US Warns of Vulnerabilities in Automatic Tank Gauge Systems Used in Critical Sectors

The U.S FBI Cyber Division, plus many other infrastructure agencies, have joined hands to issue a warning in an advisory published by the FBI’s Internet Crime Complaint Center (IC3).

The Federal agencies are the Cybersecurity and Infrastructure Security Agency (CISA), together with the U.S. Department of Agriculture (USDA), & the National Security Agency (NSA).

Also, the Environmental Protection Agency (EPA) was part of it, plus the Department of Energy (DOE), & the Department of Transportation (DOT), including the Transportation Security Administration (TSA).

In the document they shared, they warned organizations that bad actors are now moving their interest to entering Automatic Tank Gauge (ATG) systems that many companies in the sectors of Energy, Food & Agriculture,  Chemical & Transportation, use to keep a close eye on fuel & liquid storage tanks all over the US.

These systems are there to support fuel distribution, transportation, agriculture, chemical processing, & energy infrastructure.

Authorities say these bad actors are exploiting the flaws in the ATG systems that are linked to the internet to gain secret access, change sensitive operational settings, &  potentially disorganize fuel storage operations that enable essential services across the United States to perform optimally.

Internet-Exposed Tank Monitoring Systems Become an Attractive Target

The focus of the advisory is on Automatic Tank Gauge systems, which are devices that companies rely on to measure the levels of fuel or detect when fuel leaks occur.

Also, the systems monitor temperatures & manage inventory in storage tanks, both underground and aboveground. Many companies use these systems at their fuel terminals, in convenience stores,or truck stops.

They are also supporting the operation of marinas, emergency generator facilities, plus chemical storage sites, & industrial operations.

According to these federal agencies, many of the ATG deployments are still open for direct access from the public internet, and the companies still use default credentials or outdated software to run them.

Recently, hackers have increasingly scanned for these systems from the public internet and have utilized many of their weaknesses to gain access.

According to the advisory, there are many flaws that the threat actors can exploit, such as authentication bypass flaws, hardcoded passwords, operating-system command injection weaknesses, & SQL injection flaws.

The dark web market for stolen financial data remains lucrative. Korean credit card prices have surged 168%, demonstrating the economic drivers behind cyberattacks.

Once the hackers gain access they can change configuration settings, alter the fuel inventory records, or manipulate tank identification information. They can also modify volume readings of the fuel tank, or disable the entire monitoring capabilities the system has.

The backlash of these actions is that there will be no operational visibility and this will make things difficult for operators to know when equipment malfunctions, when there are leaks, or when the inventory calculations are not accurate.

Before this warning, there were reports earlier this year of cyberattacks against ATG deployments at retail fuel operations, raising more concerns about the way through which cybersecurity weaknesses expose operational technology environments to bad actors.

Potential Consequences Go Beyond Cybersecurity

Unlike the normal traditional breaches in IT, if the bad actors successfully compromise the ATG systems the operational consequences will hit directly in the physical environment.

Federal agencies now warn that bad actors who gain this administrative access can easily play tricks by interfering with alarm systems, stop notifications of tank leaks or even change sensor readings. They can also manipulate pump controls connected to these systems.

Such actions from them could delay responses that should come when equipment fails or when any incident takes place in the environment.

Usually operators carry out their work by depending on ATG systems. This reliance helps them to carry out their work within the regulatory scope, find out when there are fuel leaks, plan how to deliver products and even monitor how the storage conditions are.

 If attackers change how these functions work, the organizations could start experiencing disruptions in their operations, start getting inventory reports that are not accurate, face more environmental hazards, and spend more money on maintaining their systems.

The advisory also pointed out that ATG systems are usually part of the broader industrial control system environments. Any device breach by bad actors may give them a leeway for more network activities if there are no proper segmentation controls in place.

Right now, the federal agencies have not linked any particular threat actor or nation-state group to this issue publicly. However, they stress that the tactics which these threat actors are using showcases that their attention has shifted to operational technology systems that were never a concern for experts in cybersecurity before now.

Federal Agencies Urge Immediate Security Measures

To reduce the exposure to this threat, the federal agencies recommend some measures for the sectors to put in place immediately as defensive measures.

The recommended measures are:

• Organizations should remove their ATG systems from the direct internet access that allows easy breach.
• They should use firewalls, VPNs, or any other mechanism that allows remote access to protect the systems.
• Organizations should immediately change the default passwords with alternatives that are strong, and using unique credentials.
• As soon as possible they should enable multifactor authentication wherever it is possible.
• Operators must also apply vendor security patches fast, and carry out configuration reviews regularly.
• Operators should also monitor system logs to know when bad actors are attempting to access the systems.
• There should also be a restriction on administrative privileges to personnel whose work is essential for the operations.
• Also, network segmentation between technologies used in operations and the ones supporting corporate IT environments is also very important to reduce the impact when a breach happens.

Apart from the measures above, the advisory also advises organizations to create a procedure to follow in responding to incidents when they occur in any specific industrial control systems. Also, they should report any suspicious activity they notice to the federal authorities.