Following last month’s investigation into a series of cyber intrusions targeting automatic tank gauge (ATG) systems used to monitor fuel levels at gas stations across multiple states, with Iran emerging as a leading suspect, U.S. agencies have released a joint fact sheet warning of ongoing malicious cyber activity targeting U.S.-based ATG systems. The federal government has not formally attributed the activity to a specific nation-state or threat actor group, but officials said the campaign involves cyber actors compromising internet-exposed ATG systems and manipulating them through remote command execution.
Issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department of Energy (DOE), the Environmental Protection Agency (EPA), the Transportation Security Administration (TSA), the Department of Transportation (DOT), and the U.S. Department of Agriculture (USDA), the fact sheet details likely tactics, techniques, and procedures (TTPs) used in the attacks, and identifies key risk factors associated with exposed and compromised ATG systems. It also provides mitigation recommendations aimed at reducing the risk of further cyber activity targeting fuel-sector infrastructure.
“CISA works shoulder-to-shoulder with our government partners to identify, assess and respond to reports of malicious cyber activity targeting critical infrastructure systems and networks,” Nick Andersen, acting director at CISA, said in a media statement. “We urge all organizations using ATG systems to review this joint fact sheet and implement recommended actions. As always, CISA stands ready to provide voluntary support and resources to aid organizations in responding to and recovering from incidents.”
Deployed across energy, chemical, food and agriculture, and transportation systems sectors, these ATG systems are used for automated and remote monitoring of storage tank parameters, including fuel and liquid levels, temperature, and potential leak detection. Given their critical role in day-to-day operations, the authoring agencies urged ATG owners and operators to defend against ongoing malicious cyber activity by strengthening password security and removing internet exposure wherever possible to reduce risk of unauthorized access and compromise.
The document outlines that cyber adversaries may exploit flaws in ATG systems through multiple attack vectors. Adversaries can bypass authentication mechanisms or abuse hardcoded credentials to gain unauthorized access to device management interfaces. Once access is obtained, they may exploit operating system command execution flaws and SQL injection vulnerabilities to run arbitrary code and manipulate underlying databases. The guidance also warns that attackers can leverage privilege escalation techniques to obtain full administrative control over the ATG application and its underlying operating system, enabling deeper compromise of the device and its functions.
The agencies assess that, should a cyber threat actor exploit these vulnerabilities and compromise an ATG system, they could disrupt or manipulate critical functions by interfacing directly with the tank management as though they possessed legitimate physical access to the system console.
They added that hackers could alter system attributes, including network settings, product identifiers, tank volume data, and pump controls. Such unauthorized changes could compound operational malfunctions, as incorrectly functioning components may create a denial-of-view condition that prevents operators from accurately monitoring tank fill levels, potentially causing permanent damage to the tank system’s critical functions.
The attackers could also disable system alerts, reducing an operator’s ability to detect and respond to system issues and increasing the risk of environmental or physical hazards resulting from incidents such as fuel leaks or relay failures.
The agencies recommended that ATG owners immediately take steps to reduce their exposure to cyber threats. They advised organizations to eliminate direct internet exposure of ATG serial ports, including commonly used default TCP ports such as 8001, 9001, and 10001, as well as any related web interfaces. Where remote access is necessary, organizations should restrict access through firewalls, access control lists (ACLs), or virtual private networks (VPNs).
The guidance also calls for stronger credential security measures. Owners should immediately change any default passwords and implement strong, unique security codes and administrative credentials across all interfaces, including serial ports. Agencies further recommended deploying phishing-resistant multifactor authentication wherever feasible and consulting ATG service providers if assistance is needed to implement these protections.
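The two recommendations above (no direct exposure of the ATG ports, and strong, unique credentials on every interface) can be checked against a fleet inventory before a single device is touched. The following Python script is an added example, not part of the fact sheet or this article: it takes a constructed inventory of ATG devices with the allow rules that sit in front of them, flags any listening port that a rule opens to a source outside the management network, and flags security codes or admin passwords that are too short or reused across interfaces or sites. The inventory structure, the `10.20.0.0/16` management range, the 12-character minimum and all device entries are assumptions for the demonstration.

```python
"""Exposure and credential audit for an ATG fleet inventory.

Added example (not from the fact sheet or the article). The inventory
structure, the management-network range and all device entries are
constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Default TCP ports the fact sheet names for ATG serial-port access.
ATG_DEFAULT_PORTS = {8001, 9001, 10001}
# Assumed local policy minimum for security codes and admin passwords.
MIN_CREDENTIAL_LENGTH = 12


@dataclass
class AclRule:
    """Allow rule in front of a device: traffic from `source` may reach `port`."""
    source: str
    port: int


@dataclass
class AtgDevice:
    name: str
    listen_ports: set[int]
    acl: list[AclRule]       # empty list means nothing is allowed through
    security_code: str
    admin_password: str


def exposed_ports(device: AtgDevice, trusted: list[ipaddress.IPv4Network]) -> set[int]:
    """Listening ports that an allow rule opens to a source outside every trusted network."""
    exposed = set()
    for rule in device.acl:
        if rule.port not in device.listen_ports:
            continue
        src = ipaddress.ip_network(rule.source, strict=False)
        if not any(src.subnet_of(net) for net in trusted):
            exposed.add(rule.port)
    return exposed


def audit(devices: list[AtgDevice], trusted_nets: list[str]) -> dict[str, list[str]]:
    """Return per-device findings for internet exposure and weak or reused credentials."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    seen: dict[str, tuple[str, str]] = {}   # secret -> (device, credential label) first seen
    findings: dict[str, list[str]] = {}
    for dev in devices:
        issues = []
        for port in sorted(exposed_ports(dev, trusted)):
            kind = "default ATG port" if port in ATG_DEFAULT_PORTS else "port"
            issues.append(f"{kind} {port} reachable from outside the management network")
        for label, secret in (("security_code", dev.security_code),
                              ("admin_password", dev.admin_password)):
            if len(secret) < MIN_CREDENTIAL_LENGTH:
                issues.append(f"{label} shorter than {MIN_CREDENTIAL_LENGTH} characters")
            first = seen.setdefault(secret, (dev.name, label))
            if first != (dev.name, label):
                issues.append(f"{label} reused (same value as {first[1]} on {first[0]})")
        findings[dev.name] = issues
    return findings


# Constructed sample data: one management VPN range and three sites.
TRUSTED_MANAGEMENT_NETS = ["10.20.0.0/16"]
SAMPLE_DEVICES = [
    AtgDevice("site-A-atg", {10001}, [AclRule("0.0.0.0/0", 10001)],
              security_code="123456", admin_password="Correct-Horse-Battery-41"),
    AtgDevice("site-B-atg", {8001, 443},
              [AclRule("10.20.0.0/16", 8001), AclRule("10.20.0.0/16", 443)],
              security_code="Sc-9d7f1b2e4a6c", admin_password="Correct-Horse-Battery-41"),
    AtgDevice("site-C-atg", {9001}, [],
              security_code="Tank-C-3f8b1c9e2d", admin_password="Site-C-Admin-77q2"),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_DEVICES, TRUSTED_MANAGEMENT_NETS).items():
        print(name, "->", issues or ["no findings"])
```

Site A is flagged for opening port 10001 to `0.0.0.0/0` and for a six-character security code; site B is clean on exposure (its rules only admit the management range) but reuses site A's admin password; site C, with no allow rules at all, produces no findings. The exposure check deliberately compares rule sources against the trusted range rather than against "the internet", so a rule that admits a partner's public range is still reported.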
In addition, organizations should work with certified ATG service providers, where available, to verify system compliance, update software, and apply the latest manufacturer-issued security patches. The agencies also urged operators to actively monitor their networks for signs of unauthorized access by enabling logging and auditing capabilities and reviewing logs for exposed device interfaces, unauthorized connections, suspicious alarms, alarm-threshold modifications, tank label changes, and other system alterations. Any suspected cyber incidents should be reported promptly through CISA’s reporting channels.
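The log-review items named above (unauthorized connections, suspicious alarms, alarm-threshold modifications, tank label changes) map directly onto a small detection routine. The Python below is an added example, not from the fact sheet or the article: it parses a constructed `timestamp device key=value ...` log format, raises a finding for each indicator, and correlates configuration changes with the most recent connection to the same device so that a threshold or label change made during a session from outside the management network is rated higher than the same change made from inside it. The log format, the sample lines and the `10.20.0.0/16` management range are assumptions; a real ATG or terminal server will need its own parser in place of `parse_line`.

```python
"""Review ATG access logs for the indicators the fact sheet lists.

Added example (not from the fact sheet or the article). The log format
(space-separated key=value fields after a timestamp and device name) and
the sample lines are constructed; real ATG logs will need their own parser.
"""
from __future__ import annotations

import ipaddress
import shlex

# Event names in the constructed log format and the finding each one produces.
INDICATORS = {
    "set_threshold": "alarm threshold modified",
    "set_label": "tank label changed",
    "alarm": "alarm raised (verify against physical tank state)",
}


def parse_line(line: str) -> dict | None:
    """Turn `ts device k=v k=v ...` into a dict; quoted values are allowed."""
    try:
        tokens = shlex.split(line)
    except ValueError:          # unbalanced quotes: skip rather than crash the review
        return None
    if len(tokens) < 3:
        return None
    rec = {"ts": tokens[0], "device": tokens[1]}
    for tok in tokens[2:]:
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    return rec


def review(lines: list[str], trusted_nets: list[str]) -> list[dict]:
    """Return one finding per indicator, with severity raised for changes made from untrusted sessions."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    last_src: dict[str, ipaddress.IPv4Address] = {}   # device -> source of latest connection
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if not rec or "event" not in rec:
            continue
        dev, ev = rec["device"], rec["event"]
        if ev == "connect":
            src = ipaddress.ip_address(rec["src"])
            last_src[dev] = src
            if not any(src in net for net in trusted):
                findings.append({"line": lineno, "device": dev, "severity": "high",
                                 "kind": "connection from outside management network",
                                 "detail": f"{src} -> tcp/{rec.get('port', '?')}"})
        elif ev in INDICATORS:
            src = last_src.get(dev)
            from_untrusted = src is not None and not any(src in net for net in trusted)
            fields = ", ".join(f"{k}={v}" for k, v in rec.items()
                               if k not in ("ts", "device", "event"))
            findings.append({"line": lineno, "device": dev,
                             "severity": "high" if from_untrusted else "medium",
                             "kind": INDICATORS[ev],
                             "detail": f"{fields} (session from {src or 'unknown'})"})
    return findings


# Constructed sample log: one untrusted session at site A, one trusted session at site B.
TRUSTED_MANAGEMENT_NETS = ["10.20.0.0/16"]
SAMPLE_LOG = [
    '2025-01-01T02:14:03Z site-A-atg event=connect src=203.0.113.7 port=10001',
    '2025-01-01T02:14:09Z site-A-atg event=set_threshold tank=2 alarm=high_product old=90 new=99',
    '2025-01-01T02:14:20Z site-A-atg event=set_label tank=2 old="Diesel" new="Unleaded"',
    '2025-01-01T02:15:41Z site-A-atg event=alarm type=low_product tank=1',
    '2025-01-01T08:00:12Z site-B-atg event=connect src=10.20.4.15 port=8001',
    '2025-01-01T08:01:30Z site-B-atg event=set_threshold tank=1 alarm=low_product old=10 new=8',
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG, TRUSTED_MANAGEMENT_NETS):
        print(f"line {f['line']} {f['device']} [{f['severity']}] {f['kind']}: {f['detail']}")
```

On the sample, lines 1 to 4 are reported as high (the connection itself, then two configuration changes and an alarm inside that session), line 5 is a normal connection from the management range and is not reported, and the threshold change on line 6 is reported at medium severity because it came from a trusted session but is still a change the operator should be able to account for.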
Finally, the agencies encouraged organizations to work with their third-party service providers to implement the primary mitigations for reducing cyber threats to OT (operational technology) systems that have been jointly recommended by the agencies.