The lights stayed on, but the SCADA systems are toast. Here is why your distributed energy assets are the next target.
It looks like the bad actors didn’t get the memo about taking time off for the holidays. While you were likely arguing with relatives over turkey or trying to ignore work emails, Poland’s power grid was fending off a coordinated assault. In late December, a group known as Electrum (friends of the notorious Sandworm) decided to turn the lights out — or at least, try to. They targeted Distributed Energy Resources (DER) across the country, aiming to wipe operational technology (OT) off the map. The good news? The lights stayed on. The bad news? Approximately 30 facilities had their systems bricked, damaging key equipment beyond repair. This wasn’t a failure on the attacker’s part; it was a warning shot. If you think your infrastructure is safe because you have a firewall and a prayer, you need to pay attention.
Electrum’s Holiday Special: Bricking the Grid
Late December is the perfect time for **shenanigans**. While IT teams were operating on skeleton crews and holiday leftovers, the threat group Electrum — closely linked to the infamous Sandworm and their Greatest Hits album of malware like **Industroyer2** and **CaddyWiper** — launched a coordinated assault on Poland’s grid. According to ESET Research, this wasn’t a script kiddie poking around; it was a targeted campaign using wipers to scrub the brains out of critical infrastructure.
The targets weren’t your grandfather’s massive coal plants. They went after the modern, fragmented edge: Distributed Energy Resources (DER). We are talking about wind farms, solar dispatch systems, and Combined Heat and Power (CHP) facilities. BleepingComputer notes that while official reports confirm 12 affected sites, researchers at Dragos estimate the real count is closer to 30. That is a significant **blast radius**.
Here is the part that grinds my gears. The Polish government called the attack a “failure” because the lights didn’t go out. Reuters reported that while 1.2 GW (about 5% of supply) was affected, the grid stayed stable. But let’s be blunt: if a burglar smashes every window in your house and torches your furniture, but the roof doesn’t collapse, you don’t call that a “win.” The OT equipment was **bricked beyond repair**. The SCADA systems are dead. The hardware has to be physically replaced. That is not a failed attack; that is a distinct, expensive, and terrifyingly successful proof of concept that proves our new, green grid is made of plywood.
The Distributed Disaster: Soft Targets in the Middle of Nowhere
We used to defend the grid like a bank vault: thick concrete, armed guards, and a centralised control room. But the energy transition has turned that architecture inside out. Now, instead of one massive plant, we have thousands of wind turbines and solar farms scattered across rural fields, usually miles from the nearest paved road. This creates a massive, undefendable surface area where physical security consists of a padlock and a prayer.
These Distributed Energy Resources (DERs) are often stuck on cellular connections or Starlink because running fibre to a cornfield isn’t economically viable. This leads to a networking dumpster fire involving Carrier-Grade NAT (CGNAT). Since standard inbound connections don’t work through that mess, integrators create workarounds. They install unmanaged ‘jump boxes’ running TeamViewer or VNC just to keep the lights on without rolling a truck for every minor alert.
This is where the ‘Air Gap’ myth falls apart. As I’ve written in The Distributed Dilemma, that gap isn’t empty space; it’s filled with third-party contractors and insecure remote access tools. The perimeter isn’t just porous; it doesn’t exist.
In the Polish attack, the bad actors didn’t need to crack the encryption on a Programmable Logic Controller (PLC) immediately. They just had to compromise the Windows edge device sitting on that messy network. Once inside the ‘trusted’ zone, they moved laterally with ease. The OT equipment, designed for a world where local traffic was always friendly, accepted the wipe commands without question. We have built a glass house, handed out rocks, and acted surprised when the windows shattered.
Stop Trusting the Wire: A Blueprint for Survival
If you are still relying on a firewall to protect your OT, you are building a castle on a swamp. The breach in Poland demonstrated that once the perimeter is pierced — likely through a compromised Windows box — the bad actors can pivot to the operational technology because the internal network is wide open. We need to stop trusting the physical wire and start trusting cryptography and identity. As discussed in Porous Perimeters and Pro-Russian Pwning, relying on “security by obscurity” or air gaps that don’t actually exist is a recipe for disaster. Here is how you actually fix this mess:
- Kill the VPN: I will say this until I am blue in the face: a VPN is just a long Ethernet cable. It connects networks, not people. If an attacker compromises a contractor’s laptop, the VPN gives them a free ride past your drawbridge and direct access to the soft underbelly of your SCADA network. If they breach the perimeter, they own the network.
- Identity is the New Perimeter: You must move to a Zero Trust architecture. We need to stop authenticating network packets and start authenticating the user. It does not matter if the request comes from inside the building or a coffee shop; if the identity isn’t verified with strong multi-factor authentication (and no, SMS doesn’t count), they don’t get in.
- Segmentation: A wind farm in Gdansk has absolutely no business talking to a control centre server in Warsaw without a visa check. Strict segmentation ensures that if a wiper takes out one site, the blast radius stops there.
- Identity-Aware Proxy: This is the endgame. By using an outbound-only connection to a cloud broker, your infrastructure becomes invisible to scanners like Shodan. If they can’t scan it, they can’t pwn it.
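To make the four points above concrete, here is an added example (my own illustration, not code from the original article or from any vendor) that puts the two access models side by side as policy-decision functions: the legacy "trust the wire" rule, where being on an internal or VPN segment is enough, and an identity-first rule that demands strong MFA (SMS rejected), checks a per-identity grant for the target zone and service, and refuses site-to-site paths so one compromised DER site cannot reach another. The zone names, user identities and grant table are constructed sample data, not real assets.

```python
from dataclasses import dataclass
from enum import Enum


class MfaMethod(Enum):
    NONE = "none"
    SMS = "sms"      # phishable and SIM-swappable: treated as no MFA at all
    TOTP = "totp"
    FIDO2 = "fido2"


STRONG_MFA = {MfaMethod.TOTP, MfaMethod.FIDO2}

# Segments reachable once a client is on the legacy VPN (constructed names).
VPN_INTERNAL_ZONES = {"control-centre", "contractor-vpn",
                      "site-gdansk-wind", "site-poznan-solar"}

# Identity-based grants: (target zone, service) pairs each identity may reach.
# Constructed sample policy; a real deployment would load this from an IdP / policy store.
ROLE_GRANTS = {
    "alice@utility.example": {
        ("control-centre", "hmi-vnc"),
        ("site-gdansk-wind", "hmi-vnc"),
    },
    "bob@contractor.example": {
        ("site-gdansk-wind", "engineering-ws"),
        ("site-poznan-solar", "engineering-ws"),
    },
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa: MfaMethod
    source_zone: str    # network location the connection originates from
    target_zone: str    # OT zone being reached
    service: str        # e.g. "hmi-vnc", "engineering-ws"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate_network_trust(req: AccessRequest) -> Decision:
    """The 'long Ethernet cable' model: being on an internal/VPN segment is enough."""
    if req.source_zone in VPN_INTERNAL_ZONES:
        return Decision(True, "allow: source is on a trusted internal segment")
    return Decision(False, "deny: source is outside the perimeter")


def is_site_to_site(src: str, dst: str) -> bool:
    """Segmentation rule: one DER site never talks directly to another."""
    return src.startswith("site-") and dst.startswith("site-") and src != dst


def evaluate_zero_trust(req: AccessRequest) -> Decision:
    """Identity-first model: the verdict never depends on the source being 'inside'."""
    if req.mfa not in STRONG_MFA:
        return Decision(False, "deny: no strong MFA (SMS does not count)")
    if is_site_to_site(req.source_zone, req.target_zone):
        return Decision(False, "deny: site-to-site path blocked by segmentation")
    if (req.target_zone, req.service) not in ROLE_GRANTS.get(req.user, set()):
        return Decision(False, "deny: identity holds no grant for this zone/service")
    return Decision(True, "allow: verified identity, strong MFA, matching grant")


if __name__ == "__main__":
    # Constructed scenario: a contractor laptop already on the VPN, session reused, no MFA.
    hijacked = AccessRequest("bob@contractor.example", MfaMethod.NONE,
                             "contractor-vpn", "site-gdansk-wind", "engineering-ws")
    print("VPN model:       ", evaluate_network_trust(hijacked))
    print("Zero-trust model:", evaluate_zero_trust(hijacked))
```

Note what the contrast shows: the same request from a compromised laptop on the VPN sails through the network-trust rule and is stopped by the identity rule, while a legitimate operator with a FIDO2 key is allowed from a coffee shop and denied from inside the control centre if she only has SMS. The source zone only matters for the segmentation check, which is exactly the point of "identity is the new perimeter".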
Conclusions
We got lucky with Poland. The attackers managed to destroy the brains of the operation — the SCADA and OT systems — but failed to trip the breakers on a massive scale. Do not mistake this luck for resilience. This incident proves that the distributed nature of modern energy grids creates a massive, porous attack surface that legacy VPNs and firewalls simply cannot cover. The ‘Air Gap’ is a fairy tale we tell ourselves to sleep better at night. It is time to stop trusting the network and start verifying the human. Implement Zero Trust, use an Identity-Aware Proxy, and lock down your access before your own systems get turned into expensive paperweights. Class dismissed.
