Security researchers have identified over 900 automatic tank gauge (ATG) systems across the United States that are directly accessible over the internet and vulnerable to ongoing attacks. These devices, used to monitor fuel and chemical storage at gas stations and critical infrastructure facilities, expose critical operational data and control functions to any attacker who can reach them — with no authentication required in many cases.
What Are Automatic Tank Gauges?
Automatic Tank Gauges (ATGs) are industrial monitoring systems installed at fuel storage facilities — primarily gas stations, but also airports, military installations, hospitals, and other facilities that maintain fuel reserves. Their core functions include:
- Fuel level monitoring — Tracking how much fuel remains in underground storage tanks
- Leak detection — Identifying potential fuel leaks that could cause environmental damage or fire hazards
- Temperature measurement — Compensating readings for thermal expansion/contraction of fuel
- Delivery confirmation — Verifying that fuel deliveries match expected volumes
- Regulatory compliance — Many jurisdictions require ATG systems as part of environmental protection regulations for underground storage tanks (USTs)
Popular ATG vendors include Veeder-Root (a subsidiary of Gilbarco Veeder-Root, now Dover Corporation), Franklin Fueling Systems, and OPW (part of Dover). These devices are often connected to facility management networks and, increasingly, to the internet for remote monitoring by fuel distributors and station operators.
The Exposure Problem
The critical flaw identified by researchers is not primarily a software vulnerability — it is a configuration and deployment failure. A significant number of ATG systems are:
- Directly internet-accessible via their management ports (typically TCP/10001 for Veeder-Root TLS-350/450 series)
- Unprotected by authentication, or using only default/well-known credentials
- Discoverable via Shodan and similar internet-of-things search engines, making them trivially identifiable by attackers
Once an attacker can reach an ATG system's management interface, they can typically:
| Capability | Impact |
|---|---|
| Read real-time fuel levels | Intelligence on supply chain, theft optimization |
| View alarm and leak history | Identify vulnerable or poorly maintained sites |
| Modify configuration settings | Falsify readings, disable leak alarms, change threshold alerts |
| Trigger or suppress alarms | Cause operational disruption or mask environmental incidents |
| Access site information | Address, station ID, tank product types |
The ability to disable leak detection alarms is particularly concerning from an environmental and safety standpoint. A falsified "no leak" reading could allow a slow fuel leak to go undetected for extended periods, potentially causing significant groundwater contamination.
Scale of Exposure: 900+ Systems
The figure of 900+ exposed ATG systems across the United States represents a substantial attack surface when considered in the context of critical infrastructure protection. While individual gas stations may seem like low-value targets, the aggregate exposure creates several concerning scenarios:
Scenario 1: Targeted Disruption of Fuel Supply
A coordinated campaign targeting a cluster of exposed ATG systems in a specific geographic area could trigger widespread fuel station closures through falsified alarm states or operational disruptions. During a crisis or high-demand period (storm season, political events, infrastructure incidents), this could amplify an emergency.
Scenario 2: Environmental Sabotage
Disabling or manipulating leak detection on multiple sites could enable deliberate environmental contamination — a recognized vector for environmental terrorism or competitive sabotage.
Scenario 3: Intelligence Collection for Physical Crime
Real-time fuel level data provides actionable intelligence for fuel theft operations. Criminal organizations have historically targeted fuel storage at commercial sites; ATG access eliminates the need for physical reconnaissance.
Scenario 4: Jumping to Connected Networks
In facilities where ATG systems share network segments with point-of-sale (POS) systems, office networks, or fuel management platforms, a compromised ATG could serve as a lateral movement pivot point into higher-value systems.
Historical Precedent
This is not the first time ATG vulnerabilities have been documented. Researchers have been raising alarms about exposed ATG systems for nearly a decade:
- 2015: HD Moore (Rapid7) documented widespread Veeder-Root ATG exposure via Shodan scans, finding thousands of exposed systems globally
- 2018: CISA issued an advisory warning about ATG vulnerabilities, noting that some systems had no authentication mechanisms whatsoever
- 2020–2023: Multiple incident reports documented attackers accessing ATG systems to manipulate fuel level readings and disable alarms
- 2026: The persistent exposure of 900+ US systems demonstrates that despite years of advisories and public disclosure, remediation has been slow and incomplete
The stubborn persistence of this exposure reflects a broader challenge in operational technology (OT) security: these devices are often installed and forgotten, with no clear ownership for security updates, no monitoring for unauthorized access, and no organizational awareness that they are internet-accessible at all.
Why Remediation Is So Slow
Several factors contribute to the slow remediation of exposed ATG systems:
Ownership ambiguity: ATG systems are often installed by fuel distributors but operated by station franchisees. Neither party has clear responsibility for cybersecurity.
Legacy hardware: Many ATG systems in the field are 10–20+ years old and lack the capability to enforce strong authentication or receive security updates.
"It works, don't touch it" mentality: Operational technology environments prioritize uptime. Network changes that could disrupt ATG functionality — even security improvements — are often deferred indefinitely.
No direct financial consequence (until a breach): Without a cyber insurance mandate, regulatory requirement, or visible incident, there is limited business pressure to invest in ATG security.
Third-party monitoring contracts: Many ATG systems are maintained by fuel service providers who have network access for remote monitoring. Security ownership in these arrangements is rarely clear.
Recommended Mitigations
For organizations responsible for ATG systems at any type of fuel storage facility:
Immediate Actions
- Run a Shodan search for your organization's IP ranges to identify any ATG systems with internet-facing management interfaces (search for `port:10001 "Veeder-Root"` or similar).
- Block direct internet access to ATG management ports via firewall rules. ATG systems should never be directly internet-accessible.
- Change default credentials on all ATG systems immediately if they are still set to factory defaults.
Short-Term Improvements
- Network segmentation: Place ATG systems on an isolated OT network segment with no direct routes to the internet or corporate IT networks.
- Remote access via VPN: If remote monitoring is required by a service provider, mandate VPN-only access with multi-factor authentication.
- Audit access logs: Review who has been connecting to ATG management interfaces and investigate any unexpected connection sources.
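One way to run the access-log audit described above, as an added example that is not part of the original article: it flags every connection to TCP/10001 that comes from a source outside an allowlist and separates internet sources from internal ones that bypass segmentation. The key=value log layout, the allowlisted subnets and all addresses are constructed assumptions; adapt the regular expression to your firewall's real export format.

```python
import ipaddress
import re
from collections import defaultdict

ATG_PORT = 10001  # management port the article cites for Veeder-Root TLS-350/450
# Assumed allowlist: the VPN client pool and one OT monitoring host.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.50.0.0/24", "10.60.1.5/32")]
# Explicit RFC 1918 list (is_private would also match documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a netfilter-style key=value layout (not real traffic).
SAMPLE_LOG = """\
2026-01-12T02:14:07Z ACCEPT SRC=10.50.0.17 DST=10.60.1.20 PROTO=TCP SPT=51522 DPT=10001
2026-01-12T02:15:41Z ACCEPT SRC=203.0.113.45 DST=10.60.1.20 PROTO=TCP SPT=40112 DPT=10001
2026-01-12T02:15:59Z ACCEPT SRC=203.0.113.45 DST=10.60.1.21 PROTO=TCP SPT=40113 DPT=10001
2026-01-12T03:02:10Z ACCEPT SRC=192.168.10.88 DST=10.60.1.20 PROTO=TCP SPT=49800 DPT=10001
2026-01-12T03:05:00Z ACCEPT SRC=203.0.113.45 DST=10.60.1.20 PROTO=TCP SPT=40200 DPT=443
2026-01-12T03:09:30Z DROP SRC=198.51.100.7 DST=10.60.1.20 PROTO=TCP SPT=33000 DPT=10001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=TCP\s+SPT=\d+\s+DPT=(?P<dpt>\d+)$"
)

def audit_atg_connections(log_text, allowed=ALLOWED_SOURCES, port=ATG_PORT):
    """Return {source_ip: finding} for connections to the ATG port from unlisted sources."""
    findings = defaultdict(lambda: {"accepted": 0, "dropped": 0, "targets": set(),
                                    "first_seen": None, "last_seen": None, "origin": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dpt"]) != port:
            continue  # unparsable line, or traffic to a different port
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue  # expected VPN or monitoring source
        f = findings[m["src"]]
        f["accepted" if m["action"] == "ACCEPT" else "dropped"] += 1
        f["targets"].add(m["dst"])
        f["first_seen"] = f["first_seen"] or m["ts"]
        f["last_seen"] = m["ts"]
        # Internal but unlisted sources point to missing segmentation, not internet exposure.
        internal = any(src in net for net in INTERNAL_NETS)
        f["origin"] = "internal-unlisted" if internal else "external"
    return dict(findings)

if __name__ == "__main__":
    for ip, f in sorted(audit_atg_connections(SAMPLE_LOG).items()):
        print(ip, f["origin"], f["accepted"], f["dropped"], sorted(f["targets"]))
```

An accepted connection from an external source means the firewall is still passing internet traffic to the gauge, while dropped-only entries show the block is working but the device is being probed.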
Long-Term Strategy
- Engage your ATG vendor about available firmware updates and authentication improvements for deployed hardware.
- Include ATG systems in asset inventory and vulnerability management programs — OT assets are frequently missed in standard IT vulnerability scans.
- Establish an OT security policy that explicitly covers fuel management systems, including incident response procedures for ATG compromise.
Regulatory Landscape
The Environmental Protection Agency (EPA) regulates underground storage tanks (USTs) under the Resource Conservation and Recovery Act (RCRA), which requires leak detection systems — but does not currently impose specific cybersecurity requirements on ATG systems. The TSA Pipeline Security Guidelines and CISA cross-sector guidance provide relevant frameworks, but enforcement of ATG-specific cybersecurity has historically been limited.
Pending regulatory developments in the OT/ICS security space — including proposed rules from CISA and sector-specific agencies — may eventually impose mandatory security baselines on internet-connected industrial monitoring systems, including ATGs. Organizations should proactively engage with these frameworks rather than waiting for a mandate.