Full Report
U.S. officials are investigating a series of cyber intrusions targeting automatic tank gauge systems used to monitor fuel... Source: "US probes automatic tank gauge system breaches, exposing OT risks across critical infrastructure", Industrial Cyber.
Analysis Summary
# Incident Report: Multi-State Intrusion of Automatic Tank Gauge (ATG) Systems
## Executive Summary
Multiple U.S. gas stations and critical infrastructure sites experienced cyber intrusions targeting Automatic Tank Gauge (ATG) systems, with Iranian-linked actors identified as leading suspects. Attackers exploited internet-exposed systems lacking password protection to manipulate fuel level readings. While no physical damage or environmental hazards were reported, the incident highlights significant OT vulnerabilities across sectors including energy, aviation, and healthcare.
## Incident Details
- **Discovery Date:** Investigation reported May 2026 (research coordination began March 2024)
- **Incident Date:** Ongoing/Reported May 2026
- **Affected Organization:** Multiple gas stations, airports, hospitals, and utilities
- **Sector:** Critical Infrastructure (Energy/Water/Healthcare/Manufacturing)
- **Geography:** United States (Multiple States)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa 2024–2026
- **Vector:** Direct exploitation of internet-exposed Industrial Control Systems (ICS).
- **Details:** Attackers targeted ATG systems accessible via the public internet that were configured without password authentication.
### Lateral Movement
- **Details:** Not explicitly detailed in the report; the focus remained on direct interaction with the exposed OT controllers.
### Data Exfiltration/Impact
- **Details:** Manipulation of displayed fuel readings and tank parameters. No actual fuel levels were altered, and no physical equipment damage was confirmed in this specific wave.
### Detection & Response
- **How it was discovered:** Monitored by U.S. officials and highlighted by BitSight researchers who identified thousands of exposed systems.
- **Response actions taken:** U.S. officials (CISA) launched investigations; BitSight coordinated vulnerability disclosure with five vendors and CISA starting in March 2024.
## Attack Methodology
- **Initial Access:** Exploitation of zero-day vulnerabilities and lack of basic security (no passwords) on internet-facing ATG interfaces.
- **Persistence:** Limited forensic evidence was left behind; persistence likely relied on the devices' continued internet exposure.
- **Discovery:** Scanning the public internet for the ports and protocols associated with ATG systems (e.g., those used by fuel-monitoring vendors).
- **Impact:** Manipulation of tank geometry, disabling of safety alarms, and fraudulent display of fuel levels to cause operational confusion.
## Impact Assessment
- **Financial:** Not disclosed, though potential for loss exists if fuel leaks are masked or deliveries mismanaged.
- **Data Breach:** Exposure of operational parameters and system configurations.
- **Operational:** Potential for overfilling tanks, triggering environmental hazards, or disabling critical safety alarms.
- **Reputational:** Increased public concern regarding the security of the fuel supply chain and critical OT infrastructure.
## Indicators of Compromise
- **Network indicators:** Connections to ATG ports (e.g., custom vendor protocols) from suspicious IP addresses attributed to Iranian threat groups. [Note: Specific IPs/URLs not provided in source text].
- **Behavioral indicators:** Unexplained changes in fuel tank geometry settings or suppressed safety alarms.
## Response Actions
- **Containment:** Coordination with vendors to patch 11 identified vulnerabilities (including zero-days).
- **Eradication:** Advising owners to remove ATG systems from the public internet.
- **Recovery:** Implementation of password protections and Secure-by-Design principles for OT hardware.
## Lessons Learned
- **Key takeaways:** Basic security hygiene (passwords) is still frequently overlooked in critical OT environments.
- **Gaps:** Thousands of critical systems remain directly accessible via the public internet despite years of warnings regarding ICS exposure.
- **Attribution:** Forensic evidence remains limited in OT-specific attacks, complicating official attribution.
## Recommendations
- **Network Segmentation:** Ensure ATGs and other ICS/OT devices are not directly accessible from the public internet.
- **Access Control:** Implement strong, unique passwords and multi-factor authentication (MFA) where supported for all monitoring interfaces.
- **Vulnerability Management:** Prioritize patching for the 11 vulnerabilities identified in the BitSight disclosure across affected vendors.
- **Monitoring:** Implement behavioral monitoring to detect unauthorized changes to tank parameters or alarm suppression.
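One way to implement the behavioral monitoring recommended above, as an added example that is not code from Industrial Cyber, BitSight or any ATG vendor: it assumes a polling job that already captures each tank's configuration as a dict, and the field names, baseline and snapshots below are constructed for illustration. It flags drift in geometry parameters, an enabled alarm that is no longer enabled, and a tank absent from the approved baseline.

```python
from dataclasses import dataclass

# Constructed field names; a real poller would map vendor parameters onto them.
GEOMETRY_FIELDS = ("diameter_in", "height_in", "capacity_gal")
ALARM_FIELDS = ("high_product_alarm", "leak_alarm", "overfill_alarm")

@dataclass(frozen=True)
class Alert:
    tank: str
    field: str
    before: object
    after: object
    kind: str  # "geometry_change", "alarm_suppressed" or "unknown_tank"

def diff_snapshot(baseline: dict, observed: dict) -> list:
    """Compare one tank's polled configuration against its approved baseline."""
    alerts = []
    tank = observed.get("tank", baseline.get("tank", "?"))
    for f in GEOMETRY_FIELDS:  # any drift in geometry is flagged
        if f in baseline and observed.get(f) != baseline[f]:
            alerts.append(Alert(tank, f, baseline[f], observed.get(f), "geometry_change"))
    for f in ALARM_FIELDS:  # an enabled alarm that is no longer enabled
        if baseline.get(f) is True and observed.get(f) is not True:
            alerts.append(Alert(tank, f, True, observed.get(f), "alarm_suppressed"))
    return alerts

def monitor(baselines: dict, snapshots: list) -> list:
    """Run diff_snapshot over a stream of polled snapshots keyed by tank id."""
    alerts = []
    for snap in snapshots:
        base = baselines.get(snap["tank"])
        if base is None:  # a tank the baseline does not know about is itself suspicious
            alerts.append(Alert(snap["tank"], "tank", None, None, "unknown_tank"))
            continue
        alerts.extend(diff_snapshot(base, snap))
    return alerts

# Constructed sample data: one approved baseline and three polled snapshots.
BASELINES = {"T1": {"tank": "T1", "diameter_in": 96, "height_in": 96, "capacity_gal": 10000,
                    "high_product_alarm": True, "leak_alarm": True, "overfill_alarm": True}}
SNAPSHOTS = [
    dict(BASELINES["T1"]),  # unchanged poll: no alerts
    # Anomalous poll: capacity rewritten and the overfill alarm turned off.
    {**BASELINES["T1"], "capacity_gal": 15000, "overfill_alarm": False},
    {"tank": "T9", "capacity_gal": 500},  # tank not in the approved baseline
]

if __name__ == "__main__":
    for a in monitor(BASELINES, SNAPSHOTS):
        print(f"ALERT {a.kind}: tank={a.tank} {a.field} {a.before} -> {a.after}")
```

In production the baseline would come from a change-controlled store and alerts would be forwarded to the SIEM rather than printed.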