Tank gauging systems at over 900 US gas stations come under attack

Greater than 900 automated tank gauging (ATG) programs throughout the US used to watch gasoline and chemical storage tanks in numerous essential infrastructure sectors have been uncovered on-line and located to be susceptible to an ongoing assault.

ATG programs are digital monitoring units used to remotely monitor gasoline, chemical substances, or different liquids in storage tanks to automate stock administration, environmental leak detection, and regulatory compliance. They’re generally utilized in gasoline stations to watch gasoline tank ranges, however are additionally utilized in industrial settings to trace chemical storage tanks.

On Tuesday, the Cybersecurity and Infrastructure Safety Company (CISA), FBI, NSA, Division of Power, and different U.S. authorities companions issued a joint advisory warning essential infrastructure organizations to guard their internet-exposed ATG programs from ongoing assaults.

The federal company has warned that risk actors are concentrating on such units to switch system settings with command execution assaults after exploiting a wide range of safety flaws, together with hard-coded credentials, authentication bypass, SQL injection vulnerabilities, OS command execution flaws, and privilege escalation vulnerabilities.

“Latest malicious cyber exercise noticed by authoring organizations (which the U.S. authorities has not but attributed to nation states or risk actor teams) contains cyber attackers compromising ATG programs uncovered to the Web after which modifying ATG programs by means of command execution,” the joint advisory warned.

As CISA warned, a profitable breach may permit the attacker to disable system alerts, improve the chance of leaks and gear failure, and even trigger everlasting injury to the focused tank system.

In gentle of CISA’s suggestions, Web safety watchdog Shadowserver right now warned that greater than 1,000 ATG programs are uncovered on-line, with the bulk (909) in the US.

“We’ve added scans for automated tank gauging (ATG) programs to the Accessible ICS report, together with 1061 IPs seen (on port 10001/tcp) on June 5, 2026,” Shadowserver mentioned. “That is after eradicating a lot of the potential honeypots (together with ports 8001/9001).”

We advocate that essential infrastructure organizations prohibit distant entry to ATG programs from the Web as quickly as potential and implement managed entry by means of firewalls, VPNs, or entry management lists.

They need to additionally exchange default passwords on susceptible units with sturdy credentials, apply safety updates, monitor programs for unauthorized adjustments, and implement multi-factor authentication the place potential.

CISA’s warning comes within the wake of a Could CNN report that Iranian hackers had breached internet-connected ATG programs at a number of gasoline stations throughout the US. Iranian hacker teams had been concerned in these incidents primarily based on their previous historical past of concentrating on gasoline administration programs and different industrial management applied sciences.

After hacking the system utilizing a weak or non-existent password, the attacker reportedly manipulated the show worth however didn’t change the precise gasoline stage. Though these incidents didn’t trigger any bodily injury, they’ve raised considerations that such assaults may intervene with automated gasoline leak detection and related safety-related options.

One other joint advisory issued by U.S. federal businesses in April linked Iranian state-sponsored hackers to assaults concentrating on Rockwell Automation/Allen Bradley PLC units since March 2026, inflicting financial losses and enterprise interruptions.

The following day, cybersecurity firm Censys reported that 74.6% (3,891 hosts) of business management programs posted on-line worldwide got here from the US.