Polish water plants breached in coordinated attack on industrial controls

May 10, 2026 · 7 min read · 4 sources

Introduction: A Threat to the Tap

In late November 2023, Polish authorities issued a stark warning that sent a chill through the critical infrastructure community. The Polish Internal Security Agency (ABW), in coordination with GovTech Polska and CERT.GOV.PL, revealed that five separate water treatment facilities across the country had been targeted by coordinated cyberattacks. The attackers succeeded in breaching the plants' Industrial Control Systems (ICS), gaining the ability to manipulate operational parameters. According to an official government statement, this created a direct and severe risk to the public water supply, including the potential for attackers to alter chemical dosing levels.

While the agencies confirmed the attacks were detected and countered before causing public harm, the incidents represent a significant escalation in threats against essential services. This analysis delves into the technical specifics of the breach, assesses the potential impact, and outlines necessary defensive measures for critical infrastructure operators worldwide.

Background: Water Utilities in the Crosshairs

The targeting of water and wastewater systems (WWS) is not a new phenomenon, but the Polish incidents fit into a disturbing pattern of increasingly brazen attacks. These facilities are high-value targets for malicious actors—from state-sponsored groups to hacktivists—for several reasons. They are fundamental to public health and safety, making any disruption a source of widespread panic and potential physical harm. Furthermore, many of these facilities operate on a blend of modern IT networks and legacy Operational Technology (OT) systems, which were often designed for reliability and safety, not for internet-era security.

This attack echoes several high-profile precedents. In 2021, an attacker remotely accessed the control system of a water treatment plant in Oldsmar, Florida, and attempted to dangerously increase sodium hydroxide levels. A year earlier, in 2020, threat actors believed to be linked to Iran reportedly tried to manipulate chlorine levels in Israel's water supply. These events demonstrate a clear intent by adversaries to move beyond data theft or ransomware and into the realm of physical sabotage with potentially lethal consequences. Given Poland's strategic position as a frontline NATO member, the possibility of a state-sponsored motive, aimed at destabilization, cannot be dismissed, although authorities have not made any public attribution.

Technical Details of the Breach

While Polish authorities have withheld specific indicators of compromise (IoCs) to prevent copycat attacks, the official reports provide enough detail to construct a likely attack chain. The primary targets were the Industrial Control Systems, specifically the Programmable Logic Controllers (PLCs) that automate the physical processes within the treatment plants.

PLCs are ruggedized industrial computers that act as the brains of the operation, controlling valves, pumps, and chemical dosing equipment based on programmed logic. Gaining control of a PLC is the ultimate goal for an attacker aiming to cause physical disruption. The attackers in Poland achieved the ability to modify equipment operational parameters, which means they successfully bypassed or compromised the layers of security separating the corporate IT network from the sensitive OT network.

Common vectors for such an intrusion include:

  • Compromised Remote Access: Technicians and third-party vendors often require remote access to OT systems for maintenance. If these access points, which often use protocols like RDP or proprietary software, are not properly secured with multi-factor authentication (MFA) and strong access controls, they become a prime entry point. Using a secure VPN service can help segment and protect this traffic.
  • Exploitation of Internet-Facing Devices: Any device on the OT network, such as a Human-Machine Interface (HMI) or a data historian, that is improperly exposed to the internet is a major vulnerability. Attackers continuously scan for such devices and exploit unpatched software to gain an initial foothold.
  • Spear-Phishing: An attacker could target plant engineers or operators with carefully crafted phishing emails. A successful phish could lead to credential theft or malware deployment on an engineering workstation that has access to the OT network.
  • Lack of Network Segmentation: The most critical failure in many ICS breaches is a flat network architecture where the IT and OT environments are not adequately separated. A firewall with properly configured rules should strictly control all traffic flowing between these zones. A breach on the IT side (e.g., an office computer) should never easily pivot to the OT side that controls physical processes.

Once inside the network, the attackers demonstrated the capability to interact directly with the PLCs. This suggests they understood the specific industrial protocols in use (e.g., Modbus, DNP3) and possessed the knowledge to alter setpoints for chemical dosing, a non-trivial task that implies a degree of reconnaissance and operational knowledge.

Impact Assessment: Averting a Public Health Crisis

The successful detection and mitigation of these attacks prevented a worst-case scenario, but the potential impact was catastrophic. The primary threat, as highlighted by the ABW, was the manipulation of chemical levels in the water supply.

  • Direct Health Risks: Increasing chlorine to dangerous levels could cause chemical burns and severe illness. Conversely, reducing chlorine below effective levels could allow harmful bacteria and viruses like E. coli or Giardia to propagate, leading to widespread disease outbreaks.
  • Service Disruption: Beyond contamination, an attacker could shut down pumps, close valves, or manipulate pressure readings to cause equipment damage and disrupt the water supply to homes, hospitals, and businesses. Such an outage would have cascading effects on public services and economic activity.
  • Erosion of Public Trust: A successful attack on a nation's water supply would severely damage public confidence in the government's ability to provide basic, safe services. The psychological impact and resulting panic could be as damaging as the physical event itself.

The fact that five plants were targeted in a coordinated fashion suggests a well-resourced and determined adversary. This was not a random act of vandalism but a planned operation intended to cause maximum disruption. The timely intervention by Polish authorities underscores the critical importance of continuous monitoring and rapid incident response capabilities in OT environments.

How to Protect Critical Infrastructure

The Polish breaches serve as a global call to action for all operators of critical infrastructure. Securing these complex environments requires a defense-in-depth strategy that addresses technology, processes, and people. Key actionable steps include:

  1. Enforce Strict Network Segmentation: Create a strong, defensible perimeter between IT and OT networks. Use firewalls and demilitarized zones (DMZs) to ensure that no traffic can pass from the corporate network to the control network unless it is explicitly authenticated and authorized. All traffic should be logged and monitored for anomalies.
  2. Secure All Remote Access: Eliminate shared accounts for remote access. Implement multi-factor authentication (MFA) for all users, especially those with privileged access to the OT network. All remote sessions should be logged and monitored.
  3. Implement a Continuous Monitoring Program: Deploy monitoring tools that are specifically designed for OT networks. These systems can detect anomalous behavior, such as unauthorized commands being sent to a PLC or unusual network traffic patterns, providing early warning of a potential intrusion.
  4. Develop and Practice an Incident Response Plan: Have a well-documented plan specifically for OT incidents. This plan should include steps for isolating affected systems, failing over safely to manual operations, and communicating with stakeholders. Regular tabletop exercises are essential to ensure the plan is effective.
  5. Maintain a Rigorous Vulnerability Management Program: Actively identify and patch vulnerabilities in all systems, including HMIs, engineering workstations, and network hardware. For legacy systems that cannot be patched, apply compensating controls like network isolation and enhanced monitoring.
  6. Foster a Security-Aware Culture: Train all personnel, from operators to engineers, to recognize the signs of a cyberattack, such as phishing attempts or unusual system behavior. Empower them to report suspicious activity immediately without fear of reprisal.
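A defender-side illustration of steps 1 and 3, and of the PLC interaction over Modbus described earlier, added here as example code that is not part of the original article or of any Polish government report: a small Python monitor that parses Modbus/TCP frames, permits state-changing write function codes only from an allowlisted engineering workstation (the segmentation policy expressed as a source check), and flags setpoint values that fall outside the limits the process engineers defined. The IP addresses, register map, limits and captured frames are constructed for the example; a real deployment takes the register map and ranges from the plant's own documentation.

```python
"""Flag Modbus/TCP writes to a PLC that violate an OT write policy.

Added example; the frames, hosts and register map are constructed and
do not describe any real plant.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (writes), per the Modbus spec.
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
               WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

# Constructed policy: only the engineering workstation may write, and dosing
# setpoints must stay inside the range the process engineers approved.
AUTHORIZED_WRITERS = {"10.20.0.5"}            # hypothetical engineering workstation
REGISTER_LIMITS = {                            # hypothetical register map
    40: ("chlorine_dose_setpoint", 0, 250),    # holding register 40, engineering units
    41: ("caustic_dose_setpoint", 0, 120),
}


@dataclass
class Alert:
    severity: str
    src: str
    reason: str


def parse_mbap(frame: bytes):
    """Return (unit_id, function_code, pdu_data) from one Modbus/TCP frame.

    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1);
    the PDU follows: function code (1) and data. Length counts unit id + PDU.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus/TCP: protocol id must be 0")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, frame[7], frame[8:]


def written_registers(fc: int, data: bytes):
    """Yield (address, value) pairs for the register-write function codes."""
    if fc == WRITE_SINGLE_REGISTER:
        addr, value = struct.unpack(">HH", data[:4])
        yield addr, value
    elif fc == WRITE_MULTIPLE_REGISTERS:
        start, qty, byte_count = struct.unpack(">HHB", data[:5])
        values = struct.unpack(f">{qty}H", data[5:5 + byte_count])
        for i, value in enumerate(values):
            yield start + i, value


def inspect_frame(src: str, frame: bytes):
    """Apply the write policy to one captured frame; return a list of alerts."""
    alerts = []
    unit_id, fc, data = parse_mbap(frame)
    if fc not in WRITE_CODES:
        return alerts                          # reads are routine HMI polling
    if src not in AUTHORIZED_WRITERS:
        alerts.append(Alert("high", src,
                            f"write (fc 0x{fc:02x}) to unit {unit_id} from non-authorized host"))
    for addr, value in written_registers(fc, data):
        if addr in REGISTER_LIMITS:
            name, lo, hi = REGISTER_LIMITS[addr]
            if not lo <= value <= hi:
                alerts.append(Alert("critical", src,
                                    f"{name} set to {value}, outside [{lo}, {hi}]"))
    return alerts


def build_frame(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP frame (used here to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit_id) + bytes([fc]) + data


# Constructed capture: an HMI read, an in-range engineer write, and a write of
# an out-of-range chlorine setpoint from a host on the IT side of the boundary.
CAPTURE = [
    ("10.20.0.10", build_frame(1, 1, 0x03, struct.pack(">HH", 40, 2))),
    ("10.20.0.5", build_frame(2, 1, 0x06, struct.pack(">HH", 40, 180))),
    ("10.10.3.77", build_frame(3, 1, 0x10,
                                struct.pack(">HHB", 40, 2, 4) + struct.pack(">HH", 900, 10))),
]


def scan(capture=CAPTURE):
    """Run the policy over a whole capture and collect the alerts."""
    alerts = []
    for src, frame in capture:
        alerts.extend(inspect_frame(src, frame))
    return alerts


if __name__ == "__main__":
    for a in scan():
        print(f"[{a.severity.upper()}] {a.src}: {a.reason}")
```

The two checks are deliberately independent: the source allowlist catches a write from any host that segmentation should have kept off the control network, while the range check catches a dangerous value even when it arrives from a trusted workstation (a stolen credential or compromised engineering host). Modbus carries no authentication of its own, so this kind of passive inspection at the IT/OT boundary is one of the few places such writes can be seen before the PLC acts on them.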

The attacks in Poland were a near-miss that highlight a clear and present danger. While the immediate crisis was averted, the threat remains. Adversaries are actively probing the defenses of the world's most critical systems, and only a proactive and comprehensive approach to security can ensure the safety of our essential services.


// FAQ

What exactly happened at the Polish water plants?

Attackers gained unauthorized access to the Industrial Control Systems (ICS) at five water treatment plants. This allowed them to potentially alter operational parameters, such as the amount of chemicals used to treat the public water supply. The attacks were detected and stopped before any harm was done.

Was anyone's drinking water contaminated?

No. According to Polish authorities, including the Internal Security Agency (ABW), the attacks were detected and thwarted before the attackers could make any changes that would have impacted public health or the safety of the drinking water.

Who was responsible for these attacks?

The Polish government has not publicly attributed the attacks to any specific group or nation-state. However, the coordinated nature of the attack on five separate facilities suggests a sophisticated and well-organized adversary.

How common are attacks on water treatment facilities?

Attacks on water systems are becoming more frequent globally. Notable past incidents include an attempt to poison the water supply in Oldsmar, Florida, in 2021, and a similar attack on Israel's water infrastructure in 2020. Cybersecurity agencies worldwide regularly issue warnings about these threats.

What is an Industrial Control System (ICS)?

An ICS is a general term for the hardware and software that controls physical industrial processes. In a water plant, this includes systems like Programmable Logic Controllers (PLCs) and SCADA systems that automate pumps, valves, and chemical dosing equipment to ensure the plant operates correctly and safely.
