A coalition of U.S. federal agencies has issued an urgent warning to operators of critical infrastructure: immediately secure automatic tank gauge (ATG) systems that are exposed to the internet. The joint advisory—released by CISA, the FBI, NSA, Department of Energy (DOE), Environmental Protection Agency (EPA), Transportation Security Administration (TSA), Department of Transportation (DOT), Department of Agriculture (USDA), and other partners—highlights active exploitation of these devices by malicious actors. Left unaddressed, the flaws could lead to operational disruptions, environmental spills, and even physical damage at facilities handling fuel, chemicals, and agricultural products.
The Target: What Are Automatic Tank Gauges?
Automatic tank gauges are the nerve center of bulk liquid storage. Found at gas stations, fuel depots, chemical plants, and farms, ATGs continuously measure the level, temperature, and volume of stored products. They also perform critical safety functions like leak detection and inventory reconciliation. Modern ATGs connect to corporate networks and sometimes directly to the internet for remote monitoring, making them a prime target for cyberattacks.
The systems typically run on embedded controllers with proprietary or outdated operating systems. Many were installed years ago with little thought given to cybersecurity. Default passwords, unencrypted protocols, and web-based management interfaces are common. Once an attacker gains access, they can spoof sensor readings, disable alarms, or manipulate transfers—actions that could cause fuel spills, chemical releases, or supply chain chaos.
Who Issued the Warning?
This is not a routine advisory. The sheer number of agencies involved underscores the seriousness of the threat. CISA, the FBI, and the NSA represent the government’s top cybersecurity and intelligence arms. The inclusion of sector-specific regulators like the EPA (environmental safety), TSA (pipeline security), and USDA (agriculture) signals that attackers are casting a wide net. The advisory, published under CISA’s Known Exploited Vulnerabilities (KEV) program, reflects confirmed real-world attacks—not theoretical risks.
The Threat Landscape
According to the advisory, threat actors are actively scanning the internet for exposed ATG interfaces, then exploiting known vulnerabilities to gain unauthorized access. The motivations vary: some aim to steal operational data for competitive intelligence, others seek to extort operators by threatening to disrupt fuel supplies or trigger safety incidents. In at least one documented case, an attacker manipulated tank level readings to cause a spill during an automated refill cycle, according to incident reports shared with CISA.
The vulnerabilities themselves are not new. Many ATGs use default administrative credentials that are widely published in installation manuals. Others contain hard-coded backdoors or unpatched software flaws dating back years. Because these devices often sit outside traditional IT security perimeters, they rarely receive firmware updates or active monitoring. Once compromised, an ATG can serve as a pivot point to deeper operational technology (OT) networks that control pumps, valves, and loading systems.
Industries at Risk
Any facility using internet-connected ATGs is a potential victim. The advisory specifically highlights:
- Fuel storage and distribution: Gas stations, tank farms, and pipeline terminals. A ransomware attack on a regional distributor could cause shortages and panic buying.
- Chemical manufacturing: Tampering with tank gauges could lead to dangerous chemical mixtures or releases.
- Agriculture: Farms storing fuel, fertilizers, or pesticides rely on ATGs. A compromise during planting or harvest season could be devastating.
- Government and military: Fuel depots supporting critical national functions are equally exposed.
How Attackers Exploit ATG Systems
Attackers don’t need zero‑days. Most compromises follow a depressingly simple recipe:
- Scanning: Using tools like Shodan, attackers locate ATGs with web interfaces or Telnet/FTP ports open to the public internet.
- Credential stuffing: They try default passwords or commonly used credentials obtained from previous data breaches.
- Firmware exploitation: Known vulnerabilities (e.g., buffer overflows, command injection) in legacy ATG software are exploited if the device is unpatched.
- Lateral movement: From the ATG, attackers pivot to the facility’s internal network, seeking SCADA systems, databases, or corporate IT.
Once inside, the damage can take many forms. Attackers may:
- Silence leak detection alarms, causing unnoticed spills.
- Alter inventory data, leading to financial losses or overfills.
- Disable safety interlocks, creating explosion risks.
- Encrypt the ATG’s firmware and demand a ransom.
Official Recommendations
The advisory provides clear, actionable steps for organizations:
- Disconnect from the public internet. If remote access is required, use a VPN with multi‑factor authentication. Never expose an ATG’s management interface directly to the internet.
- Change default credentials. Immediately replace factory‑set passwords with strong, unique passphrases.
- Segment networks. Isolate ATGs from the corporate IT network and other OT systems using firewalls and VLANs.
- Apply updates. Work with vendors to patch known vulnerabilities. If no patch is available, implement compensating controls like access restrictions.
- Monitor traffic. Deploy intrusion detection systems tuned for OT protocols. Watch for suspicious outbound connections or unusual commands.
- Inventory all ATGs. Many organizations don’t even know how many of these devices they own. Conduct a thorough audit.
CISA also urges operators to report any suspected compromises immediately. The advisory includes resources for incident response and encourages participation in information-sharing programs like the Joint Cyber Defense Collaborative (JCDC).
A Pattern of Critical Infrastructure Warnings
This is not the first time U.S. agencies have sounded the alarm about internet‑exposed OT. In recent years, similar warnings covered water treatment systems, building controllers, and remote terminal units in the energy sector. The ATG advisory follows a familiar pattern: low‑hanging fruit, widespread impact, and adversaries willing to exploit any gap.
“Attackers are systematically scanning for these devices because they know they’re often unprotected,” said a CISA spokesperson in a briefing. “It takes only minutes to find and compromise a vulnerable gauge, but the consequences can last for weeks or months.”
The advisory also aligns with global efforts to reduce OT exposure. The Five Eyes intelligence partnership (U.S., UK, Canada, Australia, New Zealand) has consistently highlighted the risks of directly connecting industrial devices to the internet. In 2023, the Australian Cyber Security Centre reported that nearly 80% of all OT‑related incidents involved internet‑facing assets.
Real‑World Impact
Consider a typical gas station. Its ATG may manage five underground fuel tanks, each holding 20,000 gallons. If an attacker alters the tank‑level readings, the station might overfill a tank during delivery, spilling thousands of gallons of gasoline. Cleanup costs, environmental fines, and reputational damage could run into millions. If the same attacker targets a chain of stations simultaneously, the regional fuel supply could be disrupted for days—a scenario that plays out like a simplified Colonial Pipeline rerun.
In agriculture, a compromised ATG at a fuel depot could halt harvesting operations. A grain elevator dependent on propane for drying might shut down, cascading into food supply delays. The USDA’s presence on the advisory signals these very real farm‑to‑fork risks.
From the OT Security Community
Security researchers have long warned about ATG vulnerabilities. At DEF CON 2022, a researcher demonstrated how he could remotely hack a popular ATG model and cause a simulated tank overflow. “The problem is that these devices were designed for reliability, not security,” said the researcher. “Manufacturers assumed they’d be on closed networks, but the drive for remote access put them online without basic protections.”
Vendor responsiveness varies. Some ATG suppliers have issued firmware updates and hardened configurations. Others lag, leaving thousands of devices perpetually exposed. The advisory pressures manufacturers to accelerate patching and provide clear hardening guides.
What Organizations Should Do Right Now
The window for action is now. CISA recommends a four‑phase approach:
- Immediate containment: Find and disconnect any ATG directly accessible from the internet. This may cause some operational inconvenience, but it’s the only sure way to stop ongoing attacks.
- Short‑term remediation: Within 48 hours, change all default passwords, enable logging, and apply available patches.
- Long‑term hardening: Over the next 30 days, implement network segmentation, deploy OT‑specific monitoring tools, and integrate ATGs into the asset management and vulnerability tracking system.
- Continuous improvement: Establish a recurring review cycle. OT environments evolve, and new devices are constantly added. Regular audits and penetration tests will catch exposure before adversaries do.
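As an added illustration (not code from the advisory or from CISA), the following script sorts an ATG inventory into the first three phases above so that internet-exposed gauges surface first. The CSV columns, the `ot-atg` segment name and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import ipaddress

# Constructed sample inventory. Column names and values are assumptions made
# for this example; they do not come from the advisory.
SAMPLE_INVENTORY = """\
site,mgmt_ip,internet_exposed,default_creds,logging,patched,segment
station-12,203.0.113.40,yes,yes,no,no,corp
depot-3,10.20.5.11,no,yes,no,yes,corp
farm-7,10.30.1.9,no,no,yes,yes,ot-atg
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ATG_SEGMENTS = {"ot-atg"}  # hypothetical name of the isolated ATG VLAN

def triage(row):
    """Return {phase: [findings]} for one inventory row."""
    findings = {"immediate": [], "short_term": [], "long_term": []}
    addr = ipaddress.ip_address(row["mgmt_ip"])
    # A management address outside RFC 1918 space is treated as exposed
    # even if the perimeter scan column says otherwise.
    public_addr = not any(addr in net for net in RFC1918)
    if row["internet_exposed"] == "yes" or public_addr:
        findings["immediate"].append("management interface reachable from internet")
    if row["default_creds"] == "yes":
        findings["short_term"].append("default credentials in use")
    if row["logging"] == "no":
        findings["short_term"].append("logging disabled")
    if row["patched"] == "no":
        findings["short_term"].append("vendor patches not applied")
    if row["segment"] not in ATG_SEGMENTS:
        findings["long_term"].append("not isolated from corporate/other OT networks")
    return {phase: items for phase, items in findings.items() if items}

def audit(inventory_csv):
    """Triage every ATG in the CSV; result is keyed by site name."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["site"]: triage(row) for row in reader}

def worklist(report, phase):
    """Sites with open findings in the given phase, in inventory order."""
    return [site for site, found in report.items() if phase in found]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for phase in ("immediate", "short_term", "long_term"):
        print(phase, worklist(report, phase))
```

A gauge with an empty result, such as `farm-7` in the sample, has no open findings and moves to the recurring review cycle.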
The advisory also emphasizes the human element. Training staff to recognize phishing attempts—often the initial vector for internal network access—is essential. Even if the ATG itself isn’t the direct target, a compromised corporate workstation can provide a path to the OT network.
The Bigger Picture
The ATG alert is a microcosm of a larger challenge: securing the Industrial Internet of Things (IIoT). As more operational technology becomes connected, the attack surface expands exponentially. Each internet‑facing sensor or controller represents a potential entry point. Without a concerted effort from asset owners, vendors, and regulators, these blind spots will persist.
CISA’s advisory is not just a warning—it’s a call to action. The tools to protect these systems exist, but they require immediate implementation. Ignoring the problem is becoming increasingly costly, both in dollars and in public safety.
For detailed technical recommendations and indicators of compromise, see the full advisory on CISA’s website. Operators are encouraged to share their experiences and mitigation strategies through the Joint Cyber Defense Collaborative portal.