The end of 2025 and the beginning of 2026 brought reports in Poland of attempted cyberattacks targeting the energy sector. Among others, combined heat and power plants, district heating networks, and elements related to energy management – including areas associated with renewable energy sources – were identified. Although public statements were not always consistent, the message was clear: security systems worked, and the attempted attacks were successfully repelled.
This is an important signal for all critical infrastructure. A cyberattack does not have to immediately lead to a spectacular blackout to pose a real threat. In practice, all it takes is a disruption in communication, loss of visibility, weakened control, or a problem with access to key systems. For organizations responsible for the continuity of heat and energy supply, this represents an operational, business, and public safety risk all at once.
The heating sector and combined heat and power plants operate at the intersection of industrial infrastructure, automation, OT networks, and traditional IT systems. It is precisely this complexity that makes the environment more difficult to protect. Over the years, many organizations have developed successive layers of technology, integration, and remote maintenance, but these advancements were not always accompanied by equally consistent architectural decisions regarding cybersecurity.
Today, an attacker doesn’t need to take over the entire control system to cause a serious problem. Often, it’s enough to target data exchange channels, telemetry, remote service access, or the interfaces between OT and IT. That’s where vulnerabilities most often arise, and under operational pressure, they can lead to actual operational disruptions.
In practice, three areas remain particularly vulnerable. The first is communication and telemetry—that is, all channels responsible for data transmission and system monitoring. The second is the OT-IT interface, where industrial systems meet office, analytical, or management infrastructure. The third area is remote access, used by service, maintenance, and integration teams.
Each of these elements can become an entry point or a point of incident escalation. Therefore, cybersecurity in district heating should not be treated solely as a matter of protecting a single system. It is a matter of the resilience of the entire operational environment.
The first step should be the segmentation of IT and OT and minimizing the points of contact between these environments as much as possible. The fewer unnecessary connections, the lower the risk of lateral movement and the easier it is to control an incident.
The second pillar consists of strict remote access policies. In practice, this means MFA, a bastion host, strict access controls, and full session logging. In industrial environments, remote access is often necessary, but it should not be left uncontrolled.
The third area is monitoring events in OT, not just in IT. Visibility of logs from the office layer alone is not enough if the organization cannot detect anomalies in the industrial layer. Rapid correlation of alerts and the ability to assess whether an incident affects only a single component or is already impacting operational continuity are critical here.
Disaster scenario testing is also important. The organization should know how it will respond in the event of a loss of connectivity, control degradation, or the need to switch to manual modes of operation. Such exercises reveal whether procedures are realistic or exist only on paper.
Requirements for suppliers and integrators must not be overlooked either. Supply chain security is of paramount importance today, especially in environments where many technical partners and external contractors operate.
We live in a time when scenarios once associated with action movies are becoming a reality. However, critical infrastructure security isn’t built in the moment of an attack. It begins much earlier—in careful architectural decisions, in planning, in network reviews, in access policies, and in operational readiness.
This is precisely why cyber resilience in district heating and combined heat and power plants must be built systematically. Not only after an incident, but before the organization faces a real test of its resilience.
