Centralized Energy System of Europe Remains Vulnerable

Workers are repairing sections of the Darnytsia Thermal Power Plant, damaged by Russian airstrikes in Kyiv, Ukraine, on February 4, 2026. This winter has proven particularly challenging for Ukraine, which has endured four consecutive winters of systematic Russian assaults on its energy infrastructure.

According to United Nations data, January 2026 saw nearly daily strikes on energy infrastructure across 17 regions. In Kyiv, repeated attacks on two combined heat and power plants resulted in the loss of central heating for nearly 6,000 residential buildings. All 15 thermal power plants in Ukraine have either suffered damage or been destroyed.

However, despite these challenges, Ukraine has managed to adapt and create what Europe currently lacks. As centralized thermal stations became high-quality targets, Ukrainian operators transitioned to municipal cogeneration units—compact systems that generate both electricity and heat independently of the overall grid.

By November 2025, the centralized heating sector operated using 182 such installations along with 239 modular boilers, forming autonomous "energy islands" for hospitals, water utilities, and residential buildings. While European procurement cycles measure implementation in years, Ukrainian operators install modules within days.

They have improvised under fire: pre-positioning spare parts, establishing emergency communication protocols, and streamlining bureaucratic hierarchies by making decisions at the municipal level. The International Energy Agency (IEA) identifies these emergency response capabilities as some of the most transferable elements of Ukraine's energy defense. But who can receive them, and how quickly?

In Central and Eastern Europe (CEE), centralized heating is the primary method of heating cities. Poland, Slovakia, the Czech Republic, Hungary, and the Baltic States all rely on centralized systems built during the Soviet era. This very architectural logic has made Ukraine's infrastructure a high-quality target—not only for missiles and drones but also for cyberattacks.

Modern thermal stations operate through industrial software that regulates temperature, pressure, and flow remotely. This digital layer is already susceptible to exploitation. In January 2024, a previously unknown malware called FrostyGoop targeted heating systems in Lviv, seizing Modbus, a widely used communication protocol for controlling industrial equipment. It resulted in heating outages in over 600 apartment buildings for two days.

Researchers later found heating controllers operating on the same protocol exposed to the internet in Lithuania and Romania. Three days before the start of this year, a coordinated cyberattack targeted a major Polish combined heat and power plant serving nearly half a million consumers. The attackers, linked to a group associated with the FSB, had been in the network since March 2025, mapping systems and stealing credentials.

Wiper malware was deployed to render systems irreparably unusable. Endpoint detection software at the station identified it in time. Most municipal heating operators across the continent lack such capabilities. Ukraine understands what these attacks look like, how they escalate, and how to maintain heat supply despite them. However, this knowledge is not reaching European suppliers who need it, and not as quickly as required.

There are several structural problems. The heating sector in Europe is fragmented: state suppliers in major cities, large private players like Veolia and Engie, municipal operators—the largest group in CEE—and small local owners who purchased stations during the privatization of the 1990s. Municipal operators are the weak link. They report to city councils rather than national governments. They lack a mandate for international knowledge exchange, a budget for it, and an institutional partner to connect with in Kyiv.

They primarily invest only when EU subsidy programs for infrastructure, which often have decades of history, are available. When managing 50-year-old pipes and production technology, cybersecurity is not a priority. It isn't even a second priority. These are small companies in district towns that lack spare resources, often led by managers preoccupied with daily operational issues.

Some of them are aware of the threat, but almost none have a mechanism to respond to it. The institutional infrastructure for knowledge exchange technically exists. The Energy Community Secretariat connects Ukraine with its European neighbors and has signed memorandums for coordinating centralized heating. The EU's readiness strategy outlines 30 actions for crisis resilience. But these connections exist between governments (not engineers and dispatchers) who actually manage the systems.

EU readiness policy is implemented top-down, which does not effectively address local heating vulnerabilities. No one has in their job description the task of connecting a Ukrainian cogeneration operator with a heating company in Poland or Slovakia. Meanwhile, proposals for a joint European cyber defense are under consideration, and several EU member states are developing offensive cyber deterrents. But the pace does not match the threat. Again, these initiatives operate at a strategic level—not at the municipal heating level, where vulnerability is greatest.

The question now is, what needs to be done? Returning to Ukraine, Kyiv is no longer improvising.

On March 3, President Volodymyr Zelensky held a meeting of the National Security and Defense Council, where regional energy resilience plans for each Ukrainian region were approved, built around four pillars: resilience, innovation, technology, and international cooperation.