
CISA warns US energy sector after Poland cyberattacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity alert for the US energy sector following a series of destructive cyberattacks on energy infrastructure in Poland. The alert calls on operators to review default passwords and strengthen protections on internet-connected devices after the December incident exposed vulnerabilities in operational technology and control systems.
The incident in Poland occurred on 29 December 2025, when multiple facilities, including more than 30 wind and solar power installations, a combined heat and power plant, and a manufacturing site, were targeted in coordinated malicious activity, according to an analysis by Poland’s Computer Emergency Response Team (CERT-PL). The attackers gained access to internet-connected edge devices such as firewalls, virtual private network (VPN) gateways, and other systems with default or weak credentials.

Once inside the network, attackers deployed destructive malware that corrupted firmware on remote terminal units (RTUs), erased data on human-machine interfaces (HMIs), and wiped data from corporate IT systems, the alert states. These actions disrupted the ability of operators to monitor and control critical infrastructure, although power production at the affected renewable energy sites reportedly continued during the incident.

In its notice, CISA highlighted that internet-facing edge devices remain a primary target for threat actors. These devices link internal control systems to broader networks and can provide an entry point for attackers when left with default or reused login credentials and weak authentication protections. The advisory urged organisations to replace end-of-life equipment and enforce password changes for all devices.

The guidance also pointed to the risk posed by operational technology that lacks firmware verification. In some cases, devices without mechanisms to validate firmware integrity can be permanently damaged by malicious code or corrupt configuration changes. CISA recommended operators prioritise updates that support firmware verification where possible and ensure that incident response plans account for potential OT failures.

The Polish CERT analysis attributed the incident to a deliberate and disruptive campaign aligned with broader geopolitical tensions, though no major outages were reported at the time. The use of default credentials to gain initial access underlined the continuing risk of basic security oversights in critical infrastructure environments.

In its alert, CISA encouraged US energy firms and other critical infrastructure operators to review the technical findings from CERT-PL and integrate recommended security measures into their operations. These include enforcing multifactor authentication where feasible, reducing network exposure for OT and industrial control systems, and removing unsupported or vulnerable hardware from service.

The agency has recently focused on reducing risks from unsecured network equipment. In a separate directive issued to federal agencies, CISA ordered the removal of unsupported edge devices from government systems, reflecting a broader push to close common attack paths exploited in recent incidents.

The alert forms part of ongoing guidance from US security authorities aimed at strengthening protections across energy, manufacturing, and other sectors that rely on interconnected operational technology. CISA’s notice serves as a reminder of the importance of basic cybersecurity hygiene, including changing default passwords and enforcing secure configuration standards for all internet-connected devices.