Polish Water Plants Hit by ICS Breaches, ABW Says

Stephanie Adlam

Poland’s Internal Security Agency, ABW, says hackers compromised industrial control systems at five water treatment plants, including facilities in Jabłonna, Szczytno, Małdyty, Tolkmicko, and Sierakowo [1]. The incidents were described in ABW’s 2024-2025 activity report and first surfaced in English-language security coverage this week [2].

The report matters because this is not a normal website breach. Water utilities run operational technology where a login can map to pumps, valves, chemical dosing, filtration stages, alarms, or supervisory control screens. ABW said the intrusions allowed access to systems used to manage technological processes, and in some cases attackers could change parameters or disable devices [1].

The useful part is the exposure pattern. These attacks are a direct reminder that remote access to OT is not just another admin panel. A weak password, reused credential, exposed HMI, or forgotten remote desktop service can turn into a physical-process incident, even if the attacker never deploys ransomware and never steals customer data.

Older Gridinsoft coverage has tracked the same class of risk in the United States, including a Florida water facility where a hacker changed chemical treatment settings, a Pennsylvania water-system investigation, and a California water treatment plant compromise. The Polish cases show the pattern is still active: exposed control interfaces remain attractive because they offer visible impact with relatively simple access methods.

What operators should check first

The first triage question is whether any OT interface is reachable from outside the utility network. NSA, CISA, FBI, EPA, and allied agencies have repeatedly warned that internet-exposed operational technology, weak or default passwords, and remote-access tools such as VNC or poorly isolated HMIs are common paths into water and wastewater systems [3]. That is the technical gap to close before debating more advanced threat models.

Operators should inventory every externally reachable HMI, PLC gateway, engineering workstation, VPN endpoint, and remote support path. If a control screen can be found from the public internet, it should be treated as an emergency configuration issue, not a routine hardening task. Remote access should require a VPN or other controlled access layer, unique credentials, multi-factor authentication where technically possible, and logging that records both successful and failed access attempts.

The second question is whether the control network can prove what changed. After a suspected ICS login, review alarm history, setpoint changes, scheduled jobs, account creation, firmware or logic updates, and operator workstation process launches. If the environment has no reliable history for those events, the priority becomes containment and manual verification of process settings. In water systems, the absence of visible disruption does not prove the absence of compromise.

The third question is whether IT and OT credentials overlap. A stolen municipal mailbox, reused vendor password, or compromised remote-support account can become the bridge into control systems. Keep separate credentials for IT administration, OT engineering, and vendor support; disable inactive accounts; and remove remote access that only exists for convenience. For small utilities, this is often more realistic than deploying a complex security platform immediately.
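The first two triage questions above can be turned into a mechanical check over whatever access and change history the plant does have. The script below is an added example, not code from the article or from ABW; it assumes a constructed, simplified log layout and an assumed internal address range (10.20.0.0/16) that a real HMI, VPN or jump-host log would first be mapped onto.

```python
import ipaddress

# Constructed sample lines (not real plant data) in a simplified
# "timestamp event user source detail" layout.
SAMPLE_LOG = """\
2026-05-03T01:12:04 LOGIN_OK operator1 10.20.0.15 vnc
2026-05-03T02:40:11 LOGIN_FAIL admin 203.0.113.7 rdp
2026-05-03T02:40:19 LOGIN_FAIL admin 203.0.113.7 rdp
2026-05-03T02:40:31 LOGIN_OK admin 203.0.113.7 rdp
2026-05-03T02:43:02 SETPOINT admin 203.0.113.7 chlorine_dose_mgL:1.2->4.8
2026-05-03T03:10:45 SETPOINT operator1 10.20.0.15 ph_target:7.2->7.3
2026-05-03T09:05:00 SETPOINT operator2 10.20.0.22 pump2_speed:60->65
"""

# Assumed ranges of the utility's own control network; anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)

def parse(line):
    ts, event, user, src, detail = line.split(" ", 4)
    return {"ts": ts, "event": event, "user": user, "src": src, "detail": detail}

def triage(log_text, fail_threshold=2):
    """Return (severity, message) findings for the first two triage questions."""
    findings = []
    fails = {}      # (user, src) -> consecutive failed logins
    sessions = {}   # user -> source address of the last successful login
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            fails[key] = fails.get(key, 0) + 1
        elif e["event"] == "LOGIN_OK":
            # Question 1: is the interface reachable from outside the utility network?
            if not is_internal(e["src"]):
                findings.append(("HIGH", f"{e['user']} reached {e['detail']} from {e['src']}, outside the utility network"))
            if fails.get(key, 0) >= fail_threshold:
                findings.append(("HIGH", f"{e['user']} succeeded after {fails[key]} failed attempts from {e['src']}"))
            fails[key] = 0
            sessions[e["user"]] = e["src"]
        elif e["event"] == "SETPOINT":
            # Question 2: can every process change be tied to a recorded session?
            src = sessions.get(e["user"])
            if src is None:
                findings.append(("HIGH", f"{e['detail']} changed by {e['user']} with no recorded login"))
            elif not is_internal(src):
                findings.append(("CRITICAL", f"{e['detail']} changed by {e['user']} in a session from outside ({src})"))
    return findings
```

A setpoint change with no matching login, as for operator2 in the sample, is exactly the case where the article's advice applies: the history cannot explain the change, so the setting has to be verified manually.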

ABW’s report also places the incidents in a broader threat environment where Polish public institutions, local governments, and critical services face pressure from state-linked and hacktivist activity. The practical takeaway is not to assume that small water facilities are too minor to target. Exposed OT is often targeted because it is visible, fragile, and useful for disruption.

References

  1. Agencja Bezpieczeństwa Wewnętrznego, “ABW 2024-2025: Wybrane aktywności,” report, May 2026.
  2. The Record, “Polish intelligence agency says hackers breached five water treatment plants,” May 2026.
  3. NSA, CISA, FBI, EPA and partners, “Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity,” joint advisory, May 2024.