Two years, USD 500 million in ransom payments. How cybercriminals are beating companies

Over just two years, a single cybercrime group extracted USD 500 million in ransom payments from companies. The scale of attacks is growing, and critical business infrastructure has become the target. How can firms defend themselves?

A person in a dark room in front of monitors. Photo: Getty Images

Two years of operations and USD 500 million (approximately PLN 2bn and EUR 460 million) collected in ransom payments. That is the record of just one organization, which between June 2023 and June 2025 disrupted global companies in manufacturing, R&D, and healthcare. This was no coincidence.

The group known as BlackSuite had a clearly defined target set and a specific operating model. It focused on deliberately targeting individuals working at companies with the most to lose. Once access to internal infrastructure was obtained, systems were locked down.

The only way out? Pay the ransom. Experts from Bitdefender, who assisted a global law enforcement alliance – including Europol – in dismantling the group, found cases in which ransom demands reached millions of euros. This was because critical infrastructure was encrypted, without which the organization could not continue operating.

And this concerns only one group. The scale of the challenge is steadily increasing.

How critical infrastructure becomes a target

In 2025, the Polish government recorded a 150% increase in cyberattacks compared with the previous year.

“We have, in practice, been waging a cyber war for many years. The number of incidents and attacks is increasing significantly and radically year on year,” said Paweł Olszewski, Deputy Minister for Digital Affairs.

In Poland’s economy, it is increasingly difficult to find a company that operates “outside critical infrastructure.” Even if a business is not an operator of energy networks, water utilities, or telecommunications, its revenues, payments, and logistics depend on them. This leads to one conclusion: protecting critical infrastructure is becoming not merely a matter for the security department, but a core business risk indicator – on par with exchange rates or energy costs.

And infrastructure also exists within the company itself.

“In the context of enterprises, ‘critical infrastructure’ refers to all systems, assets, and processes without which a company cannot function, or whose failure would cause serious financial, operational, or reputational losses. This does not refer to state infrastructure alone, but also to key elements of business operations,” notes Anna Kwaśnik, a cyber awareness expert at NASK.

This includes elements such as IT systems, databases, cloud environments and data centers, communication systems, technical infrastructure, data (e.g., customer data and intellectual property), as well as logistics systems and components of the supply chain.

“Today, the importance of this infrastructure is growing alongside ongoing digitalization. In addition, geopolitical events such as the war in Ukraine or tensions in the Middle East show that disruptions may be not only technical, but also cyber and hybrid in nature,” Ms. Kwaśnik adds.

Why businesses suffer

Targets of attacks are not limited to large companies. Experts point to a growing trend of expanding operations to smaller businesses as well. These firms hold highly valuable data but typically have weaker defenses.

“Moreover, they are part of the supply chains of larger organizations. This makes them potential entry points for more sophisticated attacks (e.g., supply chain attacks). Limited resources, a lack of adequate procedures, and lower awareness of threats make SMEs particularly vulnerable to incidents,” comments Anna Kwaśnik.

And this is not just about losing access to data. Consider a scenario in which a cyberattack causes a factory to lose power. In Poland, the cost of such downtime can be quantified, at least for electricity. The President of the Energy Regulatory Office (URE) has published the value of lost load (VoLL) for Poland. It averages PLN 80,600 per MWh (approximately EUR 18,600 per MWh), with sector-specific values including trade at PLN 115,800 per MWh, services at PLN 172,700 per MWh, and industry at PLN 75,700 per MWh.

Comment from the series partner

People as the cornerstone of defense

Service resilience is one of the foundations of our operations as a leading telecommunications provider and operator of critical infrastructure. While the term is often associated primarily with technological safeguards, we approach it much more broadly – as a synergy of three equally important areas: technology, processes, and people. Only their seamless interaction can ensure the highest standard of security.

Technological resilience, in turn, involves the precise identification of infrastructure vulnerabilities (single points of failure) and a thorough assessment of risk. Implementing safeguards is the next natural step. We deploy advanced redundancy and geographic distribution of services, link protection, and comprehensive Disaster Recovery systems.
Data security is ensured through multi-layer backups and modern transmission protocols that protect against cyber threats. At the same time, we continuously simplify our solution architecture, which minimizes the risk of failure, and in critical situations we activate a degraded mode of operation – thereby maintaining continuity of key service functions.

However, technology alone is not enough. Processes are essential to reduce the risk of service unavailability. Our model is based on strict standardization and “golden rules” that must be followed without exception. We have introduced rigorous verification procedures, such as the “double eye” principle (double-check by a second person) for high-risk changes, as well as comprehensive frameworks for business continuity management (BCM) and crisis management.

And, of course, the human factor is crucial, as people are the cornerstone of the entire system. That is why we invest in continuous training, because proficiency in operating equipment and knowledge of response procedures are essential for technology and processes to fulfill their role. Equally important is our organizational culture – it builds awareness and a sense of responsibility among every employee for our shared resilience.

To ensure that the mechanisms we have implemented are effective, we regularly test and exercise them. Periodic crisis simulations allow us to verify assumptions and continuously correct any shortcomings. For us, resilience is more than just a business attribute – it is a social mission. We ensure communication is always available, anywhere and at any time: both in everyday life and in the most critical moments.

Physical attacks are also possible

The approach to critical infrastructure is becoming increasingly blurred.

“Today, critical infrastructure is anything that, if it fails, brings business to a halt – primarily IT systems, data, and their availability. In many organizations, the boundary between ‘critical’ and ‘standard’ IT has effectively disappeared,” notes Konrad Badowski, Business Relationships Manager at Axis Communications.

And as technology advances, this category continues to expand.

“Today, this includes not only networks, servers, or ERP and CRM systems, but also cloud environments, identity management systems, and operational technologies such as SCADA or PLC. A key trend is the convergence of IT and OT. A cyber incident can now directly result in the shutdown of production or logistics,” adds Mr. Badowski.

This also applies to physical infrastructure. As experts point out, protecting critical infrastructure requires a holistic approach.

“In terms of best practices, implementing a holistic approach is key. This includes, among other things, network segmentation, restricting access according to the principle of least privilege, centralizing security policies, and close cooperation between IT and OT teams and those responsible for physical security,” comments Jakub Kozak, Area Sales Director CEE at Genetec.

He also highlights the growing importance of real-time data analysis and the automation of processes that detect anomalies and potential threats.

“Another essential element is compliance with personal data protection regulations and careful management of the entire data lifecycle – from collection, through storage, to deletion,” Mr. Kozak adds.

Cloud under attack

It is important to understand that the concept of critical infrastructure is fluid. For example, an increasing number of companies are now investing in data centers and AI servers located not only in large facilities owned by technology giants, but also within their own organizations.

“We are clearly seeing that organizations – particularly in sectors such as energy, telecommunications, healthcare, transport, and public administration – are beginning to treat data location and jurisdiction as one of the pillars of cybersecurity,” comments Albert Szczepaniak, Director of Security and Quality at Polcom.

He notes that, according to Polcom’s report Barometr cyfrowej transformacji polskiego biznesu 2025–2026, as many as 93% of companies are investing in technologies related to IT infrastructure, cybersecurity, and business continuity. At the same time, 91% of organizations are implementing monitoring and protection solutions for IT environments, such as Security Operations Centers (SOC). This reflects a shift from a reactive approach to a model of continuous, proactive protection.

“This trend fits into a broader global context. According to Gartner forecasts, spending on sovereign cloud infrastructure is expected to reach $80 billion (approximately PLN 320 billion and EUR 74 billion) in 2026, growing at 35.6% year on year. Up to 20% of workloads currently handled by global hyperscalers could be shifted to local data center providers. This indicates a clear move toward local models that provide greater control over data and its security,” Mr. Szczepaniak adds.

How to secure a company

Experts point to several factors that should be taken into account when aiming to strengthen the protection of critical infrastructure.

“The starting point is the identification of key assets, risk analysis, and the implementation of business continuity and disaster recovery plans. A layered approach (defence in depth) is essential, including network segmentation, multi-factor authentication, encryption, monitoring, and regular updates. In parallel, physical security must also be addressed, such as access control and surveillance,” lists Konrad Badowski.

Anna Kwaśnik highlights the importance of complying with regulatory requirements such as the NIS2 Directive and the amended Polish Act on the National Cybersecurity System (KSC). These frameworks reinforce a risk-based approach and business continuity management.

“A key element of this approach is building a security culture within the organization—namely awareness of threats, employee accountability, and the day-to-day application of good practices,” the NASK representative concludes.

Even the best must stay vigilant

A useful lesson – even for smaller businesses – comes from an incident in December 2025. Cybercriminals targeted companies that own real critical infrastructure, including photovoltaic power plants and wind farms. The attackers went after a specific controller inside one of the devices that protect the hardware controllers. They uploaded corrupted firmware, causing the device to enter a reboot loop.

In 2021, a more serious attack hit the U.S. pipeline operator Colonial Pipeline Company. The company paid more than USD 4.4 million (approximately PLN 17.6 million and EUR 4.1 million) in ransom following a ransomware attack. Law enforcement authorities later recovered part of the funds.

Key Takeaways

  1. Protecting critical infrastructure is no longer solely the responsibility of IT departments; it has become a core element of business risk management. Experts emphasize the importance of a holistic approach covering both digital and physical systems, as well as the implementation of advanced protection methods such as network segmentation, multi-factor authentication, and real-time monitoring. Regulatory compliance and building employee awareness are also playing an increasingly important role.
  2. The example of the BlackSuite group, which extracted approximately $500 million (around PLN 2.0 billion and EUR 460 million) over two years, illustrates the growing effectiveness of targeted ransomware attacks. These organizations do not operate randomly. They select victims with the highest operational sensitivity, and by gaining access to critical infrastructure, they are able to extort multimillion-dollar ransoms. This confirms that cyberattacks have become an organized and highly profitable criminal business model.
  3. Modern enterprises are heavily dependent on IT systems, data, and interconnected supply chains. This means that virtually any company can become a target. In Poland, the number of cyber incidents has increased by 150% year on year, indicating a rapidly deteriorating situation. In addition, digitalization and geopolitical tensions are increasing the risk of disruptions that are both technical and hybrid in nature.