CISA Warns: Hackers Are Targeting U.S. Fuel Tank Monitoring Systems Across Critical Infrastructure

dark6 8 June 2026

A coalition of eight US government agencies — CISA, the FBI, NSA, DOE, EPA, TSA, DOT, and USDA — has issued a joint advisory confirming that threat actors are actively targeting Automatic Tank Gauge (ATG) systems deployed across critical American infrastructure. The warning represents one of the most significant alerts to the industrial control system (ICS) community in recent months.

ATG systems are used across the Energy, Chemical, Food and Agriculture, and Transportation sectors to remotely monitor fuel levels, liquid volumes, temperatures, and potential leaks in storage tanks. They sit quietly in the background at gas stations, farms, chemical plants, and transportation hubs — essential to safe operations, but often overlooked from a cybersecurity perspective.

What Attackers Are Doing

According to the advisory, threat actors are exploiting the fact that many ATG systems are left directly exposed to the public internet, often still running with weak or default passwords. Once inside, they are not simply scanning or probing — they are actively modifying device configurations through direct command execution.

Attackers can:

  • Change network settings and tank volume readings
  • Alter pump controls and relay configurations
  • Disable the safety alarms operators rely on to catch dangerous conditions early
  • Create a “denial of view” condition — operators can no longer see accurate fill levels
  • Cause physical damage to tank infrastructure through relay failures
  • Create environmental hazards or spills

The US government has not yet attributed the activity to any specific nation-state or threat group. However, the multi-agency response and out-of-band advisory format indicate a high level of concern about the ongoing and potentially escalating nature of these attacks.

How the Attacks Work

The attack techniques described in the advisory are straightforward but effective. Threat actors are exploiting several categories of weakness:

  • Authentication bypass flaws and hardcoded credentials to access device management interfaces without a valid login
  • Operating system command execution once inside, to run arbitrary commands on the underlying system
  • SQL injection to manipulate the databases managing tank data
  • Privilege escalation to gain full administrator control over both device software and the OS

The simplicity of these entry points is particularly alarming given how widely ATG devices are deployed. These are not exotic, targeted attacks — they are opportunistic exploits against internet-facing systems with poor baseline security configurations.

Immediate Defensive Actions Required

CISA and its partner agencies have outlined clear steps that ATG owners and operators should take without delay:

  • Remove ATG systems from direct internet exposure. The ATG serial port — which defaults to TCP ports 8001, 9001, or 10001 — should never be publicly accessible. If remote access is required, it must go through a firewall, access control list, or VPN.
  • Change all default passwords immediately. Set strong, unique credentials for every interface, including the serial port.
  • Enable phishing-resistant multifactor authentication wherever possible.
  • Keep software patched and work with certified service providers to apply the latest manufacturer updates.
  • Enable detailed logging and regularly audit logs for signs of unauthorized access, unusual alarm activity, or unexpected configuration changes.
  • Report suspected incidents to CISA at report@cisa.gov or 888-282-0870, or file a complaint with the FBI via ic3.gov.
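
As an added illustration of the exposure and log-audit steps above (not code from the advisory or from this site), the following Python example scans firewall log lines for TCP connections to the default ATG serial ports that did not come from an approved network. The log format (iptables LOG style), the sample lines, and the allowed networks are constructed assumptions; adapt them to your own gateway.

```python
import ipaddress
import re

# Default TCP ports of the ATG serial interface, as listed in the advisory.
ATG_PORTS = {8001, 9001, 10001}

# Assumption: the only approved paths to an ATG are a VPN pool and a
# management VLAN. Replace with the networks your firewall/ACL allows.
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24"),
                   ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample in iptables LOG style (documentation address ranges).
SAMPLE_LOG = """\
Jun  8 02:14:07 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.50.20 PROTO=TCP SPT=51514 DPT=10001 SYN
Jun  8 02:15:11 gw kernel: IN=tun0 OUT=eth1 SRC=10.8.0.14 DST=192.168.50.20 PROTO=TCP SPT=40022 DPT=10001 SYN
Jun  8 02:16:40 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.50.20 PROTO=TCP SPT=44100 DPT=443 SYN
Jun  8 02:16:41 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.50.21 PROTO=TCP SPT=44101 DPT=8001 SYN
Jun  8 02:17:02 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.50.21 PROTO=UDP SPT=5353 DPT=9001
Jun  8 02:18:30 gw kernel: eth0: link up
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def find_unapproved_atg_access(log_text, allowed=ALLOWED_SOURCES, ports=ATG_PORTS):
    """Return (src, dst, dport) for TCP hits on ATG ports from unapproved sources."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") != "TCP":
            continue  # the ATG serial interface is exposed over TCP
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dport = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # line lacks usable SRC/DPT fields
        if dport in ports and not any(src in net for net in allowed):
            findings.append((str(src), fields.get("DST", "?"), dport))
    return findings


if __name__ == "__main__":
    for src, dst, dport in find_unapproved_atg_access(SAMPLE_LOG):
        print(f"ALERT: {src} reached ATG port {dport} on {dst} outside approved paths")
```

Any hit reported here means an ATG port is reachable outside the firewall, ACL, or VPN path and should be treated as an exposure to close, whether or not the connection succeeded.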

Why This Matters

The targeting of ATG systems is part of a broader trend of threat actors moving beyond traditional IT targets toward operational technology (OT) and industrial control systems. Unlike a compromised workstation or server, a manipulated ATG system can cause real-world physical consequences — environmental damage, safety incidents, and infrastructure disruption.

This advisory is a direct call to action for every organization operating ATG systems in the US. Leaving these devices internet-exposed and running default credentials is no longer an acceptable risk posture. Security teams in the energy, transportation, chemical, and agriculture sectors should treat this as an urgent remediation priority.
