Targeted Attacks on Automatic Tank Gauges
US government agencies including CISA, the FBI, the NSA, and the Department of Energy have issued a joint advisory warning that hackers are actively targeting internet-exposed automatic tank gauge (ATG) systems. These devices are widely used across the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors to remotely monitor fuel levels and temperatures and to detect leaks in storage tanks. The advisory states that threat actors are compromising exposed systems by modifying settings through direct command execution.
Vulnerabilities and Potential Impact
Attackers are gaining access through various means including authentication bypass flaws, hardcoded credentials, operating system command injection vulnerabilities, SQL injection issues, and privilege escalation weaknesses. Once inside, they can alter network configurations, product identifiers, tank volumes, and pump controls. Critically, they can disable alerts, preventing operators from properly monitoring fill levels and increasing the risk of leaks or equipment failures. The agencies strongly recommend blocking ATG systems from direct internet access, using firewalls and VPNs for remote connections, replacing default passwords with strong credentials, enabling multifactor authentication, applying security updates, and continuously monitoring for unauthorized changes.
Attribution and Precedent
While the advisory does not officially attribute the activity to any specific group, recent reporting by CNN has linked similar breaches at gas stations across multiple states to Iranian hackers. In those incidents, attackers exploited ATG systems with weak or nonexistent passwords to manipulate display readings without altering actual fuel levels. Although no physical damage occurred, the incidents raised serious concerns about potential interference with leak detection and other safety functions. Iran has a documented history of targeting fuel management systems and other industrial control technologies, though limited forensic evidence has made definitive attribution challenging.
Source: BleepingComputer

