Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Benedict Collins

Fuel storage tanks put at risk by worrying security flaws

Aerial view or oil terminal is industrial facility for storage tank of oil and LPG Petrochemical. oil manufacturing products ready for transport and business transportation, LPG Tank, CNG tank.

Fuel storage is an essential part of worldwide logistics, marking it as critical infrastructure and therefore a target for state-sponsored cyber attacks.

As with most things today, many fuel depots have some form of internet facing technology to help manage fuel levels remotely using automated tank gauges (ATG), and research from Bitsight has warned these systems have multiple critical vulnerabilities that could give an attacker full control over the fuel storage, allowing for the possibility of physical and environmental damage as well as economic loss.

The company identified multiple critical zero day vulnerabilities across six different ATG systems produced by five different companies. Despite multiple warnings about the potential for these systems to be easily attacked over the internet, many remain online and unpatched, making them prime targets for hacktivists and state-sponsored attackers.

ATG vulnerabilities

The Bitsight research outlines legacy vulnerabilities, such as those relating to a certain protocol in ATG systems known as Veeder-Root, Gilbarco, or TLS protocol. These protocols use an interface for communicating functions to the ATG, with many of the operational manuals detailing different protocols that can be used. Some such protocols could be abused by an attacker to change network configurations, change volume and fill limit configurations, stop leak or pressure detection tests, and put the ATG into a denial of service (DoS) loop by repeating a remote reboot. DoS attacks can be highly disruptive if done en-mass, potentially putting the fuel distribution infrastructure of entire regions offline affecting both civilian, logistical and military function.

As for new vulnerabilities, Bitsight discovered 10 unique vulnerabilities in one week relating to OS command injection, hardcoded credentials, authentication bypass, SQL injection, cross site scripting (XSS), privilege escalation, and arbitrary file read, with CVSS scores ranging from 7.5 to 10.

Using one of the protocol vulnerabilities the researchers discovered in Maglink LX4, they were able to force a relay to turn on and off 50 times per second, which is fast enough for the relay to damage itself and potentially the components around it. A relay damaged in this way could prevent detection and warning systems from operating properly, such as ventilation systems, alarms and pumps.

A further potential use of ATG vulnerabilities is intelligence gathering. By monitoring the volume of fuel storage through ATGs, state-sponsored attackers can gain valuable information into fuel sales, delivery times, and when is best to strike a fuel tank with a kinetic attack to cause the most damage.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.