Hardening Automatic Tank Gauge Systems Against Cyber Threats
- [01] Malicious cyber activity targets U.S.-based Automatic Tank Gauge (ATG) systems, posing risks to critical functions.
- [02] Affected systems include internet-exposed ATGs across Energy, Chemical, Food & Agriculture, and Transportation sectors.
- [03] Eliminate public internet exposure and enforce strong credential security immediately to reduce compromise risk.
CISA and Partners Urge Hardening Automatic Tank Gauge Systems
The Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, DOE, EPA, TSA, DOT, and USDA, has issued an urgent advisory regarding observed malicious cyber activity targeting U.S.-based Automatic Tank Gauge (ATG) systems. These systems are pivotal for automated and remote monitoring of storage tank parameters, including fuel levels, temperature, and leak detection, across critical sectors such as Energy, Chemical, Food and Agriculture, and Transportation Systems. The advisory emphasizes that threat actors are actively compromising internet-exposed ATG systems and modifying them through command execution, underscoring the immediate need for robust security enhancements. This advisory serves as a critical call to action for owners and operators to implement foundational cybersecurity measures.
Understanding the Threat to Automatic Tank Gauge Systems
The recent malicious cyber activity observed by the authoring organizations involves cyber threat actors exploiting vulnerabilities in ATG systems. While specific attribution to a nation-state or particular threat actor group has not yet been made, the identified TTPs highlight common attack vectors. These include:
- Authentication Bypass and Hardcoded Credentials: Threat actors are gaining unauthorized access to device management interfaces, often by exploiting weak or default authentication mechanisms.
- OS Command Execution (RCE) and SQL Injection: Attackers are executing arbitrary code and manipulating underlying databases, indicating severe control over the compromised systems.
- Privilege Escalation: Upon initial compromise, actors are achieving full administrator privileges over the device application and operating system, allowing for extensive manipulation.
Should a cyber threat actor successfully exploit these vulnerabilities and compromise an ATG system, the implications are severe. Attackers could interact with tank management as if they had legitimate physical access to the device. Potential impacts include altering critical system attributes such as network settings, product identifiers, tank volumes, and pump controls. Such changes can cascade into operational malfunctions, deny operators a view of tank fill levels, and potentially cause permanent damage to the tank system. Threat actors could also disable system alerts, drastically reducing an operator's ability to detect and respond to problems and thereby increasing the risk of environmental or physical hazards such as leaks or relay failures. The gravity of these potential outcomes underscores the importance of promptly hardening automatic tank gauge systems.
Actionable Guidance for Hardening Automatic Tank Gauge Systems
The authoring organizations recommend immediate implementation of the following mitigations to defend against this malicious activity and enhance the security posture of ATG systems:
Eliminating Public Internet Exposure & Secure Remote Access to ATG Systems
It is imperative to remove ATG serial-over-TCP interfaces (for example, the default TCP ports 8001, 9001, or 10001) and any web management interfaces from direct public internet exposure. If remote access is necessary, restrict it to known sources using firewalls, Access Control Lists (ACLs), or Virtual Private Networks (VPNs), so that only designated engineering or vendor networks can reach the device. This is the single most effective step toward secure remote access to ATG systems, because it removes the device from the reach of opportunistic internet scanning.
Enforcing Robust Credential Security
Immediately change any default passwords and implement strong, unique security codes and administrative credentials for all interfaces, including the serial port. Where feasible, deploy phishing-resistant multifactor authentication (MFA) to further bolster access controls. If unsure about these procedures, consult with your ATG service provider.
Applying Security Patches
Collaborate with certified ATG service providers to verify compliance, update software, and apply the latest security patches released by manufacturers. Regular patching is fundamental to addressing known vulnerabilities that threat actors may exploit.
Monitoring and Incident Reporting
Organizations must actively monitor their networks for unauthorized access. Enable logging and consistently audit and monitor logs for exposures of ATG device interfaces, unauthorized connections, suspicious alarms, alarm threshold modifications, tank label changes, and other system modifications. Suspected incidents should be promptly reported to the CISA portal.
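The following script is an added example, not part of the advisory or of any vendor's tooling, showing how the two checks above can be automated together: it audits firewall connection logs for ATG ports reached from outside an allowlisted set of networks (the exposure and unauthorized-connection checks from the remote-access section) and audits ATG device events for the configuration changes the advisory says to review (alarm threshold modifications, tank label changes, and similar). The log formats, the allowlisted subnets, and the event names are assumptions constructed for the example; adapt the parsers to your firewall's and ATG vendor's actual log formats.

```python
"""Audit constructed firewall and ATG event logs for the conditions the
advisory says to monitor: internet-exposed ATG interfaces, unauthorized
connections, and sensitive configuration changes. Added example; the log
formats, subnets and event names are assumptions, not any vendor's format."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# TCP ports the advisory names for ATG serial-over-TCP interfaces.
ATG_PORTS = {8001, 9001, 10001}

# ASSUMPTION: the only networks permitted to reach ATG interfaces.
# Replace with your own VPN pool and engineering subnets.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),     # VPN concentrator pool
    ipaddress.ip_network("192.168.50.0/24"),  # on-site engineering LAN
]

# RFC 1918 and loopback ranges; anything else is treated as internet-routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample firewall log (not a real vendor format):
# timestamp src_ip src_port dst_ip dst_port action
SAMPLE_CONN_LOG = """\
2024-06-01T02:14:07Z 203.0.113.77 51234 172.16.5.10 10001 ACCEPT
2024-06-01T02:14:09Z 10.20.0.15 40212 172.16.5.10 10001 ACCEPT
2024-06-01T02:15:30Z 198.51.100.9 33001 172.16.5.10 8001 DROP
2024-06-01T02:16:02Z 192.168.50.8 44000 172.16.5.11 443 ACCEPT
2024-06-01T02:17:45Z 192.168.77.3 50001 172.16.5.10 9001 ACCEPT
"""

# Constructed sample ATG audit events (not a real vendor format):
# timestamp user event detail...
SAMPLE_ATG_EVENTS = """\
2024-06-01T02:14:20Z admin LOGIN ok
2024-06-01T02:14:41Z admin ALARM_THRESHOLD tank=1 high_product 95->100
2024-06-01T02:14:55Z admin TANK_LABEL tank=1 Diesel->Unleaded
2024-06-01T02:15:10Z tech INVENTORY_READ tank=2
"""

# Assumed event names for the modifications the advisory lists as review-worthy.
SENSITIVE_EVENTS = {"ALARM_THRESHOLD", "TANK_LABEL", "NETWORK_SETTING", "PUMP_CONTROL"}


@dataclass
class Finding:
    ts: str
    severity: str
    reason: str
    detail: str


def source_allowed(ip: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def is_internal(ip: str) -> bool:
    """True for RFC 1918 / loopback addresses; False for internet-routable ones."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_connections(log: str) -> list[Finding]:
    """Flag traffic to ATG ports: accepted connections from outside the
    allowlist are high severity (internet source => evidence of exposure),
    dropped probes from the internet are logged at low severity."""
    findings: list[Finding] = []
    for line in log.splitlines():
        ts, src, _sport, dst, dport, action = line.split()
        port = int(dport)
        if port not in ATG_PORTS:
            continue
        target = f"{src} -> {dst}:{port}"
        if action == "ACCEPT" and not source_allowed(src):
            reason = "UNAUTHORIZED_SOURCE" if is_internal(src) else "INTERNET_EXPOSED"
            findings.append(Finding(ts, "high", reason, target))
        elif action != "ACCEPT" and not is_internal(src):
            findings.append(Finding(ts, "low", "INTERNET_PROBE", target))
    return findings


def audit_atg_events(log: str) -> list[Finding]:
    """Flag ATG audit events that change alarm thresholds, tank labels,
    network settings or pump controls, attributing each to its user."""
    findings: list[Finding] = []
    for line in log.splitlines():
        ts, user, event, detail = line.split(maxsplit=3)
        if event in SENSITIVE_EVENTS:
            findings.append(Finding(ts, "medium", event, f"{user}: {detail}"))
    return findings


if __name__ == "__main__":
    for f in audit_connections(SAMPLE_CONN_LOG) + audit_atg_events(SAMPLE_ATG_EVENTS):
        print(f"{f.ts} [{f.severity}] {f.reason}: {f.detail}")
```

Run against the constructed samples, the script reports one accepted connection to port 10001 from an internet address (the exposure the advisory warns about), one dropped internet probe against port 8001, one accepted connection from an internal but non-allowlisted subnet, and the two administrator changes to an alarm threshold and a tank label. Internal-but-unlisted sources are kept separate from internet sources because they usually indicate a missing ACL rather than a compromise, but both deserve a ticket.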
Engaging Third-Party Service Providers & Mitigating Cyber Threats to Operational Technology
Engage your third-party service providers to adopt the recommendations outlined in CISA, FBI, EPA, and DOE’s “Primary Mitigations to Reduce Cyber Threats to Operational Technology” fact sheet. This collaborative approach is vital for effectively mitigating cyber threats to operational technology and enhancing overall resilience within critical infrastructure sectors.