
When a cyberattack hits an energy facility, most people instinctively ask the same question: Who did it?
During recent attacks against Poland’s energy sector—targeting more than 30 wind and solar farms, a manufacturing firm, and a combined heat and power plant serving nearly half a million people—the suspected culprit appears to be a Russian-linked threat cluster known as Static Tundra, also associated with groups like Berserk Bear and Energetic Bear.
But once the geopolitical finger-pointing fades, a more practical question emerges.
How did these systems become vulnerable in the first place?
Because the uncomfortable truth is that modern infrastructure isn’t usually destroyed by brilliant hackers. It’s usually undermined by weak security practices and complacency.
This is a story about more than cyberwarfare.
The Incentives Problem in Critical Infrastructure
At first glance, the attack sounds sophisticated. Malware called DynoWiper was deployed to destroy files and disrupt industrial systems. Attackers moved laterally through networks, accessed cloud accounts, and targeted operational technology tied to power infrastructure.
But look closer at the technical details revealed by Poland’s national cybersecurity agency.
The attackers gained access using:
- Default credentials
- Accounts without two-factor authentication
- Outdated firmware
- Exposed management interfaces
- Vulnerable VPN gateways
These are not cutting-edge weaknesses.
They are basic security failures.
And they point directly to a deeper systemic issue: the incentives surrounding infrastructure security often reward speed and cost-cutting more than resilience.
Energy companies face pressure to:
- Deploy systems quickly
- Keep operational costs low
- Maintain uninterrupted service
- Integrate new renewable technologies rapidly
Security upgrades rarely generate revenue.
But they do generate expenses.
So the incentive quietly shifts toward minimum compliance rather than maximum resilience.
The result? A system where the weakest link isn’t the hacker—it’s the economic structure surrounding security decisions.
The Truth About Modern Cyber-warfare
The attackers attempted destructive actions that could have been catastrophic:
- damaging firmware on industrial controllers
- deleting system files
- deploying data-wiping malware
- disrupting energy distribution communication
Yet in this case, the attacks failed to achieve their ultimate goals.
Electricity production continued.
Heat supply to hundreds of thousands of customers was not interrupted.
That’s important.
It suggests that despite vulnerabilities, redundancy and operational safeguards still worked.
But it also highlights something else: attackers are increasingly targeting operational technology (OT) systems directly.
These systems control:
- substations
- grid connections
- industrial control systems
- SCADA networks
And historically, many of them were designed decades ago, long before internet connectivity was considered a security risk.
Which means modern cyber threats are colliding with legacy infrastructure never built for this environment.
What We Should be Focusing On
Many headlines frame stories like this as a geopolitical battle between governments.
But the deeper issue isn’t international politics.
It’s institutional behavior.
Critical infrastructure operators often rely on a patchwork of vendors, legacy systems, and third-party contractors.
That complexity produces blind spots.
In this case, investigators discovered vulnerable equipment from multiple manufacturers, including:
- remote terminal units
- industrial relays
- human-machine interfaces
- serial device servers
Some were running default credentials straight from the factory.
Others were sitting behind outdated firewall firmware.
None of these weaknesses required elite hacking techniques.
They required time and patience.
And adversaries—especially state-backed ones—have plenty of both.
The Case for Centralized Security Standards (Steel-Man Argument)
To be fair, many cybersecurity experts argue that incidents like this prove the need for stronger centralized regulation.
Their reasoning is straightforward.
If private operators fail to maintain adequate security standards, governments must impose stricter rules.
Supporters of this view argue that:
- infrastructure security is a national security issue
- companies may cut corners under market pressure
- uniform regulations ensure minimum safety standards
From this perspective, expanding government cybersecurity oversight seems like common sense.
And in certain areas—like nuclear safety or aviation—centralized regulation has clearly prevented disasters.
So the argument deserves serious consideration.
The Quiet Strength of Redundancy
There is one encouraging lesson from Poland’s experience.
Despite multiple attacks and destructive malware attempts, the energy grid kept running.
Why?
Because critical infrastructure—at least in many parts of Europe—still relies on layered operational safeguards.
Systems are designed with:
- manual overrides
- isolated control networks
- redundant equipment
- operational fallback procedures
These design principles are old-fashioned, but they work.
They reflect a timeless engineering philosophy: never trust a single point of failure.
Ironically, the same philosophy that kept analog systems stable for generations may now be what protects them from modern cyber threats.
The Bigger Picture: Infrastructure in the Age of Cyber Conflict
The Poland incident is part of a larger pattern.
Energy infrastructure has increasingly become a battlefield in cyber conflicts.
Over the past decade, attacks have targeted:
- Ukrainian power grids
- European energy companies
- pipeline networks
- industrial manufacturers
The goal is rarely immediate destruction.
More often, attackers aim to:
- test vulnerabilities
- gather intelligence
- position themselves for future disruption
Cyberwarfare isn’t just about pulling the trigger.
It’s about quiet preparation.
And that makes infrastructure security a long-term challenge, not a one-time fix.
What Actually Works
If there’s one lesson from this episode, it’s that cybersecurity isn’t primarily a technology problem.
It’s an incentives problem.
The systems that protect power grids, hospitals, water utilities, and transportation networks must reward the behaviors that make them resilient.
That means:
- treating security maintenance as essential infrastructure investment
- eliminating default credentials and weak authentication practices
- aggressively patching vulnerable devices
- designing industrial systems with segmentation and isolation
- holding vendors accountable for insecure defaults
Most importantly, organizations must understand a simple truth.
If your system connects to the internet, it will eventually be targeted.
The question isn’t whether attackers will try.
The question is whether defenders are prepared.
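The five entry points listed earlier (default credentials, accounts without two-factor authentication, outdated firmware, exposed management interfaces, vulnerable VPN gateways) can all be checked against an operator's own asset inventory. The following is an added example, not from the original article or from Poland's cybersecurity agency: it scores a constructed inventory for those findings and orders the assets for remediation. The record fields, device names, firmware versions and weights are assumptions.

```python
# Audit a constructed asset inventory for the five entry points named in the article.
# Field names, devices, versions and weights are assumptions for illustration.

def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Weight per finding (assumed values, tune to your own risk model).
WEIGHTS = {"default-credentials": 5, "no-two-factor": 3,
           "outdated-firmware": 3, "vulnerable-vpn-gateway": 4}

def audit(asset):
    """Return (findings, score) for one inventory record."""
    findings = []
    if asset["default_creds"]:
        findings.append("default-credentials")
    if asset["remote_login"] and not asset["mfa"]:
        findings.append("no-two-factor")
    if parse_version(asset["firmware"]) < parse_version(asset["patched_in"]):
        # An unpatched VPN gateway is its own item in the article's list.
        findings.append("vulnerable-vpn-gateway" if asset["kind"] == "vpn_gateway"
                        else "outdated-firmware")
    score = sum(WEIGHTS[f] for f in findings)
    if asset["mgmt_exposed"]:
        # Exposure makes every other weakness reachable: double the score, plus 2.
        findings.append("exposed-management-interface")
        score = score * 2 + 2
    return findings, score

def remediation_order(inventory):
    """Assets with at least one finding, highest score first."""
    results = [(a["name"], *audit(a)) for a in inventory]
    return sorted((r for r in results if r[1]), key=lambda r: -r[2])

# Constructed sample inventory (not data from the incident).
INVENTORY = [
    {"name": "rtu-windfarm-07", "kind": "rtu", "default_creds": True, "remote_login": False,
     "mfa": False, "firmware": "2.9.3", "patched_in": "2.10.0", "mgmt_exposed": False},
    {"name": "vpn-edge-01", "kind": "vpn_gateway", "default_creds": False, "remote_login": True,
     "mfa": False, "firmware": "7.0.4", "patched_in": "7.0.12", "mgmt_exposed": True},
    {"name": "hmi-chp-02", "kind": "hmi", "default_creds": False, "remote_login": True,
     "mfa": True, "firmware": "4.1.0", "patched_in": "4.1.0", "mgmt_exposed": False},
]

if __name__ == "__main__":
    for name, findings, score in remediation_order(INVENTORY):
        print(f"{score:3d}  {name}: {', '.join(findings)}")
```

Comparing firmware as parsed tuples matters here: as plain strings, "2.9.3" sorts after "2.10.0" and the outdated RTU would pass the check.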
The Smarter Path Forward
Strong infrastructure doesn’t come from panic or bureaucracy.
It comes from clear responsibility and disciplined engineering.
Energy systems should be built around a few core principles:
- local accountability for operational security
- incentives that reward proactive defense
- redundant systems that prevent single points of failure
- continuous improvement rather than static compliance
Cyber threats aren’t going away.
But resilient societies don’t depend on perfect defenses.
They depend on systems designed to keep working even when things go wrong.
And that kind of resilience has always come from the same place:
responsible institutions, practical engineering, and a culture that takes security seriously before disaster strikes.



