CISA Warns U.S. Automatic Tank Gauge Partners Cyberattacks

Often overlooked, specific infrastructure components are currently experiencing a serious wave of cyberattacks.

Automatic Tank Gauge systems, commonly known as ATG systems, are used across the United States to remotely monitor fuel levels, liquid volumes, temperatures, and potential leaks in storage tanks.

These systems sit quietly in the background, keeping operations running at gas stations, farms, chemical plants, and transportation hubs. Now, threat actors are actively going after them.

ATG systems are deployed across the Energy, Chemical, Food and Agriculture, and Transportation sectors. They are critical because they automate what would otherwise require constant manual oversight.

But that same network connectivity that makes them useful has also made them a target. Attackers are exploiting the fact that many of these systems are left exposed to the open internet, often with weak or default passwords still in place.

CISA, in a report shared with Cyber Security News (CSN), along with the FBI, NSA, DOE, EPA, TSA, DOT, and USDA, confirmed active malicious cyber activity targeting U.S.-based ATG systems.

The agencies noted that threat actors are compromising internet-exposed devices and actively modifying them through direct command execution. The U.S. government has not yet attributed the activity to any specific nation-state or threat group.

The attacks are not theoretical. Threat actors are gaining access, running commands, and in some cases taking full control of these systems as if they were standing right in front of the hardware.

Once inside, they can change network settings, adjust tank volume readings, alter pump controls, and disable the alerts that operators rely on to catch dangerous problems early.

The consequences could reach well beyond a network intrusion. A compromised ATG system can create what experts call a “denial of view” condition, where operators can no longer see accurate fill levels.

Left unchecked, this could lead to physical damage to tank infrastructure, environmental hazards, or spills from relay failures.

CISA and Partners Warns of Cyberattacks

The attack methods described in the advisory are not exotic, but they are effective. Threat actors exploit authentication bypass flaws and hardcoded credentials to slip past device management interfaces without a valid login.

Once they have a foothold, they use operating system command execution and SQL injection to run arbitrary code and manipulate the underlying databases that manage tank data.

From there, privilege escalation gives attackers full administrator control over both the device software and the operating system.

They can make devices report false readings, suppress safety alarms, or cause components to malfunction in ways that are hard to detect until real damage is done. The simplicity of these entry points is especially concerning given how widely ATG devices are deployed across critical industries.

Steps to Protect ATG Systems Now

CISA and its partner agencies have outlined clear steps that ATG owners and operators should take immediately. The most urgent action is removing these systems from direct internet exposure.

The ATG serial port, which defaults to TCP ports 8001, 9001, or 10001, should never be publicly accessible. If remote access is truly needed, it must be protected behind a firewall, an access control list, or a VPN.

Operators should change any default passwords right away and set strong, unique credentials for every interface, including the serial port. Where possible, phishing-resistant multifactor authentication should be enabled.

Keeping software patched and working with certified service providers to apply the latest manufacturer updates is equally important.

Organizations should enable detailed logging and regularly audit those logs for signs of unauthorized access, unusual alarm activity, or unexpected configuration changes.

Any suspected incidents should be reported to CISA at [email protected] or by calling 888-282-0870. The FBI also accepts complaints through the Internet Crime Complaint Center at www.ic3.gov.

The threat to ATG systems is a reminder that industrial control devices are in the crosshairs of attackers. Leaving them exposed and unprotected is no longer an option.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.