Polish Agency Reports ICS Breaches at Five Water Treatment Plants
Poland's Computer Security Incident Response Team (CERT Polska) has disclosed a series of intrusion campaigns targeting Industrial Control Systems (ICS) at five municipal water treatment facilities across the country. The threat actors, identified through indicators of compromise shared with the Cybersecurity and Infrastructure Security Agency (CISA), demonstrated capabilities to access SCADA management interfaces and manipulate programmable logic controller (PLC) configurations. CERT Polska's incident report indicates the attackers exploited unpatched VPN appliances and default credentials on operational technology (OT) networks to gain initial access.
The security agency confirmed that compromised systems included Siemens S7-1200 and S7-1500 PLCs, as well as Rockwell Automation CompactLogix controllers running vulnerable firmware versions. Technical analysis revealed the threat actors deployed custom-developed malware specifically designed to interact with ICS protocols, including modified versions of the Havex remote access trojan previously linked to state-sponsored groups. The malware enabled attackers to alter setpoints for chemical dosing systems, modify filtration cycle timings, and disable safety monitoring alerts without triggering industrial safety alarms.
Public water supply integrity remained uncompromised during the period of intrusion, though CERT Polska warned that concurrent manipulation of multiple treatment parameters could have produced hazardous water quality conditions. The agency has issued emergency directives requiring affected water utilities to reset all PLC configurations, implement network segmentation between IT and OT environments, and deploy industrial-grade intrusion detection systems. This incident follows a pattern of increased targeting of water sector infrastructure by advanced persistent threat (APT) groups, with CISA noting similar intrusions affecting utilities in the United States, Germany, and Australia over the past eighteen months.
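One way to act on the concurrent-manipulation warning and the intrusion-detection directive above, as an added example that is not from CERT Polska's report: a Python check that flags a plant when dosing setpoints, filtration timings, or alarm settings change within the same short window. The audit-log format, plant names, tag names, category names, and the 15-minute window are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a PLC write-audit log (format and names are assumptions):
# ISO timestamp, plant, change category, tag written
SAMPLE_LOG = """\
2024-03-02T01:10:00 plant-a dosing_setpoint CL2_DOSE_SP
2024-03-02T01:12:30 plant-a alarm_disable CL2_HIGH_ALM
2024-03-02T01:14:10 plant-a filtration_timing BACKWASH_T
2024-03-02T09:00:00 plant-b dosing_setpoint CL2_DOSE_SP
2024-03-02T13:45:00 plant-b filtration_timing BACKWASH_T
"""

def parse(log_text):
    """Yield (time, plant, category, tag) per line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]

def find_concurrent_changes(log_text, window=timedelta(minutes=15), min_categories=2):
    """Alert when one plant sees several change categories inside one window."""
    by_plant = defaultdict(list)
    for ts, plant, category, tag in parse(log_text):
        by_plant[plant].append((ts, category, tag))
    alerts = []
    for plant, events in sorted(by_plant.items()):
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            group = [e for e in events[i:] if e[0] - start <= window]
            categories = sorted({c for _, c, _ in group})
            if len(categories) >= min_categories:
                alerts.append({
                    "plant": plant,
                    "start": start.isoformat(),
                    "categories": categories,
                    # A disabled alarm next to a parameter change is the riskiest mix.
                    "severity": "high" if "alarm_disable" in categories else "medium",
                })
                i += len(group)  # do not re-alert on the same burst
            else:
                i += 1
    return alerts
```

On the constructed log, only plant-a is flagged, because plant-b's two changes are hours apart and look like routine, separate adjustments.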