In a joint effort to protect critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and the Department of Transportation, recently issued an urgent alert about malicious cyber activity targeting U.S.-based automatic tank gauge (ATG) systems.
These systems let haulers and distributors of fuels, chemicals, and food-grade liquids monitor tank level and temperature and detect leaks remotely. The agencies report that they are being actively compromised by malicious cyber threat actors.
The threat to bulk distribution
ATG systems are widely deployed across the transportation and energy sectors for automated remote monitoring of storage tank parameters. According to the alert, threat actors, who have not been attributed to a specific nation-state, are exploiting ATG systems that are reachable from the internet.
Once they have unauthorized access, these actors can interact with tank management functions as if they were at the local system console. From there they can:
- Alter system attributes, including pump controls, tank volumes, and product identifiers.
- Disable system alerts, which greatly raises the chance that an environmental hazard or a physical incident, such as a leak or relay failure, goes unnoticed.
- Create “denial of view” conditions, in which operators cannot see tank fill levels, potentially leading to permanent damage to critical tank functions.
How systems are being compromised
Cyber threat actors are using several techniques to take control of these systems: authentication bypass, abuse of hardcoded credentials, OS command execution, and SQL injection. The latter two are used to manipulate the underlying database and escalate to full administrator privileges.
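As an added illustration of two of the techniques named above (SQL injection used as an authentication bypass) and of their fix, here is a hypothetical login handler for an ATG web console written for this article; it is example code, not taken from the advisory or from any vendor's product. The `users` table, user names, secrets and roles are all constructed. The vulnerable version formats the username straight into the query, so a crafted name comments out the secret check and returns the administrator role; the hardened version uses a parameterised query, a username allow-list and a constant-time digest comparison, so the same input is simply a non-existent user:

```python
import hashlib
import hmac
import re
import sqlite3
from typing import Optional


# Constructed user table for a hypothetical ATG web console (not a real
# product's schema). Secrets are stored as unsalted SHA-256 only to keep the
# example short; a real console should use a salted, slow password hash.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret_hash TEXT, role TEXT)")
    for name, secret, role in (("admin", "S3cure-Admin!", "administrator"),
                               ("viewer", "look-only", "operator")):
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, hashlib.sha256(secret.encode()).hexdigest(), role))
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, secret: str) -> Optional[str]:
    """Returns the role on success. The SQL is built by string formatting, so
    the username is interpreted as SQL: the name  admin'--  turns the rest of
    the WHERE clause into a comment and yields the administrator role with no
    valid secret at all (authentication bypass via SQL injection)."""
    digest = hashlib.sha256(secret.encode()).hexdigest()
    query = (f"SELECT role FROM users WHERE name = '{name}' "
             f"AND secret_hash = '{digest}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


# Usernames are restricted to a small character set before they touch the DB.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_hardened(db: sqlite3.Connection, name: str, secret: str) -> Optional[str]:
    """Same lookup done safely: allow-listed input, a bound parameter instead
    of string formatting, and a constant-time comparison of the digest so the
    secret check can be neither skipped nor timed."""
    if not NAME_RE.match(name):
        return None
    row = db.execute("SELECT secret_hash, role FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return None
    stored_hash, role = row
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, digest):
        return None
    return role


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "admin'--", "anything"))   # administrator
    print(login_hardened(db, "admin'--", "anything"))     # None
    print(login_hardened(db, "admin", "S3cure-Admin!"))   # administrator
```

The same pattern applies to the OS command execution the advisory mentions: anywhere a device passes user-controlled text to a shell, the fix is the same shape as the parameterised query (pass arguments as a list, never through shell interpolation), and hardcoded or default credentials defeat even a correct handler, which is why the mitigations below start with changing them.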
Essential steps for hardening systems
The authoring agencies urge ATG owners and operators to take immediate action to defend their infrastructure. The following mitigations are recommended:
- Eliminate public internet exposure: Do not expose ATG serial ports (usually reachable through serial-to-IP converters) or web interfaces directly to the internet. If remote access is required, place the device behind a VPN and restrict the permitted source addresses with a firewall or access control list (ACL).
- Enforce credential security: Change all default passwords and security codes immediately and replace them with strong, unique values. Use multifactor authentication (MFA) wherever the device or its remote-access path supports it.
- Apply security patches: Work with certified service providers to keep ATG software current and to confirm that all manufacturer security patches have been applied.
- Monitor and log activity: Enable network and device logging, and review it for unauthorized connections, suspicious alarm behaviour, and unauthorized changes to tank labels and thresholds.
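To make the exposure and monitoring steps concrete, the following added script (written for this article, not part of the advisory) checks a constructed sample of ATG gateway log lines against an assumed management-VPN allow-list and flags exactly the events the agencies say to look for: connections from unexpected sources, changes to tank labels and alarm thresholds, and alarms being disabled. The log format, the device name `ATG-07`, the `10.20.0.0/24` allow-list and the watched field names are all assumptions; adapt the regex and allow-list to your own gateway and network:

```python
import ipaddress
import re
from typing import Iterable, Optional

# Constructed sample of ATG gateway log lines in a hypothetical key=value
# format. Real devices and gateways each have their own; adjust LINE_RE.
SAMPLE_LOG = """\
2024-09-25T03:12:44Z ATG-07 CONNECT src=10.20.0.15
2024-09-25T03:13:01Z ATG-07 CONNECT src=203.0.113.45
2024-09-25T03:13:09Z ATG-07 SET src=203.0.113.45 tank=2 field=label old=Diesel new=Unleaded
2024-09-25T03:13:15Z ATG-07 SET src=203.0.113.45 tank=2 field=high_alarm old=95 new=100
2024-09-25T03:13:20Z ATG-07 ALARM src=203.0.113.45 tank=2 type=overfill state=disabled
2024-09-25T03:14:02Z ATG-07 SET src=10.20.0.15 tank=1 field=low_alarm old=10 new=10
2024-09-25T03:15:30Z ATG-07 READ src=10.20.0.15 tank=1 level=61.2
"""

# Assumed: the only legitimate source of remote ATG traffic is the management
# VPN range that the firewall/ACL permits. Any other source is an exposure.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Settings whose change alters safety behaviour or what the operator sees.
WATCHED_FIELDS = {"label", "product", "high_alarm", "low_alarm"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<event>[A-Z]+) (?P<rest>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into timestamp, device, event and a key=value map."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kv"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split() if "=" in kv)
    return rec


def is_allowed(src: str) -> bool:
    """True only for syntactically valid addresses inside an allowed network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def analyze(lines: Iterable[str]) -> list:
    """Apply the three detection rules and return one finding per hit."""
    findings = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        kv, event, src = rec["kv"], rec["event"], rec["kv"].get("src", "")
        # Rule 1: any traffic from outside the allow-list is an exposure.
        if src and not is_allowed(src):
            findings.append({"ts": rec["ts"], "rule": "unauthorized_source",
                             "src": src, "event": event})
        # Rule 2: a watched setting actually changed (old != new).
        if event == "SET" and kv.get("field") in WATCHED_FIELDS and kv.get("old") != kv.get("new"):
            findings.append({"ts": rec["ts"], "rule": "config_change", "src": src,
                             "detail": f"tank {kv.get('tank')} {kv['field']}: "
                                       f"{kv.get('old')} -> {kv.get('new')}"})
        # Rule 3: an alarm was switched off rather than cleared by the process.
        if event == "ALARM" and kv.get("state") == "disabled":
            findings.append({"ts": rec["ts"], "rule": "alarm_suppressed", "src": src,
                             "detail": f"tank {kv.get('tank')} {kv.get('type')} disabled"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample the script reports seven findings, all from `203.0.113.45`: four unauthorized-source hits, two configuration changes (a relabelled tank and a raised high-level alarm threshold) and one disabled overfill alarm, while the in-range operator's no-op threshold write and level read produce nothing. In practice an `unauthorized_source` finding means the firewall or ACL from the first mitigation is not doing its job, and a `config_change` or `alarm_suppressed` finding from any source should be reconciled against a maintenance ticket before it is dismissed.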
Reporting and resources
Bulk liquid transporters and distributors are encouraged to review their security posture and report any suspicious activity. If a compromise is suspected, incidents should be reported to the CISA 24/7 Operations Center or the FBI’s Internet Crime Complaint Center (IC3).
By taking these steps, industry stakeholders can reduce the likelihood of a cyberattack that could disrupt operations or cause significant environmental and physical damage.