International 
Politics 
Local 
Finance 
Sports 
Entertainment 
Lifestyle 
Technology 
Literature 
Science 
Health 
1 week ago
2
Joern Hackbarth, technical executive within the renewable energy sector, responsible for EPC at IPPs of PV and BESS assets in 11 countries.
getty
On December 29, 2025, coordinated cyberattacks struck more than 30 energy-related sites in Poland: wind farms, photovoltaic installations and a combined heat and power plant serving nearly half a million people. Industrial systems were accessed, firmware manipulated and wiper malware deployed, yet no blackout followed.
That reflects one of the core challenges of modern cyber risk: Even when the threat is real, it rarely arrives in a way that conclusively settles the debate.
Poland was not a rumor. Attribution remains debated in public reporting, even as authorities classify it among the most serious attacks on the country’s energy infrastructure in recent years. And so the challenge persists: how to respond to credible signals without overreacting and without dismissing them too easily.
Cyber Risk In The Space Between Proof And Suspicion
Cybersecurity in energy today is not a question of if. Across the industry, organizations are strengthening controls, improving visibility and building resilience, yet the nature of the risk continues to evolve.
In late 2024 and into 2025, concerns circulated around the security of widely deployed power electronics, particularly inverters. Not confirmed breaches, but something harder to manage: credible suspicion without definitive proof.
Reuters reported that some solar inverters had been remotely disabled. Later, U.S. experts identified undocumented communication components in certain made inverters and batteries—devices that could, in principle, bypass expected controls.
Then came the correction. In early 2026, a review found no definitive evidence of intentionally malicious functionality in the equipment examined. Suspicion remained. Certainty did not.
This is where cybersecurity becomes difficult to govern. One cannot justify certainty. One cannot justify dismissal. The space between the two is where decisions are made and where mistakes happen. Consequently, the question presents itself: Are we crying wolf, or have we already allowed the Trojan horse inside?
Regulation, Trust And Strategic Dependency
Looking at Europe, the answer is not uniform. In September 2025, the Czech National Cyber and Information Security Agency (NÚKIB) issued a formal warning of a high cybersecurity threat linked to data transfers and remote administration. The warning explicitly referenced technologies such as inverters used in photovoltaic systems.
The wording was controlled, but the implication was not. Trust, it suggested, is not confined to the device. It extends to the system behind it—legal, political and operational. What appears technical is rarely only technical.
Regulators and policymakers are responding. The EU’s ICT Supply Chain Security Toolbox, adopted in 2026, provides a framework to identify and mitigate risks associated with high-risk suppliers. It does not prohibit. It exposes.
Exposure has a way of forcing decisions that policy alone avoids. Yet even here, policy remains incomplete. There is no universal ban on inverters, only a growing reluctance to treat origin as irrelevant. Policy, in this domain, advances by implication before it commits to action.
And then, there is NIS2, a defining feature of European cybersecurity policy. I see it as comprehensive in ambition, perhaps uneven in execution. NIS2 expands obligations across critical sectors, including energy. It introduces stricter requirements for risk management, incident reporting and governance. These are important steps, but they also reflect a system still in motion.
It also introduces a different kind of uncertainty:
• Who is accountable and at what level?
• Where does compliance begin in a distributed value chain?
• What constitutes failure in practice, not theory?
These questions remain unanswered to ensure executive clarity across member states, which creates a predictable condition: Assets are being financed, built and integrated while the rules governing them are still in motion.
Financial markets have a term for these consequences: mispriced risk. In more severe cases, the result can be a stranded asset.
That tension is difficult to ignore. Poland, for example, demonstrates capability, intent and access, reinforcing that distributed energy systems are neither peripheral nor insulated from cyber risk.
There is also uncertainty. Supply chain concerns are raised, investigated and partially resolved without ever reaching a stable conclusion. Policy signals are clear in direction but inconsistent in enforceability. Organizations continue to connect systems, expand dependencies and optimize operations while implicitly accepting that they do not fully understand the conditions under which those systems might fail.
When Efficiency Becomes Exposure
The analogy of crying wolf explains fatigue. The analogy of the Trojan horse explains something else: consent. The Trojan horse was not ignored. It was examined, accepted and integrated.
Remote access is efficient. Interoperability is necessary. Supply chains continue to consolidate because, operationally and economically, they often must. Each decision is rational on its own. Together, however, they create systems that may not need to be breached directly; they only need to function as designed and in concert.
In the early development of the internet, security was deferred. Connectivity came first, while trust was assumed. Architecture was built for openness. By the time adversarial use became unavoidable, the structure was already in place. The response was not redesign, but compensation: layers of security added to systems never intended to bear them. Entire industries emerged to manage the consequences of early assumptions that could not be reversed.
We are approaching a similar threshold. Only now, the systems are more consequential and less forgiving. Distributed infrastructure, embedded systems and artificial intelligence do not correct weak assumptions. They operationalize them. AI, for example, scales input rather than questioning it.
Closing Thoughts
The conditions being set now—what is trusted, what is integrated and what is left unexamined—will not remain contained. They will propagate, silently and efficiently, through systems that increasingly make decisions without pause.
The question, then, is no longer whether we are crying wolf. It is whether we are building systems that will recognize the horse when it arrives, and respond deliberately. Because once a system learns to trust without question, it does not hesitate. A system that trusts without consideration does not fail. It complies.
In the systems we are building now, trust is no longer a passive assumption. It needs to be a strategic decision.
The views and opinions expressed in this article are the personal views of the author and do not necessarily reflect the official position or views of Wento, its shareholders or business partners.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
English (US)