Cyberattack on the Polish Energy Grid Impacted Around 30 Facilities


What happened

A cyberattack on the Polish energy grid impacted around 30 facilities after attackers targeted distributed energy resource (DER) control and operational technology systems in late December 2025. The incident affected multiple sites across the country, including combined heat and power (CHP) plants as well as wind and solar dispatch systems, but did not result in a loss of electrical power. Analysis published by Dragos describes the activity as the first major cyberattack against distributed energy resources, with attackers disrupting communications and access to control systems. CERT Polska confirmed the scale of the incident and the number of impacted facilities as part of the national response. Dragos attributed the activity with moderate confidence to a threat group it tracks as Electrum, noting characteristics consistent with prior attacks on energy infrastructure.

Who is affected

Operators and infrastructure associated with distributed energy resource sites, including CHP, wind, and solar dispatch systems, are directly affected. Control and communication systems at these sites were compromised, resulting in damaged OT equipment and communication disruptions across the approximately 30 facilities involved in the incident.

Why CISOs should care

This incident involved compromise of control and operational systems supporting distributed energy assets within a national power grid, illustrating how cyberattacks on OT environments can affect critical infrastructure components and communications systems without causing immediate outages. Understanding the scale and technical impact of such attacks is relevant to risk assessments and cross-domain security governance where IT/OT integration exists.

3 practical actions

  • Inventory DER system interfaces. Identify and catalog control and communication interfaces for distributed energy resource sites to assess exposure and segmentation gaps.
  • Validate OT security controls. Review configurations, authentication mechanisms, and network protections for operational technology assets tied to energy infrastructure.
  • Enhance monitoring for OT anomalies. Implement or refine monitoring of OT and communications device behavior to detect unusual activity indicative of remote compromise.
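The third action, monitoring OT and communications device behavior for signs of remote compromise, can start from something as simple as tracking whether each DER site is still talking. The incident's visible effect was loss of communications and control-system access across many sites at once, so the detection below flags sites whose heartbeats stop and then checks whether several sites went quiet inside the same short window, which is more consistent with deliberate disruption than with unrelated faults. This is an added illustration, not code or data from Dragos, CERT Polska, or the affected operators; the site names, timestamps, polling cadence, and thresholds are all constructed or assumed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not data from the incident): heartbeat records
# emitted by DER site gateways, as (site_id, ISO-8601 timestamp).
SAMPLE_HEARTBEATS = [
    ("chp-01", "2025-12-29T10:00:00"),
    ("chp-01", "2025-12-29T10:05:00"),
    ("chp-01", "2025-12-29T10:10:00"),
    ("chp-02", "2025-12-29T10:00:00"),
    ("wind-07", "2025-12-29T10:00:00"),
    ("wind-07", "2025-12-29T10:05:00"),
    ("wind-09", "2025-12-29T09:55:00"),
    ("wind-09", "2025-12-29T10:05:00"),
    ("solar-12", "2025-12-29T10:00:00"),
    ("solar-12", "2025-12-29T10:05:00"),
    ("solar-12", "2025-12-29T10:10:00"),
    ("solar-12", "2025-12-29T10:15:00"),
]

# Assumed tuning values; a real deployment derives these from each site's baseline.
EXPECTED_INTERVAL = timedelta(minutes=5)   # assumed polling cadence per site
ALLOWED_MISSED = 2                         # tolerate this many missed beats
CLUSTER_WINDOW = timedelta(minutes=10)     # silences this close together count as one event
MIN_CLUSTER_SITES = 3                      # sites needed before calling it coordinated


def last_seen_by_site(records):
    """Return {site_id: latest heartbeat datetime} from raw (site, timestamp) records."""
    seen = {}
    for site, ts in records:
        t = datetime.fromisoformat(ts)
        if site not in seen or t > seen[site]:
            seen[site] = t
    return seen


def find_silent_sites(last_seen, now, interval=EXPECTED_INTERVAL, allowed_missed=ALLOWED_MISSED):
    """Sites whose gap since the last heartbeat exceeds the tolerated number of missed beats.
    Returns {site_id: gap as timedelta}."""
    limit = interval * allowed_missed
    return {site: now - t for site, t in last_seen.items() if now - t > limit}


def detect_coordinated_silence(silent, last_seen, window=CLUSTER_WINDOW, min_sites=MIN_CLUSTER_SITES):
    """Group silent sites by the time they went quiet. Returns the largest group whose
    last heartbeats fall inside one window (sorted site ids), or [] if no group is big enough."""
    times = sorted((last_seen[s], s) for s in silent)
    best = []
    for i, (t0, _) in enumerate(times):
        group = [s for t, s in times[i:] if t - t0 <= window]
        if len(group) >= min_sites and len(group) > len(best):
            best = sorted(group)
    return best


def analyze(records, now):
    """Run both checks; `now` may be a datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = last_seen_by_site(records)
    silent = find_silent_sites(last_seen, now)
    cluster = detect_coordinated_silence(silent, last_seen)
    return {"silent": silent, "cluster": cluster}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEARTBEATS, "2025-12-29T10:20:00")
    for site, gap in sorted(result["silent"].items()):
        print(f"ALERT site {site} silent for {int(gap.total_seconds() // 60)} min")
    if result["cluster"]:
        print("ALERT coordinated loss of communications:", ", ".join(result["cluster"]))
```

On the constructed data, evaluated at 10:20, three sites (chp-02, wind-07, wind-09) have missed more than two beats and all went quiet within a ten-minute window, so the second check escalates them as one coordinated event while chp-01 and solar-12 remain healthy. Feeding this from the actual gateway or historian logs, and keeping per-site baselines rather than one global interval, is the practical next step.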