Critical Alert: Federal Agencies Warn of Active Cyber Attacks on Automatic Tank Gauge Systems
A coalition of U.S. federal agencies, including **CISA**, **FBI**, and **NSA**, has issued an urgent warning about ongoing malicious cyber activity targeting **Automatic Tank Gauge (ATG)** systems across critical infrastructure sectors. These vital systems, used for monitoring fuel and liquid levels, are being actively compromised, posing significant risks to operational integrity, environmental safety, and national security. Owners and operators are strongly urged to implement immediate hardening measures to defend against these attacks.
### Federal Agencies Sound Alarm on ATG System Compromises
A joint advisory from the **Cybersecurity and Infrastructure Security Agency (CISA)**, the **Federal Bureau of Investigation (FBI)**, the **National Security Agency (NSA)**, the **Department of Energy (DOE)**, the **Environmental Protection Agency (EPA)**, the **Transportation Security Administration (TSA)**, the **Department of Transportation (DOT)**, and the **U.S. Department of Agriculture (USDA)** warns of active cyber threats targeting **Automatic Tank Gauge (ATG)** systems. These systems are critical for monitoring storage tank parameters like fuel levels, temperature, and leak detection across the **Energy Sector**, **Chemical Sector**, **Food and Agriculture Sector**, and **Transportation Systems Sector**.
The advisory emphasizes that cyber threat actors are actively compromising internet-exposed ATG systems and modifying them through command execution. While no specific nation-state or threat actor group has been attributed, the observed tactics, techniques, and procedures (TTPs) indicate a sophisticated and persistent threat.
### Understanding the Threat Landscape
Attackers are exploiting various vulnerabilities to gain unauthorized access and control over ATG systems:
* **Authentication Bypass and Hardcoded Credentials**: Threat actors are bypassing authentication mechanisms and exploiting default or hardcoded credentials to access device management interfaces.
* **OS Command Execution and SQL Injection**: These techniques allow attackers to execute arbitrary code and manipulate underlying databases, granting them extensive control.
* **Privilege Escalation**: Once initial access is gained, threat actors are escalating privileges to achieve full administrator control over the device application and operating system.
### Potential Operational and Safety Impacts
A successful compromise of an ATG system can have severe consequences because it gives the attacker capabilities that mimic legitimate physical access to the system console. Threat actors could:
* **Alter system attributes**: This includes network settings, product identifiers, tank volumes, and pump controls, leading to operational chaos.
* **Compound operational malfunctions**: Components operating incorrectly could create a "denial of view" condition for tank fill levels, potentially causing permanent damage to the tank system.
* **Disable system alerts**: Suppressing critical alerts reduces an operator's ability to detect and mitigate issues, significantly increasing the risk of environmental or physical hazards such as leaks or relay failures.
### Urgent Mitigation Recommendations
The authoring organizations urge ATG owners and operators to immediately implement the following security measures:
1. **Eliminate Public Internet Exposure**: Crucially, **do not expose ATG serial ports** (e.g., default TCP ports 8001, 9001, or 10001) or other applicable web interfaces directly to the internet. If remote access is essential, restrict it using a firewall, access control list (ACL), or virtual private network (VPN).
2. **Enforce Credential Security**: Immediately change all default passwords and implement strong, unique security codes and administrative credentials for all interfaces. Where feasible, implement phishing-resistant **Multifactor Authentication (MFA)**. Contact your ATG service provider for assistance if unfamiliar with these procedures.
3. **Apply Patches**: Work with certified ATG service providers to verify compliance, update software, and apply the latest security patches from manufacturers.
4. **Monitor and Report**: Actively monitor networks for unauthorized access.
    * Enable logging, and audit and monitor logs for exposure of ATG device interfaces, unauthorized connections, suspicious alarms, alarm threshold modifications, tank label changes, and other system modifications.
    * Report suspected incidents promptly to the **CISA** [portal](https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia/voluntary-cyber-incident-reporting).
5. **Engage Third-Party Service Providers**: Ensure your third-party service providers adopt the primary mitigations to reduce cyber threats to **Operational Technology (OT)**, as outlined by **CISA**, **FBI**, **EPA**, and **DOE**.
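
An added example (not from the advisory or any vendor tooling) covering mitigations 1 and 4 above: it scans firewall log lines for connections to the default ATG ports from sources outside an approved management range. The log format, the allowlisted subnet, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Default ATG serial-over-TCP ports named in the mitigation list above.
ATG_PORTS = {8001, 9001, 10001}
# Assumption: only this management/VPN range may reach the gauges.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: a simple key=value firewall log format; adapt to your own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2025-01-01T02:11:07Z action=allow src=10.20.0.15 dst=192.0.2.10 dport=10001
2025-01-01T02:14:52Z action=allow src=203.0.113.77 dst=192.0.2.10 dport=10001
2025-01-01T02:15:03Z action=deny src=198.51.100.4 dst=192.0.2.10 dport=8001
2025-01-01T02:16:40Z action=allow src=203.0.113.77 dst=192.0.2.11 dport=443
malformed line that should be skipped
"""


def is_allowed(src: str) -> bool:
    """True when the source address is inside an approved management range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unauthorized(log_text: str) -> list[dict]:
    """Return ATG-port connections from sources outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in ATG_PORTS or is_allowed(m["src"]):
            continue
        # "allow" means the gauge was reachable; "deny" is a blocked probe.
        severity = "exposed" if m["action"] == "allow" else "blocked-probe"
        findings.append({**m.groupdict(), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_LOG):
        print(f["ts"], f["severity"], f["src"], "->", f["dst"], f["dport"])
```

An "exposed" finding means the firewall passed traffic to a gauge port from outside the management range, which is the condition mitigation 1 is meant to eliminate.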
### Additional Resources and Reporting
For a deeper dive into securing **OT** and **Industrial Control Systems (ICS)**, organizations should review:
* **CISA**, **FBI**, **EPA**, and **DOE**'s [Primary Mitigations to Reduce Cyber Threats to Operational Technology](https://www.cisa.gov/sites/default/files/2025-05/fact-sheet-primary-mitigations-to-reduce-cyber-threats-to-operational-technology-508c.pdf) fact sheet.
* Information on vulnerabilities affecting ATG systems, such as [Critical Vulnerabilities Discovered in Automated Tank Gauge Systems](https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated-tank-gauge-systems).
* **CISA**'s [Internet Exposure Reduction Guidance](https://www.cisa.gov/resources-tools/resources/exposure-reduction) web page for identifying and removing internet-accessible assets.
* The NCSC's [Secure connectivity principles for Operational Technology (OT)](https://www.ncsc.gov.uk/sites/default/files/documents/ncsc-secure-connectivity-for-operational-technology.pdf).
U.S. organizations are encouraged to report any suspicious or criminal activity related to these threats:
* **CISA**: Contact CISA's 24/7 Operations Center via [email protected] or 888-282-0870. Provide details like date, time, location, activity type, affected parties, equipment, and a point of contact. More info on [Voluntary Cyber Incident Reporting](https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia/voluntary-cyber-incident-reporting).
* **FBI**: File a complaint with the Internet Crime Complaint Center (**IC3**) at [www.ic3.gov](https://www.ic3.gov/). Include incident details as above.
* **EPA**: Contact EPA's Office of National Security via [email protected].
* **DOE**: Entities with reporting requirements should follow established procedures. For other energy sector inquiries, contact [email protected].