Water Treatment Plants Targeted by Hackers Using Simple Passwords
Recent cyber incidents have highlighted how vulnerable critical infrastructure can be. In 2025, hackers successfully attacked five water treatment plants in Poland. The breaches were surprisingly simple, involving only default passwords and exposed control systems connected directly to the internet. This shows that basic security mistakes still pose huge risks to public safety and national security.
Details of the Polish Water Plant Attacks
The Polish Internal Security Agency, known as ABW, revealed these breaches this week. It identified five affected small towns: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. The attackers gained access to the industrial control systems, which manage pumps, filters, and chemical dosing. In some cases, they could have altered operational settings, potentially affecting the quality of the water people receive.
The breaches were straightforward: hackers exploited weak passwords that had never been changed from factory defaults. Additionally, control systems were directly accessible via the internet, making it easy for anyone with basic hacking skills to compromise them. This kind of vulnerability isn’t new; cybersecurity advisories have warned about it for over a decade. The agency linked these attacks to “hacktivist groups” associated with foreign governments, particularly Russia, although specific attribution to individual groups was not confirmed.
Broader Threats and Growing Cybersecurity Efforts
Poland has responded by increasing its cybersecurity budget, investing over a billion euros in 2026, up from 600 million in 2024. A significant portion of this funding is dedicated to protecting water systems, among other critical infrastructure. While some European countries lead in defense tech spending, Poland’s per-capita cybersecurity spending now exceeds that of many NATO allies. This reflects a growing recognition of the threats posed not just by espionage but by potential sabotage or disruption.
The attacks on Polish water plants are part of a larger pattern of escalation. Cyberattacks on Poland spiked after its government took a pro-Ukraine stance. In December 2025, a coordinated cyberattack targeted a major energy provider, affecting hundreds of thousands of customers. Security firms linked this assault to Sandworm, a Russian group associated with military intelligence. These incidents show how cyber threats are increasingly sophisticated and persistent.
Despite the rising threat level, the root cause of many breaches remains simple: poor security practices. Leaving default passwords in place and exposing control systems online are common mistakes. In fact, the same vulnerabilities are widespread across the United States. Nearly 70% of US water utilities inspected in 2024 had failed to meet basic cybersecurity standards, including changing default passwords. Such lapses leave critical systems open to attack and can have serious consequences for public health and safety.
In the US, cyber threats are also evolving. State-sponsored groups from China and Iran have targeted water and wastewater systems, trying to gather intelligence or prepare for disruptive attacks. For example, a Chinese group known as Volt Typhoon has compromised multiple US infrastructure networks. Meanwhile, Iranian-affiliated hackers have targeted programmable logic controllers at US water plants. Federal agencies like CISA, NSA, and FBI have issued warnings and advisories, emphasizing the need for better security measures.
Overall, these incidents show that basic cybersecurity practices are more important than ever. Simple steps like changing default passwords, limiting internet exposure, and regularly updating control systems can make a big difference. As threats grow more complex, governments and operators are working to improve defenses, but vulnerabilities remain if foundational security is overlooked.
Both Poland and the US demonstrate that neglecting simple security measures can lead to serious risks. Improving cybersecurity is essential for protecting vital infrastructure and ensuring public safety in an increasingly connected world. The message is clear: basic security practices are the first line of defense against cyber threats targeting critical services like water treatment.











