TechRadar
Sead Fadilpašić

NSA warns that cybercriminals are targeting this one critical component that the energy, chemical, food, agriculture, and transportation sectors rely on - here's what we know

  • Agencies warn of attacks on ATG systems
  • Attackers exploit weak credentials and SQL injection
  • Mitigation includes stronger passwords and removing internet exposure

Critical infrastructure organizations should move to harden their Automatic Tank Gauge (ATG) systems to defend against ongoing attacks. This is the warning given earlier this week by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and other agencies.

In a joint press release, these agencies said they were “aware of malicious cyber activity targeting US-based automatic tank gauge systems.”

“The authoring organizations urge ATG owners and operators to defend against this malicious activity by securing their ATG systems with strong passwords and by removing them from the internet to reduce public exposure.”

A list of mitigations

ATG systems are monitoring devices used in fuel storage tanks that automatically measure fuel levels, temperature, potential leaks, and other vitals, helping operators manage inventory and detect problems early.

The agencies could not attribute the ongoing attacks to any specific threat actor or nation-state, but did say what companies should pay attention to. Apparently, the attackers are using hardcoded credentials, command execution and SQL injection attacks, or privilege escalation to access the devices.

Once they are inside, the attackers usually change system attributes (network settings, product identifiers, tank volumes, pump controls), compound operational malfunctions, and disable system alerts.

The advisory lists a number of things organizations can do to mitigate the risk, including eliminating public internet exposure, restricting access, and enforcing tougher credential security. The full list of mitigation suggestions is available in the advisory.

Securing critical infrastructure has always been a challenge for nation-states, and now with the advent of AI, it has only gotten more difficult. To that end, earlier this week, the UK's GCHQ debuted the world’s first AI cyber-defense system.

In an annual lecture held earlier this week at Bletchley Park, GCHQ director Anne Keast-Butler laid out the plans for the shield, mentioning that Russia and China are posing an ever-increasing cyber-threat to the UK’s national interests and way of life.
