IndustrialCyber

US probes automatic tank gauge system breaches, exposing OT risks across critical infrastructure


U.S. officials are investigating a series of cyber intrusions targeting automatic tank gauge systems used to monitor fuel levels at gas stations across multiple states, with Iran emerging as a leading suspect, according to a CNN report citing officials and cybersecurity experts. The attackers allegedly exploited internet-connected tank monitoring systems that lacked password protection, allowing them in some cases to manipulate displayed fuel readings, though officials said the actual fuel levels inside storage tanks were not altered. 

While investigators said the breaches did not cause physical damage or injuries, the incidents have raised broader concerns about the cybersecurity of operational technology embedded across critical infrastructure. Officials and private-sector experts warned that unauthorized access to automatic tank gauge systems could theoretically be used to conceal fuel leaks or create operational confusion. 

Sources familiar with the investigation told CNN that Iran’s previous history of targeting fuel-related infrastructure contributed to suspicions surrounding the campaign, though attribution may remain difficult because the hackers reportedly left limited forensic evidence behind. 

In a September 2024 report, BitSight researchers disclosed 11 vulnerabilities, including multiple zero-days, affecting six automatic tank gauge systems from five vendors, warning that thousands of internet-exposed fuel monitoring systems remained vulnerable across critical infrastructure environments. The researchers said the flaws could allow attackers to manipulate tank parameters, disable alarms, alter fuel tank geometry, trigger operational disruption, or potentially cause fuel leaks and environmental hazards. 

The exposed systems were identified across gas stations, airports, hospitals, utilities, manufacturing facilities, and government networks, with the U.S. described as the most affected country. BitSight added that it coordinated disclosures with the U.S. Cybersecurity and Infrastructure Security Agency and affected vendors beginning in March 2024, before publicly releasing the findings six months later. 

Commenting on the alleged recent intrusion, Ben Edwards, principal research scientist at Bitsight, wrote in an emailed statement that “automatic tank gauges are a prime example of the industrial control systems that underpin our most critical physical infrastructure – silently monitoring fuel levels at gas stations, military bases, airports, and hospitals around the clock. What today’s reported activity makes clear is that these systems are an active target, and the attack surface is larger than most people realize.”

He added that “Bitsight’s research has found that thousands of ATG systems remain directly accessible over the public internet, completely exposed to anyone who knows where to look — and we continue to find new systems coming online every day.” 

Noting that the consequences of exploitation go well beyond data theft, Edwards observed that threat actors who gain access to these systems could overfill tanks and trigger environmental disasters, disable critical safety alarms, or override physical relays to cause permanent, irreversible damage to equipment.

This incident should serve as an important warning to every critical infrastructure operator in the U.S., wrote Louis Eichenbaum, federal CTO at ColorTokens, in an emailed statement, adding that while no physical damage was reported this time, the implications are far more serious than simply manipulating fuel gauge readings on a screen. “Operational Technology (OT) environments rely heavily on Human Machine Interfaces (HMIs) and monitoring systems to give operators accurate situational awareness. If an adversary can compromise those systems and present false data, operators can be tricked into making dangerous decisions based on inaccurate information.”

“In a gas station environment, manipulated tank readings could potentially lead an operator to overfill a tank, fail to detect a leak, or improperly manage pressure and fuel distribution systems,” Eichenbaum pointed out. “In other OT environments, such as water treatment facilities, pipelines, manufacturing plants, or energy infrastructure, false telemetry could have even more severe consequences, ranging from environmental damage to safety incidents and operational outages. The larger issue is that many of these OT systems were never designed with cybersecurity in mind. They were built for reliability and availability, not to withstand modern nation-state cyber threats. Unfortunately, many remain internet-facing, poorly segmented, and inadequately monitored.”

He added that this is exactly why the cybersecurity conversation must move beyond prevention alone. “We are never going to patch fast enough or prevent every intrusion. The focus now must be on resilience, assuming an adversary may gain access and ensuring they cannot move laterally or manipulate critical operations at scale. Granular microsegmentation and zero trust principles are essential in OT environments because they help contain breaches, restrict unauthorized communications, and reduce the blast radius when a compromise occurs. The goal is not simply to stop every attack, but to ensure that a localized intrusion does not become a catastrophic operational event.”

Eichenbaum observed that what makes the automatic tank gauge incident particularly concerning is that it demonstrates how relatively unsophisticated compromises of exposed OT systems can create the conditions for real-world physical consequences. “Today, it was false tank readings. Tomorrow, it could be manipulated safety systems, disrupted fuel distribution, or compromised industrial controls.”
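One practical way to act on Eichenbaum's point that a compromised gauge or HMI can present false data: never rely on the displayed level alone, but reconcile it against records the ATG cannot alter. The following is an added example written for this article, not code from Bitsight, ColorTokens, the article's author or any ATG vendor. It cross-checks a series of ATG readings against dispenser sales totals and delivery tickets, and separately against manual stick measurements. The readings, deliveries, sales and stick values are constructed sample data, minute-of-day timestamps are a simplification, and the 50-gallon tolerance is an assumption an operator would tune per tank.

```python
"""Reconcile automatic tank gauge (ATG) readings against independent records.

Added example for this article, not code from Bitsight, ColorTokens or any
ATG vendor.  Because a compromised gauge or HMI can present false data, an
operator should compare the displayed level with records the ATG cannot
alter: dispenser sales totals, delivery tickets and manual stick readings.
All data below is constructed; the tolerance is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    minute: int      # minutes since midnight (constructed timestamps)
    gallons: float   # volume the ATG reports


def expected_volume(start_gal, deliveries, sales, t0, t1):
    """Volume implied by the previous reading plus deliveries minus sales
    recorded in the interval (t0, t1].  deliveries/sales are (minute, gallons)."""
    delivered = sum(g for m, g in deliveries if t0 < m <= t1)
    sold = sum(g for m, g in sales if t0 < m <= t1)
    return start_gal + delivered - sold


def reconcile(readings, deliveries, sales, tolerance_gal=50.0):
    """Flag each ATG reading whose change since the previous reading is not
    explained by the delivery and sales records.

    An unexplained LOSS is what an honest ATG shows during a leak or theft;
    an unexplained GAIN has no physical explanation without a delivery and
    is the signature of a falsified display (or a missing delivery ticket).
    """
    findings = []
    for prev, cur in zip(readings, readings[1:]):
        exp = expected_volume(prev.gallons, deliveries, sales, prev.minute, cur.minute)
        delta = cur.gallons - exp
        if abs(delta) > tolerance_gal:
            findings.append({
                "minute": cur.minute,
                "reported": cur.gallons,
                "expected": round(exp, 1),
                "delta": round(delta, 1),
                "kind": "unexplained_gain" if delta > 0 else "unexplained_loss",
            })
    return findings


def check_manual_sticks(readings, stick_readings, tolerance_gal=50.0):
    """Compare manual stick measurements with the ATG reading taken at the
    same minute.  This catches what reconcile() cannot: a display that keeps
    a constant offset, or is tuned to match the sales record, while the real
    level drifts away from it."""
    by_minute = {r.minute: r.gallons for r in readings}
    findings = []
    for minute, stick_gal in stick_readings:
        if minute not in by_minute:
            continue  # no ATG reading to compare against at that time
        delta = by_minute[minute] - stick_gal
        if abs(delta) > tolerance_gal:
            findings.append({"minute": minute, "atg": by_minute[minute],
                             "stick": stick_gal, "delta": round(delta, 1)})
    return findings


# Constructed sample data: hourly ATG readings, one delivery, dispenser sales,
# two manual stick readings.  From minute 180 on, the displayed level is
# 490 gal higher than the records support (a falsified display offset).
READINGS = [Reading(0, 8000.0), Reading(60, 7790.0), Reading(120, 7610.0),
            Reading(180, 9900.0), Reading(240, 9680.0)]
DELIVERIES = [(150, 2000.0)]                       # one 2,000-gal drop at 02:30
SALES = [(30, 110.0), (50, 100.0), (90, 180.0), (170, 200.0), (230, 220.0)]
STICKS = [(120, 7620.0), (240, 9180.0)]            # manual dips at 02:00, 04:00


if __name__ == "__main__":
    for f in reconcile(READINGS, DELIVERIES, SALES):
        print("ATG vs records:", f)
    for f in check_manual_sticks(READINGS, STICKS):
        print("ATG vs stick:  ", f)
```

The record-based check only fires at the moment the offset is introduced (the reading at minute 180), because afterwards the falsified display moves in step with sales and the next readings look consistent. The stick check is what exposes the persistent offset at minute 240, which is why an independent physical measurement, not just more telemetry, belongs in the procedure.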

“Malicious hackers will often target OT and IoT systems because, unlike IT systems, they often were not planned with cybersecurity in mind, they are not managed by IT professionals, and they are spread far and wide, unlike IT systems inside data centers,” John Gallagher, vice president of Viakoo Labs at Viakoo, wrote in an emailed statement. “Because these are fuel pumps operated by gas stations and fuel distributors, it is also likely that their network access is not managed well. How many are on the gas station guest Wi-Fi system versus being strictly controlled and monitored on separate networks?”

He noted that it’s unknown how many ‘test runs’ Iranian hackers have performed, or the depth of their intrusions. Ideally, if there were a quick and lightweight method of scanning that could be performed by fuel system operators to discover indicators of compromise, it would provide a better sense of the scale of this issue.  

“To mitigate these risks, fuel system operators should urgently review their network setup, remove or block external network access,” Gallagher said. “In addition, the manufacturers of fuel systems should be providing guidance on key basic cyber hygiene requirements: how to set up multi-factor authentication, how to update firmware, how to change passwords, and so forth. These functions don’t require manual changes to each gas pump (which would take forever and still leave these systems vulnerable); automated methods for firmware, password, and other security functions can make all fuel system operators capable of maintaining a strong cyber defense.” 

Unfortunately, most OT systems were designed without security in mind, pointed out Vincenzo Iozzo, CEO and co-founder at SlashID. “This includes the inability to patch them promptly or monitor them. Large Language Models (LLMs) are likely going to make these attacks more frequent as they further reduce the skill level required to launch these attacks. In the short term, the most effective approach we have to secure them is appropriate segmentation. Long term, these OT systems are some of the best candidates for architectural changes driven by LLMs.”

For critical infrastructure operators, Aleksandr Yampolskiy, CEO of SecurityScorecard, wrote in an emailed statement that the takeaway is straightforward: default credentials and internet-exposed OT are not acceptable in 2026. “The federal government has issued guidance on ATG security for years.”
