Cybercriminals are probing a quiet layer of fuel infrastructure: the systems that monitor what is inside storage tanks.
According to a new government advisory, reports have emerged of threat actors targeting Automatic Tank Gauge (ATG) systems used to monitor fuel and liquid storage tanks across the US. Officials say these actors have already compromised internet-facing devices in recent months, raising concerns about the security of these often-overlooked industrial systems.
The warning points to a growing trend across the threat landscape. Instead of focusing exclusively on digital data theft or enterprise networks, attackers are also probing technologies closer to physical operations, where disruptions can halt real-world operations, affecting millions.
What does an ATG system do, and why are they being targeted?
At their core, ATG systems serve as digital monitoring platforms for checking inventory, detecting leaks, and managing tank conditions across sites ranging from gas stations to industrial facilities.
Because of the role they play in keeping everyday activities that rely on them running smoothly, they’ve recently become active targets for cyberattacks aimed at disrupting these services.
What makes this even more consequential is where they sit — right in the middle of digital infrastructure and physical activities. To make matters worse, the very conditions that allow these systems to operate smoothly — convenient access — have become the leverage threat actors now use to gain illegal access to them.
How the attack happens
According to a June 2 publication from the Cybersecurity & Infrastructure Security Agency (CISA), attacks on ATG systems have been observed exploiting several weaknesses within the system.
Among the techniques highlighted in the report are authentication bypass vulnerabilities and hardcoded credentials that can grant direct access to device management interfaces. The agency also noted that OS command execution and SQL injection flaws could enable arbitrary code execution, database manipulation, and, in some cases, the escalation of privileges to full administrative control over the system.
That level of access effectively puts the attackers in the position of a trusted operator, creating entry points to modify configurations, suppress danger alerts, or cause permanent damage to the systems.
Must-read security coverage
What CISA and partners are telling operators to fix
As the agency responsible for infrastructure security, CISA sits at the forefront of this… but it isn’t the only government body involved.
Affected agencies include the FBI, the NSA, the Department of Energy (DOE), and the Environmental Protection Agency (EPA). Others include the Transportation Security Agency (TSA), the Department of Transportation (DOT), and the US Department of Agriculture (USDA).
Together, these agencies are recommending that ATG operators do the following, where applicable:
- Disable direct internet exposure: Remove ATG systems from direct internet access wherever possible and restrict remote connectivity through VPNs, Access Control Lists (ACLs), or similar controls.
- Strengthen authentication: Replace default credentials with stronger ones and deploy phishing-resistant MFA where possible.
- Patch and update systems: The attacks exploited vulnerabilities within these systems that could have been avoided with system updates from ATG manufacturers.
- Increase system visibility: Enable continuous monitoring and logging to detect unauthorized access and unusual changes that could indicate tampering.
- Enforce vendor security: When working with a vendor, ensure they also follow secure practices, as a supply chain flaw can serve as an entry point into the broader system.
For operators, the message is straightforward: ATG systems should not be treated as forgotten back-office hardware. Any internet-exposed device should be reviewed, access restricted, credentials changed, and suspicious activity reported to CISA or law enforcement.
