses. They triggered minor system alerts to observe how staff reacted—essentially conducting live-fire drills on real operators.
The plants targeted weren’t the largest in the country, but they were representative of a common setup: older hardware running legacy software, minimal network segmentation, and remote access enabled for maintenance. Some systems still used Windows 7, which Microsoft stopped supporting in 2020. Patching was inconsistent, and antivirus software was outdated.
One facility had not changed its default SCADA login credentials in over a decade. Another allowed Remote Desktop Protocol (RDP) connections from any IP address, without multi-factor authentication.
The CBA report doesn’t name the specific plants, citing national security concerns. But it does confirm that all five are located in western and central Poland—regions with high population density and strategic importance.
The US Threat
Cybersecurity experts warn that the US is facing a similar threat, with the country’s water treatment infrastructure also at risk. The US Environmental Protection Agency (EPA) has identified over 100,000 water treatment plants across the country as being vulnerable to cyber attacks, with many of these plants relying on outdated software and hardware.
Most of these facilities serve small communities—towns with fewer than 10,000 residents. They operate on tight budgets, with no dedicated IT staff and minimal cybersecurity training. Many still use analog controls, but an increasing number are adopting digital systems without the security infrastructure to support them.
A 2025 Government Accountability Office (GAO) report found that 60% of water utilities with populations under 3,300 had no formal cybersecurity policy. Only 22% had conducted a risk assessment in the past year. Federal grants exist to help upgrade systems, but the application process is complex, and funds are limited.
The threat isn’t theoretical. In 2023, a ransomware attack hit a water authority in Nevada, locking operators out of their monitoring systems for 36 hours. In 2024, hackers accessed a system in Maine and disabled alarms meant to detect chemical imbalances. Both were caught early, but both revealed the same vulnerabilities: exposed RDP ports, weak passwords, and no network monitoring.
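As an added illustration, not code from the article, the CBA report, or either US utility, here is the kind of network monitoring the paragraph says was missing: a small Python script that reads Windows Security logon events and flags RDP sessions (logon type 10) that arrive from outside a maintenance allowlist, password-guessing bursts against an account, and a success that follows such a burst. The event records, the allowlist range and the account names are constructed for the example.

```python
"""Flag risky RDP logons in Windows Security event records.

Added example; not code from the article or from any utility. The records
below are constructed to mimic Windows Security events 4624 (logon
succeeded) and 4625 (logon failed), where LogonType 10 means
RemoteInteractive, i.e. RDP. The allowlist and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy: RDP is only legitimate from the vendor jump-host range.
MAINTENANCE_ALLOWLIST = [ip_network("10.20.30.0/24")]
BRUTE_FORCE_THRESHOLD = 5                  # failed logons per (source, account)
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10


def _event(event_id, when, user, ip, logon_type):
    """Build one record using the Windows Security log field names."""
    return {"EventID": event_id, "TimeCreated": when, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _event(4624, "2026-05-01T02:10:05", "vendor-svc", "10.20.30.7", 10),      # allowlisted vendor RDP
    *[_event(4625, f"2026-05-01T02:1{m}:00", "administrator", "203.0.113.45", 10)
      for m in range(1, 6)],                                                  # five failures in five minutes
    _event(4624, "2026-05-01T02:16:30", "administrator", "203.0.113.45", 10),  # then a success
    _event(4624, "2026-05-01T08:00:00", "operator1", "192.168.5.12", 2),      # console logon: not RDP
]


def is_allowlisted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MAINTENANCE_ALLOWLIST)


def _finding(rule, key, ts):
    return {"rule": rule, "source_ip": key[0], "account": key[1], "time": ts.isoformat()}


def analyze(events):
    """Return findings (dicts with rule, source_ip, account, time) in time order."""
    findings = []
    failures = defaultdict(list)   # (ip, account) -> timestamps of recent 4625 events
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue                # console, service and network logons are out of scope here
        ts = datetime.fromisoformat(ev["TimeCreated"])
        key = (ev["IpAddress"], ev["TargetUserName"])
        # Age out failures that fell outside the window before evaluating this event.
        failures[key] = [t for t in failures[key] if ts - t <= BRUTE_FORCE_WINDOW]
        if ev["EventID"] == 4625:
            failures[key].append(ts)
            if len(failures[key]) == BRUTE_FORCE_THRESHOLD:   # fire once per burst
                findings.append(_finding("rdp_brute_force", key, ts))
        elif ev["EventID"] == 4624:
            if not is_allowlisted(ev["IpAddress"]):
                findings.append(_finding("rdp_logon_outside_allowlist", key, ts))
            if failures[key]:                                  # success right after guessing
                findings.append(_finding("rdp_success_after_failures", key, ts))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['rule']:<30} {f['account']}@{f['source_ip']}")
```

The three rules map directly onto SIEM queries; the point of the allowlist rule is that on a plant network a successful RDP logon from an unexpected address is a finding on its own, whether or not a password was guessed first.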
The EPA has issued voluntary cybersecurity guidelines, but compliance is patchy. Unlike power or transportation sectors, water utilities aren’t subject to mandatory federal cybersecurity standards. That could change—the Biden administration proposed new rules in 2025 requiring larger systems to report cyber incidents within 72 hours and adopt basic protections like multi-factor authentication and endpoint detection.
But even if passed, enforcement will be slow. The rule only applies to systems serving more than 3,300 people, leaving tens of thousands of smaller facilities unregulated.
Cybersecurity Risks to Water Treatment Plants
The CBA report highlighted the significant cybersecurity risks to water treatment plants, including the potential for hackers to disrupt operations, compromise water quality, and even contaminate the water supply. The report emphasized the need for improved cybersecurity measures, including regular software updates, employee training, and advanced threat detection systems.
The risks go beyond contamination. A coordinated attack could shut down pumping stations, cut off supply to hospitals or fire departments, or trigger overflows that damage the environment. In a drought-prone state like California, even a temporary disruption could have cascading effects on agriculture and public safety.
Attackers don’t need to poison the water to cause harm. They can erode trust. If people believe their tap water is unsafe—even if it isn’t—they’ll turn to bottled water, straining supply chains and creating economic strain. In extreme cases, local governments could be forced to declare emergencies, diverting resources from other services.
Legacy systems are a major liability. Many SCADA platforms were built in the 1990s and early 2000s, long before modern encryption and authentication standards. They weren’t designed to be connected to the internet, but now they are—often through third-party maintenance tools that lack security controls.
Worse, many utilities rely on contractors for system updates and repairs. These vendors often have broad access to networks, but their devices may not meet the same security standards as the utilities themselves. A single infected laptop brought on-site for servicing could introduce malware that spreads silently for months.
What This Means For You
The breaches in Poland’s water treatment plants are a stark reminder of the importance of strong cybersecurity measures in critical infrastructure. For developers and builders, this means prioritizing cybersecurity when designing and implementing new systems. Regular software updates, employee training, and advanced threat detection systems are essential in preventing and responding to cyber attacks.
For software developers building tools for industrial control systems, it means treating security as a core feature, not an afterthought. Default passwords should be eliminated, and a product should refuse to run until they are changed. Network segmentation must be baked into the architecture from day one. APIs that connect to SCADA systems should authenticate every request rather than trusting a caller because it sits on the plant network, with role-based access, bounds checks on any value that changes a setpoint, and audit logging enabled by default.
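To make those properties concrete, here is an added example (not code from the article or any ICS vendor) of a small Python write path for SCADA setpoints: enrollment refuses default credentials, every request is authenticated, actions are gated by role, setpoint writes are bounds-checked against an engineering envelope, and every request, allowed or denied, is recorded. The roles, tag name and limits are assumptions for the demonstration.

```python
"""A deny-by-default, audited write path for SCADA setpoints.

Added example; not code from the article or any ICS vendor. Roles, tag
names, limits and the forbidden-credential list are assumptions.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Username/password pairs that must never be accepted (constructed list).
FORBIDDEN_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                      ("operator", "operator"), ("scada", "scada")}
MIN_PASSWORD_LEN = 12

# Role -> permitted actions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer":   {"read"},
    "operator": {"read", "write"},
    "engineer": {"read", "write", "set_limits"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SetpointGateway:
    def __init__(self, limits: dict):
        self._users = {}                   # username -> (salt, digest, role)
        self._limits = dict(limits)        # tag -> (low, high) engineering envelope
        self._values = {tag: lo for tag, (lo, _) in limits.items()}
        self.audit_log = []                # one entry per request, allowed or not

    def enroll(self, username: str, password: str, role: str) -> None:
        """Create an account; default or short credentials are refused outright."""
        if (username, password) in FORBIDDEN_DEFAULTS or len(password) < MIN_PASSWORD_LEN:
            raise ValueError("default or weak credential rejected")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), role)

    def _authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, role = record
        return role if hmac.compare_digest(_hash_password(password, salt), digest) else None

    def _audit(self, username, action, tag, value, outcome):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": username, "action": action, "tag": tag,
                               "value": value, "outcome": outcome})

    def request(self, username, password, action, tag, value=None):
        """Authenticate, authorise, validate, act; always write an audit entry."""
        role = self._authenticate(username, password)
        if role is None or action not in ROLE_PERMISSIONS[role]:
            self._audit(username, action, tag, value, "denied")
            return False, "denied"
        if tag not in self._limits:
            self._audit(username, action, tag, value, "unknown_tag")
            return False, "unknown_tag"
        if action == "read":
            self._audit(username, action, tag, None, "allowed")
            return True, self._values[tag]
        if action == "write":
            low, high = self._limits[tag]
            if not low <= value <= high:      # the Oldsmar-style jump is stopped here
                self._audit(username, action, tag, value, "out_of_range")
                return False, "out_of_range"
            self._values[tag] = value
            self._audit(username, action, tag, value, "allowed")
            return True, value
        # action == "set_limits": value is a (low, high) pair
        low, high = value
        if low >= high:
            self._audit(username, action, tag, value, "out_of_range")
            return False, "out_of_range"
        self._limits[tag] = (low, high)
        self._audit(username, action, tag, value, "allowed")
        return True, (low, high)
```

Two design points worth noting: the out-of-range check lives in the gateway rather than in the HMI, so a stolen operator credential still cannot push a value outside the envelope without a separate engineer action, and the audit entry is written before the function returns on every path, so denied attempts are as visible as successful ones.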
For startup founders building in the cleantech or smart infrastructure space, the threat creates both risk and opportunity. A single breach at a client site could destroy a company’s reputation. But there’s growing demand for secure, plug-and-play monitoring systems tailored to small utilities that can’t afford custom IT teams.
One founder might build a low-cost sensor network with end-to-end encryption and automatic, signed firmware updates, designed specifically for rural water districts. Another might develop an AI-powered anomaly detection tool that runs locally, on-premise, so it keeps working when the site’s internet link is cut and exposes no remote interface for an attacker to reach.
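An added example, not code from the article or any product, of what such a local detector can look like in its simplest useful form. It runs over whatever readings the historian hands it and combines three checks: a hard engineering envelope, a rolling statistical baseline built from the median and median absolute deviation (which a single spike cannot drag), and a flatline check for a frozen or replayed sensor. Unlike the fixed alarm thresholds the Polish attackers exfiltrated, the baseline is derived from recent behaviour rather than read from a configuration file. The tag, limits and readings are constructed; the 100 to 11,100 ppm jump mirrors the publicly reported Oldsmar setpoint change.

```python
"""Local anomaly detection for a chemical-dosing tag.

Added example; not from the article or any product. Needs no network:
it runs over the list of readings it is given. Limits and readings are
constructed for the demonstration.
"""
from statistics import median

HARD_LIMIT_PPM = (0.0, 500.0)   # assumed engineering envelope for the NaOH dose
WINDOW = 12                      # readings used for the rolling baseline
ROBUST_Z = 6.0                   # |x - median| / (1.4826 * MAD) above this is an outlier
SCALE_FLOOR = 1.0                # ppm; stops a near-zero MAD from flagging normal noise
FLATLINE_RUN = 8                 # identical consecutive readings before suspecting a frozen sensor


def robust_z(value, history):
    """Distance from the rolling median, in MAD units scaled to one sigma."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, SCALE_FLOOR)
    return abs(value - med) / scale


def trailing_run(readings, i):
    """Length of the run of identical values ending at index i."""
    run = 1
    while i - run >= 0 and readings[i - run] == readings[i]:
        run += 1
    return run


def detect(readings):
    """Return (index, rule, value) findings, evaluating readings in arrival order."""
    findings = []
    low, high = HARD_LIMIT_PPM
    for i, value in enumerate(readings):
        if not low <= value <= high:                      # physically implausible
            findings.append((i, "hard_limit", value))
        if i >= WINDOW:                                   # enough history for a baseline
            if robust_z(value, readings[i - WINDOW:i]) > ROBUST_Z:
                findings.append((i, "statistical_outlier", value))
        if trailing_run(readings, i) == FLATLINE_RUN:     # fire once when the run is reached
            findings.append((i, "flatline", value))
    return findings


# Constructed readings (ppm NaOH), one per polling interval.
SAMPLE_READINGS = [
    100.2, 99.8, 100.5, 99.9, 100.1, 100.3, 99.7, 100.0, 100.4, 99.6, 100.2, 100.1,  # normal
    100.3,                                                     # still normal
    11100.0,                                                   # Oldsmar-style jump
    100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 100.0, 100.0,   # frozen value: stuck or replayed
]

if __name__ == "__main__":
    for idx, rule, val in detect(SAMPLE_READINGS):
        print(f"reading {idx:>2}: {rule:<20} {val}")
```

The median/MAD baseline is chosen deliberately: after the spike enters the window, the mean and standard deviation would be dominated by it and the next normal reading would look anomalous, whereas the median barely moves and the detector settles immediately.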
For city planners and municipal engineers, it means asking harder questions before adopting new digital systems. Who owns the data? How often are patches deployed? Can the system operate safely in offline mode? Contracts with vendors should include cybersecurity requirements, with penalties for non-compliance.
Because the US faces the same exposure, developers and builders there need to take these steps now rather than after an incident.
What Happens Next
The question isn’t whether another attack will happen—it’s when, where, and how bad it will be. The Poland incident was a warning. The next one might not be.
Federal agencies are stepping up coordination. CISA (Cybersecurity and Infrastructure Security Agency) has increased outreach to water utilities, offering free vulnerability scans and incident response planning. The FBI is tracking known threat actors more closely, sharing intelligence with local partners.
But real change will require funding, regulation, and cultural shifts. Small utilities need help upgrading systems. That means more grants, simplified application processes, and technical support from state and federal agencies.
There’s also a growing push for public transparency. Some lawmakers want utilities to disclose cyber incidents the way hospitals report data breaches. That would create accountability, but it could also spark unnecessary panic if not done carefully.
One thing is certain: water systems can’t be treated like IT networks. They’re part of the physical world. A software glitch can lead to a public health crisis. That demands a different mindset—one where uptime, safety, and resilience are non-negotiable.
The tools to fix this exist. They’re not flashy or new. They’re patches, training, access controls, and backups. The challenge isn’t technical. It’s about will, attention, and investment.
If Poland’s near-miss doesn’t trigger action, it’s hard to imagine what will.
Sources: TechCrunch, Cybersecurity Magazine