The INPOWERD Perspective: Poland Was the Warning. Cyber Governance Is the Real Issue.

Why U.S. Preparedness Must Accelerate

By Earl Shockley, President and CEO, INPOWERD LLC

Why This Matters

Cybersecurity has long been identified as one of the most significant threats to electric reliability. Yet many organizations still treat cyber risk as a technical issue, an IT function, or a compliance exercise that can be managed with minimal staff through policies and periodic assessments.

The recent coordinated cyberattack against Poland’s energy infrastructure proves something far more sobering. This was not primarily a sophistication problem. It was a control governance problem.

The cyberattack was not simply a headline from overseas. It was a clear reminder that operational technology environments remain vulnerable to preventable compromise when foundational controls are weak, informal, or inconsistently executed. The incident provides a real-world case study of how quickly cyber risk can become operational and how reliability exposure often begins with basic control failures.

I am writing about it because these are the same failure patterns I have seen throughout my career, both in real-time reliability and as a NERC regulator evaluating whether entities were truly managing risk or simply passing compliance intervals.

What Happened in Poland

On December 29, 2025, coordinated destructive cyberattacks targeted at least 30 wind and solar facilities, a combined heat and power plant serving nearly half a million customers, and other industrial environments. The attacks affected both IT and operational technology environments. Active Directory domains were compromised. Industrial control systems were accessed. Remote terminal units and protection devices were manipulated.

This was not an extortion event. There was no ransom demand. The intent was disruption and destruction.

Threat actors gained access through vulnerable internet-facing edge devices and were able to penetrate systems supporting multiple energy sites, including renewable generation facilities and industrial control environments. While a widespread blackout was ultimately avoided, the incident disrupted operational visibility, damaged critical components, and demonstrated how cyber intrusions can directly affect the systems that monitor and control real-time grid functions.

Initial access in multiple cases occurred through internet-exposed SSL-VPN gateways without multi-factor authentication enabled. VPN credentials were statically configured. In some instances, passwords were reused across facilities. In others, default credentials remained active. Industrial devices were accessible using factory-default usernames and passwords. Some firmware security features designed to validate secure updates were available but never activated.

The most troubling detail is that secure control features existed on some devices, but they were never enabled. Controls that are available but not activated are functionally nonexistent.

These were not unknown vulnerabilities. They were basic cyber hygiene failures.

When default credentials remain active on field devices, that is not a nation-state breakthrough. That is a governance failure. When multi-factor authentication is not enabled on internet-facing remote access points, that is not a zero-day exploit. That is a preventive control that was never fully implemented.

This is the difference between having controls on paper and operating controls in reality.

The Poland event reinforces a reality the industry cannot ignore. Cyber risk is not abstract, and reliability depends on disciplined execution of preventive controls long before an adversary finds the gaps.

The Lesson Is Not Sophistication

What is most instructive is not simply that an attack occurred, but how predictable the control failures were. When we strip away the technical jargon, the failure modes in Poland were classic internal control weaknesses. Access control failed. Internet-facing devices were reachable without sufficient authentication and governance. Multi-factor controls were either absent or inconsistently enforced. That is not a technology gap. That is a preventive control breakdown.

Network segmentation failed. Once attackers gained entry, lateral movement into OT environments was possible. Segmentation is a structural control designed to limit blast radius. When it is weak or unvalidated, localized compromise becomes systemic exposure.

Monitoring and detection controls were insufficient. Many organizations assume that having a monitoring tool means the control is effective. That assumption is dangerous. Detection is only valuable if it is tuned, tested, monitored continuously, and tied to escalation and response discipline.

Configuration and firmware integrity controls were also weak. Legacy protocols, outdated firmware, and unmanaged edge devices remain common across the industry. Without disciplined configuration governance, drift accumulates quietly until it is exploited.

None of these are exotic failure modes. They are governance and control failures.

A Perspective from Operations and Regulation

From an operator’s perspective, degraded visibility and compromised control systems are not abstract risks. They affect real-time awareness and decision-making. If HMI systems are manipulated, if remote terminal units are reset to factory settings, or if firmware integrity is compromised, the operator’s ability to interpret system conditions is immediately degraded.

From a regulatory perspective, what matters most is whether leadership can demonstrate management-in-control. In my time at NERC, enforcement outcomes often reflected upstream control weaknesses that leadership had not fully recognized. Policies existed. Procedures existed. But the discipline of execution and testing was weak.

The Poland report shows long-term reconnaissance beginning months before the destructive phase. Intrusion activity began as early as March 2025. Credentials were harvested. Active Directory databases were exfiltrated. Privileged access was escalated and maintained. This was patient infiltration that went undetected until destructive actions began.

In reliability operations, you cannot assume that because nothing has happened, nothing is wrong. The Poland incident is simply the cyber version of that same reliability truth. Weak controls do not announce themselves. They accumulate silently until stress exposes them.

Cyber Hygiene Is Still One of the Strongest Defenses

The Poland event is a clear reminder that basic cyber hygiene remains one of the most important defenses against preventable compromise in operational technology environments. Strong access controls, network segmentation, disciplined configuration management, and removal of insecure legacy pathways are not optional technical preferences. They are foundational reliability controls.

In my experience, most failures do not occur because organizations refuse to do the work. They occur because control execution is inconsistent, ownership is unclear, and leaders assume systems are operating effectively without evidence that they are.

Preparedness is not proven by policy. It is proven by control performance.

Five Control Failures Leaders Must Address Now

If there is one lesson from Poland, it is this: basic control failures create systemic risk. Leaders should immediately evaluate their organizations against these five areas.

1. Remote access governance - Internet-facing VPNs without enforced multi-factor authentication are unacceptable in today’s threat environment. Remote access must be tightly controlled, monitored, and regularly validated.

2. Default credential elimination - No operational device should retain factory-default credentials. Credential management must be formal, documented, and periodically audited. If a device can be accessed with default settings, governance has failed.

3. Segmentation between IT and OT - Network segmentation must limit lateral movement. Administrative compromise in IT should not provide unfettered access to operational environments. Segmentation must be validated through testing, not assumed.

4. Configuration and firmware integrity - Secure update features and integrity verification capabilities must be enabled where available. Configuration drift should be detected through disciplined monitoring, not discovered during an incident.

5. Monitoring and escalation discipline - Security monitoring tools are only effective if alerts are tuned, reviewed, and tied to defined escalation protocols. Detection must be tested under simulated compromise conditions. If you have never validated your detection response under stress, you are operating on assumption.

None of these controls are exotic. All of them are governance responsibilities.
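As an added example that is not part of this post or of INPOWERD's material, the five areas above, together with the failure modes described under "The Lesson Is Not Sophistication", are expressed here as automated control checks run over a constructed asset inventory. The asset names, credential values, the default-credential list and the 30-day alert-review threshold are all constructed assumptions, not data from the Poland report.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed default-credential pairs for the check below; a real run would
# take each device model's documented defaults from its vendor manual.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234")}

@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    remote_access: bool = False            # SSL-VPN or similar gateway
    mfa_enforced: bool = False
    credentials: tuple = ("", "")          # (username, password) in service
    firmware_signing: str = "n/a"          # "n/a", "available" or "enabled"
    alerts_reviewed_days_ago: Optional[int] = None   # None: never reviewed

def evaluate(assets, rules):
    """Return sorted (area, asset, finding) tuples; area 1-5 follows the post's list.
    rules are (src_zone, dst_zone, ports) tuples from the IT/OT boundary firewall."""
    findings, by_password = [], {}
    for a in assets:
        if a.internet_facing and a.remote_access and not a.mfa_enforced:
            findings.append((1, a.name, "internet-facing remote access without MFA"))
        if a.credentials in DEFAULT_CREDENTIALS:
            findings.append((2, a.name, "factory-default credentials active"))
        if a.credentials[1]:               # remember which assets share a password
            by_password.setdefault(a.credentials[1], []).append(a.name)
        if a.firmware_signing == "available":   # present but never turned on
            findings.append((4, a.name, "firmware signing available but not enabled"))
        if a.alerts_reviewed_days_ago is None or a.alerts_reviewed_days_ago > 30:
            findings.append((5, a.name, "alerts not reviewed in the last 30 days"))
    for names in by_password.values():     # area 2: reuse across facilities
        if len(names) > 1:
            findings.append((2, "+".join(sorted(names)), "password reused across assets"))
    for src, dst, ports in rules:          # area 3: segmentation must limit lateral movement
        if src == "IT" and dst == "OT" and ports == "any":
            findings.append((3, "IT->OT", "firewall permits unrestricted IT-to-OT traffic"))
    return sorted(findings)

# Constructed inventory modelled on the failure modes described in the post.
SAMPLE_ASSETS = [
    Asset("vpn-gw-siteA", internet_facing=True, remote_access=True,
          credentials=("svc-vpn", "Winter2025"), alerts_reviewed_days_ago=3),
    Asset("vpn-gw-siteB", internet_facing=True, remote_access=True, mfa_enforced=True,
          credentials=("svc-vpn", "Winter2025"), alerts_reviewed_days_ago=3),
    Asset("rtu-wind-07", credentials=("admin", "admin"), firmware_signing="available"),
]
SAMPLE_RULES = [("IT", "OT", "any")]
```

Running `evaluate(SAMPLE_ASSETS, SAMPLE_RULES)` yields one finding in each of the five areas plus the cross-site password reuse, which is the kind of evidence the post asks leadership to hold rather than assume.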

The Regulatory and Reliability Implication

Cyber is a core component of the reliability control environment. Regulators are increasingly evaluating not just whether cyber requirements were met at a point in time, but whether the control environment is sustainable, repeatable, and defensible.

From a former regulator’s perspective, what matters most is management-in-control. Oversight bodies want to see structured programs, defined ownership, documented testing, escalation protocols, and evidence that weaknesses are identified before an adversary does.

After an event, explanations such as “we had a policy,” “the vendor owned that system,” or “we were planning an upgrade” rarely satisfy regulatory expectations. Accountability does not transfer to tools or third parties.

Cybersecurity failures are rarely sudden surprises. They are the result of accumulated drift, informal practices, and insufficient governance focus.

Why U.S. Preparedness Must Accelerate

The U.S. grid is more interconnected and more digitally dependent than ever. Remote access, vendor-managed systems, cloud platforms, virtualization, and distributed resources have expanded the operational control surface. That evolution brings efficiency, but it also introduces new failure modes that cannot be managed through perimeter defenses alone.

Preparedness must include:

• Clear ownership of OT and IT integration risk

• Routine validation of segmentation and access controls

• Formal configuration and firmware governance

• Evidence-based testing of monitoring effectiveness

• Leadership oversight that treats cyber as enterprise risk

Cyber risk is not an IT problem. It is a reliability governance responsibility.

The INPOWERD Perspective

The lesson from Poland is not that cyber threats are increasing or that adversaries are becoming more capable. We already know that. The lesson is that predictable control weaknesses remain exploitable.

In my recent blog discussion of the ERO’s internal controls shift, I argued that sustainable compliance performance depends on disciplined execution and management-in-control. The Poland event demonstrates that cybersecurity resilience depends on the exact same discipline. Different risk category. Same control maturity requirement. The lesson is consistent across domains: reliability performance is a function of governance, not intention.

Reliability in a modern grid depends on disciplined execution of preventive, detective, and corrective controls across digital and physical environments. Leadership must ensure these controls are not assumed to be working, but demonstrably operating as designed.

Preparedness is not proven by technology purchases. It is proven by controlled execution and accountable leadership.

A detailed look at the technical aspects of this event was nicely presented by Patrick Miller in his AMPYX Cyber blog - https://ampyxcyber.com/blog/polands-energy-sector-attack-when-cyber-sabotage-targets-ot

About the Author

Earl Shockley

President and CEO of INPOWERD

earl.shockley@INPOWERD.com

Short Bio

Earl W. Shockley is the President and CEO of INPOWERD LLC and a nationally respected authority on NERC reliability, compliance strategy, and grid-risk governance. With more than 40 years of experience in real-time system operations, regulatory oversight, and enterprise risk management, he brings rare operational and regulatory depth to the challenges facing today’s electric grid. A former NERC executive and certified auditor, Earl has led or supported over 100 compliance and enforcement engagements, including audits, investigations, and major blackout reviews. He now serves as a trusted executive advisor and leadership coach to utility boards, CEOs, COOs, CFOs, CIOs, senior executives, and frontline leaders, helping them strengthen decision-making, clarify accountability, and align governance, culture, and internal controls with reliable outcomes. Through INPOWERD, Earl helps organizations move beyond check-the-box compliance to build resilient, accountable cultures. His leadership approach blends real-world regulatory experience with trust-based leadership, adaptive leadership skills, and emotional intelligence, empowering leaders to manage risk, navigate uncertainty, and protect reliability while strengthening public trust.
