Critical Infrastructure Alert: Over 900 Fuel Tank Monitoring Systems Exposed to Cyberattacks in U.S.
More than 900 Automatic Tank Gauge (**ATG**) systems across the United States, crucial for monitoring fuel and chemical storage, have been found openly accessible online and are actively being targeted by cyber threat actors. This alarming exposure has prompted a joint advisory from multiple U.S. government agencies, urging critical infrastructure organizations to secure these vulnerable systems immediately.

### The Vulnerability Unveiled
Automatic Tank Gauge (**ATG**) systems are electronic monitoring devices that remotely track liquid levels in storage tanks, automating inventory, environmental leak detection, and regulatory compliance. While frequently found at gas stations, they are also vital in industrial settings for chemical storage.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (**CISA**), alongside the **FBI**, the **NSA**, the **Department of Energy**, and other U.S. government partners, issued a joint advisory warning critical infrastructure organizations about ongoing cyberattacks targeting internet-exposed **ATG** systems.
### Attacker Tactics and Potential Impact
Federal agencies revealed that threat actors are exploiting various security flaws, including hardcoded credentials, authentication bypasses, SQL injection, OS command execution, and privilege escalation weaknesses. These vulnerabilities allow attackers to compromise **ATG** systems and modify settings through command execution attacks.
“The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution,” the joint advisory warned.
**CISA** cautioned that successful compromises could lead to attackers disabling system alerts, increasing the risk of undetected leaks, equipment failures, and even permanent damage to tank systems.
### Widespread Exposure Confirmed
Reinforcing **CISA**'s warning, Internet security watchdog **Shadowserver** reported that over 1,000 **ATG** systems globally were exposed online as of 2026-06-05, with a staggering 909 devices located within the United States.
**Shadowserver** added **ATG** systems to its Accessible ICS reporting, noting, "We added scanning of Automatic Tank Gauge (**ATG**) systems to our Accessible ICS reporting with 1061 IPs seen on 2026-06-05 (on port 10001/tcp). This is after weeding out vast majority which appear to be honeypots (including ports 8001/9001)."

### The Iranian Connection
This advisory follows a May **CNN** report detailing incidents where Iranian hackers reportedly breached internet-connected **ATG** systems at multiple U.S. gas stations. These groups have a history of targeting fuel management systems and other industrial control technologies.
Attackers exploited weak or nonexistent passwords to manipulate display readings, though actual fuel levels remained unaltered. While these specific incidents caused no physical damage, they highlight the potential for disrupting automated leak detection and other safety functions.
In April, another joint advisory from U.S. federal agencies linked Iranian state-backed hackers to attacks targeting **Rockwell Automation/Allen-Bradley** PLC devices since March 2026, resulting in financial losses and operational disruptions. Cybersecurity firm **Censys** later reported that 74.6% (3,891 hosts) of such exposed industrial control systems globally were in the United States.
### Urgent Mitigation Strategies
Critical infrastructure organizations are strongly advised to restrict remote access to **ATG** systems from the Internet immediately. Implementing controlled access via firewalls, VPNs, or access control lists is crucial. Other vital steps include replacing default passwords with strong, unique credentials, applying security updates promptly, continuously monitoring systems for unauthorized changes, and deploying multi-factor authentication wherever possible.
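
One way to check that access restrictions are actually holding is to review firewall logs for permitted connections to the ATG port from outside the approved management networks. The following is an added example, not code from the advisory or any agency; the log format, addresses, network ranges, and function names are constructed assumptions, and only port 10001/tcp comes from the Shadowserver report quoted above.

```python
import ipaddress

ATG_PORT = 10001  # port named in the Shadowserver report quoted above

# Assumed ranges for illustration: hosts allowed to reach ATGs, and site-internal space.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/28")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample firewall log, fields: time src dst dport action
SAMPLE_LOG = """\
2026-06-05T01:12:03Z 10.20.0.14 10.30.1.5 10001 ALLOW
2026-06-05T01:15:41Z 203.0.113.77 10.30.1.5 10001 ALLOW
2026-06-05T01:15:59Z 198.51.100.9 10.30.1.5 10001 DENY
2026-06-05T02:03:10Z 203.0.113.77 10.30.1.5 443 ALLOW
2026-06-05T02:40:22Z 192.168.50.200 10.30.1.6 10001 ALLOW
malformed line here
"""

def in_any(ip, nets):
    return any(ip in net for net in nets)

def find_exposures(log_text):
    """Return (findings, skipped_line_numbers).

    A finding is an ALLOWed connection to the ATG port whose source is not
    in the management allowlist. Unparseable lines are reported, not dropped
    silently, so gaps in log coverage stay visible.
    """
    findings, skipped = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ts, src, dst, dport, action = line.split()
            src_ip = ipaddress.ip_address(src)
            dport = int(dport)
        except ValueError:  # wrong field count, bad IP, or bad port
            skipped.append(lineno)
            continue
        if dport != ATG_PORT or action != "ALLOW" or in_any(src_ip, MGMT_NETS):
            continue
        origin = "internal-unmanaged" if in_any(src_ip, INTERNAL_NETS) else "internet"
        findings.append({"time": ts, "src": src, "dst": dst, "origin": origin})
    return findings, skipped

if __name__ == "__main__":
    hits, bad = find_exposures(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['origin']:<18} {h['src']} -> {h['dst']}:{ATG_PORT}")
    print("unparsed lines:", bad)
```

An `internet` finding means the gauge is reachable from outside the site; an `internal-unmanaged` finding points to an access control list that is wider than the management network it was meant to admit.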