Why the Blackout Never Happened: Internet Governance Lessons From Poland’s Energy Sector

In late December 2025, Poland experienced what senior officials described as the most serious attempted cyber operation against its energy sector in years. The coordinated attack, conducted on 29–30 December, targeted communication links between electricity generators and grid operators, including one combined heat and power plant and numerous dispersed renewable energy installations such as wind turbines and photovoltaic farms spread across the country. According to the Polish government, the operation was detected and neutralised in real time. No damage was done, no service was disrupted, and no blackout occurred (official statement of the Prime Minister’s Office).

What distinguishes this incident from many other reported cyber events is not only its scale and method but also the degree of public disclosure that followed. Polish authorities characterised the operation as unprecedented, attributed it to likely Russian sabotage, and explained why the defensive response succeeded. As such, the episode offers a rare and valuable case study in critical infrastructure resilience within an increasingly interconnected and decentralised energy system.

A new type of attack aimed at scale

Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski stated publicly that the objective of the attack was to trigger a nationwide blackout. Energy Minister Miłosz Motyka emphasised that the novelty of the operation lay in its simultaneity. For the first time, multiple geographically dispersed assets were targeted at the same moment rather than a single large facility. The attack focused on disrupting communications between operators and generation units rather than causing physical damage.

This approach reflects a broader shift in threat models. Individually, renewable installations often have limited capacity. Collectively, however, they play a growing role in system stability. Poland’s experience mirrors trends observed elsewhere. As energy systems decentralise, systemic risk increasingly emerges at the edges of the network rather than at its core.

While the attack failed, sectoral risk assessments cited in Polish media suggest that a successful disruption of this kind could have affected millions of electricity consumers. Hypothetical scenarios discussed by analysts estimate that a 72-hour nationwide blackout could generate economic losses exceeding 20 billion USD. These figures show why even unsuccessful attempts warrant close attention.

Why the defence worked

From an Internet governance perspective, the most instructive element of the case is not attribution but defence. According to official statements, Poland’s response relied on institutional coordination between energy operators, national cybersecurity structures, and incident response teams. Authorities stressed that detection and response procedures functioned as intended and that operators were able to maintain control over affected systems throughout the incident.

Within weeks of the event, the Government Plenipotentiary for Cybersecurity, working with CSIRT GOV and CSIRT NASK, issued detailed technical recommendations for the energy sector, with particular emphasis on renewable energy operators. The guidance focused on practical operational measures, including:

  • disconnecting operational technology devices and administrative interfaces from the public internet;
  • limiting remote access exclusively to VPN connections with multi-factor authentication and IP allow-listing;
  • enforcing strict network segmentation based on least-privilege principles;
  • eliminating default passwords and shared accounts on IT and OT systems; and
  • maintaining offline backups of system configurations after every change.

Importantly, the recommendations highlighted that while individual renewable installations may be small, coordinated interference with many such assets could have serious consequences for grid stability. This recognition reflects a shift from asset-based protection toward system-wide resilience.
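The five measures above can be checked across a whole fleet rather than one asset at a time. The following is an added illustration, not part of the official guidance or the original article: it audits a constructed inventory and reports what share of fleet capacity each weakness touches. The field names, the "scada" zone label and the use of RFC 1918 ranges as "internal" are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
FLEET = [
    {"site": "wind-01", "mw": 12.0, "mgmt_ip": "10.20.1.5", "vpn": True, "mfa": True,
     "allow_list": ["192.0.2.10/32"], "inbound_zones": {"scada"},
     "accounts": [{"shared": False, "default_pw": False}],
     "last_change": "2026-01-10", "offline_backup": "2026-01-10"},
    {"site": "pv-07", "mw": 3.5, "mgmt_ip": "203.0.113.7", "vpn": False, "mfa": False,
     "allow_list": [], "inbound_zones": {"scada", "office"},
     "accounts": [{"shared": True, "default_pw": True}],
     "last_change": "2026-01-12", "offline_backup": "2025-11-02"},
    {"site": "pv-08", "mw": 4.5, "mgmt_ip": "192.168.8.2", "vpn": True, "mfa": True,
     "allow_list": ["0.0.0.0/0"], "inbound_zones": {"scada"},
     "accounts": [{"shared": False, "default_pw": True}],
     "last_change": "2026-01-05", "offline_backup": "2026-01-05"},
]

def audit_site(s):
    """Return the set of recommendation labels this site violates."""
    findings = set()
    ip = ipaddress.ip_address(s["mgmt_ip"])
    if not any(ip in net for net in RFC1918):   # management interface on a public address
        findings.add("internet-exposed")
    nets = [ipaddress.ip_network(n) for n in s["allow_list"]]
    # VPN + MFA + a non-empty allow-list that does not simply admit everyone (/0)
    if not (s["vpn"] and s["mfa"] and nets and all(n.prefixlen > 0 for n in nets)):
        findings.add("remote-access")
    if s["inbound_zones"] - {"scada"}:          # anything beyond the SCADA zone
        findings.add("segmentation")
    if any(a["shared"] or a["default_pw"] for a in s["accounts"]):
        findings.add("credentials")
    if s["offline_backup"] < s["last_change"]:  # ISO dates sort lexicographically
        findings.add("stale-backup")
    return findings

def fleet_exposure(fleet):
    """Share of total fleet capacity (0..1) affected by each finding."""
    total = sum(s["mw"] for s in fleet)
    mw = defaultdict(float)
    for s in fleet:
        for f in audit_site(s):
            mw[f] += s["mw"]
    return {f: round(v / total, 3) for f, v in mw.items()}

if __name__ == "__main__":
    for s in FLEET:
        print(s["site"], sorted(audit_site(s)))
    print(fleet_exposure(FLEET))
```

Aggregating by capacity shows why a weakness shared by many small sites matters: here two small photovoltaic sites with the same credential problem account for 40% of the sample fleet's output.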

Distributed energy and a shared Internet

The Polish case strongly reflects the principle of “One World, One Internet,” illustrating how disruptions in one sector can reverberate across interconnected systems. Modern energy systems are inseparable from the global internet. Cloud-based management platforms, remote maintenance, software updates, and cross-border supply chains all depend on shared network infrastructure. Attempts to secure critical systems by isolating them entirely from the internet are neither realistic nor desirable.

Instead, the lesson emerging from Poland is one of governed connectivity. Resilience was achieved not by disconnection, but by controlling access, monitoring behaviour, and ensuring that failures in one part of the system did not cascade across others. In this sense, the incident illustrates how openness and security are not mutually exclusive, but must be balanced through governance choices.

Resilience as a shared responsibility

The case also highlights resilience as a global public good. Distributed energy resources, software vendors, cloud providers, and network operators operate across jurisdictions and regulatory regimes. Vulnerabilities in one country’s renewable installations, or in widely used management software, can have spillover effects far beyond national borders. Effective resilience therefore depends on cooperation between states, private operators, and technical communities, including computer emergency response teams and standards bodies.

From an Internet governance standpoint, this raises familiar questions. How should responsibility be allocated across layers of the network? How can norms of interoperability be reconciled with the need to restrict access to sensitive systems? How can lessons from national incidents be translated into shared practices without fragmenting the global Internet?

From incident to insight

Publicly documented cases of failed cyberattacks on critical infrastructure remain rare. Poland’s disclosure, covering the nature of the attack, the absence of damage, and the subsequent defensive measures, offers an opportunity to move beyond abstract discussions of cyber risk. It demonstrates that resilience is not accidental but the product of institutional preparedness, technical discipline, and governance frameworks that recognise the internet as both an enabler and a dependency.

As energy systems become more decentralised and digitally managed, the Polish experience illustrates that resilience hinges less on preventing connectivity and more on governing it effectively. The absence of disruption in this case highlights the role of institutional preparedness and coordinated defence in securing interconnected infrastructure.

By Joanna Kulesza, Law Professor / Lodz Cyber Hub Executive Director
