
Distributed energy resources (wind farms, solar installations, and combined heat and power plants) represent one of the fastest-growing and least-secured segments of the modern power grid. This course uses the December 2025 attack on Poland's DER infrastructure as a case study and replicates its kill chain in a hands-on lab environment. Students will move through the full attack sequence: passive reconnaissance using Shodan, credential-based VPN compromise, internal scanning and ICS device enumeration, DNP3 protocol exploitation, RTU bricking, and a coordinated major attack. The second half of the course reverses perspective, challenging students to harden each layer that was exploited in the attack phase. Lab exercises use OpenVPN and DNP3-speaking RTUs to model the real-world architecture common to utility-scale DER deployments.
After completing this course, students will be able to:
- Explain how internet-exposed VPN concentrators and default ICS device credentials were exploited in the 2025 Poland DER attack, and describe the attacker's kill chain from initial reconnaissance to destructive payload.
- Use Shodan to identify and characterize exposed industrial devices and remote access infrastructure as part of passive pre-attack reconnaissance.
- Exploit weak VPN authentication to gain initial access to a simulated DER network environment.
- Perform internal network scanning and enumerate ICS assets using protocol-aware tools following VPN compromise.
- Issue unauthorized DNP3 commands against a live RTU to manipulate generation and demonstrate the operational impact of ICS protocol access.
- Execute a destructive RTU bricking attack by corrupting device firmware and configuration through exposed management interfaces.
- Harden a VPN deployment against the credential and authentication weaknesses exploited in the attack phase.
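As an added illustration for the VPN-hardening objective above (example code written for this page, not material from the course or from the OpenVPN project), the following Python script audits an OpenVPN server configuration for the password-only authentication and control-channel weaknesses a DER remote-access concentrator should not carry, and reports which ones are present. The directives it checks (`verify-client-cert none`, `client-cert-not-required`, `duplicate-cn`, `management`, `tls-auth`/`tls-crypt`, `tls-version-min`, `remote-cert-tls`, `crl-verify`) are real OpenVPN 2.4+ server options; the two sample configurations, the file paths inside them and the rule wording are constructed for this example.

```python
"""Audit an OpenVPN server configuration for credential and authentication
weaknesses. Added illustration, not course or OpenVPN project code.
The directives checked are real OpenVPN 2.4+ server options; the sample
configurations at the bottom are constructed for this example."""
from __future__ import annotations

import re

# Each rule: (directive regex, directive must be present?, finding text).
# Rules with must_be_present=False fire when the directive IS found;
# rules with must_be_present=True fire when it is MISSING.
WEAK_RULES = [
    (r"^(verify-client-cert\s+none|client-cert-not-required)\b", False,
     "password-only authentication: client certificates are not required"),
    (r"^duplicate-cn\b", False,
     "duplicate-cn lets one leaked certificate or credential be used concurrently"),
    (r"^management\s+(?!127\.0\.0\.1|localhost|/)\S+", False,
     "management interface bound to a non-loopback address"),
    (r"^<?(tls-auth|tls-crypt|tls-crypt-v2)\b", True,
     "no tls-auth/tls-crypt: control channel reachable by unauthenticated clients"),
    (r"^tls-version-min\s+1\.[23]\b", True,
     "tls-version-min not pinned to 1.2 or higher"),
    (r"^remote-cert-tls\s+client\b", True,
     "remote-cert-tls client missing: server certificates could be reused as client certificates"),
    (r"^crl-verify\b", True,
     "no CRL configured: revoked client certificates are still accepted"),
]


def parse_directives(text: str) -> list[str]:
    """Return the effective directive lines with comments and blanks removed."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment markers
            continue
        directives.append(line)
    return directives


def audit_openvpn_config(text: str) -> list[str]:
    """Return the list of findings for a server.conf; empty means no rule fired."""
    directives = parse_directives(text)
    findings = []
    for pattern, must_be_present, message in WEAK_RULES:
        regex = re.compile(pattern)
        hit = any(regex.match(d) for d in directives)
        if hit != must_be_present:
            findings.append(message)
    return findings


# Constructed sample: password-only VPN with an exposed management port.
WEAK_CONFIG = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
verify-client-cert none
auth-user-pass-verify /etc/openvpn/checkpw.sh via-file
duplicate-cn
management 0.0.0.0 7505
server 10.8.0.0 255.255.255.0
"""

# Constructed sample: certificate plus PAM-backed password, wrapped control channel.
HARDENED_CONFIG = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
tls-version-min 1.2
remote-cert-tls client
crl-verify crl.pem
# certificate AND password rather than either one alone
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
management 127.0.0.1 7505
server 10.8.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_openvpn_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real `server.conf` by reading the file into `audit_openvpn_config`; every finding maps to one of the exploited layers in the attack phase (password-only access, reusable credentials, an exposed management plane, and an unauthenticated control channel).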