[TIMESTAMP: 2026-05-18 17:04 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Iranian Cyber Offensive Targets Critical Fuel Tank Gauge Systems

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Iranian threat actors are targeting exposed automatic tank gauges to disrupt fuel operations and potentially cause kinetic damage to critical infrastructure.
  • [02] Affected systems include internet-connected automatic tank gauge systems lacking authentication or secured only by default configurations.
  • [03] Defenders must disconnect automatic tank gauges from the public internet and implement secure VPN access for remote monitoring.

The recent escalation in cyber-physical attacks attributed to Iranian threat actors highlights a significant shift in targeting priorities within the Middle East and beyond. According to Dark Reading, security researchers have identified an uptick in the exploitation of Automatic Tank Gauge (ATG) systems. These systems, which monitor fuel levels, temperature, and volume in underground storage tanks, are often exposed to the public internet without adequate security controls, making them prime targets for state-sponsored disruption.

Overview of ATG Vulnerabilities in Critical Infrastructure

Automatic Tank Gauges are essential components in the fuel supply chain, found at gas stations, airports, and emergency power facilities. Historically, these devices were designed for serial communication and were never intended to be directly accessible via the internet. However, the adoption of serial-to-Ethernet converters has inadvertently placed thousands of these devices online. When an APT identifies an exposed ATG, it can gain control over the device’s administrative functions, which often lack any form of password protection.

While no specific CVE is currently tied to this wave of attacks, the threat stems from the inherent lack of authentication in the protocols used by legacy ATG hardware. This allows attackers to send unauthenticated commands to the device. The impact of such a breach is not limited to data theft; it extends to physical consequences, such as shutting down fuel pumps or spoofing leak detection alarms to trigger emergency responses.

Technical Analysis of Iranian TTPs Targeting Fuel Systems

The TTPs observed in these campaigns involve scanning for common ports used by ATG manufacturers, such as TCP port 10001. Once a connection is established, the attackers can issue commands to the tank monitor. Security professionals tasked with protecting industrial environments must understand how to detect Iranian ATG tampering before kinetic damage occurs. Common indicators of compromise include unauthorized changes to tank labels, frequent ‘High Level’ or ‘Leak’ alarms with no physical cause, and unusual traffic originating from known Iranian IP ranges directed at OT assets.

Securing Automatic Tank Gauge Systems from Remote Exploitation

The primary defensive failure in these incidents is the direct exposure of the ATG to the public internet. To bolster OT security for fuel infrastructure, asset owners should immediately audit their network perimeter to ensure no industrial control components are reachable via public IPv4 addresses. Implementing a Zero Trust architecture for remote maintenance is a necessary step to prevent unauthorized command execution.

Actionable Recommendations for OT Asset Owners

To mitigate the risk of compromise, organizations should prioritize the following defensive measures:

  • Network Isolation: Disconnect ATGs from the public internet. Use a cellular gateway with a private APN or a hardened VPN for remote monitoring.
  • Command Filtering: If the ATG must remain networked, use an industrial firewall to filter incoming traffic, allowing only specific commands from authorized SOC monitoring stations.
  • Monitoring and Logging: Integrate ATG system logs into a SIEM to monitor for unusual configuration changes or repetitive unauthenticated access attempts.
  • Physical Verification: In the event of a suspected breach, perform physical dips of fuel tanks to verify that the digital readings match the actual inventory levels, as attackers may feed falsified readings to the gauge to mask their activity.
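Detection logic for two of the indicators above (ATG-port traffic into the OT segment from sources other than the authorized monitoring station, and bursts of ‘Leak’/‘High Level’ alarms with no physical cause), run over constructed log lines. This is an added example, not code from the article or from Dark Reading; the OT subnet, monitoring-station address, log formats and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ATG_PORT = 10001                                        # listener port named in the article
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")        # assumed OT segment holding the ATGs
ALLOWED_MONITORS = {ipaddress.ip_address("10.1.5.10")}  # assumed SOC monitoring station

# Constructed perimeter flow-log lines: "<ts> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_LOG = """\
2026-05-18T16:01:02Z 10.1.5.10 10.20.0.7 10001 tcp
2026-05-18T16:02:11Z 203.0.113.45 10.20.0.7 10001 tcp
2026-05-18T16:02:19Z 203.0.113.45 10.20.0.8 10001 tcp
"""

# Constructed ATG alarm lines as forwarded to the SIEM: "<ts> <site> <alarm_type>"
ALARM_LOG = """\
2026-05-18T16:10:00Z site-A LEAK
2026-05-18T16:12:30Z site-A LEAK
2026-05-18T16:14:05Z site-A HIGH_LEVEL
2026-05-18T16:15:40Z site-A LEAK
2026-05-18T18:00:00Z site-B LEAK
"""

def unauthorized_atg_connections(log):
    """(src, dst) pairs for ATG-port traffic into OT from non-allowlisted sources."""
    hits = []
    for line in log.splitlines():
        _ts, src, dst, port, proto = line.split()
        if (proto == "tcp" and int(port) == ATG_PORT
                and ipaddress.ip_address(dst) in OT_SUBNET
                and ipaddress.ip_address(src) not in ALLOWED_MONITORS):
            hits.append((src, dst))
    return hits

def alarm_storms(log, threshold=3, window=timedelta(minutes=10)):
    """Sites raising >= threshold LEAK/HIGH_LEVEL alarms inside one sliding window."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, site, kind = line.split()
        if kind in ("LEAK", "HIGH_LEVEL"):
            events[site].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = []
    for site, times in sorted(events.items()):
        times.sort()
        # count alarms falling within `window` of each alarm in turn
        if any(sum(t - start <= window for t in times[i:]) >= threshold
               for i, start in enumerate(times)):
            flagged.append(site)   # cue for a manual tank dip at this site
    return flagged
```

A site flagged by `alarm_storms` is where the physical verification step above should be performed first.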

By addressing these fundamental security gaps, defenders can significantly reduce the success rate of Iranian cyber-physical operations targeting the energy sector.
