Ep 96: Poland’s Power Grid Cyberattack What It Teaches Us About OT Security and Renewable Energy Risks | PrOTect IT All
HomeEpisodes › Episode 96
Episode 96
Episode 96 Solo

Poland’s Power Grid Cyberattack What It Teaches Us About OT Security and Renewable Energy Risks

Mar 9, 2026 00:34:26
OT SecurityCritical InfrastructureRisk ManagementNetwork SecurityRansomware

Watch This Episode

What happens when attackers target the systems that keep the lights on?

In this episode of Protect It All, host Aaron Crow breaks down the December 2025 cyberattack on Poland’s energy infrastructure, where coordinated attackers disrupted wind farms, solar installations, and heat and power plants - impacting nearly half a million people.

This real-world incident highlights the growing risks facing distributed energy resources (DER) and modern power grids. As energy systems become more connected and decentralized, the attack surface expands - often faster than security programs can adapt.

Aaron walks through what actually went wrong: default passwords, unpatched devices, and weak network segmentation that allowed attackers to brick OT equipment and blind operators to what was happening in their own systems.

You’ll learn:

For engineers, operators, and cybersecurity leaders responsible for critical infrastructure, this episode delivers practical insights on defending modern energy systems before attackers strike again.

Tune in to understand what Poland’s grid attack reveals about the future of OT security - only on Protect It All.

Key Moments: 

04:57 "Corrupted Firmware Disables System Control"

10:01 DER Risks and Scaling Threats

10:55 Risks of Expanding Energy Grids

16:30 OT Security Vulnerabilities and Risks

18:34 Prioritize OT Security Systems

23:06 Change Default Passwords Immediately

24:49 "Critical ICS Security Measures"

30:15 "OT Cyber-Physical Response Plan"

32:56 "Critical Security Steps for Resilience"

Connect With Aaron Crow:

Learn more about PrOTect IT All:

 

To be a guest or suggest a guest/episode, please email us at [email protected]

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Chapters

04:57Corrupted Firmware Disables System Control
10:01DER Risks and Scaling Threats
10:55Risks of Expanding Energy Grids
16:30OT Security Vulnerabilities and Risks
18:34Prioritize OT Security Systems
23:06Change Default Passwords Immediately
24:49Critical ICS Security Measures
30:15OT Cyber-Physical Response Plan
32:56Critical Security Steps for Resilience
Read the full transcript

Aaron Crow (0:1.358): Hi everyone. Welcome back to Protect It All. I'm your host, Crowe. Today, another solo episode. I wanted to dig into something I think every single OT person in OT security needs to be paying attention to. On December 29th, 2025, which is what, two days before New Year's Eve, in a coordinated attack

Aaron Crow (0:28.654): there was in the middle of the night, there was a coordinated attack that hit Poland's energy grid. We're talking 30 wind farms, solar installations, heat and power plants impacting, you know, what half a million people. It bricked RTUs and corrupted firmware and HMI data was destroyed. And this wasn't some, you know,

Aaron Crow (0:56.694): Script Kitty. This wasn't just a kid messing around. This was sophisticated, deliberate and destructive operation. Obviously, this is not, you know, US. This is not, you know, NERC SIP. But the tactics of vulnerabilities, the types of assets that were hit are the same types that would be no matter what the country is, whether it's the US, whether it is

Aaron Crow (1:27.062): It doesn't matter, right? The power, the capabilities, the systems themselves are the same, really across the board. So every country, every sector, know, even CESA says, you know, they put an alert February 10th, essentially telling US critical infrastructure operators to pay attention because this could happen here. So let's break it down. What happened in Poland? Kind of a tack timeline. So basically,

Aaron Crow (1:55.819): What happened on December 29th, 2025 coordinated attacks hit the Polish cyberspace across multiple sectors. The primary targets were more than 30 renewable energy farms. How many of those do we have? been to those types of places and they are not physical security like you would have at a nuclear plant. It's completely different. But those renewable energy farms think wind and solar.

Aaron Crow (2:23.138): along with major combined heat and power plant that serves nearly half a million customers, private manufacturing company, CERT, Polska, Poland's computer emergency response team, CERT, published a detailed incident report on January 30th, and they compared the attack to deliberate arson. That's what it said in their report.

Aaron Crow (2:49.666): The attackers targeted power substations, the grid connection points, like substations outside of power utilities where they generate it from transmission and distribution, et cetera. And these grid connection points, you've got all the OT equipment, RTUs, relays, SEL equipment, like whatever the make and model, I'm not sure, but the local HMIs for visualizing operational status, protection relays, serial ports.

Aaron Crow (3:17.734): modems, routers, network switches, like all the things that are at a distribution center or distribution system, substation, etc. Once they were in, they conducted reconnaissance, they mapped out network devices themselves that they had access to, and then they prepared their destructive actions. They damaged firmware controllers, deleted system files, launched custom-built wiper

Aaron Crow (3:47.138): Malware, Sir Polska identified two primary wipers, DynaWiper and LazyWiper. And interesting detail that they say that it's, they suspect that the LazyWiper's core wiping functionality was developed using large language model, which is as we've talked about with AI and the risks of it adversaries are, know, bad guys are using AI as well.

Aaron Crow (4:16.790): We know this is going to be the case. They're going to have these devices, but they can even learn on the fly. So they can say, hey, we're seeing this thing. can use the use AI to help them move faster and, and, you know, live off the land. The specific devices compromised. I don't want to dive into exact specifics of things, but again, all the types of things, IDs, RTUs, know, serial port servers, HMIs.

Aaron Crow (4:43.810): domain controllers, network switches, like all the different things. The attackers used automated targeting, shared configurations. They're really going after these things. They factory reset firewalls and Moxa devices, and they changed IP addresses and passwords, and they changed firewall rules, and they overrope disks and deleted files. They were just causing havoc on absolutely every system they could get into. They uploaded corrupted firmware and RTUs that caused

Aaron Crow (5:13.026): you know, reboot loops, things that were, you had to go repair them, right? They were broke. Let that sink in, like field irreparable. You can't even fix these things on site because they are in this loop. You're gonna have to replace these devices. And we know supply chain is an issue with a lot of these types of things. It's not something you can just go to Best Buy or Walmart or something simple, or even your vendors that own these things, may not have them.

Aaron Crow (5:42.774): especially if you think about this at scale, right? If this happens, how long will it take you to get that device, get it in a technician's hand, get it to site, get it replaced, et cetera? How much is that going to impact downtime? So here's the critical outcome, right? It's the power, the power didn't go out. The renewable energy systems continued producing electricity, but the operators lost ability to see and control the systems.

Aaron Crow (6:10.606): CESA said it clearly, the malicious activity caused loss of view and control between facilities and distribution system operators. They destroyed the data on HMI's, they corrupted system firmware and OT devices. The system operator could not control or monitor them according to their intended design. So what happens in those situations? And I've been in those, not from a cyber attack, but even if it's just...

Aaron Crow (6:34.658): Hey, a system goes down, the network goes down, whatever, the operator's not going to continue running those things. They are going to safely shut those things down because they can't control them. If I can't control it, then I can't allow it to continue running because it could cause problems. It could break things. It could hurt people. Right. So I want to pause here because I know some people read that and think, well, you know, the power state on what's the big deal? Right. I think most of us probably that are listening to this can see the difference, but maybe if not, right.

Aaron Crow (7:5.018): But that's the wrong takeaway. You cannot run a power system you can't see your control. Even in renewables, like obviously, you know, a nuclear power plant, everybody would understand like if I can't control the reaction, I have to shut it down. But it's going to be the same for any of these things because I have to be able to control you know, the grid that it's a bigger system than just that one side. It's not just the solar panel that's on your house.

Aaron Crow (7:31.018): It's tied into the grid. So we're dealing with phase and all these very complex things. I don't even fully understand. And I've been in this industry for a long time and I probably understand it better than many laymen and better in this space. So all this to say, you can't respond to fonts, can't faults, you can't balance loads, you can't coordinate with the distribution system, you can't ramp up, you can't wrap down. All these are risky.

Aaron Crow (8:0.866): So you can't continue to run. That's not the system work. That's that they got lucky. They didn't tip over the right domino that caused it to fail. So who's behind this? Attribution, right? So who did this? Poland's prime minister pointed to Russia. Serpulska attributed the attack to a threat cluster they call static tundra, which also tracked as berserker bear, dragonfly, and ghost blizzard. And all of those are linked to Russian FSB.

Aaron Crow (8:32.034): Dragos assess with moderate confidence that the activity aligns with their electrum threat group which overlaps with sandworm a GRU linked operation And he set also connected it to sandworm. So it appears It looks like it's in the Russian intelligence agency responsibility FSB GRU, etc For most of us defending these environments. It doesn't really matter. I mean was it a nation-state who which nation-state it was

Aaron Crow (9:0.782): It's more about that it was a state level capability. It was coordinated, it was destructive, and it targeted the types of systems that we're responsible for protecting and maintaining. Every power grid on the planet has this exact same type of system. So if they can do it there, they can do it here. They can do it in the US, they can do it in Texas, they can do it on the East Coast, they can do it on the West Coast, they can do it Canada, Mexico, you name it, right? It is the same across the board. Sun Tzu art of war, you know,

Aaron Crow (9:29.390): We use our strengths as weaknesses and weaknesses as strengths. The strength is that we use the same types of systems across the globe. That makes us really good at using those systems and protecting them. But it's also, hey, I know if I can test in this space over here, I know I can do that same attack or that same sting elsewhere. That's terrifying. If you really think about that, right? And how can you scale that? How can you use that in other spaces?

Aaron Crow (9:58.683): You know getting into organizations, you know, this is professional. It's scalable it was There's more and more of this you can't just say we've got a firewall or we could air gap this Unfortunately, that's just not the case Now we've seen attacks on power grids before Ukraine in 2015 and 2016 both attributed the same family of threat actors The Poland attack though is

Aaron Crow (10:28.510): fundamentally different because it targets the distributed edge of the grid. Dragos CEO, Rob Lee called this the first major attack against decentralized energy resources, DERs, which is the industry term for wind turbines and solar farms and battery storage and combined heat and power, smaller distributed generating assets, right? The things that are, again, not a big

Aaron Crow (10:55.586): you know, coal fire power plant or large big turbines with, you know, 1800 megawatts or a thousand megawatts or 800 megawatts. These are those smaller, you you drive through West Texas and you see solar farms and you see wind turbines. These are the types of things. There's not the same amount of protections around those things because they have a lower risk. They're below the NERC SIP guidelines on many of those things because it doesn't meet the generating perspective or even the distribution, right? It's not.

Aaron Crow (11:24.344): high enough criticality to meet a lot of those criteria in NERC SIP and even business risks things, because it would take impacting all of those in an organization before it would really impact the system. But that's what you're seeing here is like, if I can do it at one, they could coordinate that thing and go across all the solar plants, all of the wind, all of the batteries. Like that's where this thing scales. And it's where it gets real for everyone. Right. DERs are not going away.

Aaron Crow (11:53.965): Those distribution smaller generated assets, every country is adding more of them. Energy transition is happening. This isn't about, I'm not talking about global warming or any of that type of stuff. It's just a batter of, hey, we're going to put resources and assets in these spaces, more wind, more solar, more distributed assets to connect to the grid. Having a giant nuclear power plant in one place and having to run wires everywhere is not as effective, especially in other countries.

Aaron Crow (12:22.690): where it's easier to put in these smaller locations, these smaller grids, these smaller micro grids even. So these are going to be a bigger and bigger and bigger problem as we do these. And as we start interconnecting all of these things, that it's going to expand on these issues. And unfortunately, in many cases, the same level of cybersecurity investment is not put into those smaller sites as are in large centralized plants.

Aaron Crow (12:52.878): power plants, substations, et cetera. So the point here, Rob Lee made a good point in that. said Poland was actually somewhat fortunate that the DERs make up a smaller portion of its energy portfolio than some other countries. Because if that had happened in the US, Australia, certain parts of Europe, where they're more heavy, it could have been a catastrophic event. Imagine in Texas,

Aaron Crow (13:21.900): when it's a super hot and sunny day and a very large percentage of the grid is using solar and it's a really windy day and they're using wind and this type of thing happens. That's when you start having rolling brownouts and blackouts and then you have to black start or there's all sorts of bigger dominoes that come into that if those assets go down because we've decommissioned so many old fossil fuel type plants.

Aaron Crow (13:49.895): That that are bigger and running so this this can impact those things, right? So think about that for a second if we're adding these distributed assets to grids around the world and accelerating pace and The first major coordinated attack against him just happened. It's not theoretical anymore, right? It's the new attack surface. It's growing every day We're going to we're gonna start seeing more and more of these attacks going after the things that we're not as focused as much on Using AI to get in for things that they don't necessarily know as much about

Aaron Crow (14:21.603): Something else happened in 2025 as well. Like in April of 25, Spain and Portugal experienced the largest power blackout in Europe in two decades. 60 million people lost power. In just five seconds, Spain lost approximately 15 gigawatts of capacity, 60 % of its national electric demand. I remember I was at RSA speaking with a gentleman from Spain. In that moment, he started getting text messages because they didn't have power at home. Traffic lights went dark.

Aaron Crow (14:50.509): Hospitals ran on generators, ATM stopped working, emergency systems were, services were impacted. I think seven people died in Spain from outage related circumstances. And that blackout was not a cyber attack to be clear. Investigators ruled that out. It was caused by a combination of technical factors from generator failures and voltage, all the things. It wasn't a cyber attack.

Aaron Crow (15:18.255): but Spain's relatively weak interconnection with the rest of Europe. All of this to say, this is that collapse analyzing this Poland attack. Imagine, so that wasn't even a cyber attack, but knowing that it's already at risk, knowing that it's an issue, these types of attacks in that space could have an expounding problem. So connect the dots with it, right? So the blackout showed us at modern grids, especially those with

Aaron Crow (15:45.679): you know, a high renewable penetration and limited interconnects are vulnerable to cascading failures, right? There's a reason why everybody gives us a hard time. I'm from Texas. There's a reason why everybody gives us a hard time because Texas is its own grid. Who you guys think you are? You know, we've had problems with our grid. Our grid's not perfect. There's a reason why the US is not one big large grid. It wasn't a mess up, right? There's a reason why we have DC ties to the East Coast, DC ties to the West Coast, DC ties to Mexico.

Aaron Crow (16:15.937): It's to stop a big incident from on the East Coast rolling out and blacking out the entire country, right? It's by design. So we have to think about as we're adding this complexity and adding these risks to our environment and we're putting more dependency upon wind and solar and these smaller things that we're not putting the cyber and monitoring and controls around. This isn't, you know, fear-mongering, right?

Aaron Crow (16:45.443): This is showing with real world examples of things that have happened that can happen and can happen here if we're not careful. Right. So how do they get in? The basics, you know.

Aaron Crow (17:4.617): This part should really like almost frustrate and motivate us, right? So the initial access came from vulnerable internet edge facing devices, specifically exposed firewalls and VPNs. I can't tell you how many, I know I sound like a broken record. How many times I've been to this site and seen this and seen that, right? We have firewalls.

Aaron Crow (17:29.785): They have any any rules or we have a firewall that's on the edge that's allowing access directly to an OT environment. Many of them lacked multi-factor authentication. Many were running unpatched firmware with no vulnerabilities. know, once inside, I just did an episode about east-west monitoring, And we're putting, so many OT sites are putting all of their security around this north-south at that firewall and they're not monitoring when they get past that. So.

Aaron Crow (17:58.895): But then we also have multi-factor lacking multi-factor authentication, unpatched firmware, known vulnerabilities. And those are the things that are providing the south monitoring and protections. Once inside, they're able to pivot. They're using default OT credentials. Like we know these OT spaces are vulnerable. We know we're using default credentials. We know we're not patching our systems. We know we have old antiquated, old technology. We're in Windows XP and older systems in these spaces. These had

Aaron Crow (18:28.855): you know, RTUs and Moxa serial servers with default credentials.

Aaron Crow (18:35.575): attackers exploited default password on internet facing devices to gain gain access to critical OT infrastructure. CESA specifically called that out. Right. Threat actors leveraged default credentials of vulnerability, not limited to specific vendors to pivot onto HMI and RTUs. So look.

Aaron Crow (18:58.841): We've been talking about default credentials. We've been talking about exposed edge servers. We've been talking about multi-factor authentication and segmentation and monitoring, like all of these things we know are a problem in every damn near, excuse my language, every OTSpace that we have, right? We know that if somebody gets in, there's no limitation in what they can do.

Aaron Crow (19:24.547): right we know that they don't we don't have encryption on these these protocols we know that an r two u and appeal see these devices will respond as long as you understand how to speak to it and with a i it's not you don't have to know you could just say hey this is this type of device how do i talk to it what language what protocol what are its common commands how would i tell this p l c to turn on turn off speed up speed down open or close

Aaron Crow (19:50.703): So here we are with state sponsored threat actor walking through the front door because somebody didn't change the default password on a firewall or didn't patch it or didn't update it. And it's basically like just leaving your front door wide open and saying you've got an alarm system that's not armed.

Aaron Crow (20:9.081): So look, I get it. There's reasons this happened. know, nobody's perfect. These are lessons learned. These are not to point out or point fingers and say, you guys are stupid or none of that, right? It's all about what can we learn from this? Like what is the RCA, the root cause analysis to this? How do we make sure this doesn't happen again? These are often remote sites. They're managed by integrators and third parties. Devices were installed years ago. Nobody went back to harden them. There's no dedicated OT security team.

Aaron Crow (20:37.217): I think the engineers are responsible for it. think the IT guys are responsible for it. They think somebody else is responsible for it. Like, you but a lot of times the engineer has many hats like they're, they're, they're responsible for making sure the plant runs, but they're also supposed to be responsible for the security and locking it down and passwords and secure mode access and all these types of things. And it's not their expertise. They're engineers. They're an operator.

Aaron Crow (21:4.857): but we're putting all this expectation because we don't have anybody else to take the baton. Who can do this? Well, the only person there is Bob. OK, Bob, that's your responsibility. But Bob doesn't know how to do it. So he does his best. He gets help from vendors. He gets help from contractors, consultants, whatever. But still, we're not doing it enough. We're not understanding that these things are such big risks. Right. So.

Aaron Crow (21:31.919): Dean Parsa, I just had him on my podcast the other day, right? Understanding the operational reality, but understanding why it happens doesn't excuse it continuing to happen, right? We can't just continue to have these problems knowing that we're not patching, knowing that we have these old systems, knowing that we have vulnerabilities in these spaces, knowing that we're not monitoring on these things, it's not enough. Like we have to start putting more focus in these spaces, especially at a power utility, especially at these types of places. That's the place where the focus should be.

Aaron Crow (22:1.155): Yeah, we're locking down, you know, your laptops and we're locking down the exchange server and the web front end. You need to do all those things. I'm not saying you shouldn't, but how are you not spending as much time or more time or more money, more focus and people resources, people process of technology in these OTSpaces, which are the things that actually run the thing.

Aaron Crow (22:23.315): factor here was poor network segmentation. was lack of passwords. It was lack of updating a system, right? And who owns it? Who's responsible for it, right? And one of the cases that the attackers had long-term data theft going back to March of 2025, nine months of access before the destructive phase.

Aaron Crow (22:44.547): So the good news is they had an EDR system and that EDR system actually blocked wiper malware, right? So the defensive tools worked when they were in place, but at the renewable sites, the wipers executed successfully.

Aaron Crow (23:1.401): So lesson is, is that we're doing some of the right things, but we have to do it everywhere. We can't just pick and choose. You NERC SIP is focused on, you know, medium and high assets. You look at a low asset, a low generating site, which all of these would have been, if even that, there's almost no requirements. There's very minimal requirements at a low site to do very much of anything. And if you're only doing the bare minimum to check the box for compliance, then

Aaron Crow (23:30.049): You would have had none of these controls. You would have had no EDR system whatsoever. You probably aren't monitoring. You have a firewall, but maybe nothing else. You're not required to change your password on some regular thing. You're not required to have MFA. You're not necessarily required to segment your networks, right? You're not doing any of those types of things because you don't have to. Nobody is going to find you if you don't do it.

Aaron Crow (23:59.097): I think this is a showcase of that you do have to, there is going to be financial impact and reputation impact because if a bad actor gets in and shuts these things down, you're going to lose money. There's going to be fines associated with it. There's going to be potentially damage and life lost, both employees and customers and just the public.

Aaron Crow (24:25.337): So CISA's response and kind of the regulatory signal. On February 10th, CISA published a security alert specifically about this event. And they didn't just echo certs, findings, they used this as a kind of a launching point to push several important messages to the US critical infrastructure operators, right? So first, vulnerable edge devices remain a primary target. CISA has now issued a binding operational directive

Aaron Crow (24:53.427): which requires federal agencies to inventory and remove end of support edge devices. That's routers, firewalls, VPN concentrators, et cetera, et cetera, et Whatever those perimeter devices are, because they become the number one entry point for OT attacks, obviously, right? Unless I'm walking somebody in or I have something that's going around that, that's going to be my main focus of attack. So federal agencies have 12 months to comply.

Aaron Crow (25:20.235): And while they technically only apply to federal agencies, they're a signal. When CISA puts out a directive like this, the private sector should be thinking about reading that into, this is where the regulation is heading. Secondly, OT devices without firmware verification capabilities can be permanently damaged.

Aaron Crow (25:46.179): This is what happened in Poland. Attackers uploaded corrupted firmware to the RTUs and those devices became bricks. Worthless. I mean, we've all updated a firmware on a laptop or some devices says don't unplug power. If you upload the wrong thing to it, it's going to brick it. And sometimes not recoverable. Like these could not be recovered in the field. I'm sure you could send it back to the manufacturer and they probably have a workaround. But again, remember we talked about this earlier. The guy in the field is probably not a hardware expert.

Aaron Crow (26:16.035): to be able to do these things, right? So CISIS teleoperators prioritize updates that enable firmware verification. If updates aren't immediately feasible, you need to have an IR plan to account for the possibility that devices may permanently destroyed. What are you going to do if one of your devices in the field is not recoverable and you have to replace it? Are you going to have them on hand? How many are you going to have?

Aaron Crow (26:42.797): Where, are you going to get them into the right space? Are the people trained on them? Like all this type of stuff, right? And lastly, you know, third, you know, change your default passwords. Like everybody, this is, it should be a something I shouldn't even have to talk about, or we shouldn't be talking about, or we shouldn't even be having an issue, but you need to immediately require your integrators, your OT suppliers, everyone to force password changes as part of their deployment process, right? If,

Aaron Crow (27:9.387): your vendor deploys something and it is whatever the password, even if it's a super complex password, whatever they put it in as change it right after they leave or before they leave. Because I promise you they're using that same password everywhere they go. Maybe not all of them, but many of them. I bet there are sites that I could walk into from when I was an asset owner back in the day and probably have a similar password.

Aaron Crow (27:36.751): There's probably been plants that I've been to that the password that's written on the wall that was there 20 years ago, it's probably the same password it's still using. And that's a problem. It's basic hygiene. It's a difference between a bad guy walking in and being able to have full carte blanche and them actually having to fight for it. A lock on my front door does not stop a bad actor from getting in. It's gonna slow them down a little bit though.

Aaron Crow (28:4.871): If they have to pick the lock and I've got a decent lock and I've got two locks and then I've got an alarm and then I've got a dog, all those types of things are just going to slow them down. And then you add monitoring on top of that, then you can potentially respond before it gets bad. They're not in there for six months playing around before they actually do bad things. So UK's National Cybersecurity Center also weighed in.

Aaron Crow (28:34.099): You know, one of the operators of the UK critical national infrastructure said we must not, we must not only take note, but act now. This is becoming the global message that's going out. Everybody's saying the same thing, right? Fundamentals matter, the threat is real, and the time to act is now. It really has been a while back, right? But anyways, the point is, right,

Aaron Crow (29:2.031): We've laid out what happened. You've heard me talk about this. Dean Parsons talked about the SANS five critical controls. What are those five controls? The reason that Dean harped on it so much, I just had an episode not too long ago, so if you haven't listened, go listen to that. But ICS, Specific Incident Response Plan. Do you have a response plan for your system? If this RTU goes down, is that unrecurvable?

Aaron Crow (29:31.713): What are you going to do? Right? Do you have a defensible architecture? Is it segmented? Do you know how to make sure that things are blocked from the outside? I don't have my firewall directly on the internet. Like all these types of things, right? I have ICS aware firewalls. I'm monitoring things. I've got secure remote access. I've got proper vendor access. I've got, you know, limited accounts. My corporate account can't get me into my OT environment. Like all of these things are here. Architecture matters.

Aaron Crow (29:57.867): Even if, even if the bad guy gets in, but he's blocked into this one place, I'm going to more likely notice him before he gets to the next place. He or she, right? ICS network visibility and monitoring. It's a huge one. And I just did an episode about, you know, NERC SIP and how they're doing East West, SIP 15, right? This is a big concern because, you know, these are renewable energy sites that would not have been part of SIP 15. So SIP 15 is a great thing. We're rolling it out medium and higher.

Aaron Crow (30:28.087): this would not have been, we would not have been rolling this out for SIP reasons in these spaces. So we would not have had East-West monitoring in any these spaces. If you have network visibility, packet captures, network monitoring, traffic analysis, you have the ability to detect these things, detect anomalous traffic, right? See when things are happening, when things are being weird. A lot of this stuff, it also gives you asset inventory, understands a lot of the protocols you can actually look at

Aaron Crow (30:57.761): and come back and understand what's going on, potentially monitor and then know what's going on, right? And be able to respond. Control four is secure mode access. I harp on all of these, but secure mode access is a huge one. need, especially because we have less and less folks that we can have in the field. These sites are in remote locations that I'm probably not staffing with a full staff, but I need to be able to manage these things remotely. I have to do that securely.

Aaron Crow (31:27.811): So I have to have multi-factor authentication. need to be monitoring everything that's going on, session recording, know, all of these things. Remote management of these, you know, remote locations is huge. Even when I had big power plants in my, but I had a team, a small team. There's no way I can have a person at every site. had 40 something power plants, I had a team of six. How do we cover that? We have to be able to remotely support them. Well, you have to do that in a secure way.

Aaron Crow (31:59.619): And then, you know, risk-based vulnerability management. We know that this attack came through vulnerabilities and firewalls, not zero days, known patchable vulnerabilities that they didn't patch. And this is an issue at every site I've ever been to because I have more devices than I have people and ability to do it, right? Some of these things on the firewall, turn it on auto.

Aaron Crow (32:28.781): Yeah, I know I said it. Update your firewalls. not, if that is your only, that's your first line of defense, make sure it's the most strong. You know, you're not going to patch your control system every day. At least patch the things that are patchable. Your FortiGate, your, your Palo, your whatever firewall you're running, patch it daily, hourly, as often as possible. Have redundancy. So I can patch one of them, test it, make sure it's working, roll it over to the other one and then patch the second.

Aaron Crow (32:58.003): This is not complex. We've been doing this in IT for decades and we do it without bringing down service. There's no reason we can't do it here. This also gets to one of the conversations that Dean and I had as well. I keep harping on him because it was a couple of weeks ago that we recorded this. But this is where the ties between your OT and your IT organizations are so powerful. Because your IT organization probably has a firewall team. They probably know

Aaron Crow (33:23.925): and our testing firewall tests and patches and updates and can help you with architecture and can help you with support and have the skill set to be able to manage and monitor these types of things. So if you're not using that team, you're missing out. Every single one of these controls is directly related to what happened in Poland. It's not coincidence. It's a reason why we harp on just the basics, the foundations of OT.

Aaron Crow (33:50.019): When I go into most of these places or I'm making recommendations on architecture or how to get a site to the next place, nine times out of 10, it's not AI, it's not super crazy, fancy architecture and technology, it's basic blocking and tackling. Give me an architecture, give me an asset inventory, make sure I'm monitoring, have square mode access, change my passwords. It's not that hard.

Aaron Crow (34:14.255): So if you're listening to this and you're chuckling with me or you're terrified, make sure that you've inventoried at least your edge devices, every firewall, every VPN concentrator, every router on your OT network. Change your passwords, even if they're not default. I've said default a couple of times, change the password now.

Aaron Crow (34:36.675): Just go through them, update them, have them on some regular cadence on absolutely every one of your devices. Yes, it's paying the backside, but it makes a difference. Enable MFA everywhere you can. Obviously you can't necessarily do that on your OT environments, but you should absolutely do that on your Edge. You should absolutely do that in your Secure Mode Access environment. You should absolutely do that everywhere that you can.

Aaron Crow (34:59.991): Review your answer response plan. Make sure that it has specific OT things in it. If I lose this field device and it's permanently destroyed, do the operators know how to run critical processes? This is where that answer response really overlays with it is not a cyber led answer response. Or maybe it is led by them, but it is not a hundred percent all cyber tasks. In these scenario, yes, cyber.

Aaron Crow (35:26.005): initiated the problem, but now I've got physical OT specific equipment that's failed. Most of your cyber incident response plans are not going to have an answer for what happens if I get to an OT system that fails. You're going to have to bridge that with the actual site implementation incident response plan. Disaster recovery, what happens when these devices go out? These sites are really good at recovery, but we have to make sure that we have a combined plan.

Aaron Crow (35:52.697): They're all the parties are at the table talking about all of these risks and how do we get things back? And then you've got to get visibility into your OT network. And it can't just be North South as we're seeing, right? Once they get past that firewall, you've got to have something. Even if it's a Linux box with a hard drive plugged in and a span port going to it, capturing packets, like it doesn't have to be expensive and complex.

Aaron Crow (36:19.723): Raspberry Pi, like any number of things. Yes, I know open source and Raspberry Pi, whatever, but it's better than nothing. But even if I'm monitoring and I'm getting the data, somebody has to look at it. This is where technology isn't always the answer. mean, it is the answer, but I still have to have the people side of this. We talked about process, but we also have to have the people thing. None of this requires millions of dollars, but it is going to have a millions of dollar impact on you if you don't do something. Right. It doesn't have to have

Aaron Crow (36:49.519): cutting edge AI doesn't have to be, this is foundational, it's practical, it's achievable, no matter what your budget level is, the size of your organization, any of that. And it's a difference between being the next headline or being the organization that it was the headline because it was, we stopped this thing. There's a lot of great coverage on this. Dive into Dragos. Thank you, Rob and Dragos team for their annual review.

Aaron Crow (37:18.957): which comes alongside with this Poland attack as well, paints a clear picture, go check those things out. Bad guys are targeting us. They're targeting OT. When I say us, I mean OT. And I don't care what country you're in. If you're a practitioner, if you're a protector, if you're in cybersecurity and you have OT assets, even if you're not the OT guy, you're still protecting these spaces. They're actively mapping control loops or understanding how to manipulate physical processes. AI.

Aaron Crow (37:44.321): labs, eBay, I can get all this stuff. It's going to be more and worse and it's going to happen more and more and more. I'm excited. I should be at S4 this week. I'm sure a lot of us will talk about this this week. This is not going away. We've known it's not going away. Unfortunately, it's just going to get worse. We're at that inflection point where it's creating a new attack services faster than we can defend them. The bad guys are getting more capable and willing to cause physical damage with all the political stuff and

Aaron Crow (38:13.803): and wars and all that, you know, all that is going to drive more and more attention in these types of areas, whether it's in the U S or Canada or overseas Europe, Middle East, whatever. So always come back to this. is doable. OT security is different. It's not harder. those, those basic foundational things, the five critical controls at Sands and, and Dean and I talked about

Aaron Crow (38:41.116): Change passwords, do all those things, right? It is achievable. You don't have to have a massive budget. Maybe you need help. Bring in a consultant, bring in somebody like myself and a million others that are out there that do this and have experience and can help get you very quick, right? Poland's grid survived this, but that's luck, right? It's not something that I want to risk in the future, right? So thank you for listening. Hopefully this resonated with you. Honestly, hopefully this

Aaron Crow (39:9.795): scared the crap out of you. Share it with your CISO. Share it with your plant managers, your engineers. Share it with people that understand the threat landscape, the people that are fighting this fight, that have been screaming this from the mountaintop and can't get the people process and budget to push to this, right? So definitely leave us a review on Apple, YouTube. If you wanna be a guest, reach out. If you're gonna be at S4, come see me, come say hi.

Aaron Crow (39:37.271): This is February of 26th, so it's S426. And y'all stay safe out there and I'll see you down the road.

Transcript lightly edited for readability.

Want your brand in front of OT, IT, AI, and cloud security decision-makers?
PrOTect IT All listeners are the practitioners and leaders making security buying decisions across critical infrastructure.
See Sponsorship Packages →

Never Miss an Episode

Subscribe to PrOTect IT All and stay ahead of the threats targeting critical infrastructure.