When Red Lines Cross Blue Lines: Cyber Attacks on Poland’s Water Infrastructure – Part I

by Szymon Skalski, Natosha Hoduski | Mar 2, 2026

While the digital transformation of water treatment plants, distribution networks, and dams has created significant efficiencies, few civilian infrastructure systems link digital control so tightly to physical effects. In water systems, access to control interfaces can allow even minor digital interference to alter chemical dosing, pressure, or flow in ways that can immediately affect water safety or availability. Because these systems operate within narrow safety margins and serve large civilian populations, such interference can quickly escalate from a keyboard input to tangible physical consequences, shrinking the timeline between digital access and a humanitarian crisis to minutes.

This is the first of a two-part post that takes this reality as its starting point. Part I examines when cyber operations against water infrastructure may qualify as attacks under the law of armed conflict and how precautionary obligations apply. Part II turns to questions that follow if an operation is considered an attack: whether water systems can be targeted as lawful military objectives; how the principle of proportionality operates when harm spreads through civilian life; and how the special protections for indispensable objects constrain targeting.

Cyber Attacks on Water Infrastructure

Recent cyber intrusions in Poland demonstrate how readily hostile actors may reach and manipulate water systems, and how quickly online access can produce effects.

In several cases, attackers altered visible operational parameters such as filtration, pumping, or flushing cycles through exposed interfaces and circulated recordings on social media platforms. Polish authorities have also disclosed at least one thwarted attempt in 2025 that, if successful, could have interrupted the water supply to a major city. Although most incidents were brief and did not result in sustained outages, their significance is amplified by Poland’s structural water vulnerability. Despite its temperate climate, Poland’s renewable freshwater resources are among the lowest in Europe, at roughly 1,400 m³ per capita. Additionally, heavy surface water pollution has made the country heavily reliant on groundwater for drinking water. This limited redundancy means that cyber interference, which might appear trivial in other sectors, can leave entire communities in Poland without safe water or expose downstream populations to risks created by manipulated dam operations.

Attribution for the recent intrusions remains contested, and the incidents described here fall outside the scope of armed conflict. They are therefore governed, as a matter of current law, by domestic criminal law and the general rules of international law rather than the law of armed conflict. Still, water systems are a predictable pressure point in modern conflict, and the same access techniques used for performative or exploratory intrusions in peacetime can be repurposed to generate deprivation, contamination, or loss of control during hostilities. For that reason, this post treats international humanitarian law (IHL) as a conditional analytical framework. It does not seek to reclassify Poland’s current experience as war. Rather, it examines the key IHL questions that would arise if similar cyber operations against water infrastructure were carried out with the requisite nexus to an armed conflict.

Water’s Indispensability and Vulnerability

Water occupies an indispensable position in civilian life and State stability. Its loss or contamination causes immediate and far-reaching harm because water sustains not only human life but also hygiene, sanitation, infrastructure, agriculture, and energy production. These interdependencies link it across the entire water–energy–food–ecosystem (WEFE) nexus, meaning that disruption in one area rapidly cascades through others. Unlike electricity or telecommunications, which often have localized backups or alternative supply routes, water networks have little redundancy. This compresses the timeline between interruption and civilian harm, particularly when compared to other critical infrastructure. For example, outages or contamination can lead to dehydration, sanitation collapse, and the spread of disease within days, leaving minimal buffers for mitigation. Water Knowledge Hub (WKH) defines the concept of vulnerability as “the characteristics and circumstances of an individual, community, or system that make it susceptible to the damaging effects of a challenge(s)/hazard(s).”

In the context of hydraulic infrastructure, vulnerability to cyber attacks is shaped by the physical properties of water systems, their digital interconnectivity, and the dependence of human and ecological systems on their continuous operation. WKH identifies four categories of water vulnerability factors: physical; social; economic; and environmental. Cyber manipulation is most legible within the physical factors category, but its effects cascade across all identified domains. Guidance from the World Health Organization sets basic individual needs in emergency contexts at roughly 7.5–15 liters per person per day to cover basic consumption and essential health and hygiene. Unexpected or illegitimate disruption to this minimum has had real-world impacts on populations.

The narrow margin for error in managing these systems is particularly relevant to cyber operations. Minor digital adjustments in chemical dosing, pressure regulation, or gate operation can translate into major civilian harm. Unlike most industrial sectors, water treatment operates within very tight safety tolerances: too little disinfectant allows pathogens to proliferate, while too much produces toxic or carcinogenic by-products or fatalities. The 2021 incident in Oldsmar, Florida, where a hacker briefly increased sodium hydroxide concentrations by a factor of 100 in the municipal water system before operators intervened, illustrates the potential immediacy of harm. Such actions, if undetected, could expose entire populations to poisoning within hours.

Recent Attacks in Poland

Poland is especially vulnerable to disruption, because water substitutability in Poland is particularly low. A recent study indicates that approximately 99.5 percent of the nation’s rivers and 88.5 percent of its lakes are in “bad condition,” leading to groundwater accounting for roughly 70 percent of the country’s drinking water. This dependency on a single water resource creates systemic fragility. If treatment or distribution of groundwater supplies is compromised, there are few alternative pathways for delivering safe water.

Polish water treatment plants and distribution networks rely heavily on industrial control systems and remote telemetry to monitor pressure, chemical levels, and flow. Each digital interface creates a potential attack vector. As Poland increases automation to improve efficiency, it also expands the potential for cascading cyber failures with civilian implications. Dams and reservoirs exemplify this convergence of physical criticality and cyber exposure. Dams perform multiple simultaneous functions, including flood control, hydropower generation, water supply, and navigation. These functions are often governed by digital control systems, which makes dams a distinct cyber vulnerability. Particularly when regulatory systems are compromised, even small manipulations can unleash enormous kinetic energy through improper water regulation or disrupt water distribution at regional scales.

Recent modelling of Poland’s dam infrastructure upstream of Kraków demonstrates how civilian populations could be directly affected by disruptions to hydraulic infrastructure. A 2023 study of the upper Vistula basin simulated the impact that failure of the Goczałkowice, Tresna, and Porąbka dams would have on areas around Kraków. The results showed that floodwaters from dam failures at these sites would reach the city with force comparable to Poland’s largest historical floods, including the catastrophic 1813 flood. Schools, hospitals, and major cultural sites fell within the areas of greatest water depth, illustrating that tampering with Poland’s critical hydraulic infrastructure would likely have devastating impacts on its civilian population.

2024-25 Cyber Attacks

Since early 2024, attackers have repeatedly gained unauthorized access to wastewater and drinking water facilities, including wastewater treatment plants in Wydminy and Kuźnica and potable water treatment stations in Tolkmicko, Małdyty, Sieraków, and Szczytno. These cyber attacks demonstrate the plausibility of interference with real-world hydraulic parameters. They have involved low‑to‑mid‑level compromises of water and wastewater control systems, most often short, show‑off intrusions into Supervisory Control and Data Acquisition/Operational Technology (SCADA/OT) panels where attackers tweak set‑points and boast about it online.

Two event waves stand out. The first comprised the spring–autumn 2024 incidents at wastewater plants in Wydminy (confirmed by Computer Emergency Response Team-Polska as part of a wider campaign) and Kuźnica (with Telegram videos showing reactor parameters). Commentators widely described these events as pro‑Russian propaganda‑style hacks with limited operational effect. The second wave, during winter–summer 2025, targeted potable‑water stations. In January–February 2025, hackers published videos from water treatment stations (stacje uzdatniania wody, SUW) in Tolkmicko, Małdyty and Sieraków, showing filters set to maximum cycles and other parameter abuse, again a risk signal more than a sustained outage.

In May 2025, the city SUW in Szczytno was filmed live while someone changed flushing cycles. Separate footage claimed a small hydro plant was accessed but showed zero generation and limited panel permissions (i.e., spectacle over effect). Polish officials also disclosed a higher‑end attempt. On August 14, 2025, authorities thwarted a cyber attack that could have cut water to a major city, shutting systems “at the last minute,” without naming the city or culprit. Reuters amplified the warning and quoted the Polish Deputy Prime Minister’s claim that Poland blocks ~99% of cyber attacks. Most recently, on September 24, 2025, a video from SUW Jabłonna Lacka (Mazovia) showed access via an “admin” account and manipulation of pump and filter thresholds. Supply was not interrupted, but the clip underlined how little stands between a screen and a spill.

Open‑source evidence points to pro‑Russian hacktivists (and at times better‑resourced actors) using Telegram for bragging rights (a similarly interesting case was that of Denmark). Several compilations include pro-Russian tags and cross‑reference earlier wastewater and SUW clips. Official Polish comments stop short of naming specific advanced persistent threats (APTs) but consistently point to Russia‑aligned activity. The August 2025 city‑water attempt was reported without a formal technical attribution but as being Russia‑linked.

If comparable cyber operations occur in connection with an armed conflict, legal analysis would apply international humanitarian law. IHL does not govern the above-mentioned incidents that occurred in peacetime, but it supplies the controlling framework once the armed conflict and nexus thresholds are met. With that in mind, a cyber operation targeting water facilities raises two legal issues that frame the discussion below. First, does the operation’s expected impact make it an attack governed by IHL’s conduct-of-hostilities rules? Second, is the operation, or the threat of such an operation, unlawfully directed at terrorizing the civilian population instead of pursuing a legitimate military aim?

Attacks on Water Infrastructure

An important first question concerns when a cyber operation on water infrastructure would qualify as an “attack” under IHL. This question is critical because many rules governing the conduct of hostilities apply only to attacks. Additional Protocol I (AP I), Article 49 defines attacks as “acts of violence against the adversary, whether in offence or in defence.” In the cyber context, this definition is understood to include operations expected to cause violent effects, even if the means of the operation are digital. In other words, a cyber operation qualifies as an attack if it is reasonably expected to result in physical harm, for example, death or injury to persons, or physical damage to objects. The method (kinetic weapon or computer code) is legally irrelevant; what matters are the anticipated consequences.

Although the prevailing view is that only cyber operations expected to cause injury or physical destruction count as attacks, the International Committee of the Red Cross and several States (e.g. France and Germany) maintain that a significant loss of functionality in critical infrastructure can also qualify as an attack if it predictably results in serious humanitarian consequences. France’s position, for example, is that a cyber operation is an attack when it causes the targeted system to no longer provide its intended service, even if the effect is temporary or reversible. Germany has likewise stated that physical damage is not required for an operation to be an attack, so long as the disruption to services could imperil civilians on a comparable scale.

A cyber operation against water infrastructure that is likely to cause death, illness, or physical destruction thus meets the definition of an attack. A clear example of using force through cyber means would be manipulating a water treatment system to poison civilians or to trigger mechanical failures. Water systems are uniquely vulnerable to such actions because even minor digital tweaks to dosing, pressure, or flow can produce immediate, violent effects. Tight safety margins in water treatment mean that a slight change can let pathogens through or create toxic levels of chemicals.

Thus, cyber interference with water infrastructure that predictably endangers civilian lives or health, for example, by depriving the civilian population of safe water, meets the definition of an attack under IHL and activates the full range of targeting rules and protections. From a civilian protection standpoint, this approach ensures that IHL safeguards of distinction, proportionality, and precaution apply, compelling attackers to minimize harm to the civilian population.

Prohibition on Spreading Terror

AP I, Article 51(2) prohibits acts or threats of violence if their primary purpose is to spread terror among civilians. This rule reflects customary international law. The International Criminal Tribunal for the former Yugoslavia (ICTY) in the Prosecutor v. Galić case clarified the war crime’s element of intent, which requires that operations were designed mainly to create extreme fear, rather than to gain a military advantage. This rule applies directly to cyber operations targeting water infrastructure with the objective of intimidating, coercing, or destabilizing. For example, threatening to poison a city’s water supply, or infiltrating a water utility system and publicizing the intrusion solely to incite panic, would violate this prohibition. Such cyber tactics are unlawful even if no immediate physical damage ensues, because they weaponize fear itself.

Water is a particularly effective object for terror because the consequences are not confined to inconvenience. A warning that taps may run dry is coercive. A warning that taps may run toxic is destabilizing because it invites civilians to assume the worst while depriving them of clear ways to verify safety in real time. That difference helps explain why the online “brag” dynamic in some of the incidents above is not just atmospherics. When an actor records its access, tweaks visible settings, and posts the footage for an audience, the publicity can be the point. However, it can also supply evidence of specific intent: an operation aimed chiefly at generating fear, rather than producing a concrete military advantage, aligns with what Article 51(2) prohibits. In that sense, cyber operations against water can weaponize uncertainty. They create the impression that a life-sustaining service has become untrustworthy, and that impression can spread faster than any physical effect.

Conclusion

Taken together, our analysis suggests that the water intrusions described above, if carried out with the requisite nexus to armed conflict, would raise serious IHL concerns on two fronts. First, operations that manipulate treatment or control systems in ways that foreseeably endanger civilians fit comfortably within an effects-based understanding of attack under IHL. Second, the practice of recording and broadcasting system access can be legally relevant where it indicates that intimidation, rather than a concrete military advantage, is the dominant purpose, potentially engaging Article 51(2)’s prohibition on acts or threats of violence intended to spread terror among the civilian population. With those threshold issues addressed, further IHL targeting rules become relevant to legal analysis.

Water installations and supply networks are generally civilian objects that cannot be attacked unless they become legitimate military objectives. Part II of this post will examine how the principles of distinction, proportionality, and precautions govern attacks on water infrastructure. It will discuss under what conditions (if any) a water facility may be considered a military objective, and how to balance military necessity against the imperative to safeguard civilians and essential resources.

***

Szymon Skalski is a PhD student at Jagiellonian University in Krakow, where he is preparing his doctoral thesis on tort liability for cyber attacks in Poland, Germany, and the US.

Dr Natosha Hoduski is a scholar of hydropolitics and environmental governance whose work examines how water shapes authority, legitimacy, and statecraft in fragile and conflict-affected environments.

The views expressed are those of the authors, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. Authorship does not indicate affiliation with Articles of War, the Lieber Institute, or the United States Military Academy West Point.

Photo credit: Dan Meyers via Unsplash