When 'Keeping Them Out' Fails: Rethinking Critical Infrastructure Security After Poland

On December 29, 2025, almost exactly ten years after Russian hackers blacked out 250,000 Ukrainians in the first cyberattack known to have taken down a power grid, the same threat group appears to have struck again. This time, the target was Poland.
The attack deployed DynoWiper, a destructive malware designed to erase critical systems and cause cascading failures across Poland's energy generation infrastructure. The targets included heat-and-power plants and systems managing electricity from renewable sources like wind turbines and solar farms. According to reporting by Kim Zetter, if the attack had succeeded, it could have cut power to 500,000 people.
It didn't succeed. Polish defenders caught it in time. But the attack, attributed with medium confidence to Sandworm (the GRU unit behind the Ukraine grid attacks), represents an unprecedented escalation in disruptive cyber operations against NATO-member critical infrastructure.
The question every critical infrastructure operator should be asking isn't whether their defenses would have caught it. It's what happens when they don't.
The Bet You're Making Every Day
If your security strategy depends primarily on keeping attackers out of your environment, you're making an implicit bet: that your perimeter defenses will work 100% of the time, against 100% of threats, forever.
The math on that bet has never been worse.
In 2024, roughly 70% of all cyberattacks targeted critical infrastructure. Cyberattacks on utilities specifically increased 70% year-over-year, with Check Point Research documenting 1,162 attacks on the sector. Two-thirds of energy, oil, and utilities organizations experienced ransomware attacks. The North American Electric Reliability Corporation warns that vulnerable points on the electrical grid are growing by approximately 60 per day.
Nation-state actors are no longer occasional threats. They have become persistent adversaries with effectively unlimited resources. Chinese cyber espionage operations increased 150% in 2024. Iranian-affiliated attacks spiked 133% during periods of geopolitical tension. Russian groups like Sandworm have spent a decade perfecting their tradecraft against energy infrastructure.
Even a perimeter that stops 99.9% of attempts (an optimistic assumption) lets attacks through at this volume. And when one gets through, the consequences for critical infrastructure aren't measured in data breach notifications. They're measured in blackouts, service disruptions, and threats to public safety.
The OT Reality: Systems That Can't Secure Themselves
The challenge is compounded by a fundamental truth about operational technology environments: much of our critical infrastructure was never designed to be defended against sophisticated cyber threats.
Walk through any power plant, water treatment facility, or manufacturing floor, and you'll find programmable logic controllers running software from the 1990s. SCADA systems that predate modern identity management. Industrial control systems with hardcoded credentials that can't be changed without replacing the hardware. Operating systems so old that patches simply don't exist.
These aren't signs of negligence. They're artifacts of a reasonable assumption that turned out to be wrong: that physical isolation would provide adequate security. The air gap was supposed to keep operational technology safe.
But the air gap is largely a myth now. IT/OT convergence has connected industrial systems to corporate networks and, through them, to the internet. Remote access for vendors and maintenance has punched holes through previously isolated environments. Supply chain dependencies mean that even "isolated" systems receive updates and configurations from connected sources.
The Poland attack targeted exactly these kinds of systems: energy generation infrastructure where legacy equipment, long operational lifecycles, and minimal maintenance windows make traditional security approaches impractical. You can't install endpoint agents on a PLC that doesn't support them. You can't patch a control system that would require a plant shutdown to update. You can't physically re-segment a flat OT network without redesigning infrastructure that's been operational for decades.
And yet these are precisely the systems that adversaries are now targeting with destructive malware.
What Happens After "In"
The traditional security model treats the perimeter as the critical boundary. Inside is trusted; outside is untrusted. Tremendous resources go toward preventing unauthorized access. But once that boundary is crossed (and it will be crossed), what then?
The post-breach reality is where critical infrastructure attacks become catastrophic.
When ransomware hit Colonial Pipeline in 2021, the attackers didn't need to understand pipeline operations. They compromised IT systems, and the company shut down the pipeline themselves out of an abundance of caution, causing fuel shortages across the southeastern United States. The lack of segmentation between IT and OT environments meant that a breach in one domain created unacceptable risk in the other.
When Sandworm attacked Ukraine's power grid in 2015, stolen credentials allowed the attackers to hop between systems freely. The flat network architecture, common in OT environments, meant there were no internal boundaries to slow their movement. Once inside, they had access to everything.
The lesson from these incidents isn't that perimeter defenses failed. It's that perimeter defenses were the only defenses. When they were bypassed, nothing remained to contain the damage.
Architecting for the Inevitable
A different security model starts from a different assumption: breaches will happen. The goal isn't to make them impossible; it's to make them survivable.
This is the core premise of Zero Trust architecture, and it's particularly relevant for critical infrastructure. Rather than treating the network perimeter as the security boundary, Zero Trust creates boundaries around individual assets, applications, and data flows. Every access request is verified. Every connection is authenticated. Every lateral movement is controlled.
Think of it like watertight compartments in a ship. A hull breach in one compartment doesn't sink the vessel because the damage is contained. The ship continues to function. The same principle applies to network architecture: even if attackers breach one area, they cannot freely access others.
For OT environments, this approach has specific implications.
Microsegmentation creates logical boundaries within flat networks without requiring physical redesign. Critical assets (SCADA servers, historian databases, engineering workstations) can be isolated into protected zones where only explicitly authorized traffic is permitted. An attacker who compromises a corporate workstation doesn't automatically gain access to industrial control systems.
Identity-based policies replace network-address-based rules. Rather than managing thousands of firewall rules keyed to IP addresses that say nothing about what a device is or who is behind it, access is governed by who is requesting it, what device they're using, and what they're trying to do. This is both more secure and more manageable, particularly in environments where network topology wasn't designed with security in mind.
Overlay architectures apply modern security controls to legacy infrastructure without requiring replacement. A PLC that can't run security software can still be protected by placing a security gateway in front of it, creating a Zero Trust boundary around assets that can't protect themselves. The boundary only holds if the gateway sits on every path to the asset; a vendor's remote-access line or a serial link that bypasses it is a second perimeter that needs the same treatment.
The result is an environment where breaches are contained by design. An attacker who gets past the perimeter finds themselves in a compartment, not a flat network. Moving laterally requires defeating additional controls at every step. The blast radius of any single compromise is limited.
The Regulatory and Threat Convergence
The case for this architectural shift isn't just theoretical. It's being driven by converging pressures from regulators and threat actors alike.
On the regulatory front, Zero Trust is moving from best practice to baseline expectation. NIST Special Publication 800-207 established the framework. The Department of Defense has mandated Zero Trust adoption across its networks and is extending requirements to the defense industrial base. NERC CIP standards continue to evolve, with new requirements around segmentation and access control. The European Union (under NIS2) and individual countries like Switzerland are implementing mandatory incident reporting for critical infrastructure operators.
On the threat front, the Poland attack is a warning shot. State-sponsored actors are no longer just conducting espionage; they're pre-positioning for disruption. The House Committee on Homeland Security's 2025 Cyber Threat Snapshot noted that Chinese cyber actors maintained access for months within U.S. utility networks, apparently establishing persistent footholds that could be leveraged during a future geopolitical crisis.
The gap between where most critical infrastructure security stands today and where it needs to be is significant. Legacy architectures, flat networks, perimeter-centric defenses, and systems that can't be patched or modified remain the norm. The threat environment has evolved; the defensive posture largely hasn't.
The Path Forward
Implementing Zero Trust in critical infrastructure environments isn't a single project. It's a strategic shift that can be executed incrementally. The most successful implementations follow a phased approach:
Start with critical assets. Not everything needs to be protected equally. Identify the systems where a breach would have the most severe consequences (safety systems, primary control systems, historian databases) and focus initial segmentation efforts there.
Use what you know. Even if you don't know the gory details, you probably have an idea of who should be talking to a PLC. Microsegmentation tools can expose the gaps in that picture by observing actual traffic, and can automate the drafting of allow policies from what they see. Understanding which systems communicate with which, and why, is the foundation for designing effective controls.
Deploy in detection mode first. Before enforcing new access policies, monitor what would be blocked. This reveals dependencies and legitimate traffic patterns that might not be documented, allowing policies to be refined before they impact operations. The observation window should span a full operational cycle, since infrequent but legitimate flows (a quarterly firmware push, a failover test) will not appear in a week's baseline.
Extend incrementally. Once critical assets are protected, expand the segmentation boundary outward. Each phase improves the security posture while the previous phases continue providing protection.
This approach respects the operational realities of critical infrastructure: limited maintenance windows, zero tolerance for unplanned downtime, and the presence of legacy systems that can't be modified. Security improves immediately with initial deployments and compounds over time as coverage expands.
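The boundary described in the previous section (an allowlist keyed on asset identity rather than address, default deny, enforced by a gateway in front of assets that cannot protect themselves) and the phased rollout above can be sketched in a few dozen lines. What follows is an added example written for this page, not code from the article's author or from any product. The inventory, zones, services and flow records are constructed; a real deployment would take identity from an asset inventory or passive discovery rather than a hard-coded table, and would enforce at the gateway rather than in a script.

```python
"""Identity-based microsegmentation policy engine for an OT zone.

Added example; not code from the original article or from any vendor's
product.  Every asset, address, zone, service and flow below is constructed
for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Asset inventory: an asset's identity is (role, zone). IP addresses are only
# lookup keys here; no policy rule below refers to an address.
INVENTORY = {
    "10.1.5.20":  ("eng-workstation",  "ot-engineering"),
    "10.1.9.7":   ("scada-server",     "ot-control"),
    "10.1.9.30":  ("historian",        "ot-control"),
    "10.2.0.41":  ("plc",              "ot-process"),
    "10.2.0.42":  ("plc",              "ot-process"),
    "10.50.3.15": ("corp-workstation", "corporate"),
}

# Allowlist keyed on identity: (src role, dst role, service) -> justification.
# Anything not listed is denied, so this list is the whole boundary.
POLICY = {
    ("scada-server",    "plc",       "tcp/502"):  "SCADA polling the PLC over Modbus/TCP",
    ("eng-workstation", "plc",       "tcp/502"):  "engineering changes from the OT engineering zone",
    ("scada-server",    "historian", "tcp/5432"): "process data written to the historian",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    service: str  # "proto/port" on the destination


@dataclass(frozen=True)
class Decision:
    flow: Flow
    action: str  # allow | block | would-block | unscoped
    reason: str


def evaluate(flow, protected_roles, mode="monitor"):
    """Decide one flow under the current phase.

    protected_roles: destination roles whose inbound traffic is under policy
        in this phase (start with critical assets, widen the set later).
    mode: "monitor" reports what enforcement would do without blocking;
        "enforce" blocks.
    """
    dst = INVENTORY.get(flow.dst_ip)
    if dst is None or dst[0] not in protected_roles:
        # Outside this phase: passes through unexamined, exactly as today.
        return Decision(flow, "unscoped", "destination not protected in this phase")
    dst_role = dst[0]
    src = INVENTORY.get(flow.src_ip)
    if src is None:
        why = "source not in inventory (unmanaged device)"
    else:
        reason = POLICY.get((src[0], dst_role, flow.service))
        if reason:
            return Decision(flow, "allow", reason)
        why = f"no rule for {src[0]} -> {dst_role} on {flow.service}"
    # Default deny. In monitor mode the denial is recorded, not applied.
    return Decision(flow, "block" if mode == "enforce" else "would-block", why)


def run(flows, protected_roles, mode="monitor"):
    return [evaluate(f, protected_roles, mode) for f in flows]


def gap_report(decisions):
    """Group would-block flows by identity tuple. In monitor mode this is the
    review list: each entry is either an undocumented legitimate dependency
    that needs a rule, or traffic that should never have existed."""
    gaps = Counter()
    for d in decisions:
        if d.action == "would-block":
            src_role = INVENTORY.get(d.flow.src_ip, ("UNKNOWN", ""))[0]
            gaps[(src_role, INVENTORY[d.flow.dst_ip][0], d.flow.service)] += 1
    return dict(gaps)


# Constructed flow records, as a flow collector might export them.
SAMPLE_FLOWS = [
    Flow("10.1.9.7",   "10.2.0.41", "tcp/502"),   # SCADA -> PLC
    Flow("10.1.9.7",   "10.2.0.42", "tcp/502"),   # SCADA -> second PLC
    Flow("10.1.5.20",  "10.2.0.41", "tcp/502"),   # engineer -> PLC
    Flow("10.50.3.15", "10.2.0.41", "tcp/502"),   # corporate laptop -> PLC
    Flow("10.50.3.15", "10.2.0.41", "tcp/3389"),  # same laptop, trying RDP
    Flow("10.9.9.9",   "10.2.0.42", "tcp/502"),   # device nobody inventoried
    Flow("10.1.9.7",   "10.1.9.30", "tcp/5432"),  # SCADA -> historian
    Flow("10.1.5.20",  "10.1.9.30", "tcp/5432"),  # engineer -> historian
    Flow("10.50.3.15", "10.1.9.30", "tcp/5432"),  # corporate -> historian
]

if __name__ == "__main__":
    # Phase 1: protect only the PLCs, and observe before enforcing.
    phase1 = run(SAMPLE_FLOWS, {"plc"}, "monitor")
    for d in phase1:
        print(f"{d.action:11} {d.flow.src_ip:>11} -> {d.flow.dst_ip} {d.flow.service:9} {d.reason}")
    print("gaps to review:", gap_report(phase1))
    # Phase 2: PLCs and historian, now enforcing.
    phase2 = run(SAMPLE_FLOWS, {"plc", "historian"}, "enforce")
    print("blocked in phase 2:", sum(d.action == "block" for d in phase2))
```

Run as a script, phase 1 prints every decision in monitor mode and then the gap report: the corporate workstation reaching a PLC on Modbus and RDP, and an un-inventoried device on the process network, are exactly the flows a defender wants to see before the first blocking rule goes live. Phase 2 widens the protected set to the historian and switches to enforce; the engineer-to-historian flow is blocked there, which is the moment to decide whether it is a legitimate dependency missing from the policy or lateral movement that should stay blocked.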
Before the Next Attack
The Poland attack was stopped. The defenders did their jobs. But it was also a proof of concept: a demonstration that state-sponsored actors are willing and able to deploy destructive malware against NATO-member energy infrastructure.
The next attack might target different systems in a different country. It might use different malware with different capabilities. It might not be caught in time.
Critical infrastructure operators have a choice. They can continue betting that their perimeter defenses will work 100% of the time, against adversaries with nation-state resources and years of experience targeting exactly these environments. Or they can architect for the reality that breaches will happen, and ensure that when they do, the damage is contained.
The question isn't whether Zero Trust is needed for critical infrastructure. It's how quickly it can be implemented.
The threat actors aren't waiting. Neither should you.
