What a 2025 cyberattack on Poland's energy system means for Ireland

In summary

  • Over 30 wind and solar farms in Poland lost communications simultaneously, alongside a large CHP plant and an industrial site.
  • The attack targeted shared access and control infrastructure, not electricity production itself.
  • Power generation continued, but operators temporarily lost visibility and remote control.
  • The same weaknesses were repeated across many sites, allowing fleet-wide disruption.
  • Ireland's energy transition is creating similar operating conditions at scale.

Daniel Cagney is an ICS and operational technology security researcher at CyberInnovate, Munster Technological University, studying how Ireland's accelerating digital and energy transitions are changing the cybersecurity risks faced by businesses and critical infrastructure operators.

In December 2025, Poland experienced a coordinated attack against its energy sector. The incident did not cause blackouts and did not destabilise the national grid. Electricity continued to flow.

That outcome, however, should not be mistaken for reassurance.

The official investigation by CERT Polska documents how dozens of renewable energy sites, a major combined heat and power plant, and an industrial company all lost operational visibility and control at the same time.[1] Communications were disrupted, equipment was damaged, and recovery was deliberately delayed. Independent analysis by Dragos shows that this event represents a broader shift in how modern energy systems are being affected as they become more distributed and digitally operated.[2]

This is not a story about malware. It is a story about energy system resilience in a world where generation, demand, and control are increasingly decentralised.

What happened in Poland

On 29 December 2025, coordinated destructive activity affected multiple parts of Poland's energy sector. According to the official CERT Polska report, the attackers focused on grid connection points and the systems used to remotely monitor and manage renewable energy facilities.[3]

At least 30 wind and solar farms were affected. In each case, communication between the facility and the distribution system operator was lost. Generating equipment continued to operate, but operators could no longer monitor or control it remotely. At the same time, a large combined heat and power plant and a manufacturing company were attacked using similar access methods and destructive techniques.

Independent incident response work by Dragos characterises this as the first publicly documented, coordinated attack at scale against distributed energy resources, rather than against central grid infrastructure.[4] Unlike earlier energy-sector incidents that focused on control centres or transmission substations, this operation targeted the distributed edge of the grid: wind farms, solar installations, and the communications infrastructure that connects them.

Once access was obtained, devices were deliberately damaged or reset, credentials were changed, and logs were erased.[5] These actions did not immediately interrupt electricity generation, but they removed operators' ability to see what was happening and slowed safe restoration of normal operations.

Why the grid stayed up — and why that isn't the point

Poland's electricity system remained stable for reasons unrelated to the attack itself. The affected sites represented a limited share of total generation capacity, and the wider system had sufficient inertia and redundancy to absorb the loss of visibility at those locations.

This distinction matters.

Dragos notes that in distributed energy systems, loss of communications does not automatically shut down generation. Assets often continue operating, but operators lose the ability to monitor, coordinate, or safely control them.[6] This explains why electricity continued to flow in Poland while still representing a serious operational incident.

CERT Polska is explicit that, given the level of access achieved, there was a real risk of disrupting electricity generation, even though that outcome did not occur on the day.[7] The absence of outages reflects system conditions, not the absence of vulnerability.

As energy systems become more decentralised, resilience increasingly depends on how thousands of smaller assets are connected, accessed, and managed—not just on the strength of the high-voltage grid.

Why this matters for renewables and data centres

Ireland is moving rapidly toward an energy system built around distributed assets:

  • Wind and solar farms that are unmanned and remotely operated
  • Rapid expansion of microgeneration across homes, farms, and businesses
  • Growth in data centres and other large energy users, often paired with on-site or proximate generation, storage, and flexible connections

Ireland's regulator has already recognised the system impact of this shift. The Commission for Regulation of Utilities (CRU) notes that electricity demand growth driven by large energy users—particularly data centres—has been faster than the delivery of new grid infrastructure and generation capacity.[8]

“The pace at which new electricity demand is being sought by data centres is faster than the pace of network infrastructure delivery and the development of new generation capacity.” — CRU Large Energy Users Connection Policy Decision Paper (Dec 2025)[9]

Dragos highlights that distributed energy resources differ fundamentally from traditional generation. They are more numerous, rely heavily on remote connectivity, and are often developed under tight commercial constraints that prioritise speed and standardisation.[10] These characteristics increase efficiency, but they also mean that the same access methods, devices, and configurations are frequently repeated across many sites.

The Polish incident shows how this repetition creates a new form of risk. A weakness at one location does not stay local; it can be exploited repeatedly across an entire portfolio of assets.

What Ireland should learn now

The most important insight from the 2025 Poland incident is that modern energy systems fail differently than traditional ones.

Dragos characterises the attack as a shift in targeting strategy: rather than attacking a single, heavily defended control point, the attacker exploited the distributed nature of modern grids, where many smaller sites share similar designs and remote access paths.[12] This approach relies on repeatability rather than sophistication.

Ireland's own energy strategies already recognise that delivering renewable power at scale depends on more than generation capacity. The Wind Energy Ireland Strategy 2026–2030 emphasises system integration, operational readiness, and resilience as essential to achieving an “energy independent electrostate.”[13]

The lessons from Poland reinforce this direction:

  1. Shared risk must be treated as shared risk
     If the same access method or configuration exists across many sites, it must be managed at fleet level.

  2. Loss of visibility must be assumed
     Systems should be designed on the expectation that communications will fail, with independent means to assess scope and status.

  3. Recovery is part of resilience
     Deliberate actions to delay restoration were central to the Poland incident. Fast, safe recovery is as important as prevention.

  4. Distributed assets are now central
     Renewables, microgeneration, and LEU-linked infrastructure are no longer peripheral. Their operational integrity matters at national scale.
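
One way to act on lessons 1 and 2, and on the earlier point that a weakness repeated across sites does not stay local, is to triage a loss of visibility at fleet level: find the sites that went silent together, measure the capacity involved, and rank the shared factors that explain the set. This is an added example, not code from the article or the cited reports; the inventory fields, site names, thresholds, and the assumption that last-seen times are recorded on the operator side are all hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample data: site names, device labels, capacities and timestamps
# are hypothetical and are not taken from the CERT Polska or Dragos reports.
INVENTORY = {
    "wind-01":  {"mw": 40, "gateway": "gw-A", "access": "vpn-shared-acct"},
    "wind-02":  {"mw": 35, "gateway": "gw-A", "access": "vpn-shared-acct"},
    "wind-03":  {"mw": 30, "gateway": "gw-B", "access": "vpn-shared-acct"},
    "solar-01": {"mw": 12, "gateway": "gw-B", "access": "vpn-shared-acct"},
    "solar-02": {"mw": 10, "gateway": "gw-A", "access": "vpn-per-site"},
    "solar-03": {"mw": 8,  "gateway": "gw-B", "access": "vpn-per-site"},
}
# Time the operator side last received telemetry from each site (assumed field).
LAST_SEEN = {site: datetime.fromisoformat("2030-01-01T" + t) for site, t in {
    "wind-01": "06:02:10", "wind-02": "06:03:05", "solar-01": "06:04:40",
    "solar-02": "01:15:00",                         # isolated earlier fault
    "wind-03": "06:59:30", "solar-03": "06:59:45",  # still reporting
}.items()}
NOW = datetime.fromisoformat("2030-01-01T07:00:00")

def correlated_loss(last_seen, now, stale_after=timedelta(minutes=10),
                    window=timedelta(minutes=5), min_sites=3):
    """Largest group of stale sites that went silent within `window` of each other."""
    stale = sorted((t, s) for s, t in last_seen.items() if now - t > stale_after)
    best = []
    for i, (start, _) in enumerate(stale):
        cluster = [s for t, s in stale[i:] if t - start <= window]
        if len(cluster) > len(best):
            best = cluster
    return best if len(best) >= min_sites else []

def common_factors(affected, inventory, attrs=("gateway", "access")):
    """Rank shared attribute values by the fraction of affected sites they cover."""
    affected, ranked = set(affected), []
    for attr in attrs:
        for value in {inventory[s][attr] for s in affected}:
            holders = {s for s, d in inventory.items() if d[attr] == value}
            covered = len(holders & affected) / len(affected)
            # Sites with the same factor that are not in the affected set yet.
            ranked.append((covered, attr, value, sorted(holders - affected)))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))

def mw_share(sites, inventory):
    """Fraction of fleet capacity running without operator visibility."""
    total = sum(d["mw"] for d in inventory.values())
    return sum(inventory[s]["mw"] for s in sites) / total

if __name__ == "__main__":
    hit = correlated_loss(LAST_SEEN, NOW)
    print("simultaneous loss:", hit, f"({mw_share(hit, INVENTORY):.0%} of capacity)")
    for covered, attr, value, exposed in common_factors(hit, INVENTORY):
        print(f"{covered:.0%} share {attr}={value}; same factor elsewhere: {exposed}")
```

In the constructed data the three sites that went silent together all use the same access path, and a fourth site that is still reporting shares it, which is the fleet-level finding a per-site view would miss.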

These are not abstract cybersecurity lessons. They are design considerations for how Ireland builds, connects, and governs its future energy system.

Ireland has a narrow window to apply these lessons while its energy transition is still being built.

Notes

  1. CERT Polska (CSIRT NASK), Energy Sector Incident Report — 29 December 2025 (Warsaw: NASK, 2026), sections 2–3.
  2. Dragos, Inc., Analysis of Coordinated Destructive Activity Targeting Polish Energy Infrastructure (Hanover, MD: Dragos, 2026), 1–4.
  3. CERT Polska, Energy Sector Incident Report, section 3.
  4. Dragos, Analysis of Coordinated Destructive Activity, 5–7.
  5. CERT Polska, Energy Sector Incident Report, section 4.
  6. Dragos, Analysis of Coordinated Destructive Activity, 8–10.
  7. CERT Polska, Energy Sector Incident Report, section 5.
  8. Commission for Regulation of Utilities (CRU), Large Energy Users Connection Policy: Decision Paper, CRU/2025/236 (Dublin: CRU, December 2025), 12.
  9. CRU, Large Energy Users Connection Policy, 12.
  10. Dragos, Analysis of Coordinated Destructive Activity, 11–13.
  11. CRU, Large Energy Users Connection Policy, 8–11.
  12. Dragos, Analysis of Coordinated Destructive Activity, 14–16.
  13. Wind Energy Ireland, Strategy 2026–2030: Powering Ireland's Energy Independent Electrostate (Dublin: WEI, 2026), 18–22. See also Department of the Environment, Climate and Communications, Powering Prosperity — Ireland's Offshore Wind Industrial Strategy (Dublin: Government of Ireland, 2025).