Full Report
Following last month’s investigation into a series of cyber intrusions targeting automatic tank gauge (ATG) systems used to... The post CISA and partners urge operators to secure automatic tank gauge systems against ongoing cyber threats appeared first on Industrial Cyber.
Analysis Summary
# Best Practices: Securing Automatic Tank Gauge (ATG) Systems
## Overview
These practices address the critical vulnerabilities found in Automatic Tank Gauge (ATG) systems used for monitoring fuel, chemicals, and liquids. Recent investigations highlight that these systems—often used in the energy, agriculture, and transportation sectors—are being targeted by nation-state actors through internet-exposed interfaces, hardcoded credentials, and remote command execution flaws.
## Key Recommendations
### Immediate Actions
1. **Eliminate Internet Exposure:** Disconnect ATG systems from the public internet immediately. If remote access is required, place the ATG behind a Secure Remote Access (SRA) solution or a Virtual Private Network (VPN).
2. **Change Default Credentials:** Locate and update all default or hardcoded administrative passwords. Many attacks currently exploit these "out-of-the-box" settings.
3. **Disable Unnecessary Services:** Turn off all non-essential protocols and ports (e.g., Telnet, FTP, or unencrypted web services) that are not required for fuel monitoring operations.
### Short-term Improvements (1-3 months)
1. **Implement Multi-Factor Authentication (MFA):** Ensure that any interface used to manage the ATG or its underlying data requires MFA.
2. **Network Segmentation:** Isolate ATG systems on a dedicated Operational Technology (OT) VLAN, separate from the primary business network or guest Wi-Fi.
3. **Patch Management:** Update ATG firmware and software to the latest versions to mitigate known SQL injection and remote command execution vulnerabilities.
### Long-term Strategy (3+ months)
1. **Adopt Secure-by-Design Principles:** Transition to ATG hardware and software vendors that prioritize security-by-design (e.g., no hardcoded credentials, regular SBOM disclosures).
2. **Continuous Monitoring:** Implement logging and alerting for anomalous activity, such as unauthorized login attempts or unexpected command execution on ATG interfaces.
3. **Governance & IR Planning:** Incorporate ATG systems into the organization's formal Incident Response (IR) plan and conduct tabletop exercises specifically for OT-related triggers.
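The alerting described under Continuous Monitoring can be sketched as two detection rules run over constructed log lines. This is an added example, not code from CISA or any ATG vendor. The log format, the VPN subnet `10.8.0.0/24` and the failure threshold are assumptions; port 10001 is the serial-to-ethernet port this page names.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the page): log format, VPN subnet, threshold.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # hypothetical technician VPN pool
ATG_PORT = 10001                               # serial-to-ethernet port named on this page
FAIL_THRESHOLD = 3                             # failed logins per source before alerting

# Constructed sample lines: "<time> <EVENT> src=<ip> dport=<port> [user=<name>]"
SAMPLE_LOG = """\
2024-01-10T02:14:07Z CONN_ACCEPT src=10.8.0.15 dport=10001
2024-01-10T02:15:42Z CONN_ACCEPT src=203.0.113.50 dport=10001
2024-01-10T02:16:01Z LOGIN_FAIL src=198.51.100.7 dport=443 user=admin
2024-01-10T02:16:03Z LOGIN_FAIL src=198.51.100.7 dport=443 user=admin
2024-01-10T02:16:05Z LOGIN_FAIL src=198.51.100.7 dport=443 user=admin
2024-01-10T02:20:00Z LOGIN_FAIL src=10.8.0.15 dport=443 user=tech1
2024-01-10T02:21:00Z malformed line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) src=(?P<src>\S+) dport=(?P<dport>\d+)")

def detect(log_text):
    """Return a sorted list of (rule, source_ip) alerts for the given log text."""
    alerts = set()
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # src field is not a valid IP address
        # Rule 1: ATG port reached by a source outside the VPN pool.
        if m["event"] == "CONN_ACCEPT" and int(m["dport"]) == ATG_PORT and src not in VPN_NET:
            alerts.add(("atg_port_outside_vpn", str(src)))
        # Rule 2: repeated failed logins from one source.
        if m["event"] == "LOGIN_FAIL":
            failures[src] += 1
            if failures[src] >= FAIL_THRESHOLD:
                alerts.add(("repeated_login_failure", str(src)))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, src in detect(SAMPLE_LOG):
        print(f"ALERT {rule} src={src}")
```

An accepted connection to port 10001 from outside the VPN pool also means the perimeter block is not in effect, so that alert doubles as a check on the firewall rule.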
## Implementation Guidance
### For Small Organizations
- **Manual Hardening:** Focus on physically disconnecting the device from the internet and ensuring passwords meet minimum complexity requirements. Use a simple, hardware-based firewall if central IT resources are limited.
### For Medium Organizations
- **Managed VPNs:** Deploy a managed VPN service for technicians to access tank levels remotely. Conduct a quarterly audit of user accounts to ensure former employees no longer have access to ATG interfaces.
### For Large Enterprises
- **OT-Specific SOC Integration:** Integrate ATG logs into a Security Information and Event Management (SIEM) system. Use network orchestration tools to automate the segmentation and isolation of fuel-monitoring assets across multiple sites.
## Configuration Examples
*Note: Specific CLI syntax varies by manufacturer (e.g., Veeder-Root, OPW, Franklin Fueling).*
* **Port Blocking:** Configure perimeter firewalls to block inbound traffic on **Port 10001** (often used for serial-to-ethernet converters on older ATGs) unless explicitly authorized via a secure tunnel.
* **Database Security:** Ensure SQL queries used by management software are parameterized to prevent common SQL injection techniques mentioned in the CISA/FBI alert.
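The Database Security point can be shown with a string-built query beside its parameterized form. This is an added example, not code from any ATG management product. The `tank_readings` table, its columns, the site names and both function names are hypothetical, and SQLite stands in for whatever database the management software uses.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tank_readings (site_id TEXT, tank_no INTEGER, volume_l REAL)")
    db.executemany(
        "INSERT INTO tank_readings VALUES (?, ?, ?)",
        [("SITE-A", 1, 18250.0), ("SITE-A", 2, 9400.5), ("SITE-B", 1, 22010.0)],
    )
    return db

def readings_concatenated(db, site_id):
    """'Before' form: the input is spliced into the SQL text, so it can change the query."""
    sql = ("SELECT site_id, tank_no, volume_l FROM tank_readings "
           "WHERE site_id = '" + site_id + "'")
    return db.execute(sql).fetchall()

def readings_parameterized(db, site_id):
    """Hardened form: the driver binds the input as a value; it is never parsed as SQL."""
    sql = "SELECT site_id, tank_no, volume_l FROM tank_readings WHERE site_id = ?"
    return db.execute(sql, (site_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    hostile = "SITE-A' OR '1'='1"  # constructed input containing a quote character
    print(len(readings_concatenated(db, hostile)))    # rows for every site come back
    print(len(readings_parameterized(db, hostile)))   # no site has that literal name
    print(len(readings_parameterized(db, "SITE-A")))  # a normal lookup still works
```

When reviewing management software, any query assembled with string concatenation or formatting around user-supplied values is the pattern to replace with bound parameters.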
## Compliance Alignment
- **NIST SP 800-82:** Guide to Industrial Control Systems (ICS) Security.
- **ISA/IEC 62443:** Security for industrial automation and control systems.
- **TSA SD 1582-21-01:** (For transportation-related fuel entities) Requirements for cybersecurity documentation and reporting.
## Common Pitfalls to Avoid
- **Assuming "Security by Obscurity":** Believing that attackers won't find an ATG just because its IP address isn't listed on a website. Attackers use automated scanners (like Shodan) to find exposed industrial devices.
- **Neglecting Serial-to-Ethernet Converters:** Many older ATGs use external converters to enable network access; these converters often lack security features and must be secured as strictly as the ATG itself.
- **Universal Passwords:** Using the same password for all ATGs across multiple gas stations or facilities.
## Resources
- **CISA Fact Sheet:** hxxps://www[.]cisa[.]gov/sites/default/files/2026-06/fact-sheet-cisa-and-partners-urge-hardening-automatic-tank-gauge-systems_508c.pdf
- **CISA Secure-by-Design Alert:** hxxps://industrialcyber[.]co/secure-by-design/cisa-fbi-release-secure-by-design-alert-to-urge-manufacturers-to-eliminate-sql-injection-vulnerabilities/
- **Defensive Tooling:** CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).