Federal cyber agencies are warning that threat actors are actively targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks. That may sound niche, but it is exactly the kind of overlooked operational technology that can create real-world risk for gas stations, farms, logistics yards, chemical sites, transportation operators, and small critical-infrastructure suppliers.
According to BleepingComputer’s reporting and the underlying NSA/CISA joint guidance, the activity involves attackers compromising internet-exposed ATG systems and then altering device settings by executing commands on them. The U.S. government has not publicly attributed the activity to a specific group.
What happened
ATG systems are commonly used across the energy, chemical, food and agriculture, and transportation sectors to remotely track storage tank levels, temperature, and potential leaks. The warning says attackers are going after systems that are reachable from the public internet, then abusing weaknesses such as weak or default credentials, authentication bypass, hardcoded credentials, command-execution flaws, SQL injection, and privilege escalation.
Once inside, an attacker may be able to modify configuration values, labels, tank volumes, alerts, network settings, or other operational parameters. Even if an intrusion does not directly change physical fuel levels, manipulating the monitoring layer can blind operators, delay response, interfere with compliance processes, and create unsafe assumptions about inventory or leak status.
Why it matters for smaller operators
This is the part that should get attention: ATG systems often sit outside the traditional IT security program. They may be installed by a vendor, monitored by a third party, connected for convenience, and forgotten until a compliance event or maintenance call. That makes them attractive targets.
For SMBs and government contractors, this is not just a “big critical infrastructure” problem. If your business depends on fuel, fleet operations, agricultural storage, backup generators, bulk liquids, or contracted facility support, an exposed monitoring system can become an operational liability. Attackers do not need a sophisticated zero-day if the device is reachable, under-patched, and protected by weak credentials.
Defensive takeaways
- Remove ATG systems from direct internet exposure. Inventory public-facing services and close exposed ATG ports and web interfaces wherever possible.
- Use controlled remote access. If remote vendor or operator access is required, place it behind a VPN or a managed remote-access gateway, restrict it with firewall allowlists to the vendor and operator addresses that actually need it, and log every session.
- Replace default and shared credentials. Use strong, unique administrative credentials and multifactor authentication where the platform supports it.
- Patch with vendor support. Coordinate with certified ATG service providers to validate firmware/software versions and apply manufacturer updates safely.
- Monitor for configuration drift. Capture a known-good configuration baseline, then alert on unexpected changes to tank labels, thresholds, alarms, network settings, serial-port exposure, user accounts, and remote connections.
- Put OT assets in the asset inventory. If it measures, controls, alerts, or supports operations, it belongs in the risk register—not just the maintenance binder.
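The drift-monitoring item above is the one most teams skip because ATGs rarely ship with change auditing. The script below is an added example, not code from the advisory or from any ATG vendor. It assumes that a maintenance job can pull the device configuration into a flat "setting -> value" dictionary (from a console export or a vendor tool); the setting names and the sample snapshots are constructed for illustration and are not any real device's schema. The point it makes that the bullet alone does not: separate inventory readings (which change with every delivery) from configuration, weight network, account and leak-test changes as critical, and suppress only changes that were approved through change control.

```python
# Added example, not from the advisory or any vendor: a small configuration-drift
# check for an ATG. The snapshot format is an assumption: a flat dict of
# "setting -> value" as a maintenance script or vendor export might produce.
# The setting names are illustrative, not a real device's schema.
from dataclasses import dataclass

# Settings worth watching and how loudly to complain when they move. Volumes,
# temperatures and water levels move with every delivery, so they are left out:
# drift here means configuration, not inventory.
WATCHED = {
    "tank.1.label": "high",
    "tank.2.label": "high",
    "tank.1.alarm.high_product": "high",
    "tank.1.alarm.low_product": "high",
    "tank.1.alarm.leak_test": "critical",
    "tank.2.alarm.leak_test": "critical",
    "net.ip": "critical",
    "net.gateway": "critical",
    "net.console.tcp_enabled": "critical",
    "net.console.port": "critical",
    "users": "critical",
    "remote.callout.number": "critical",
}


@dataclass(frozen=True)
class DriftEvent:
    key: str
    severity: str
    before: object
    after: object


def detect_drift(baseline, current, approved=None):
    """Return every difference between the golden baseline and a fresh snapshot.

    ``approved`` maps setting -> expected new value for changes that went
    through change control (a vendor relabelling a tank, say); a current value
    that matches is not drift. Settings outside WATCHED are still reported, at
    'medium', because an unknown setting appearing or vanishing is worth a look.
    """
    approved = approved or {}
    events = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key), current.get(key)
        if before == after:
            continue
        if key in approved and approved[key] == after:
            continue
        events.append(DriftEvent(key, WATCHED.get(key, "medium"), before, after))
    return events


def should_page(events):
    """Page on-call when anything critical moved (network, users, leak tests)."""
    return any(e.severity == "critical" for e in events)


def render(events):
    """One line per event, suitable for a syslog forwarder or a ticket body."""
    return [f"[{e.severity.upper()}] {e.key}: {e.before!r} -> {e.after!r}" for e in events]


# Constructed sample snapshots (not real device data). The 192.0.2.0/24 block is
# a documentation range and TCP 10001 is an assumed console port.
BASELINE = {
    "tank.1.label": "REGULAR",
    "tank.2.label": "DIESEL",
    "tank.1.alarm.high_product": 90,
    "tank.1.alarm.low_product": 10,
    "tank.1.alarm.leak_test": "enabled",
    "tank.2.alarm.leak_test": "enabled",
    "net.ip": "192.0.2.10",
    "net.gateway": "192.0.2.1",
    "net.console.tcp_enabled": False,
    "net.console.port": 10001,
    "users": ("admin", "svc_vendor"),
    "remote.callout.number": "",
}

# What a tampered device might look like the next morning: the leak test on
# tank 2 quietly switched off, the TCP console turned on, an extra account, and
# one label change that a technician did submit through change control.
CURRENT = dict(BASELINE, **{
    "tank.2.label": "DIESEL B20",
    "tank.2.alarm.leak_test": "disabled",
    "net.console.tcp_enabled": True,
    "users": ("admin", "svc_vendor", "maint2"),
})
APPROVED = {"tank.2.label": "DIESEL B20"}

if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT, APPROVED)
    print("\n".join(render(found)))
    print("page on-call:", should_page(found))
```

Run it on a schedule against a fresh export and ship `render()` output to whatever collects your logs; the baseline should live somewhere the device and its vendor portal cannot write to, otherwise an attacker who rewrites the configuration can rewrite the baseline with it.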
Bulwark Black assessment
The real lesson is exposure management. Small OT devices tend to fall between IT, vendors, facilities, and operations. That gap is where attackers live. Organizations should treat ATG systems like any other operational control point: identify them, restrict access, harden credentials, monitor changes, and verify that vendors are following the same rules.
For teams with limited resources, start with the highest-value question: “Can this device be reached from the internet?” If the answer is yes, fix that first. Everything else gets easier once the device is no longer casually discoverable and reachable by anyone on the public network.
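In practice "fix that first" means a rule on the firewall in front of the device, not a change on the ATG itself, since most of these units cannot filter their own traffic. The nftables policy below is an added example, not part of the NSA/CISA guidance or any vendor documentation. Every address in it is an assumption to be replaced with your own: 192.0.2.10 for the ATG, 198.51.100.5 for the vendor's managed remote-access gateway, 10.200.0.0/24 for the operator VPN pool, and TCP 10001 for the device's management port (the port many ATG serial-over-IP consoles listen on; confirm yours with the vendor).

```nft
#!/usr/sbin/nft -f
# Added example, not from the advisory or any vendor: segmentation-firewall
# policy that takes an ATG off the internet while keeping vendor and operator
# access, with every permitted session and every blocked probe logged.
#
# Assumed addresses and port; replace all of them:
define atg_host  = 192.0.2.10       # the ATG, on the OT segment behind this firewall
define atg_port  = 10001            # assumed management port; confirm with the vendor
define vendor_gw = 198.51.100.5     # vendor's managed remote-access gateway
define ops_vpn   = 10.200.0.0/24    # addresses handed out by the operator VPN

table inet atg_guard {
    # Who may open a session to the ATG. Add to this set, never to the rules.
    set atg_allowed {
        type ipv4_addr
        flags interval
        elements = { $vendor_gw, $ops_vpn }
    }

    # This chain only decides traffic to and from the ATG; the site's existing
    # default policy still applies to everything else passing the firewall.
    chain forward {
        type filter hook forward priority filter; policy accept;

        ct state established,related accept

        # Only allowlisted sources reach the management port, and each new
        # session is logged so vendor access is auditable after the fact.
        ip daddr $atg_host tcp dport $atg_port ip saddr @atg_allowed ct state new log prefix "ATG-ACCESS " accept

        # Anything else aimed at the ATG is logged (rate-limited so a scan
        # cannot flood the log) and dropped. A steady stream of these lines
        # means the device is still being discovered from outside.
        ip daddr $atg_host limit rate 10/minute log prefix "ATG-BLOCKED " drop
        ip daddr $atg_host drop

        # The ATG gets no outbound path except to the vendor gateway: a
        # tampered device should not be able to call out anywhere else.
        ip saddr $atg_host ip daddr $vendor_gw accept
        ip saddr $atg_host limit rate 10/minute log prefix "ATG-EGRESS-BLOCKED " drop
        ip saddr $atg_host drop
    }
}
```

Load it with `nft -f` on the firewall that separates the OT segment from the rest of the network, then confirm from an outside vantage point that the management port no longer answers; the "ATG-ACCESS" and "ATG-BLOCKED" log prefixes give the SOC a ready-made feed for both vendor session tracking and detection of continued scanning. If the ATG also exposes a web interface, add its port to the allowlist rule the same way rather than leaving it reachable by default.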
Sources: BleepingComputer; NSA/CISA joint guidance.
