Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Automatic Tank Gauges Used in Critical Infrastructure Plagued by Critical Vulnerabilities

Bitsight finds critical vulnerabilities in several automatic tank gauge (ATG) products used in various critical infrastructure sectors.

Automatic Tank Gauge vulnerabilities

Nearly a decade has passed since the cybersecurity community started warning about automatic tank gauge (ATG) systems being exposed to remote hacker attacks, and critical vulnerabilities continue to be found in these devices.

ATG systems are designed for monitoring the parameters in a storage tank, including volume, pressure, and temperature. They are widely deployed in gas stations, but are also present in critical infrastructure organizations, including military bases, airports, hospitals, and power plants. 

Several cybersecurity companies showed in 2015 that ATGs could be remotely hacked, and some even warned — based on honeypot data — that these devices have been targeted by hackers.  

Bitsight conducted an analysis earlier this year and found that the situation has not improved in terms of vulnerabilities and exposed devices. The company looked at six ATG systems from five different vendors and found a total of 10 security holes.

The impacted products are Maglink LX and LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. 

Seven of the flaws have been assigned ‘critical’ severity ratings. They have been described as authentication bypass, hardcoded credentials, OS command execution, and SQL injection issues. The remaining vulnerabilities are high-severity XSS, privilege escalation, and arbitrary file read issues. 

“All these vulnerabilities allow for full administrator privileges of the device application and, some of them, full operating system access,” Bitsight warned.

In a real-world scenario, a hacker could exploit the vulnerabilities to cause a DoS condition and disable devices. A pro-Ukraine hacktivist group actually claims to have disrupted a tank gauge recently. 

Advertisement. Scroll to continue reading.

Bitsight warned that threat actors could also cause physical damage. 

“Our research shows that attackers can easily change critical parameters that may result in fuel leaks, such as tank geometry and capacity. It is also possible to disable alarms and the respective actions that are triggered by them, both manual and automatic ones (such as ones activated by relays),” the company said. 

It added, “But perhaps the most damaging attack is making the devices run in a way that might cause physical damage to their components or components connected to it. In our research, we’ve shown that an attacker can gain access to a device and drive the relays at very fast speeds, causing permanent damage to them.”

The cybersecurity firm also warned about the possibility of attackers causing indirect damage.

“For example, it is possible to monitor sales and get financial insights about sales in gas stations. It is also possible to simply delete an entire tank before proceeding to silently steal the fuel, an increasing trend. Or monitor fuel levels in critical infrastructures to decide the best time to conduct a kinetic attack. Or even plainly use the device as a means to pivot into internal networks,” it explained. 

Bitsight has scanned the web for exposed and vulnerable ATG devices and found thousands, particularly in the United States and Europe, including ones used by airports, government organizations, manufacturing facilities, and utilities. 

The company then monitored exposure between June and September, but did not see any improvement in the number of exposed systems. 

Impacted vendors have been notified through the US cybersecurity agency CISA, but it’s unclear which vendors have taken action and which vulnerabilities have been patched.

UPDATE: CISA has released advisories for these vulnerabilities. The agency’s advisories reveal that while some vendors have released patches and/or mitigations, others have not responded to responsible disclosure attempts.

Learn More at SecurityWeek’s ICS Cybersecurity Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 21-24, 2024 | Atlanta
www.icscybersecurityconference.com

Related: Number of Internet-Exposed ICS Drops Below 100,000: Report

Related: Study Finds Excessive Use of Remote Access Tools in OT Environments

Related: CERT/CC Warns of Unpatched Critical Vulnerability in Microchip ASF

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.