Exposed Fuel Tank Gauges Under Attack in the US

Dylan H.

News Desk

June 6, 2026

Threat actors are targeting Internet-exposed Automatic Tank Gauges (ATGs) at US gas stations and fuel depots, exploiting the fact that these critical industrial devices are routinely left exposed to the public internet with no authentication. Researchers and incident responders have documented a surge in attacks against fuel monitoring infrastructure, opening the door to operational disruption and potential safety hazards.

What Are Automatic Tank Gauges?

Automatic Tank Gauges (ATGs) are electronic monitoring systems installed in underground fuel storage tanks at gas stations, fuel depots, and fleet fueling facilities. They continuously measure fuel levels, water accumulation, and temperature, and record leak detection data, feeding this information to site management software and environmental compliance systems.

Vendors like Veeder-Root (TLS-series), OPW, and Franklin Fueling manufacture ATGs used across hundreds of thousands of sites in the United States. Many of these devices communicate over TCP/IP using legacy protocols with no built-in authentication — a design choice from an era when these systems were assumed to be isolated on private networks.

The Exposure Problem

Security researchers have long warned that a significant number of ATGs are directly reachable from the public internet. Shodan and Censys scans routinely surface thousands of ATGs globally with exposed management interfaces, many running on TCP port 10001 (the standard Veeder-Root TLS port).

Once an attacker reaches an exposed ATG:

  • No authentication is required to issue commands
  • The device responds to raw protocol commands over TCP
  • Readings can be queried, altered, or reset
  • Alarm thresholds can be modified to suppress leak or overflow alerts
  • Some models allow firmware interaction over the same interface

Active Attacks Documented

Researchers at Dark Reading documented active exploitation campaigns where threat actors are:

  1. Enumerating ATGs at scale using automated scanners targeting port 10001
  2. Issuing commands to manipulate fuel level readings — potentially causing overfills or triggering false shutoffs
  3. Resetting or suppressing environmental alarms — a serious compliance and safety risk under EPA and state regulations
  4. Using ATG access as a pivot point to probe connected site networks for POS (point-of-sale) systems and back-office infrastructure

The campaigns appear to target US sites specifically, though similar ATG exposure exists internationally.

Why This Is a Critical Infrastructure Threat

Fuel infrastructure is classified as critical infrastructure under the US Department of Homeland Security framework. Disruption to fuel supply chains can have cascading effects on emergency services, transportation, and national logistics.

Specifically, ATG attacks can:

  • Cause fuel spills or overfills by falsifying tank levels and suppressing overflow alarms
  • Trigger regulatory violations — environmental agencies require accurate leak detection; manipulated readings can mask real leaks
  • Disrupt operations — forcing stations to halt fuel dispensing pending manual inspection
  • Enable downstream intrusion — ATGs are often on the same network as POS terminals and payment processing systems
  • Create physical safety hazards — gasoline overfills and undetected leaks create fire and explosion risks

Recommended Mitigations

For Fuel Station Operators and IT Teams

  1. Remove ATGs from direct internet exposure immediately — These devices should never be internet-accessible. Place them behind firewalls and allow access only from authorized management IPs.

  2. Conduct an ATG inventory audit — Identify every ATG on your network and use Shodan or Censys to verify that none are publicly reachable (search your public IP ranges for port 10001).

  3. Segment ATG networks — Place ATG devices on isolated OT/ICS network segments, separated from corporate IT, POS systems, and the internet.

  4. Deploy a VPN or jump server for all remote ATG management — Remote access to ATGs should require authenticated VPN sessions, not direct internet exposure.

  5. Apply vendor-available firmware updates — Check with Veeder-Root, OPW, and other ATG vendors for any available firmware updates that add authentication or restrict remote access.

  6. Enable alerting on unauthorized ATG commands — Deploy network monitoring capable of detecting unexpected command sequences to ATG ports.
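
As an added illustration of steps 1 and 6 (not code from the article or from any vendor), the following Python sketch reviews firewall flow records and flags any connection to the ATG port 10001 that does not originate from an authorized management range. The log format, the `AUTHORIZED_MGMT` range, the sweep threshold, and all sample addresses are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

ATG_PORT = 10001  # standard Veeder-Root TLS port named in the article
# Assumption: the only range allowed to manage ATGs (jump server / VPN pool)
AUTHORIZED_MGMT = [ipaddress.ip_network("10.20.0.0/28")]
SWEEP_THRESHOLD = 3  # assumption: distinct ATGs touched by one source

# Constructed sample records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2026-06-01T02:14:07Z 10.20.0.5 10.50.1.10 10001 ALLOW
2026-06-01T02:15:31Z 203.0.113.44 10.50.1.10 10001 ALLOW
2026-06-01T02:15:32Z 203.0.113.44 10.50.1.11 10001 ALLOW
2026-06-01T02:15:33Z 203.0.113.44 10.50.1.12 10001 DENY
2026-06-01T02:16:02Z 10.30.7.21 10.50.1.11 10001 ALLOW
2026-06-01T02:17:45Z 198.51.100.9 10.50.1.10 443 ALLOW
malformed line
"""

def is_authorized(src):
    """True if src falls inside an authorized management range."""
    addr = ipaddress.ip_address(src)  # raises ValueError on bad input
    return any(addr in net for net in AUTHORIZED_MGMT)

def analyze(flow_text):
    """Return alert tuples (kind, timestamp, source, detail)."""
    alerts = []
    targets = defaultdict(set)  # unauthorized source -> ATG hosts contacted
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip records that do not match the assumed format
        ts, src, dst, dport, action = parts
        if int(dport) != ATG_PORT:
            continue
        try:
            if is_authorized(src):
                continue
        except ValueError:
            continue  # unparseable source address
        targets[src].add(dst)
        # ALLOW means the firewall let an unauthorized source reach the gauge
        kind = "unauthorized_access" if action == "ALLOW" else "blocked_attempt"
        alerts.append((kind, ts, src, dst))
    for src, dsts in sorted(targets.items()):
        if len(dsts) >= SWEEP_THRESHOLD:
            alerts.append(("atg_sweep", "", src, ",".join(sorted(dsts))))
    return alerts
```

In the sample data the internal source 10.30.7.21 is flagged as well: an address inside the site network but outside the management range reaching an ATG indicates a segmentation gap (step 3), not just internet exposure.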

For Critical Infrastructure Security Teams

  • Report any suspected ATG compromise to CISA via their 24/7 reporting line: 1-888-282-0870 or report@cisa.gov
  • Review ICS-CERT advisories for affected ATG product lines
  • Conduct threat hunting on any network segment containing ATG devices for signs of lateral movement

The Broader ICS Exposure Problem

This campaign reflects a persistent problem in industrial control system (ICS) security: legacy devices designed for isolated networks are now routinely internet-connected without the security controls this exposure demands. The same pattern that enabled attacks on water treatment SCADA systems, building automation controllers, and industrial PLCs is now playing out at fuel infrastructure scale.

The solution is not new technology — it is enforcing the network isolation these devices were always designed to operate within.

References

  • Dark Reading — Exposed Fuel Tank Gauges Attack US
  • CISA ICS Advisory — Automatic Tank Gauges
  • Shodan — ATG Device Exposure Research
  • EPA Underground Storage Tank Regulations