BitSight Discloses Zero-Day Vulnerabilities in ATG ICS Critical Infrastructure Systems

Researchers have uncovered several critical zero-day vulnerabilities in six Automatic Tank Gauge (ATG) systems from five different vendors

Researchers from BitSight Technologies’ TRACE team have uncovered several critical zero-day vulnerabilities in six Automatic Tank Gauge (ATG) systems from five different vendors. If these vulnerabilities are weaponized, malicious actors could exploit industrial control systems (ICS) used in critical infrastructure sectors, including retail and hospitality, potentially causing harm, including physical destruction, environmental risks, and financial losses.

Community Response

While the vulnerabilities exposed do not necessarily present imminent physical damage or environmental disaster, the potential for harm is pertinent, and the vulnerabilities can be weaponized. Threat actors could disrupt fuel supplies, cause economic loss, or damage essential services, particularly in industries that rely heavily on fuel management, including logistical trucking transport firms that move consumer packaged goods and other products. RH-ISAC Members are encouraged to review the intelligence included in this report and the original TRACE report linked above, along with the mitigations provided below.

Background

Automatic Tank Gauge (ATG) systems can automatically track and record the level, volume, and temperature of substances in storage tanks, like those found in gas stations. They can also detect leaks, activate alarms for high and low levels, and control devices such as sirens, emergency shutoff valves, ventilation systems, fuel dispensers, and other equipment. By connecting with internal or external relays, these systems manage physical processes. This technology ensures compliance with environmental regulations and helps improve inventory management at facilities that store fuel, including gas stations, hospitals, airports, and retail organizations.

Bitsight’s research found that threat actors using these vulnerabilities could gain full control of ATG systems, allowing them to manipulate fuel levels, disable alarms, and shut down fuel dispensing systems. The ability to control physical processes presents a grave risk to critical infrastructure, which could cause fuel spills, equipment damage, or widespread service disruption at essential facilities. Actors could rename tank information, alter tank sizes to trigger overflows, disable leak detection, or even shut down fuel pumps, creating physical and environmental hazards.

The financial impact could also be severe, with attackers able to steal sensitive operational data or disable critical systems, potentially leading to hefty fines and regulatory penalties.

While some facilities may have implemented external controls to mitigate these risks, the widespread exposure of ATG systems online is alarming. Bitsight has stressed that even the most basic cybersecurity measures, like disconnecting ATGs from the internet, are often neglected.

Recommendations

The TRACE team recommends that organizations immediately engage in outreach and remediation efforts to combat these vulnerabilities affecting ATG systems:

  • Identify any ATG deployed by your organization and/or your third-party business partners, and promptly assess the security of these systems.
  • Remove any ATG from the public internet.
  • Employ safeguards like firewalls to protect against unauthorized access to your ATG systems.
  • Security leaders must acknowledge the unique control needs that apply to OT, including industrial control systems, rather than just applying a traditional IT risk model to this infrastructure.
