Poland Says Hackers Breached Water Treatment Plants — and the US Is Facing the Same Threat
In a stark reminder of the vulnerabilities in critical infrastructure, Poland’s intelligence agency has revealed that hackers targeted five water treatment plants across the country. The attackers could have taken control of industrial equipment, raising the alarming possibility of tampering with the water supply itself. These water treatment plant hacks are not an isolated incident — they reflect a global pattern that puts US utilities on high alert.
What Happened in Poland?
Poland’s Internal Security Agency, the nation’s top intelligence body, published a report on Friday detailing two years of security threats. The document confirms that Polish intelligence thwarted multiple sabotage attempts by Russian government spies and hackers. These attacks targeted military facilities, critical infrastructure — including power grids, water supplies, and transportation networks — as well as civilian sites. According to the report, some of these incidents could have resulted in fatalities.
The report did not explicitly name the hackers behind the water treatment plant hacks, but it noted that Russian intelligence services have been behind a string of recent attacks on Polish infrastructure. A previous attempt to bring down Poland’s energy grid was also linked to Russian actors, though that breach was ultimately attributed to poor security controls at the targeted facilities.
Why US Water Utilities Are at Risk
The situation in Poland echoes a troubling reality for the United States. In 2021, a hacker briefly gained access to a water treatment plant in Oldsmar, Florida, and attempted to increase sodium hydroxide levels to dangerous concentrations. Since then, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned repeatedly that water utilities remain a soft target for foreign hackers.
As recently as last month, a joint advisory from CISA, the FBI, the NSA, and other federal agencies warned that Iranian-backed hackers are actively targeting programmable logic controllers (PLCs) — the industrial computers that manage water and energy facilities — at US utilities. The same Iranian group, CyberAv3ngers, previously broke into digital control panels at multiple water treatment plants in Pennsylvania in 2023. These attacks were tied to escalating hostilities in the Middle East.
The Bigger Picture: A Coordinated Threat to Critical Infrastructure
The water treatment plant hacks in Poland are part of a broader strategy. According to Polish intelligence, the Russian government is applying a consistent playbook both in war zones like Ukraine and against Western nations it views as adversaries. The goal, the report states, is to destabilize and weaken the West — using cyberattacks and cyberespionage as key tools in a larger toolkit for Putin’s regime.
This means that water utilities, power grids, and other critical infrastructure are not just targets of opportunity; they are deliberate objectives in a campaign of asymmetric warfare. The attacks on Poland are not unique, and they follow a pattern that security experts have tracked for years.
What Can Be Done to Protect Water Systems?
Strengthening cybersecurity at water utilities is no longer optional — it is an urgent necessity. Experts recommend implementing multi-factor authentication, segmenting industrial control networks from office networks, and conducting regular security audits. Federal agencies like CISA offer free assessments for water utilities, but adoption remains low.
The US government has also introduced new reporting requirements for critical infrastructure operators. However, many small and mid-sized utilities lack the budget and expertise to implement robust defenses. As a result, they remain the weakest link in the chain.
Conclusion: A Wake-Up Call for the West
The water treatment plant hacks in Poland should serve as a wake-up call for every nation with vulnerable infrastructure. The methods used — from phishing emails to direct exploitation of poorly secured PLCs — are well understood. What is missing is the will to act decisively.