Cybersecurity researchers from BitSight TRACE have made a startling discovery of multiple zero-day vulnerabilities in Automated Tank Gauge (ATG) systems. These systems play a crucial role in managing fuel storage tanks across various critical infrastructures. The vulnerabilities found in six ATG systems from five different vendors have raised significant concerns regarding public safety and economic stability.

According to the researchers, these vulnerabilities could potentially be exploited by malicious actors to cause physical damage, environmental hazards, and economic losses. The impact of such attacks could be far-reaching and pose a serious threat to the integrity of critical infrastructures. The flaws identified in the ATG systems have highlighted the urgent need for enhanced security measures to mitigate the risks associated with these vulnerabilities.

Automatic Tank Gauging (ATG) systems are designed to automatically measure and record product level, volume, and temperature in storage tanks. These systems are widely used in gas stations and are prevalent in various critical facilities such as military bases, hospitals, airports, emergency services, and power plants. While ATG systems are essential for ensuring compliance with environmental regulations and optimizing inventory management, their exposure to the internet makes them vulnerable to cyberattacks.

The investigation by BitSight TRACE revealed a total of 11 vulnerabilities across several ATG models, including critical flaws such as OS command injection, authentication bypasses, hardcoded credentials, and SQL injection vulnerabilities. These vulnerabilities could allow attackers to gain full administrative control over the ATG systems, posing a severe risk to the security and integrity of these critical systems.

The exploitation of these vulnerabilities could have devastating consequences, including denial of service attacks, physical damage to tanks, data theft, and network intrusion. These scenarios underscore the urgent need for organizations to implement enhanced security measures to protect ATG systems from exploitation and safeguard critical infrastructure from potential disasters.

In response to these vulnerabilities, BitSight has been working closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to develop remediation strategies through responsible disclosure. The collaboration between BitSight and affected vendors aims to mitigate the risks associated with these vulnerabilities and enhance the security of ATG systems.

CISA has also published advisories to guide organizations in securing their ATG systems against potential attacks. The discovery of these vulnerabilities has shed light on the critical need for improved cybersecurity practices in industrial control systems like ATGs. Organizations are strongly encouraged to disconnect ATGs from the internet and implement robust security measures to protect against future threats.

As the industry moves towards a “secure by design” philosophy, it is essential for manufacturers and operators to work together to address these vulnerabilities and protect critical infrastructure from cyber threats. The discovery of these vulnerabilities serves as a wake-up call for the industry to prioritize cybersecurity and take proactive measures to enhance the security of ATG systems.

In conclusion, the uncovering of these vulnerabilities has highlighted the critical need for enhanced security measures to protect ATG systems from exploitation and safeguard critical infrastructure from potential disasters. Organizations must prioritize cybersecurity and collaborate with industry stakeholders to address these vulnerabilities and ensure the security and integrity of ATG systems.

Source link