Renewable Energy Cybersecurity Wake‑Up Call: What Poland’s 29 December 2025 Incident Should Change

   Feb 07, 2026 | Radiflow team

On 29 December 2025, Poland experienced coordinated destructive cyberattacks impacting more than 30 wind and solar farms, a manufacturing company, and a large combined heat and power (CHP) plant supplying heat to nearly half a million customers. CERT Polska described the operation as “purely destructive,” comparing it to arson in digital form.

This incident matters because it reflects real conditions we keep seeing in the field: remote access exposed to the Internet, missing multi‑factor authentication (MFA), credential reuse, and default credentials on OT‑adjacent devices. These are not theoretical gaps—they are the fastest path from the perimeter to operational disruption.

What the incident showed in practice

At the renewable sites, CERT reports that the entry point was Internet‑exposed FortiGate VPN access without MFA. From there, the attacker reached OT‑adjacent components and carried out destructive actions that caused loss of communication with the distribution system operator (DSO) and prevented remote control. Electricity generation continued, but visibility and controllability degraded across a distributed fleet.

At the CHP plant, CERT describes a longer campaign: initial attacker activity appeared months earlier (March–May 2025), followed by renewed access and reconnaissance later in 2025, and then domain‑wide wiper deployment during the incident. Across victims, the theme is consistent: when remote access and identity hygiene are weak, sabotage becomes scalable.

Practical actions that could change the outcome

| Attack stage | Prioritization | Outcome |
| --- | --- | --- |
| Remote access entry | MFA, strict account control, vendor access governance, logging | Cuts the main entry path and improves traceability |
| Pre‑positioning | Continuous OT intrusion monitoring and visibility, plus perimeter logs | Detect scanning and abnormal paths before disruption |
| Pivot/spread | Segmentation, monitoring of inter‑zone traffic, response playbooks | Contain movement and shorten recovery time |
| Destructive actions | Monitoring of sensitive changes, fast triage workflow | Spot damaging actions early; prioritize recovery steps |

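The first and third rows of the table (remote-access entry and pivot/spread) are where logging and inter‑zone monitoring pay off fastest, so here is a small worked example of what that detection logic looks like. This is an added illustration, not code from CERT Polska, Radiflow or the original post. The VPN log lines and flow records are constructed for the example, the key=value log layout is an assumption rather than FortiGate's real schema, and the OT zone range and the "allowed conduit" list stand in for an asset owner's own documented baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPN login records in a simplified key=value layout.
# The layout is an assumption for this example, not FortiGate's actual log format.
VPN_LOGS = [
    "ts=2025-12-29T02:11:05Z user=svc_scada src=203.0.113.44 mfa=yes result=success",
    "ts=2025-12-29T02:14:51Z user=vendor01 src=198.51.100.7 mfa=no result=success",
    "ts=2025-12-29T02:15:02Z user=vendor01 src=192.0.2.19 mfa=no result=success",
    "ts=2025-12-29T02:20:33Z user=admin src=192.0.2.200 mfa=no result=failure",
    "ts=2025-12-29T02:20:40Z user=admin src=192.0.2.200 mfa=no result=failure",
    "ts=2025-12-29T02:20:47Z user=admin src=192.0.2.200 mfa=no result=success",
]

# Constructed inter-zone flow records: (src, dst, dst_port, protocol).
FLOWS = [
    ("10.10.5.20", "10.20.1.10", 502, "tcp"),    # jump host -> PLC gateway, Modbus (documented)
    ("10.10.7.33", "10.20.1.10", 502, "tcp"),    # office workstation -> PLC gateway (not documented)
    ("10.10.7.33", "10.20.1.15", 445, "tcp"),    # office workstation -> OT HMI over SMB (not documented)
    ("10.20.1.10", "10.20.1.15", 20000, "tcp"),  # OT-internal DNP3, not a zone crossing
]

# Assumed OT zone and assumed documented IT->OT conduits (src, dst, dst_port).
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_CONDUITS = {("10.10.5.20", "10.20.1.10", 502)}


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict; values never contain spaces in this layout."""
    return dict(tok.split("=", 1) for tok in line.split())


def vpn_findings(lines, fail_threshold=2):
    """Remote-access entry checks: successful logins without MFA, one account used
    from several source addresses, and a success right after repeated failures
    from the same source (a password-guessing or credential-stuffing pattern)."""
    findings = []
    srcs_by_user = defaultdict(set)
    fails = defaultdict(int)
    for event in (parse_kv(line) for line in lines):
        key = (event["user"], event["src"])
        if event["result"] == "failure":
            fails[key] += 1
            continue
        if event["mfa"] != "yes":
            findings.append((event["user"], event["src"], "login_without_mfa"))
        if fails[key] >= fail_threshold:
            findings.append((event["user"], event["src"], "success_after_failures"))
        srcs_by_user[event["user"]].add(event["src"])
    for user, srcs in srcs_by_user.items():
        if len(srcs) > 1:
            findings.append((user, ",".join(sorted(srcs)), "multiple_sources"))
    return findings


def zone_crossing_findings(flows, ot_zone=OT_ZONE, allowed=ALLOWED_CONDUITS):
    """Pivot/spread check: any flow entering the OT zone from outside it that is
    not on the documented conduit list is an abnormal path worth triage."""
    flagged = []
    for src, dst, port, proto in flows:
        src_in_ot = ipaddress.ip_address(src) in ot_zone
        dst_in_ot = ipaddress.ip_address(dst) in ot_zone
        if dst_in_ot and not src_in_ot and (src, dst, port) not in allowed:
            flagged.append((src, dst, port, proto))
    return flagged


if __name__ == "__main__":
    for finding in vpn_findings(VPN_LOGS):
        print("VPN:", finding)
    for finding in zone_crossing_findings(FLOWS):
        print("ZONE:", finding)
```

On the constructed input this flags three no‑MFA logins, the admin success that follows two failures, the vendor account used from two addresses, and the two office‑workstation flows into the OT zone that are not on the conduit list. The useful design point is that the conduit allowlist is the same artifact a segmentation project produces, so the monitoring "quick win" and the long‑term segmentation track share one source of truth.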
Partner view from Poland (Tekniska)

Tekniska CEO, Zuzanna Wieczorek, described why this keeps repeating in the field: “The challenge is often less technical and more organizational – how to execute improvements in complex brownfield environments and across contractor ecosystems. The pragmatic approach is two parallel tracks: long‑term risk reduction projects and quick wins that close the biggest gaps immediately. Asset owners must push clearer cybersecurity requirements into procurement and contractor delivery—otherwise even greenfield projects repeat the same weaknesses.”

Why this should change your 2026 priorities

Zuzanna’s point is the practical one: you don’t wait for perfect programs. You run parallel tracks. Harden remote access now, remove defaults, and put continuous OT monitoring in place in parallel with longer‑term segmentation and modernization. Monitoring and IDS are not “checkboxes”—they give you the visibility to detect pre‑attack activity, validate changes, and respond with evidence before disruption spreads.

Radiflow CEO, Ilan Barda, puts it directly: “For years, many mid-size critical infrastructure operators treated OT cybersecurity as ‘nice to have’. Nowadays, the baseline investment is manageable, and it’s no longer optional. It’s becoming mandatory, driven by regulations like NIS2, improving insurability, reducing production downtime risk, and limiting reputational exposure.”

To summarize, Poland’s incident shows how exposed remote access and weak credential hygiene can quickly cascade into OT disruption. Radiflow focuses on helping renewable and other critical infrastructure operators prevent repeat scenarios like this—using iSID to provide OT-aware visibility and early detection of remote-access abuse and destructive behavior, and CIARA to translate that evidence into fleet-wide remediation priorities, with measurable progress and reduced exposure over time.

For the full report: Energy Sector Incident Report – 29 December 2025 | CERT Polska
