Full Report
Poland’s domestic intelligence service said attackers breached water treatment facilities in five towns in 2025, in some cases gaining access to industrial control systems that could have disrupted water supplies. In a new public report, the Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego, or ABW) said water treatment stations in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko and Sierakowo…
Analysis Summary
# Incident Report: Multi-Town Water Sector OT Breach - Poland
## Executive Summary
In 2025, attackers breached water treatment facilities in five Polish towns and, in some cases, gained access to their industrial control systems (ICS). According to the ABW, that access carried the capability to alter technical device parameters, which it assessed as a direct risk to the continuity of water supplies. The incident was disclosed in a May 2026 public report by Poland's Internal Security Agency (ABW).
## Incident Details
- **Discovery Date:** Disclosed in the ABW public report (May 2026); when each intrusion was first detected is not stated
- **Incident Date:** Occurred throughout 2025
- **Affected Organizations:** Water treatment stations in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo
- **Sector:** Critical Infrastructure / Water and Wastewater Systems (WWS)
- **Geography:** Poland
## Timeline of Events
### Initial Access
- **Date/Time:** 2025 (Specific dates not disclosed)
- **Vector:** Not disclosed in the public summary. Any inference about remote-access services or internet-exposed ICS components is an assumption, not a finding of the report.
- **Details:** Attackers targeted five specific municipal water facilities across Poland.
### Lateral Movement
- **Details:** In some of the five facilities, attackers moved from their initial entry points into the Operational Technology (OT) environment and reached the Industrial Control Systems (ICS) themselves. The report does not say how many facilities reached this stage or what path was used.
### Data Exfiltration/Impact
- **Impact:** Attackers obtained the ability to modify technical parameters of water treatment devices, which the ABW assessed as a direct risk to the continuity of water supplies. The public summary does not state that parameters were actually changed, that service was interrupted, or that any data was exfiltrated.
### Detection & Response
- **Discovery:** Investigated by the Internal Security Agency (ABW); how and when the intrusions were first detected is not stated.
- **Response Actions:** The ABW investigated and published a summary report covering its 2024-2025 activity, in part to warn critical infrastructure operators.
## Attack Methodology
- **Initial Access:** Not disclosed. Spear-phishing and exposed PLC/HMI interfaces are common entry points in this sector, but the report does not say which, if either, applied here.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Not disclosed. Reaching the device parameters implies some enumeration of the OT environment, but the report gives no detail.
- **Lateral Movement:** Movement from the initial entry points into the OT environment, reported for some but not all of the five facilities; the path taken is not disclosed.
- **Collection:** Not disclosed.
- **Exfiltration:** None reported.
- **Impact:** Capability to alter technical parameters of devices governing water supply. The summary does not state that an alteration was carried out.
## Impact Assessment
- **Financial:** Not disclosed; the operators will at minimum bear incident response and hardening costs.
- **Data Breach:** Not disclosed; the report describes unauthorized system access, not data theft.
- **Operational:** High. The ABW described the access as a direct risk to the continuity of water supplies, although no actual interruption is reported.
- **Reputational:** Not assessed in the report; naming the five towns publicly puts the incidents on the record for those communities.
## Indicators of Compromise
- **Network indicators:** None disclosed in the summary report.
- **File indicators:** None disclosed.
- **Behavioral indicators:** The report publishes none. The behaviour it describes, access to ICS from outside the OT environment and the ability to change device parameters, would show up as write commands to PLCs from hosts or accounts that are not the site's engineering workstations.
## Response Actions
- **Containment measures:** Not disclosed.
- **Eradication steps:** Not disclosed.
- **Recovery actions:** Not disclosed. The ABW's publication of the summary report serves as a warning to other operators rather than as a recovery step for the affected sites.
## Lessons Learned
- **Critical infrastructure as a target:** Municipal water systems remain a target for attackers seeking physical or operational disruption. The ABW summary does not attribute the intrusions or say whether a single actor was behind all five facilities.
- **Regional Vulnerability:** Smaller municipal facilities (like those in Jabłonna Lacka or Małdyty) may have weaker security postures than large-scale national utilities, making them attractive targets.
- **Operational Risk:** Digital access to ICS can translate directly to physical risks regarding water safety and availability.
## Recommendations
- **Network Segmentation:** Separate business IT from OT with a firewall (or, where operations allow, an air gap) that permits only explicitly listed flows, such as historian reads and engineering access through a jump host. A flat network is what turns an IT foothold into ICS access.
- **Access Control:** Require Multi-Factor Authentication (MFA) on every remote access path into ICS/SCADA environments, and remove any direct remote access to PLCs or HMIs that bypasses the jump host.
- **Monitoring:** Deploy OT-aware network monitoring (passive, protocol-decoding sensors on span ports or taps) and alert on write commands to PLCs from unexpected sources and on setpoint changes outside engineering limits, not only on IT-style indicators.
- **Exposure and Patch Management:** Inventory internet-reachable equipment. Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs) should not be reachable from the internet at all; where vendor remote support requires it, broker it through an authenticated VPN or jump host, and patch whatever remains exposed on a fixed schedule.