Advisory · Published Jun 2, 2026 · 1 source

CISA and Agencies Warn of Cyber Threats to Automatic Tank Gauge Systems

Multiple US federal agencies, including CISA and the FBI, have issued a joint warning about cyber threats targeting Automatic Tank Gauge (ATG) systems, urging immediate hardening measures.

CISA, in conjunction with the FBI, NSA, DOE, EPA, TSA, DOT, and USDA, has identified malicious cyber activity targeting Automatic Tank Gauge (ATG) systems across critical U.S. sectors. These systems are vital for monitoring storage tank parameters such as fuel levels, temperature, and leak detection in the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors. The agencies are urging owners and operators to secure these systems by implementing strong passwords and removing them from direct internet exposure to mitigate risks.

The observed threat involves cyber actors compromising internet-exposed ATG systems and subsequently modifying their configurations through command execution. While the U.S. government has not yet attributed this activity to a specific nation-state or threat actor group, the tactics, techniques, and procedures (TTPs) leveraged are concerning. Attack vectors include exploiting authentication bypass flaws and hardcoded credentials to gain unauthorized access to device management interfaces. Furthermore, threat actors are utilizing OS command execution and SQL injection techniques to execute arbitrary code and manipulate underlying databases, potentially leading to privilege escalation and full administrative control over the device.

Successful exploitation of these vulnerabilities could allow threat actors to directly interfere with critical tank management functions, mimicking legitimate physical access to the system console. The potential consequences include the alteration of system attributes such as network settings, product identifiers, tank volumes, and pump controls. This could lead to compounded operational malfunctions, creating denial-of-view conditions for tank fill levels, which may result in permanent damage to the tank system's core functionality. Additionally, threat actors could disable system alerts, significantly increasing the risk of environmental or physical hazards from undetected leaks or relay failures.

To counter these threats, the authoring organizations recommend several critical mitigation strategies. Foremost among these is the elimination of public internet exposure for ATG systems. This means not directly exposing serial ports (commonly using TCP ports 8001, 9001, or 10001) or other applicable web interfaces to the internet. For necessary remote access, organizations are advised to implement strict access controls, such as firewalls or virtual private networks (VPNs).

Credential security is another paramount recommendation. Owners must immediately change any default passwords and enforce the use of strong, unique security codes and administrative credentials for all interfaces. The implementation of phishing-resistant multifactor authentication (MFA) is also strongly encouraged wherever feasible. For organizations unfamiliar with these procedures, seeking assistance from their ATG service provider is advised.

Applying available patches and updates is also crucial. Owners should collaborate with certified ATG service providers to verify compliance, update software, and install the latest security patches released by manufacturers. Continuous monitoring and reporting are also essential components of a robust defense strategy. Organizations should actively monitor their networks for unauthorized access, enable logging, and audit logs to detect exposures of ATG device interfaces, suspicious connections, alarm modifications, and other system changes.
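The exposure and monitoring recommendations above can be combined into a simple log audit. The following Python sketch is an added example, not part of the advisory: it flags connections to the ATG serial-over-TCP ports named above (8001, 9001, 10001) that come from sources outside an approved management range. The log line format, the allowlisted networks, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Serial-over-TCP ports the advisory names as commonly used by ATG systems.
ATG_PORTS = {8001, 9001, 10001}

# Assumption: sources approved to reach ATG interfaces (management VLAN, VPN pool).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.0.0/28")]

# Assumption: a simple firewall log format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log; addresses are from documentation and private ranges.
SAMPLE_LOG = """\
2026-06-01T08:00:01Z ALLOW TCP 10.20.0.7:50212 -> 10.20.0.15:10001
2026-06-01T08:03:44Z ALLOW TCP 203.0.113.45:41822 -> 10.20.0.15:10001
2026-06-01T08:03:59Z DENY TCP 198.51.100.9:60001 -> 10.20.0.16:8001
2026-06-01T08:05:10Z ALLOW TCP 203.0.113.45:41901 -> 10.20.0.15:443
2026-06-01T08:06:31Z ALLOW TCP 10.99.0.3:39910 -> 10.20.0.16:9001
malformed line that should be skipped
"""

def is_allowed(src):
    """True if the source address falls inside an approved management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_atg_exposure(log_text):
    """Map (dst, port) -> [(ts, src, action)] for ATG-port hits from unapproved sources."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        port = int(m["dport"])
        if port in ATG_PORTS and not is_allowed(m["src"]):
            findings[(m["dst"], port)].append((m["ts"], m["src"], m["action"]))
    return dict(findings)

def reachable_from_outside(findings):
    """Devices where an unapproved source was ALLOWed through, i.e. directly exposed."""
    return sorted(k for k, hits in findings.items() if any(a == "ALLOW" for _, _, a in hits))

if __name__ == "__main__":
    results = find_atg_exposure(SAMPLE_LOG)
    print("exposed ATG interfaces:", reachable_from_outside(results))
```

DENY entries on these ports still appear in the findings because they show the interface is being probed even though the firewall is blocking it; ALLOW entries from unapproved sources indicate the device needs to be moved behind a firewall or VPN.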

Organizations are encouraged to report any suspected incidents promptly to the CISA portal. Engaging third-party service providers to adopt recommended primary mitigations for Operational Technology (OT) is also advised. Resources such as CISA's guidance on reducing internet exposure and information on mitigating cyber threats to OT and ICS are available to assist organizations in enhancing their security posture.

Synthesized by Vypr AI