The December attack on Poland's power grid was not remarkable for what went wrong. It was remarkable for where it went.
In late 2025, ELECTRUM, the Russian state-linked hacking group that caused blackouts in Ukraine in 2015 and 2016, moved against energy infrastructure in Poland. The target was not a single plant or substation. It was a distributed network of wind farms and solar installations. According to Dragos, which tracks the group and published an intelligence brief on the incident, ELECTRUM hit roughly 30 sites simultaneously, gaining access to operational technology systems that let grid operators manage power flow from renewable assets and disabling key equipment beyond repair at several sites. No widespread outages followed. That was not the point.
This was the first coordinated attack against distributed energy resources (DER) at scale. And it opens a question that the energy industry has been slow to answer: what does a grid operator do when the attack surface is not one facility but 8,000 turbines?
The old threat model assumed a finite number of targets. A utility knew where its substations were. It could harden them. It could monitor the perimeter. Distributed energy shattered that logic. Wind farms, solar arrays, and the remote terminal units that connect them to grid management systems are scattered across geography in quantities that make perimeter defense impractical. Each DER site is a potential entry point into the network that keeps the lights on. ELECTRUM did not need to breach a single hardened target. The group found exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units, network edge devices, and Windows-based machines at DER sites across Poland.
The AI agent layer is what makes this scalable in a way that 2015 Ukraine could not have imagined. Adversaries do not need to manually access each site. Autonomous agents can probe, map, and manipulate thousands of distributed assets simultaneously. Dale Peterson, who organizes the S4x26 conference for industrial control system security professionals, chose "Connect" as the theme for the 2026 edition because of the explosive growth in connections between OT systems, enterprise platforms, and AI-driven analytics. Every new connection is a potential attack path. The attack surface of the modern grid is not one facility. It is every sensor, every managed DER site, every communications gateway that an autonomous agent can reach.
The scale of the problem is documented. Dragos tracked 119 ransomware groups targeting 3,300 industrial organizations in 2025, up from 80 groups in 2024. Ransomware attacks against industrial organizations increased 64 percent year over year. Manufacturing accounted for more than two-thirds of all ransomware victims. These numbers span all industrial sectors, but the energy sector carries disproportionate consequence: a ransomware attack that disrupts a car factory is catastrophic. One that disrupts a grid operator's ability to balance load across a national renewable network is something else entirely.
KAMACITE, ELECTRUM's partner group, mapped control loops in U.S. industrial devices between March and July 2025, targeting operator interfaces, variable frequency drives, meters, and remote gateways together. The implication is not subtle. If you have been mapping the control loops of American industrial infrastructure for five months, you are not doing it for fun. The NIST AI Agent Standards Initiative, launched February 18, 2026, is one regulatory response: a public effort to establish security, identity governance, and interoperability standards for autonomous AI agents. The public comment deadline was April 2. Whether that timeline is fast enough is a different question.
The insurance market is struggling to keep up. The 2025 Dragos-Marsh McLennan OT Security Financial Risk Report estimated global OT cyber risk exposure could exceed $300 billion, with worst-case scenarios at $329.5 billion. Indirect losses, often overlooked in traditional models, account for up to 70 percent of OT-related breaches. Traditional cyber insurance policies were not designed for a world where autonomous agents can reach into distributed physical infrastructure at scale. Coverage gaps exist across every major policy line. The report is a risk assessment, not an actuarial table. No specific insurance carrier would comment for this article on ELECTRUM or distributed energy resource coverage. That absence is itself a data point: the industry is still figuring out what it is pricing.
What grid operators and energy asset owners face now is adversaries with a documented track record of causing blackouts, operating at continental scale, and targeting exactly the distributed architecture that renewable energy built. ELECTRUM ran a proof of concept in Poland. The question is not whether the next one comes. It is whether the grid is ready for it.
The S4x26 conference theme was Connect. The industry connected its assets to the network to make them manageable. It did not finish connecting them to a defense that works at the same scale as the threat.