
The Password Nobody Changed

A Russian-linked group took down part of the Polish power grid by exploiting a single vulnerability: default credentials on an internet-exposed remote terminal unit.

Not a zero-day. Not a sophisticated multi-stage supply chain attack. A password that nobody changed.

The device itself was capable hardware — a high-end modular RTU supporting modern protocols, used in critical substation automation. By every technical measure, it was the right tool for the job. And it got owned because the organization assumed the perimeter was doing its job.

It was not.

Default credentials remain one of the most exploited vulnerabilities in OT environments

The Perimeter Assumption Is Gone

For twenty years, the standard OT security model relied on one core assumption: if it is behind the firewall, it is protected. Segment the network. Keep OT off the internet. Trust the boundary.

That model has been eroding for years. Remote access requirements punched holes in it. IT/OT convergence blurred the boundaries. Cloud connectivity created new paths. Maintenance windows opened temporary doors that stayed open.

The result: thousands of ICS and OT devices that were never designed to be internet-facing are now directly reachable from the public internet. RTUs. PLCs. HMIs. Building automation controllers. Grid management systems.

And many of them are still running on default credentials.

Default Credentials Are a Structural Problem

It is tempting to frame this as a configuration failure — somebody forgot to change the password. But that is not what is actually happening.

In OT environments, devices get deployed by operations teams under schedule pressure. They get integrated into control systems that cannot tolerate disruption. Once they are running, the calculus around touching them changes. If the device is doing its job, the case for a potentially disruptive credential rotation is a hard sell.

So default credentials persist. Not because people are careless. Because the system was not designed to make changing them easy, and the operational incentive to do it never quite outweighed the risk of the change itself.

Nation-state actors know this. They scan for it. They catalog it. And when the moment comes, they use it.

The Attack Surface You Cannot See

The deeper problem is visibility. Most organizations do not have a complete picture of which OT devices are reachable from outside. The firewall rule says one thing. The actual traffic says another.

Dual-sensor correlation — monitoring both what comes in from outside and what moves laterally inside — shows you the gap. Not just “we blocked X at the perimeter” but “here is what is actually traversing your network, from where, to what.” When an internet-exposed device starts receiving traffic it should not, you know. When it starts talking to systems inside the OT zone in unexpected ways, you know that too.

The gap between what organizations think their exposure is and what it actually is tends to be significant. Egress monitoring alone is eye-opening for most environments.

You Cannot Patch Your Way Out of This

Credential hygiene matters. Patching matters. Reducing internet exposure matters. These are the right long-term actions and nobody should stop doing them.

But in the meantime, the devices are out there. They are running processes that cannot stop. The credential rotation will not happen this quarter. The network redesign is not funded.

The question is not how to build it right from the start; ENISA just published a playbook on that, and they are correct. The question is what to do about the infrastructure running right now, with the configuration it has today.

The answer is enforcement that does not require the device to be fixed first. Transparent deployment — no agents, no network redesign, no downtime — that sits in the traffic path and controls what can reach what, regardless of what credentials the device is running.

You do not wait for the password to be changed. You control who can even attempt the connection.
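As an added example (not PacketViper's code, and not from the incident described here), the following script shows both ideas from the last two sections on constructed data: it correlates a perimeter sensor feed with an OT-zone tap to find the gap between declared and actual internet exposure, and then applies a default-deny reach policy in the traffic path so that an undeclared source is dropped before it ever gets to the device's login prompt. All addresses, the RTU and SCADA master names, the flow records, the baseline and the policy rules are constructed assumptions for the example.

```python
"""Dual-sensor correlation plus in-path reach control over constructed flow records.

Added example, not PacketViper code. Two constructed sensor feeds:
  PERIMETER - flows seen at the internet edge (what comes in from outside)
  INTERNAL  - flows seen on a tap inside the OT zone (what moves laterally)
DECLARED_EXPOSURE is what the firewall rules *say* is internet-reachable;
REACH_POLICY is the allow-only policy an in-path enforcement point applies.
"""
import ipaddress
from collections import Counter

OT_ZONE = ipaddress.ip_network("10.10.0.0/16")   # constructed OT address space
RTU = "10.10.5.20"                               # constructed substation RTU
SCADA = "10.10.1.10"                             # constructed SCADA master

# What the rule set claims: only the VPN gateway is exposed to the internet.
DECLARED_EXPOSURE = {("10.0.0.5", 443)}

# Constructed perimeter sensor records: (src, dst, dport, proto)
PERIMETER = [
    ("203.0.113.7", "10.0.0.5", 443, "tcp"),   # expected: VPN gateway
    ("198.51.100.9", RTU, 502, "tcp"),         # Modbus/TCP straight from the internet
    ("198.51.100.9", RTU, 80, "tcp"),          # device web UI from the internet
    ("203.0.113.44", RTU, 502, "tcp"),
]

# Constructed internal sensor records: (src, dst, dport, proto)
INTERNAL = [
    (RTU, SCADA, 502, "tcp"),             # RTU <-> SCADA master: normal
    (RTU, "10.10.1.11", 445, "tcp"),      # RTU -> engineering workstation over SMB: not normal
    (SCADA, RTU, 502, "tcp"),
]

# Per-host baseline of (dst, dport) pairs an OT device is known to talk to.
BASELINE = {RTU: {(SCADA, 502)}}

# Allow-only reach policy: (source network, destination host, allowed ports).
# Anything unmatched is dropped before the handshake completes, so the device's
# credentials, default or not, never come into play for that source.
REACH_POLICY = [
    ("10.10.1.0/24", RTU, {502}),     # SCADA/engineering subnet may speak Modbus to the RTU
    ("10.0.0.5/32", RTU, {443}),      # VPN gateway may reach the RTU management port
    ("10.10.5.0/24", SCADA, {502}),   # substation subnet may report to the SCADA master
]


def exposure_gap(perimeter, declared):
    """(dst, dport) pairs actually reached from the internet but declared nowhere."""
    seen = {(dst, dport) for _src, dst, dport, _proto in perimeter}
    return seen - declared


def unexpected_lateral(internal, exposed_hosts, baseline, zone):
    """Flows from an internet-exposed host into the OT zone that are off its baseline."""
    alerts = []
    for src, dst, dport, proto in internal:
        if src not in exposed_hosts or ipaddress.ip_address(dst) not in zone:
            continue
        if (dst, dport) in baseline.get(src, set()):
            continue
        alerts.append({"src": src, "dst": dst, "dport": dport, "proto": proto})
    return alerts


def correlate(perimeter=PERIMETER, internal=INTERNAL, declared=DECLARED_EXPOSURE):
    """Combine both sensors: undeclared exposure first, then lateral traffic from those hosts."""
    gap = exposure_gap(perimeter, declared)
    exposed_hosts = {dst for dst, _ in gap}
    return {
        "undeclared_exposure": sorted(gap),
        "exposed_hosts": sorted(exposed_hosts),
        "lateral_alerts": unexpected_lateral(internal, exposed_hosts, BASELINE, OT_ZONE),
    }


def reach_decision(src, dst, dport, policy=REACH_POLICY):
    """Default deny: allow only when an explicit rule matches source net, host and port."""
    src_ip = ipaddress.ip_address(src)
    for src_net, rule_dst, ports in policy:
        if dst == rule_dst and dport in ports and src_ip in ipaddress.ip_network(src_net):
            return "allow"
    return "deny"


def enforce(flows, policy=REACH_POLICY, zone=OT_ZONE):
    """Apply the reach policy to every flow bound for the OT zone; count denials per source."""
    decisions = [
        (src, dst, dport, reach_decision(src, dst, dport, policy))
        for src, dst, dport, _proto in flows
        if ipaddress.ip_address(dst) in zone
    ]
    denied = Counter(src for src, _dst, _dport, verdict in decisions if verdict == "deny")
    return decisions, denied


if __name__ == "__main__":
    report = correlate()
    print("undeclared exposure:", report["undeclared_exposure"])
    print("lateral alerts:", report["lateral_alerts"])
    for src, dst, dport, verdict in enforce(PERIMETER + INTERNAL)[0]:
        print(f"{src:>14} -> {dst}:{dport:<4} {verdict}")
```

Run as a script it prints the two findings from the correlation (the RTU reachable on 80 and 502 from the internet although only the VPN gateway is declared, and the RTU's off-baseline SMB connection into the engineering subnet) followed by the per-flow verdicts. The enforcement side does not inspect payloads or credentials at all: the three internet-sourced attempts against the RTU are denied purely because no rule lets that source reach that host and port, which is the point of controlling who can attempt the connection rather than waiting for the password to change.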


The Polish power grid incident is not a cautionary tale about a specific device or a specific vendor. It is a reminder that the attack surface in OT environments is larger than most organizations know, and that the weakest link is not always the most obvious one.

Default credentials are an open door. The question is whether anyone is standing at it.

Francesco Trama is the founder of PacketViper.
