Exposed Fuel Tank Monitoring Systems Come Under Cyberattack in the US

What happened

US federal agencies are warning organizations about ongoing cyberattacks targeting internet-exposed Automatic Tank Gauge (ATG) systems, which are widely used to monitor fuel and liquid storage tanks. The joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, NSA, Department of Energy, and several other government partners.

ATG systems are commonly used across critical infrastructure sectors to track fuel levels, temperature, leaks, and other operational data. According to the advisory, threat actors have been compromising exposed systems and modifying settings through command execution. Potentially affected functions include tank readings, pump controls, alarm settings, and other operational parameters. 

While the US government has not attributed the activity to a specific threat group, recent reports have linked similar attacks against fuel management systems to actors associated with Iran. In some incidents, attackers reportedly manipulated displayed tank readings, though no physical fuel levels were altered.

Researchers from the Shadowserver Foundation identified approximately 909 exposed ATG systems in the United States, far more than in any other country.

Who is affected

The warning primarily affects organizations operating ATG systems within critical infrastructure sectors, including energy, transportation, chemical manufacturing, food and agriculture, and fuel distribution. Gas stations, fuel storage facilities, logistics operators, and industrial sites that rely on connected tank monitoring systems may be at risk.

Organizations with legacy operational technology (OT) environments are particularly exposed because many ATG devices were designed for reliability and long service life rather than modern cybersecurity requirements. Older systems may contain unpatched vulnerabilities, weak authentication mechanisms, or default credentials.

Why CISOs should care

The incident highlights the growing cybersecurity risks associated with internet-facing operational technology. Although ATG systems may seem relatively simple, they often play a critical role in safety monitoring, inventory management, environmental compliance, and operational continuity.

A successful compromise could allow attackers to manipulate operational data, disable alerts, or interfere with monitoring functions. Even if physical processes are not directly altered, inaccurate readings and disabled warnings could lead to operational disruptions, compliance issues, safety concerns, or delayed responses to equipment failures.

The attacks also reinforce a long-standing challenge in critical infrastructure security: internet-exposed OT assets remain a common and attractive target for threat actors.

3 practical actions

  • Identify and remove ATG systems and other OT assets from direct internet exposure wherever possible.
  • Replace default credentials, enforce strong password policies, and implement multi-factor authentication when supported.
  • Continuously monitor OT environments for unauthorized changes, suspicious remote access activity, and unpatched vulnerabilities.
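One way to approach the third action is to compare a known-good export of ATG settings against the current one and rank any unapproved difference by its effect on alarms and pump controls. The Python below is an added example, not code from the advisory or from any ATG vendor; the setting names, the snapshot format and the approved-change list are assumptions made for illustration.

```python
"""Baseline drift check for ATG settings (added example; field names are hypothetical)."""

# Constructed snapshots: a real deployment would export these from the ATG or
# its management software on a schedule. All keys and values are assumptions.
BASELINE = {
    "tank1.high_level_alarm.enabled": True,
    "tank1.high_level_alarm.limit_pct": 95,
    "tank1.leak_alarm.enabled": True,
    "tank1.label": "UNLEADED",
    "pump1.remote_control": False,
}
CURRENT = {
    "tank1.high_level_alarm.enabled": True,
    "tank1.high_level_alarm.limit_pct": 100,
    "tank1.leak_alarm.enabled": False,
    "tank1.label": "UNLEADED",
    "pump1.remote_control": True,
    "tank2.label": "DIESEL",
}
APPROVED = {"tank2.label"}  # keys covered by an approved change ticket


def severity(key, old, new):
    """Rank a change by its effect on alarm and pump-control settings."""
    if "alarm" in key and key.endswith(".enabled") and old is True and new is not True:
        return "critical"  # an alarm was switched off or removed
    if "alarm" in key or key.startswith("pump"):
        return "high"  # alarm threshold or pump control changed
    return "medium"


def detect_drift(baseline, current, approved=frozenset()):
    """Return (severity, key, old, new) for every unapproved difference."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key), current.get(key)
        if old == new or key in approved:
            continue
        findings.append((severity(key, old, new), key, old, new))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, key, old, new in detect_drift(BASELINE, CURRENT, APPROVED):
        print(f"[{sev.upper()}] {key}: {old!r} -> {new!r}")
```

A setting that disappears from the current export is reported with a new value of `None`, so a removed alarm is ranked the same as a disabled one.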