Dark ReadingArchived Jun 06, 2026✓ Full text saved
Threat actors are taking advantage of Internet-exposed tank gauges by breaching gas stations, opening the door to disruption.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
CYBER RISK
VULNERABILITIES & THREATS
ICS/OT SECURITY
NEWS
Exposed Fuel Tank Gauges Under Attack in the US
Threat actors are taking advantage of Internet-exposed tank gauges by breaching gas stations, opening the door to disruption.
Nate Nelson,Contributing Writer
June 5, 2026
5 Min Read
SOURCE: YAUHEN AKULICH VIA GETTY IMAGES
Cyberattackers are targeting Internet-exposed automatic tank gauge (ATG) systems in the United States, and the feds are urging site owners to take swift action.
ATGs are the electronic gauges that industrial sites use to monitor liquid storage tanks, whether they contain dangerous chemicals, fuel, or whatever else. Compared to some more elaborate machinery, they're rather straightforward things: probes that feed displays, which feed data to broader supervisory control and data acquisition (SCADA) systems so that plant operators can monitor their readings at a distance. Perhaps most folks give them little thought, especially in a cybersecurity context, but they're arguably as grave of a potential risk as any other equipment at any industrial facility anywhere.
This week, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Department of Energy (DoE), Environmental Protection Agency (EPA), Transportation Security Administration (TSA), Department of Transportation (DOT), and US Department of Agriculture (USDA) published a joint notice urging industrial organizations to harden their ATGs from cyberattack.
Related:Rust-Written IronWorm Hits NPM Supply Chain
The agencies said they're "aware of malicious cyber activity" targeting these systems in the US, but didn't attribute it to any one particular threat group; the statement might be in reference to reports last month that threat actors loosely linked to Iran have been attacking ATGs at gas stations around the country.
The notice highlighted how, by compromising vulnerabilities in ATGs, threat actors could conceivably alter tank readings, pump controls, and other settings. If plant operators aren't wise to being infiltrated, and especially if the readings concern safety-critical systems, the consequences could be dire. ATGs also perform functions besides bare readings, like alerting operators about abnormal conditions in a tank. Attackers could theoretically disable such alerts, raising the chances for something very dangerous occurring.
Fuel Gauge Risk Exposure Concentrated in the US
It's only fitting that the US government would be the one conveying the message. Putting the recent Iran-linked campaign aside, the overwhelming majority of vulnerable ATGs today are located in the States, according to recent data.
Following the joint notice, The Shadowserver Foundation ran widespread scans looking for ATGs exposed to the open Web. The vast majority of discoverable devices were honeypots, but after those were filtered out, the lion's share of under-protected ATGs out in the wild were found to be concentrated in a single country: specifically, there were 909 discoverable devices in the US as of the time of publication. The next most-exposed countries were Canada (with 30 exposed ATGs), Australia (22), and then the UK (four) and Brazil (four).
Related:Pakistan Spies on Afghan Finance Ministry With Xeno RAT
Dark Reading reached out to Shadowserver for a possible explanation for the massive disparity in exposure levels, but didn't receive an answer by press time.
Even if the US constitutes 90% or more of the vulnerable ATGs on the planet, those 909 instances actually represent an improvement for stateside organizations. A decade ago, Dark Reading reported that nearly 6,000 ATGs across the nation were exposed on the Web.
ATGs Carry Legacy Cyber Risk, Unpatched Bugs
Like other industrial devices, ATGs are vulnerable almost by design. They're built to last in the field for years, often without downtime, with a focus on reliability more than security. That leaves lots of them old and unpatched, running legacy stacks, and they're certainly not complex enough to run security software.
It should come as no surprise, then, that these devices can contain serious vulnerabilities. A couple of years ago, researchers at Bitsight did a study that found seven critical zero-day vulnerabilities across six of the most popular models. They included command-injection vulnerabilities with CVSS scores of 10 out of 10, a few authentication bypass issues, hardcoded credentials, and more.
Related:Tropical Blend: Cyber & Politics Ramp Up Across Latin America
Were a high-level or even nation-state threat actor — like, say, an advanced persistent threat (APT) from Iran — able to reach an ATG over the Internet, they could exploit it for useful intelligence to support follow-on cyberattacks or for other purposes. But another real risk is if attackers are able to cut off industrial operators from the data they rely on, especially when that data concerns critical systems.
What Organizations Should Do About ATG Attacks
The first, most important, and most obvious line item in the US government's recommendations to operators is to rip ATGs off the open Web.
Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, recalls how "years ago, I thought the first thing to do to launch an operational technology (OT) security program was segmentation. A firewall or three. I was recently corrected: the first step is to get your devices and human machine interfaces (HMIs) off the Internet. Do it on an emergency basis."
If for some inexplicable reason an ATG has to be on the Internet, he adds, "Harden it nine ways to Sunday. Auto update. Long passwords. Encrypt everything. If you can't do that either, you have intrinsically bad design."
US authorities also recommend enforcing credential security, applying patches — which at always-on industrial sites that can't afford downtime may be more difficult than it sounds — and closely monitoring unauthorized network access.
At a higher level, Ginter points out that organizations can protect themselves against worst-case scenarios by "deploying cyber-informed engineering (CIE)-style analog and other 'unhackable' digital mitigations to prevent unacceptable consequences." These could include over-pressure release valves and float valves that preempt dangerous tank conditions, and unidirectional gateways that prevent malicious information from reaching even the most vulnerable equipment.
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS
GISEC GLOBAL 2026
GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills.
📌 BOOK YOUR SPACE