Polish intelligence services have confirmed what every security expert had been expecting for years - hackers broke into five water-treatment facilities, with the potential to interfere with the safety of the water supply. Poland made it official. And the question is simple: when were our own systems last actually checked?

Poland's Internal Security Agency (ABW) published a report covering two years of work. According to it, the agency stopped multiple acts of sabotage by Russian state spies and hackers, aimed at military sites, critical infrastructure (energy grids, water supply, transport) and civilian targets. The report doesn't spell out how the hackers in the five waterworks are linked to Russian services, but ABW had previously attributed to Russian state hackers an earlier unsuccessful attempt to bring down Poland's electric grid.

"The most serious challenge is sabotage activity against Poland, inspired and organised by Russian intelligence services. This threat was (and is) real and immediate. It demands full mobilisation," the report says.

The scenario isn't Polish, it is global. In 2021 a hacker breached a plant in Oldsmar, Florida, and tried to raise the sodium hydroxide level - an aggressive chemical - to dangerous levels. Last month, a joint advisory from CISA, the FBI, the NSA and other US agencies warned that Iranian hackers are actively targeting programmable logic controllers (PLCs) - the industrial computers that run water and energy plants. The same Iranian group, CyberAv3ngers, broke into several Pennsylvania facilities in 2023.

The Balkans are not outside this equation. Macedonian, Serbian, Bulgarian, Greek critical infrastructure runs on similar PLC controllers. Many of them are made by Siemens, Schneider Electric, Rover - the same manufacturers whose devices were hacked in the US and Poland. When was the last time it was publicly announced that any Macedonian agency had tested its systems against such an attack? When was such a thought publicly aired at all?

As Polish services conclude, these are not isolated incidents - it is a strategy. The same one Russia applies in war zones in Ukraine, and against countries it considers hostile. The Balkans aren't priority number one, but they are not off the list either. The question is not if, but when. And whether we work it out in time - or find out on the test.