Researchers are issuing warnings about multiple critical security vulnerabilities in automatic tank gauge (ATG) systems that could pose serious threats to critical infrastructure facilities, including the risk of disruption and physical damage. ATGs are essential sensor systems used to monitor and manage fuel storage tanks, ensuring proper fill levels, leak detection, and inventory management. While commonly found at gas stations and airports, these systems are also utilized in other critical installations such as hospitals, military bases, and airports.
According to Pedro Umbelino, a principal research scientist at Bitsight’s TRACE unit, the significant concern is that many new vulnerabilities discovered in ATGs could enable an attacker to gain full administrative control over the system. These vulnerabilities, totaling 11 bugs across six ATG systems from five different vendors, could lead to various malicious activities, from rendering fueling services unavailable to causing environmental disasters.
One alarming aspect highlighted by Umbelino is that despite previous warnings, thousands of ATGs are still accessible over the internet, making them prime targets for cyberattacks, particularly in scenarios involving sabotage or cyberwarfare. In a recent analysis released on Sept. 24, Umbelino emphasized the urgent need to disconnect these devices from public internet access to mitigate risks effectively.
While efforts have been made to address the vulnerabilities, including the release of patches by Maglink and Franklin, some vendors have not engaged in the disclosure process to resolve the issues. Umbelino stressed the importance of not relying solely on patching but also emphasizing the need to disconnect these devices from public internet access due to their inherent lack of security designed for online connectivity.
The security implications of ATG vulnerabilities extend beyond cyber risks to potential physical harm. Attackers could exploit these vulnerabilities to tamper with critical functions such as tank capacity, overflow alarms, and system components, leading to gas spills and other environmental disasters. In some cases, attackers could cause permanent damage to the devices by manipulating relay speeds, highlighting the severity of the risks involved.
The broader context of critical infrastructure security underscores the growing cyber threats facing ICS systems and operational technology (OT). These systems, prioritizing reliability and efficiency over security, are increasingly targeted by threat actors seeking to disrupt essential services and infrastructure. With APTs and ransomware gangs targeting critical infrastructure assets globally, the importance of securing these systems against cyber threats cannot be overstated.
As the cybersecurity landscape evolves, stakeholders must prioritize the security of critical systems to prevent catastrophic outcomes. Umbelino emphasized the need for organizations to adopt stringent security practices, conduct risk assessments, and limit exposure of critical systems to the internet. Additionally, security researchers play a crucial role in identifying and addressing vulnerabilities in ICS systems to mitigate risks proactively.
In conclusion, the ATG vulnerabilities serve as a stark reminder of the complex challenges facing critical infrastructure security. By addressing these vulnerabilities, adopting best practices, and collaborating across sectors, stakeholders can enhance the resilience of critical systems against evolving cyber threats and safeguard essential services for the future.