Based on Article 68 of the Act of July 5, 2018, on the national cybersecurity system (Journal of Laws, item 1560), on October 22, 2019, the Council of Ministers adopted Resolution No. 125 on the Cybersecurity Strategy of the Republic of Poland for 2019-2024. This domestic law repealed Resolution No. 52/2017 of the Council of Ministers of April 27, 2017, on the National Framework for Cybersecurity Policy of the Republic of Poland for 2017-2022.

Cybersecurity Strategy of the Republic of Poland for 2019-2024

As part of the RP cybersecurity strategy, a vision and main objective related to the cybersecurity of the Republic of Poland's cyberspace security have been defined. It was indicated that with economic growth and the daily activities of entrepreneurs and citizens related to the efficient and safe operation of information systems and means of electronic communication, it is necessary to strengthen and develop the national cybersecurity system. These actions were to include systemic organizational, operational, technological, legal solutions, shaping social attitudes, and conducting scientific research to ensure compliance with high cybersecurity standards in the area of ​​software, devices, and digital services. They were to be undertaken by the government with respect for the rights and freedoms of citizens and by building trust between individual market sectors and public administration.

Given the increasing frequency of information leaks concerning private email correspondence of politicians from their email accounts and considering all scandals related to eavesdropping on citizens, it is difficult to speak here about building trust in the actions of public administration in the sphere of building an efficient cybersecurity system.

The main goal of the Cybersecurity Strategy of the Republic of Poland for 2019-2024

The main goal of the Cybersecurity Strategy of the Republic of Poland for 2019-2024 is to increase resilience to cyber threats and improve the level of information protection in the public, military, private sectors, and promote knowledge and best practices enabling citizens to better protect their information. Specific objectives regarding a secure cyberspace in Poland were also outlined within the strategy:

1. Development of the national cybersecurity system.

2. Increasing the resilience of information systems of public administration and the private sector and achieving the ability to effectively prevent and respond to incidents.

3. Enhancing national capabilities in the field of cybersecurity.

4. Building awareness and social competencies in the field of cybersecurity.

5. Building a strong international position for the Republic of Poland in the field of cybersecurity.

From the perspective of issues related to offshore wind energy in Polish maritime areas, an important specific objective titled "Development of the national cybersecurity system" is relevant. Within this goal, the increase in cybersecurity of key and digital services and critical infrastructure was described.

It was indicated that information technologies (IT) used by operators of key services, providers of digital services, operators of critical infrastructure (including telecommunications operators) are critical for the continuity of state operations and ensuring citizens' safety. Furthermore, the security of the most important sectors of the economy, with particular emphasis on the energy sector, depends on ensuring the uninterrupted operation of industrial control systems (OT). Therefore, ensuring cybersecurity, both IT and OT, will be treated by the government as a priority. As an expression of this priority action, analyses aimed at specifying security requirements necessary for compliance by telecommunications operators, especially in the construction of 5G networks, which in the future will be the basis for the functioning of the state in mobile telecommunications, were indicated.

It is assumed that legal changes will be necessary in this area to enable proper control over ensuring cybersecurity. In addition to this, considering that the responsibility for ensuring service security lies primarily with the entities providing them, the government will take actions to support the development of capacities and competencies in cybersecurity among operators of key services, operators of critical infrastructure, and providers of digital services, taking into account their diverse specificities and varying levels of maturity in the field of cybersecurity. Moreover, the government will support these entities in responding to significant, critical, and serious incidents, especially in the event of cross-sector incidents. Once again, unfortunately, there is no systemic idea for ensuring security in this aspect.

First and foremost, coherence in the development of criteria for identifying operators of critical infrastructure and operators of key services, taking into account the need to include these entities in crisis management systems, was to be ensured. This process was to be carried out in cooperation with all sectors. Using mechanisms provided by law, minimum cybersecurity requirements will be recommended, with particular emphasis on continuity management.

Similar arrangements will apply to providers of digital services. However, considering the international nature of these entities and the need to provide regulations conducive to the development of the digital market in Poland, actions in this area will be conducted at the European level, primarily within the framework of the NIS Directive Cooperation Group, as well as in transatlantic cooperation with British and American institutions stimulating the raising of cybersecurity standards by providers of digital services.

The need to ensure security against cyberattacks on critical renewable energy infrastructure - a few examples

The importance of ensuring cybersecurity for critical infrastructure, including attacks on energy generation entities, including offshore wind farms, can be demonstrated by cyberattacks on entities involved in energy generation. The current situation, related to the conflict in Ukraine, will only contribute to the intensification of such activities. It is worth mentioning two such attacks that took place after Russia's invasion of Ukraine.

On the day of the Russian aggression against Ukraine, a number of significant irregularities were recorded in the operation of electric power generators. Most offshore wind turbines are controlled by automated centers often located far inland. To monitor and control them, satellite communication and internet protocols are used. This attack was most likely a side effect of an attack on the cybernetic infrastructure of the Viasat operator, which serves both satellite satellites, supporting the operation of wind turbines, and military satellites belonging to the US armed forces. The scale of the attack was quite significant, as according to experts' estimates, up to 5,800 wind turbines in Germany, with a capacity of 11 GW, could have been automatically shut down due to a threat to the automation of generators.

This was not the only attack on infrastructure related to wind energy in Germany. Deutsche Windtechnik, specializing in wind turbine maintenance, was also the target of a cyberattack. Attackers managed to break through security and control remote control systems serving about 2,000 turbines. They did not work for a day after the attack. Nordex SE, a company involved in the design, sale, and production of wind turbines, announced that on March 31 it detected a cyberattack that forced them to shut down IT systems. Conti group claimed responsibility for this attack, declaring support for the Russian government.

As can be seen, such situations occur, and according to the authors, their scale will unfortunately only increase. Taking into account Poland's ambitious plans related to the production of electricity from renewable sources such as offshore wind energy, hydrogen, and nuclear power plants, matters related to ensuring the cybersecurity of this infrastructure must be taken extremely seriously.

Summary

Taking into account the regulations mentioned above, it should be emphasized that without a systemic approach to the problem of cybersecurity in Poland, especially the cybersecurity of critical infrastructure, this problem will remain another sphere of both public and private life filled with dead regulations and empty declarations.

Once again shifting the entire responsibility for ensuring cybersecurity in cyberspace to the user of a given system, without simultaneous support from the State, appropriate legislation, and real assistance, is simply irresponsible and can seriously affect the energy security of our country in the future.

Another matter is a kind of blindness of public administration to the necessity of adapting the level of remuneration of cybersecurity specialists in government agencies to the conditions of the private sector. Such an approach to such critical issues will result in fewer high-quality specialists being willing to work within the framework of employment in the public sector, which will also negatively affect the cybersecurity level of the Republic of Poland.

Unfortunately, in the current "interesting times," it can be assumed that sooner or later there will be a dangerous cyberattack on Polish critical infrastructure, and then all these shortcomings and irresponsible approach to the problem that decision-makers have been presenting for years will expose all the deficiencies and weaknesses of our "cybersecurity strategy." One can only hope that these damages will not be too significant and will be reversible.

Mateusz Romowicz – Attorney-at-Law

Przemysław Niewiński - Lawyer