CISA and Partners Warn of Cyberattacks Targeting U.S. Automatic Tank Gauge Systems


CISA, the FBI, NSA, DOE, EPA, TSA, DOT, and USDA are warning owners and operators to secure automatic tank gauge systems after malicious activity targeted U.S.-based devices exposed to the internet.

The joint fact sheet, “CISA and Partners Urge Hardening Automatic Tank Gauge Systems,” says attackers are compromising internet-exposed ATG systems and modifying them through command execution. The U.S. government has not attributed the activity to a nation-state or named threat group.

Automatic tank gauge systems monitor storage tank conditions such as fuel or liquid levels, volume, temperature, and possible leak detection. They operate across the Energy, Chemical, Food and Agriculture, and Transportation Systems sectors, which makes weakly secured systems a risk for both business operations and public safety.

What automatic tank gauge systems do

ATG systems help operators remotely track tanks at gas stations, farms, transport hubs, chemical sites, and other facilities. They reduce the need for constant manual checks and help companies detect problems such as leaks or abnormal levels.

That remote access also creates a security problem when devices sit directly on the public internet. Attackers can scan for exposed systems, test weak passwords, and try known device weaknesses without ever entering a facility.

The NSA announcement says the agencies released the guidance to help ATG owners and operators harden these systems against ongoing cyber risk. The main message is direct: remove ATG systems from public internet exposure and secure all access paths.

| ATG function | Why it matters | Risk if compromised |
| --- | --- | --- |
| Fuel and liquid level monitoring | Helps operators track inventory and avoid unsafe fill conditions | Attackers could create false readings or deny accurate visibility |
| Temperature tracking | Supports safe storage and operational awareness | Incorrect readings could affect decisions about tank conditions |
| Leak detection | Helps operators respond before environmental damage occurs | Disabled alerts could delay response to leaks or relay failures |
| Pump and relay controls | Supports normal site operations and safety workflows | Malicious changes could disrupt equipment behavior |

How attackers are targeting ATG systems

The advisory says attackers may use authentication bypass, hardcoded credentials, operating system command execution, SQL injection, and privilege escalation to compromise ATG systems.

These methods are not unusual in operational technology environments. They often work because many industrial systems were built for long service life and reliability, not for direct exposure to modern internet threats.

Bitsight previously reported critical vulnerabilities in automated tank gauge systems, including risks that could allow attackers to change tank parameters, disable alarms, and manipulate systems that monitor fuel storage. That earlier research also found that many ATG systems remained exposed online despite years of warnings.

Why exposed ATG systems create physical risk

A compromised ATG system can affect more than a dashboard. If attackers alter system attributes, tank volumes, product identifiers, network settings, or pump controls, operators may lose confidence in the readings they depend on.

The joint advisory warns that component malfunctions could create a “denial of view” condition, where operators cannot see accurate tank fill levels. That can increase the chance of equipment damage, leaks, or other environmental and physical hazards.

The ATG hardening guidance also warns that disabling system alerts can reduce an operator’s ability to detect problems early. That matters because operators rely on those alerts to respond before a technical issue becomes a safety or environmental incident.

The main security problem is internet exposure

The most urgent fix is removing ATG systems from direct public access. The agencies specifically warned operators not to expose ATG serial ports, including common default TCP ports 8001, 9001, and 10001, or related web interfaces directly to the internet.

If remote access is necessary, operators should place it behind a firewall, access control list, or VPN. They should also restrict access to known users and systems rather than leaving management interfaces reachable from anywhere.

Broader primary mitigations for operational technology follow the same principle. Critical infrastructure owners should remove public exposure, strengthen credentials, secure remote access, segment OT and IT networks, and maintain incident response plans that include industrial systems.

  • Remove ATG serial ports and web interfaces from direct public internet access.
  • Block public access to default TCP ports 8001, 9001, and 10001.
  • Use firewalls, access control lists, or VPNs for approved remote access.
  • Change default passwords on every ATG interface.
  • Use strong, unique administrative credentials.
  • Enable phishing-resistant multifactor authentication where possible.
  • Apply manufacturer updates through certified ATG service providers.
  • Enable logging and review logs for unauthorized access or configuration changes.
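
One way to check the port guidance above against an exported firewall rule list, as an added example that is not part of the advisory or the original article. The rule format, rule names, and the approved VPN range are assumptions made for illustration; the check covers only the three default TCP ports, not web interfaces.

```python
import ipaddress

# Default ATG serial-over-TCP ports named in the advisory.
ATG_PORTS = (8001, 9001, 10001)

def parse_ports(spec):
    """Turn 'any', '8001', or '9000-9100' into an inclusive (low, high) pair."""
    if spec == "any":
        return (1, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def exposed_rules(rules, approved_sources):
    """Return [(rule_name, [atg_ports])] for allow rules that let a source
    outside the approved networks reach an ATG port.

    Each rule is judged on its own, so an earlier deny does not clear a
    finding; that is deliberately conservative for an audit."""
    approved = [ipaddress.ip_network(n) for n in approved_sources]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        # Compare only networks of the same IP version to avoid TypeError.
        if any(src.version == net.version and src.subnet_of(net)
               for net in approved):
            continue
        low, high = parse_ports(rule["dst_ports"])
        hit = [p for p in ATG_PORTS if low <= p <= high]
        if hit:
            findings.append((rule["name"], hit))
    return findings

# Constructed sample export; names and addresses are illustrative only.
SAMPLE_RULES = [
    {"name": "vpn-to-atg", "action": "allow", "src": "10.20.0.0/24", "dst_ports": "10001"},
    {"name": "vpn-subset", "action": "allow", "src": "10.20.0.16/28", "dst_ports": "8001"},
    {"name": "legacy-vendor", "action": "allow", "src": "0.0.0.0/0", "dst_ports": "10001"},
    {"name": "wide-range", "action": "allow", "src": "198.51.100.0/24", "dst_ports": "9000-9100"},
    {"name": "drop-rest", "action": "deny", "src": "0.0.0.0/0", "dst_ports": "any"},
]
APPROVED = ["10.20.0.0/24"]  # assumption: the site's VPN address pool

if __name__ == "__main__":
    for name, ports in exposed_rules(SAMPLE_RULES, APPROVED):
        print(f"{name}: ATG ports reachable from unapproved source: {ports}")
```

Port ranges are the case most often missed in manual review: the `wide-range` rule never names 9001 but still opens it.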

Operators should monitor for configuration changes

ATG owners should not stop at password changes. They should monitor for unauthorized connections, suspicious alarms, alarm threshold modifications, tank label changes, and unexpected system modifications.

This type of monitoring helps operators spot tampering before it creates operational damage. It also helps incident responders understand what changed, when it changed, and which systems may need inspection.

The Bitsight research highlighted why ATG exposure matters beyond one industry. These systems can appear in gas stations, airports, hospitals, military facilities, emergency services, power plants, and other environments where tank visibility supports daily operations.

| Warning sign | What it may indicate | Suggested response |
| --- | --- | --- |
| Unexpected remote connection | Possible unauthorized access attempt | Block the source, review logs, and inspect device settings |
| Changed tank labels or product identifiers | Possible tampering with operator visibility | Verify the physical tank configuration and restore approved settings |
| Modified alarm thresholds | Possible attempt to suppress safety alerts | Compare against baseline values and investigate user activity |
| Network setting changes | Possible persistence or access preparation | Check firewall rules, remote access settings, and device accounts |
| Unexplained system errors | Possible command execution or malfunction | Engage the service provider and preserve logs for review |
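
The baseline comparison suggested in the table can be automated by diffing each configuration snapshot against the approved one. The following is an added example, not code from the advisory or any vendor; the snapshot layout and field names are hypothetical, since real ATG exports vary by manufacturer.

```python
import copy

ABSENT = "<absent>"  # marks a setting present in only one snapshot

def flatten(node, prefix=""):
    """Flatten nested settings into {'tanks.1.label': value, ...}."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def classify(path):
    """Map a changed setting to one of the warning signs listed above."""
    leaf = path.rsplit(".", 1)[-1]
    if path.startswith("network."):
        return "network setting change"
    if "alarm" in leaf:
        return "alarm threshold or alert change"
    if leaf in ("label", "product"):
        return "tank label or product identifier change"
    return "unexpected system modification"

def drift(baseline, current):
    """Return (warning_sign, path, approved_value, observed_value) tuples."""
    old, new = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path, ABSENT), new.get(path, ABSENT)
        if before != after:
            findings.append((classify(path), path, before, after))
    return findings

# Constructed snapshots; field names are hypothetical, not a vendor format.
BASELINE = {
    "tanks": {"1": {"label": "UNLEADED", "product": "REG-87",
                    "high_alarm_mm": 2400, "leak_alarm_enabled": True}},
    "network": {"ip": "192.0.2.10", "gateway": "192.0.2.1"},
}
CURRENT = copy.deepcopy(BASELINE)
CURRENT["tanks"]["1"].update(label="TANK-X", high_alarm_mm=9999,
                             leak_alarm_enabled=False)
CURRENT["network"]["gateway"] = "192.0.2.254"

if __name__ == "__main__":
    for sign, path, before, after in drift(BASELINE, CURRENT):
        print(f"{sign}: {path} {before!r} -> {after!r}")
```

Recording the approved and observed values side by side gives incident responders the "what changed" record the section describes.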

Remote access needs stricter design

Many operators use remote access because ATG systems sit across distributed locations. Convenience can help maintenance teams, but it also creates a direct attack path when teams connect OT devices without enough controls.

The joint guidance “Secure connectivity principles for Operational Technology” recommends designing OT connectivity around clear business need, managed access, monitoring, and risk reduction. That approach fits ATG environments where uptime and safety both matter.

ATG owners should review who can access each system remotely, how access is approved, how sessions are logged, and whether the same credentials work across multiple locations. Shared passwords and unmanaged vendor access can turn one compromise into a wider incident.

Who should act on the alert

The warning applies to any organization that operates internet-connected ATG systems. That includes fuel retailers, fleet operators, farms, chemical storage sites, logistics companies, municipal services, airports, and other facilities that rely on tank monitoring.

Small operators should not assume they are too small to target. Internet-exposed devices can be found through automated scanning, and attackers do not need to know the business before trying default ports or weak credentials.

The NSA release says the joint guidance aims to help owners and operators defend ATG systems in several critical sectors. The message extends to third-party service providers that install, maintain, or remotely manage these devices.

What to do if an ATG system may be compromised

Operators that suspect compromise should disconnect exposed access paths, preserve logs, document configuration changes, and contact their ATG service provider. They should verify tank readings through trusted local procedures if they suspect false or manipulated data.

U.S. organizations should report suspicious or criminal activity to CISA’s 24/7 Operations Center at [email protected] or 888-282-0870. The FBI also accepts complaints through the Internet Crime Complaint Center.

The broader OT mitigation guidance also recommends working with service providers, system integrators, and manufacturers to apply system-specific configuration advice. That is important because ATG hardware and software can vary by vendor and installation.

ATG security needs ongoing attention

The current warning shows that exposed operational technology remains an easy target. Many ATG systems perform a narrow function, but they still connect to physical processes that can affect safety, compliance, and business continuity.

The safest approach is to treat ATG systems as critical OT assets, not simple remote monitoring boxes. Owners should inventory them, remove public exposure, harden credentials, patch where possible, and monitor for changes.

The OT connectivity guidance reinforces a useful rule for every connected industrial system: remote access should exist only where needed, with clear controls, monitoring, and accountability. ATG systems should follow that standard now.

FAQ

What is an automatic tank gauge system?

An automatic tank gauge system, or ATG system, remotely monitors storage tank conditions such as fuel or liquid levels, temperature, volume, and possible leaks.

Who warned about cyberattacks targeting ATG systems?

CISA, the FBI, NSA, DOE, EPA, TSA, DOT, and USDA jointly warned that malicious cyber activity is targeting U.S.-based automatic tank gauge systems.

Why are ATG systems being targeted?

Attackers target ATG systems because many are exposed to the public internet and may still use weak or default credentials. Once compromised, these systems can give attackers access to tank monitoring and control functions.

Which ATG ports should not be exposed to the internet?

The agencies specifically warned operators not to expose ATG serial ports, including common default TCP ports 8001, 9001, and 10001, or related web interfaces directly to the internet.

What can happen if an ATG system is compromised?

Attackers could alter network settings, product identifiers, tank volumes, pump controls, and alerts. This could cause false readings, loss of visibility, operational disruption, environmental risk, or physical hazards.

How should ATG owners protect their systems?

ATG owners should remove systems from public internet access, change default passwords, use strong credentials, restrict remote access through firewalls or VPNs, apply patches, enable logging, and monitor for unauthorized changes.
