The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning about ongoing cyberattacks targeting fuel tank monitoring systems used across critical infrastructure sectors. Attackers are exploiting vulnerable automatic tank gauge (ATG) systems to gain unauthorized access to operational technology networks, potentially disrupting fuel supply chains and creating safety hazards. Organizations operating fuel storage facilities must immediately audit their ATG systems, segment networks, and implement enhanced monitoring to prevent compromise.
Introduction
Critical infrastructure operators face a new and immediate threat as CISA confirms active exploitation campaigns targeting fuel tank monitoring systems. These attacks represent a significant escalation in threats against operational technology (OT) environments, moving beyond traditional IT networks to target the physical systems that monitor and control fuel storage across gas stations, airports, military installations, and industrial facilities.
Automatic tank gauge systems serve as the digital backbone of fuel inventory management, monitoring fuel levels, detecting leaks, and managing automated ordering systems. Their compromise could enable attackers to manipulate fuel inventory data, trigger false alarms, mask actual leaks, or use these systems as pivot points to access broader facility networks. With thousands of vulnerable systems potentially exposed to the internet, the attack surface is substantial and the consequences potentially catastrophic.
Background & Context
Automatic tank gauge systems have evolved from simple mechanical float gauges to sophisticated networked devices that provide real-time monitoring, automated reporting, and integration with business management systems. Major manufacturers include Veeder-Root, OPW Fuel Management Systems, and Franklin Fueling Systems, with installations numbering in the hundreds of thousands across North America alone.
These systems typically consist of console hardware installed at fuel facilities, probes inserted into fuel tanks, and network connectivity enabling remote monitoring and management. Many ATG systems were deployed years ago with minimal security considerations, often running outdated firmware and using default credentials. The push toward connected infrastructure and remote management has inadvertently expanded the attack surface without corresponding security enhancements.
Previous security research has identified vulnerabilities in popular ATG systems, including weak authentication mechanisms, unencrypted communications, and inadequate access controls. Shodan and similar internet scanning tools reveal thousands of ATG systems with direct internet exposure, many displaying login portals or exposing telnet and HTTP services without proper hardening.
CISA’s warning comes amid broader concerns about OT security, following high-profile attacks against water treatment facilities, pipeline operators, and other critical infrastructure. The convergence of IT and OT networks has created new pathways for attackers to move from corporate networks into operational systems controlling physical processes.
Technical Breakdown
The attack campaigns targeting ATG systems leverage multiple vectors to achieve initial access and maintain persistence. Threat actors are primarily exploiting weak credential management, with many installations still using factory default passwords or easily guessable credentials. Common default credentials for major ATG manufacturers remain publicly documented and unchanged across thousands of installations.
Attackers typically follow this attack chain:
Initial Reconnaissance: Threat actors use internet scanning tools to identify exposed ATG systems by searching for characteristic HTTP headers, service banners, or specific web interfaces. Systems exposing ports 10001 (common for Veeder-Root systems), 80/443 (web interfaces), or 23 (telnet) become prime targets.
Credential Access: Attackers attempt authentication using default credentials, credential stuffing attacks, or brute force methods. Many ATG systems lack account lockout mechanisms, allowing unlimited authentication attempts. Successful authentication often provides administrative access to the entire system.
Lateral Movement: Once inside an ATG system, attackers explore network connectivity to identify connections to corporate networks, SCADA systems, or other OT infrastructure. Many facilities fail to properly segment ATG systems, allowing attackers to pivot from fuel monitoring systems into broader facility networks.
Persistence and Manipulation: Attackers may install backdoors, modify system configurations, or manipulate monitoring data. Some campaigns have involved disabling alarm systems, altering fuel level readings, or accessing historical data for reconnaissance purposes.
The technical sophistication varies significantly across observed campaigns. Some attacks appear opportunistic, seeking any accessible system for botnet recruitment or cryptocurrency mining. More concerning are targeted operations showing reconnaissance patterns consistent with intelligence gathering or pre-positioning for future disruptive attacks.
Impact & Risk Assessment
The potential consequences of compromised fuel tank monitoring systems extend far beyond data theft, creating real-world safety and operational risks:
Safety Hazards: Attackers manipulating ATG systems could disable leak detection mechanisms, mask environmental spills, or trigger false alarms that desensitize operators to actual emergencies. Fuel leaks pose environmental contamination risks and fire hazards.
Supply Chain Disruption: Compromised inventory management could cause artificial shortages, distribution failures, or economic losses. Automated ordering systems could be manipulated to over-order or prevent necessary fuel deliveries.
Economic Impact: Individual gas stations operate on thin margins where inventory discrepancies directly impact profitability. Widespread attacks could cause cascading economic effects across the fuel distribution sector.
Critical Infrastructure Targeting: Military bases, airports, hospitals, and emergency services depend on reliable fuel supplies. Attacks timed to coincide with crises or emergencies could amplify broader disaster scenarios.
Pivot Point for Broader Attacks: ATG systems often connect to corporate networks, payment systems, and facility management infrastructure. Compromise provides attackers with footholds for expanding access across organizations.
Organizations in the highest risk categories include truck stops, marine fueling facilities, airport fuel farms, military installations, bulk fuel distributors, and large commercial facilities with emergency backup generators requiring monitored fuel supplies.
Vendor Response
Major ATG manufacturers have responded to CISA’s warning with varying levels of urgency and transparency. Veeder-Root, controlling significant market share, has published security advisories recommending firmware updates and configuration hardening for their TLS-350 and TLS-450 console systems. The company emphasizes that systems following their documented security best practices are not vulnerable to the most common attack vectors.
OPW Fuel Management Systems issued guidance for their SiteSentinel and INCON systems, highlighting the importance of network segmentation and disabling unnecessary remote access features. Franklin Fueling Systems has directed customers to their certified installer network for security assessments and remediation support.
However, vendor response faces practical challenges. Many installed systems are no longer under active support contracts, and organizations may lack relationships with the original installers. Legacy systems may lack security update mechanisms entirely, requiring hardware replacement rather than software patches. The fragmented nature of the industry, with numerous small operators and independent installations, complicates coordinated response efforts.
CISA is coordinating with the Department of Energy, Environmental Protection Agency, and industry associations to disseminate warnings and facilitate remediation across the affected sectors.
Mitigations & Workarounds
Organizations operating fuel tank monitoring systems should immediately implement these mitigations:
Credential Management:
- Change all default credentials immediately
- Implement strong password policies (minimum 16 characters)
- Use unique credentials for each ATG system
- Enable multi-factor authentication where supported
Network Segmentation:
- Isolate ATG systems on dedicated VLANs separated from corporate networks
- Implement firewalls between OT and IT network segments
- Disable direct internet connectivity to ATG systems
- Require VPN access through hardened jump hosts for remote management
Access Control:
- Conduct immediate audit of all accounts with ATG system access
- Disable unused accounts and services
- Implement principle of least privilege
- Maintain detailed access logs for forensic purposes
System Hardening:
- Disable unnecessary network services
- Close unused ports (telnet, unnecessary HTTP interfaces)
- Enable encryption for all communications where supported
- Apply latest firmware updates from manufacturers
Monitoring and Alerting:
- Deploy intrusion detection systems monitoring ATG network segments
- Configure alerts for authentication failures, configuration changes, and unusual network traffic
- Implement file integrity monitoring on ATG system configurations
Detection & Monitoring
Security teams should implement comprehensive monitoring to detect compromise indicators:
Network-Based Detection:
- Monitor for suspicious authentication patterns
- Detect unusual outbound connections from ATG systems
- Alert on protocol anomalies or unexpected service usage
- Track configuration changes via SNMP or syslog where available
Log Analysis Priorities:
- Failed authentication attempts exceeding baselines
- Successful logins from unusual source IPs or at unusual times
- Configuration modifications, especially to alarm thresholds or network settings
- Data exfiltration patterns or unexpected data transfers
Behavioral Indicators:
- ATG systems communicating with unexpected external IPs
- Changes to fuel level readings inconsistent with delivery schedules
- Disabled or modified alarm configurations
- New user accounts or privilege escalations
Organizations should correlate ATG system logs with broader security monitoring platforms. Many ATG systems support syslog forwarding, enabling centralized monitoring through SIEM platforms.
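A worked version of the log analysis priorities above, run over forwarded console syslog: this is an added example, not code from the advisory or any ATG vendor. The log format, the management subnet 10.50.1.0/24, the failure baseline of 3 and the business-hours window are all constructed assumptions; adapt them to the console's real syslog output and the site's jump-host addresses.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample syslog lines in a hypothetical ATG console format (not a
# real vendor format); assumes the console forwards auth and config events.
SAMPLE_LOGS = """\
2024-05-01T02:11:03 atg-site12 auth: LOGIN FAILED user=admin src=203.0.113.8
2024-05-01T02:11:05 atg-site12 auth: LOGIN FAILED user=admin src=203.0.113.8
2024-05-01T02:11:07 atg-site12 auth: LOGIN FAILED user=admin src=203.0.113.8
2024-05-01T02:11:09 atg-site12 auth: LOGIN FAILED user=operator src=203.0.113.8
2024-05-01T02:11:14 atg-site12 auth: LOGIN OK user=admin src=203.0.113.8
2024-05-01T02:12:40 atg-site12 config: ALARM leak_detect=disabled by=admin
2024-05-01T09:30:00 atg-site12 auth: LOGIN OK user=tech1 src=10.50.1.5
2024-05-01T09:35:12 atg-site12 config: THRESHOLD tank=2 high_water=0.9 by=tech1
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
JUMP_HOST_NET = ip_network("10.50.1.0/24")   # assumed management subnet (jump hosts)
FAILED_BASELINE = 3                          # assumed failed-login baseline per source
BUSINESS_HOURS = range(7, 19)                # assumed 07:00-18:59 local site hours

def parse(line):
    # Split a line into timestamp, host, facility, message and its key=value pairs
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["kv"] = dict(kv.split("=", 1) for kv in d["msg"].split() if "=" in kv)
    return d

def detect(lines):
    """Return (rule, detail) alerts for the log analysis priorities listed above."""
    alerts, failures = [], Counter()
    for ev in filter(None, map(parse, lines)):
        msg, kv = ev["msg"], ev["kv"]
        if msg.startswith("LOGIN FAILED"):
            failures[kv["src"]] += 1
            if failures[kv["src"]] == FAILED_BASELINE + 1:  # alert once per source
                alerts.append(("auth_failures_exceed_baseline", kv["src"]))
        elif msg.startswith("LOGIN OK"):
            if ip_address(kv["src"]) not in JUMP_HOST_NET:  # not via the jump hosts
                alerts.append(("login_from_unexpected_source", kv["src"]))
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("login_outside_business_hours", kv["user"]))
        elif ev["facility"] == "config" and msg.split()[0] in ("ALARM", "THRESHOLD"):
            alerts.append(("alarm_or_threshold_modified", msg))  # always worth a ticket
    return alerts
```

On the constructed sample the external source trips the failure baseline, then logs in successfully at 02:11 and disables leak detection; the technician's daytime threshold change from the management subnet is still surfaced as a configuration change, but raises no authentication alert.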
Forensic Indicators:
If compromise is suspected, examine:
- Console login histories
- Network connection logs
- Configuration file timestamps and modification records
- Tank inventory discrepancies against delivery records
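Reconciling tank readings against delivery records covers both the behavioral indicator above (level changes inconsistent with delivery schedules) and the forensic check just listed. This is an added example, not from the advisory or any vendor; the hourly readings, the single bill-of-lading delivery, the peak dispensing rate and the metering tolerance are constructed assumptions for one site.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real site): hourly tank readings in
# gallons from a hypothetical ATG console, and the site's delivery records from
# bills of lading, which are kept independently of the ATG and so survive tampering.
READINGS = [  # (timestamp, tank, gallons)
    ("2024-05-01T00:00", 1, 6200), ("2024-05-01T01:00", 1, 6050),
    ("2024-05-01T02:00", 1, 5900), ("2024-05-01T03:00", 1, 9800),
    ("2024-05-01T04:00", 1, 9650), ("2024-05-01T05:00", 1, 9500),
    ("2024-05-01T06:00", 1, 9350), ("2024-05-01T07:00", 1, 6100),
    ("2024-05-01T08:00", 1, 7600),
]
DELIVERIES = [("2024-05-01T02:30", 1, 4000)]  # (timestamp, tank, gallons delivered)
MAX_HOURLY_DRAW = 400   # assumed peak dispensing rate for this site (gal/h)
SLACK = 150             # assumed metering tolerance (gal)

def reconcile(readings, deliveries, skew=timedelta(minutes=15)):
    """Return (finding, at, delta, delivered) for level changes that the
    delivery schedule plus plausible dispensing cannot explain."""
    ts = datetime.fromisoformat
    findings = []
    for (t0, tank, v0), (t1, tank1, v1) in zip(readings, readings[1:]):
        if tank != tank1:
            continue
        t0, t1 = ts(t0), ts(t1)
        hours = (t1 - t0).total_seconds() / 3600
        # Deliveries booked inside this interval (allowing for clock skew)
        delivered = sum(g for td, tk, g in deliveries
                        if tk == tank and t0 - skew <= ts(td) <= t1 + skew)
        delta = v1 - v0
        if delta > delivered + SLACK:
            # Level rose more than any booked delivery: suspect falsified
            # readings (e.g. masking an earlier loss) or an unrecorded drop
            findings.append(("rise_without_matching_delivery", t1.isoformat(), delta, delivered))
        elif delta < delivered - MAX_HOURLY_DRAW * hours - SLACK:
            # Level fell faster than the pumps can dispense: leak, theft or
            # manipulated readings; the delivery record says which is plausible
            findings.append(("drop_exceeds_dispensing_capacity", t1.isoformat(), delta, delivered))
    return findings
```

Readings through 06:00 reconcile cleanly with the 02:30 delivery; the 3,250-gallon drop at 07:00 and the 1,500-gallon rise at 08:00 with no delivery booked are the discrepancies to hand to the responders.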
Best Practices
Long-term security for fuel tank monitoring systems requires comprehensive operational security practices:
Asset Management: Maintain complete inventories of all ATG systems, including models, firmware versions, network connectivity, and responsible personnel. Many organizations lack basic awareness of their ATG system deployments.
Vendor Management: Establish clear security requirements in contracts with ATG vendors and installation companies. Require security assessments before deployment and periodic security audits thereafter.
Incident Response Planning: Develop specific playbooks for ATG system compromises, including procedures for isolating systems, verifying inventory accuracy, and conducting manual monitoring during recovery operations.
Training and Awareness: Ensure personnel responsible for fuel systems understand cybersecurity fundamentals. Facility managers and maintenance staff may lack cybersecurity training despite managing internet-connected industrial systems.
Regular Security Assessments: Conduct periodic vulnerability assessments of ATG systems and associated networks. Engage third-party security firms familiar with OT environments for independent validation.
Defense in Depth: Implement multiple security layers rather than relying on single controls. Combine network segmentation, access controls, monitoring, and physical security measures.
Regulatory Compliance: Align ATG security with relevant frameworks including NIST Cybersecurity Framework, ICS-CERT guidelines, and industry-specific standards for fuel handling facilities.
Key Takeaways
- CISA confirms active exploitation campaigns targeting fuel tank monitoring systems across critical infrastructure sectors
- Attackers are leveraging weak credentials, internet-exposed systems, and inadequate network segmentation to compromise ATG systems
- Compromised systems pose safety risks, supply chain disruption potential, and serve as pivot points into broader networks
- Immediate actions required include credential changes, network isolation, and enhanced monitoring
- Long-term security requires comprehensive OT security programs addressing people, processes, and technology
- The convergence of IT and OT continues creating new attack surfaces requiring specialized security approaches
- Organizations must treat fuel monitoring systems as critical infrastructure components deserving appropriate security investment
References
- CISA Advisory: Cybersecurity Best Practices for Fuel Tank Monitoring Systems
- ICS-CERT: Securing Automatic Tank Gauge Systems
- NIST Special Publication 800-82: Guide to Industrial Control Systems Security
- Veeder-Root Security Advisories and Best Practices Documentation
- Department of Energy: Cybersecurity Capability Maturity Model for Critical Infrastructure
- SANS ICS Security: Operational Technology Threat Landscape Report
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.