CISA Warns: Critical Infrastructure ATG Systems Under Attack
- [01] Hackers are actively targeting internet-exposed Automatic Tank Gauge (ATG) systems, jeopardizing critical infrastructure.
- [02] All internet-exposed Automatic Tank Gauge (ATG) systems used for fuel and liquid storage monitoring across critical sectors are affected.
- [03] Immediately identify and secure or isolate all internet-exposed ATG systems from the public internet.
Overview of the Threat
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Department of Energy (DOE), alongside other U.S. government partners, have issued a joint warning regarding ongoing cyberattacks. These attacks specifically target internet-exposed Automatic Tank Gauge (ATG) systems, which are crucial for monitoring fuel and liquid storage tanks across various critical infrastructure sectors. This advisory highlights a significant threat to the operational integrity and security of vital services, according to BleepingComputer.
ATGs are integral to the safe and efficient operation of facilities that store hazardous liquids, including fuel depots, chemical plants, and water treatment facilities. Their primary function involves measuring tank levels, detecting leaks, and providing critical operational data. Direct exposure to the internet without adequate protective measures creates a substantial attack surface that threat actors are actively exploiting.
Technical Analysis: Internet-Exposed Automatic Tank Gauge Vulnerabilities
Attackers are actively scanning for and attempting to exploit publicly accessible ATG devices. The primary concern with internet-exposed ATGs is that they often lack the security controls found in enterprise IT environments. Many ATGs were designed for closed, internal networks and may feature default credentials, unpatched software, or exposed management interfaces, making them easy targets for reconnaissance and direct manipulation.
Attack Vectors and Potential Impact
Threat actors can leverage internet exposure through several vectors:
- Exploitation of Known Vulnerabilities: Attackers may identify and exploit software vulnerabilities in the ATG firmware or associated management applications, potentially leading to unauthorized access or RCE.
- Default or Weak Credentials: Many OT devices are deployed with default passwords that are rarely changed, offering a straightforward path to compromise.
- Unprotected Management Interfaces: Web-based or remote desktop interfaces, when exposed to the internet, provide a direct entry point for malicious actors to interact with the system.
Successful compromise of an ATG system could lead to a range of malicious outcomes, from data manipulation to service disruption. Attackers could alter reported tank levels to conceal theft, trigger false alarms, or even disable leak detection systems. In severe scenarios, unauthorized control could facilitate physical damage, environmental hazards due to spills, or significant disruption to fuel and liquid supply chains. The TTPs employed may include initial access, data manipulation, and denial-of-service, all aimed at impacting the availability and integrity of these critical systems.
Mitigations and Recommendations from CISA's Critical Infrastructure OT Security Guidance
For organizations managing fuel and liquid storage, a proactive approach to mitigating the cyber risks of fuel tank monitoring is essential. The immediate priority is to identify and address any ATG systems that are directly exposed to the internet. This requires a comprehensive understanding of the organization's asset inventory and network architecture.
Immediate Actions
- Identify and Isolate: Conduct thorough network scans and asset inventories to locate all ATG devices. Immediately remove direct internet connectivity for any exposed systems. Place them behind firewalls and, ideally, within segregated network segments that restrict access to authorized personnel and systems only.
- Patch and Update: Ensure all ATG firmware and associated software are updated to the latest vendor-provided versions. Regularly apply security patches to address known vulnerabilities.
- Strong Authentication: Change all default passwords immediately. Implement strong, unique passwords for all accounts and enforce multi-factor authentication (MFA) where supported.
- Network Segmentation: Implement robust network segmentation to separate OT networks from IT networks and other public-facing infrastructure. Limit traffic between these segments to only what is absolutely necessary.
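The four immediate actions above translate directly into an inventory audit. The following Python script is an added example, not part of the advisory or of any vendor tooling: it takes a constructed asset inventory (device records, a designated OT address range, the latest vendor firmware version) and reports, per ATG, which of the four actions still apply, with internet-reachable devices queued first. The field names, addresses, version numbers and the OT segment are all assumptions made for the example.

```python
"""Audit an OT asset inventory against the advisory's immediate actions.

All device records below are constructed for illustration; in practice the
inventory would come from an asset-management export and the exposure flag
from a firewall-rule review or an authorised external exposure check.
"""
from dataclasses import dataclass
import ipaddress

# Constructed: address ranges the organisation designates as its segregated OT segment.
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]


@dataclass
class Asset:
    name: str
    device_type: str          # e.g. "ATG", "PLC", "HMI"
    ip: str
    firmware: str             # version the device reports
    latest_firmware: str      # latest vendor-provided version (from the vendor bulletin)
    default_credentials: bool
    mfa_enabled: bool
    internet_reachable: bool  # True if the device is reachable from the public internet


def version_tuple(version: str) -> tuple:
    """Turn a dotted version string into a tuple of integers so 1.10 > 1.9."""
    return tuple(int(part) for part in version.split("."))


def audit_asset(asset: Asset) -> list:
    """Return the findings for one ATG, ordered by the advisory's priority:
    isolate first, then segment, patch, and fix authentication."""
    if asset.device_type != "ATG":
        return []
    findings = []
    if asset.internet_reachable:
        findings.append("ISOLATE: reachable from the public internet")
    if not any(ipaddress.ip_address(asset.ip) in seg for seg in OT_SEGMENTS):
        findings.append("SEGMENT: not inside a designated OT segment")
    if version_tuple(asset.firmware) < version_tuple(asset.latest_firmware):
        findings.append(
            f"PATCH: firmware {asset.firmware} behind vendor release {asset.latest_firmware}"
        )
    if asset.default_credentials:
        findings.append("AUTH: default credentials still in use")
    if not asset.mfa_enabled:
        findings.append("AUTH: multi-factor authentication not enabled")
    return findings


def audit_inventory(assets) -> dict:
    """Map each ATG name to its findings; a clean device maps to an empty list."""
    return {a.name: audit_asset(a) for a in assets if a.device_type == "ATG"}


def isolation_queue(assets) -> list:
    """Names of the ATGs that must come off the internet before anything else."""
    return [a.name for a in assets if a.device_type == "ATG" and a.internet_reachable]


# Constructed sample inventory (documentation address ranges, made-up versions).
SAMPLE_INVENTORY = [
    Asset("atg-depot-1", "ATG", "203.0.113.15", "1.2.0", "1.4.1", True, False, True),
    Asset("atg-depot-2", "ATG", "10.50.1.10", "1.4.1", "1.4.1", False, True, False),
    Asset("atg-site-b", "ATG", "10.20.7.3", "1.3.9", "1.4.1", False, False, False),
    Asset("hmi-1", "HMI", "10.50.2.20", "5.0", "5.0", False, True, False),
]

if __name__ == "__main__":
    print("isolate first:", isolation_queue(SAMPLE_INVENTORY))
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings) if findings else 'no findings'}")
```

The exposure flag is deliberately an input rather than something the script probes for: whether a device answers from the internet is established by the network team from firewall rules or an authorised external check, and the audit then reads that result alongside the rest of the inventory.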
Long-Term Security Posture
- Zero Trust Principles: Adopt a Zero Trust security model, even for OT components, where no user or device is trusted by default, regardless of whether it sits inside or outside the network perimeter.
- Continuous Monitoring: Deploy SIEM and EDR solutions, where applicable, to monitor network traffic and system logs for anomalous activity. Pay close attention to connections originating from or destined for ATG systems.
- Vulnerability Management: Establish a rigorous vulnerability management program that includes regular assessments, penetration testing, and timely remediation for all operational technology assets.
- Incident Response Planning: Develop and regularly test an incident response plan specifically for OT incidents, focusing on the unique challenges posed by these environments.
- Employee Training: Educate personnel on cybersecurity best practices, including recognizing phishing attempts and the importance of secure password hygiene.
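The "Continuous Monitoring" item above asks for attention to connections originating from or destined for ATG systems. As an added example (not from the advisory or any SIEM product), the Python below applies a simple allow-list policy to firewall connection records: an ATG may only be reached from the OT segment or a designated management host, and may only initiate connections into the OT segment. Allowed flows that break the policy are high-severity (the device is reachable from where it should not be); denied inbound flows from untrusted sources are logged at low severity as perimeter noise worth trending. The log format, addresses, host roles and ports are constructed for the example; a real deployment would swap in the parser for its firewall or NetFlow export.

```python
"""Review firewall connection records for ATG traffic outside the allowed paths.

Log format, addresses and host roles are constructed for this example.
"""
import ipaddress
import re

# Constructed network facts.
ATG_HOSTS = {"10.50.1.10", "10.50.1.11"}
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_MGMT_HOSTS = {"10.20.5.5"}  # the one poller/jump host permitted to reach ATGs

# Constructed key=value record layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str):
    """Return the record fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _is_trusted(addr: str) -> bool:
    """Trusted peers for an ATG: the OT segment itself or the management host."""
    if addr in ALLOWED_MGMT_HOSTS:
        return True
    try:
        return ipaddress.ip_address(addr) in OT_SEGMENT
    except ValueError:  # not an IP literal (e.g. a hostname): treat as untrusted
        return False


def evaluate(rec: dict):
    """Return an alert dict if the record violates the ATG traffic policy, else None."""
    src, dst, action = rec["src"], rec["dst"], rec["action"]
    if dst in ATG_HOSTS and not _is_trusted(src):
        if action == "allow":
            sev, reason = "high", "untrusted source reached an ATG"
        else:
            sev, reason = "low", "untrusted source blocked at perimeter (possible probing)"
        return {"ts": rec["ts"], "severity": sev, "src": src, "dst": dst, "reason": reason}
    if src in ATG_HOSTS and not _is_trusted(dst) and action == "allow":
        return {"ts": rec["ts"], "severity": "high", "src": src, "dst": dst,
                "reason": "ATG initiated a connection to an untrusted destination"}
    return None


def detect(lines) -> list:
    """Run the policy over an iterable of log lines and collect alerts in order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = evaluate(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records: one normal poll, one external access that was
# allowed, an ATG calling out to the internet, a normal OT-internal flow, and
# a blocked external probe.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z action=allow src=10.20.5.5 dst=10.50.1.10 dport=9100 proto=tcp",
    "2024-06-01T10:00:07Z action=allow src=198.51.100.23 dst=10.50.1.10 dport=9100 proto=tcp",
    "2024-06-01T10:00:09Z action=allow src=10.50.1.11 dst=203.0.113.9 dport=443 proto=tcp",
    "2024-06-01T10:00:12Z action=allow src=10.50.2.40 dst=10.50.1.11 dport=9100 proto=tcp",
    "2024-06-01T10:00:15Z action=deny src=192.0.2.77 dst=10.50.1.11 dport=9100 proto=tcp",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}: {a['reason']}")
```

A high-severity hit on an allowed inbound flow is also evidence that the segmentation and isolation steps above have not fully taken effect, so the same alert feeds both the SOC queue and the asset-remediation backlog.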