ProBackend

Exposed ATG Cyberattacks Endanger US Fuel Infrastructure

Cyberattackers are targeting internet-exposed automatic tank gauge (ATG) systems across the United States. Federal agencies warn of immediate physical and operational risks.

The Vulnerability Right Below Our Feet

Stop pretending that critical infrastructure security is solely about high-end nuclear centrifuges or sophisticated cloud databases. Sometimes the most dangerous backdoors are in the most mundane places—like local gas stations or industrial liquid storage depots. Across the United States, hundreds of automatic tank gauges (ATGs) are sitting wide open on the public internet, practically inviting malicious actors to manipulate fuel readings, mess with pump systems, or disable safety alarms entirely.

It's a bizarre, avoidable mess. If you look at the raw numbers, the United States is overwhelmingly the global outlier. Recent scans show that the vast majority of unprotected, internet-exposed ATGs in the wild today are located right here in the U.S. While security analysts have successfully pressured many operators to pull these systems offline over the past decade, 909 devices remain exposed to the open web, according to data from The Shadowserver Foundation. That's not just a statistical anomaly; it's a direct invitation to threat groups, including state-sponsored adversaries looking to cause digital disruption on American soil.

The feds have finally lost their patience. A massive coalition of eight federal agencies—including CISA, the FBI, the NSA, and the Department of Energy—recently released a joint advisory sounding the alarm. They're warning site owners that these systems are actively being targeted. They aren't exaggerating. Reports have already linked recent campaigns against U.S. gas stations to actors associated with Iranian cyber units. The risk is no longer theoretical.


What Exactly is an Automatic Tank Gauge?

To understand why this is such a headache, you have to understand what an automatic tank gauge actually does. It's a deceptively simple device. In essence, it's an electronic probe dropped into a physical storage tank containing fuel, hazardous chemicals, or other industrial liquids. This probe measures temperature, volume, and water level, sending that data to a local display or console.

From there, the console passes the telemetry to broader Supervisory Control and Data Acquisition (SCADA) networks. This allows remote operators to keep tabs on inventory and, more importantly, detect tank leaks before they turn into environmental disasters. Many of these units do more than just read numbers; they trigger emergency shutdown protocols or alert personnel when pressure levels reach a critical threshold.

However, because these systems are designed to operate continuously for decades, they are built with reliability, not security, in mind. The goal was simple: make sure the sensor survives in an underground gasoline tank for fifteen years without needing a technician to dig it up. Security was an afterthought—or more accurately, it was never on the radar.


Inside the Federal Warning on ATGs

The joint federal advisory is a remarkable document, if only for the sheer breadth of its authors. It was signed by CISA, the FBI, the NSA, the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, the Department of Transportation, and the Department of Agriculture. When eight separate agencies coordinate a response for a single class of hardware, you know something's broken.

The agencies noted that they have observed malicious cyber groups exploiting vulnerabilities in ATGs to alter tank readings, manipulate pump controls, and modify local system settings. By meddling with temperature or volume data, an attacker can mask a leak or fake a tank emergency. Even worse, if you disable the built-in alerts, a real hazard—like an overfill or chemical spill—could go unnoticed until it's too late.

To make matters worse, these devices are plagued by severe security bugs. A research study by Bitsight identified seven critical zero-day vulnerabilities across six major ATG models. These vulnerabilities included command-injection flaws with perfect CVSS scores of 10.0 out of 10.0, authentication bypasses, and hardcoded credentials that can't be easily updated. When you place a device with those vulnerabilities directly onto the open internet without so much as a firewall, you're essentially leaving the front door unlocked and hoping no one walks by.

SCADA Security and the Legacy Device Trap

Why are so many of these devices connected to the internet in the first place? The root cause is a classic operational technology (OT) trap: convenience always wins over security. Operators wanted a cheap, easy way to check fuel levels from their phones or home computers, and plugging the ATG console directly into a standard internet connection was the easiest way to do it.

According to scanning data from The Shadowserver Foundation, the U.S. has 909 of these exposed devices, while Canada has 30, Australia has 22, the UK has 4, and Brazil has 4. What explains this massive disparity? It's likely a combination of the sheer volume of independent gas stations in the U.S. and a legacy habit of configuring remote management without checking the network topology.

Ten years ago, the situation was even worse. Scans from that era detected nearly 6,000 exposed ATGs in the U.S., meaning that cyber defenders have made substantial progress. But progress is a poor shield when a single compromised chemical tank can shut down a facility. These legacy systems aren't designed to host security agents, run antivirus software, or handle complex encryption. They're simple, fragile, and inherently insecure by design.

Concrete Hardening Steps for Operators

Securing these systems starts with a simple rule: if it doesn't absolutely need to be on the public internet, pull it off immediately. Many OT security experts agree that network segmentation is no longer enough. The priority has to be complete isolation from public networks. If remote access is mandatory, it must be hardened using strong credential controls, multi-factor authentication, and encrypted virtual private networks (VPNs).

Andrew Ginter, a veteran industrial security advocate, has argued that OT security must focus on physical or unidirectional solutions rather than relying on firewalls alone. Implementing unidirectional security gateways allows data to flow out from the ATG to the business network for inventory tracking, while physically blocking any inbound data packets or commands from entering the control network.

Beyond digital networking, physical engineering controls serve as the ultimate backstop. Overfill float valves, mechanical pressure release valves, and independent analog gauges provide a layer of safety that cannot be disabled by a line of malicious code. Even if a threat actor gains full administrative access to an ATG and spoofs the tank readings, physically unhackable hardware mitigations will prevent a catastrophic rupture or spill.
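The advisory's warning that attackers alter volume and water readings or switch off the console's alarms, and the point above that independent physical measurements are the backstop, both come down to one defensive idea: never trust the gauge as the sole witness. The following Python script is an added example, not code from the advisory, Bitsight, Shadowserver, or any ATG vendor. It reconciles a tank's ATG-reported volume against independently metered dispenser sales and truck deliveries, and flags changes the meters cannot explain (a real leak or a spoofed reading), a reported volume above the tank's rated capacity, a water level the console should have alarmed on, and any transition from alarms armed to alarms disarmed. All telemetry and meter data below are constructed; the tank capacity, tolerance and water limit are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TankSample:
    ts: int               # seconds since the start of the monitoring window
    volume_gal: float     # volume as reported by the ATG console
    water_in: float       # water level at the tank bottom, in inches
    alarms_enabled: bool  # whether the console's own alarms are armed


@dataclass(frozen=True)
class MeterEvent:
    """Independent measurement that does not come from the ATG."""
    ts: int
    dispensed_gal: float = 0.0  # metered at the dispensers
    delivered_gal: float = 0.0  # metered from the delivery truck / bill of lading


# (timestamp, finding code, human-readable detail)
Finding = Tuple[int, str, str]


def reconcile(samples: List[TankSample], events: List[MeterEvent],
              capacity_gal: float, tolerance_gal: float = 25.0,
              water_limit_in: float = 2.0) -> List[Finding]:
    """Cross-check ATG readings against meter data and physical limits."""
    findings: List[Finding] = []
    prev = None
    for s in sorted(samples, key=lambda x: x.ts):
        if prev is not None:
            # Volume change the independent meters account for in (prev.ts, s.ts]
            expected = sum(e.delivered_gal - e.dispensed_gal
                           for e in events if prev.ts < e.ts <= s.ts)
            observed = s.volume_gal - prev.volume_gal
            gap = observed - expected
            if gap < -tolerance_gal:
                findings.append((s.ts, "UNEXPLAINED_LOSS",
                                 f"{-gap:.0f} gal missing vs meters: leak or tampered reading"))
            elif gap > tolerance_gal:
                findings.append((s.ts, "UNEXPLAINED_GAIN",
                                 f"{gap:.0f} gal appeared with no delivery: tampered reading"))
            if prev.alarms_enabled and not s.alarms_enabled:
                findings.append((s.ts, "ALARMS_DISABLED",
                                 "console alarms went from armed to disarmed"))
        # Physical sanity checks that do not depend on the console's alarm logic
        if s.volume_gal > capacity_gal:
            findings.append((s.ts, "OVER_CAPACITY",
                             f"reported {s.volume_gal:.0f} gal exceeds rated {capacity_gal:.0f} gal"))
        if s.water_in > water_limit_in:
            findings.append((s.ts, "WATER_HIGH",
                             f"{s.water_in:.1f} in of water exceeds {water_limit_in:.1f} in limit"))
        prev = s
    return findings


def sample_day() -> Tuple[List[TankSample], List[MeterEvent]]:
    """Constructed telemetry for one 12,000 gal tank over six hours (not real site data)."""
    samples = [
        TankSample(0,     8000.0,  0.2, True),
        TankSample(3600,  7900.0,  0.2, True),   # 100 gal sold, meters agree
        TankSample(7200,  7700.0,  0.2, True),   # 200 gal gone, only 40 gal sold
        TankSample(10800, 10700.0, 0.2, True),   # 3000 gal delivery, meters agree
        TankSample(14400, 10700.0, 0.2, False),  # alarms switched off
        TankSample(18000, 10700.0, 3.0, False),  # water rising, no console alarm
        TankSample(21600, 12500.0, 0.2, False),  # volume jumps above capacity
    ]
    events = [
        MeterEvent(1800, dispensed_gal=100.0),
        MeterEvent(5400, dispensed_gal=40.0),
        MeterEvent(9000, delivered_gal=3000.0),
    ]
    return samples, events


if __name__ == "__main__":
    samples, events = sample_day()
    for ts, code, detail in reconcile(samples, events, capacity_gal=12000.0):
        print(f"t+{ts:5d}s  {code:<18} {detail}")
```

The checks deliberately use data the ATG cannot influence: dispenser meters, delivery paperwork, the tank's rated capacity, and a fixed water limit. A spoofed volume that still tracks real sales will pass the reconciliation, which is why the capacity and water checks are kept separate and why the alarm-state transition is reported on its own regardless of what the readings say.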

For additional context on hardening legacy platforms, you can check corporate patch approaches like the F5 NGINX Patch Analysis to see how modern IT infrastructure manages vulnerability updates under pressure, though securing OT systems depends far more on physical network isolation than on patch cadence. We have to act before the next gauge failure causes real-world chaos.
