CISA and Partners Urge Hardening Automatic Tank Gauge Systems (2026-06-02)
CISA and partner agencies have observed unattributed malicious cyber activity targeting internet-exposed Automatic Tank Gauge (ATG) systems across multiple U.S. critical infrastructure sectors. Threat actors are leveraging authentication bypass, hardcoded credentials, and command execution vulnerabilities to gain administrative control, enabling them to manipulate tank parameters, disable safety alerts, and create denial-of-view conditions.
What Happened
Government agencies are warning that hackers are targeting Automatic Tank Gauge (ATG) systems, which are used to monitor fuel and liquid levels in critical industries like energy and agriculture. The attackers are breaking into systems that are connected to the internet by exploiting weak passwords and software flaws. If successful, they can change tank settings, hide dangerous conditions, and turn off safety alarms, which could lead to physical damage or environmental leaks. Organizations using these systems should immediately disconnect them from the public internet, change default passwords, and apply security updates.
Key Takeaways
- Unattributed threat actors are actively targeting internet-exposed Automatic Tank Gauge (ATG) systems in U.S. critical infrastructure.
- Attackers exploit authentication bypass, hardcoded credentials, OS command execution, and SQL injection to compromise devices.
- Compromise can lead to altered tank attributes, denial of view conditions, and disabled safety alerts, risking environmental or physical hazards.
- Organizations must immediately remove ATG serial ports (e.g., TCP 8001, 9001, 10001) from public internet exposure.
Affected Systems
- Automatic Tank Gauge (ATG) systems
- Energy Sector OT systems
- Chemical Sector OT systems
- Food and Agriculture Sector OT systems
- Transportation Systems Sector OT systems
Attack Chain
Threat actors identify internet-exposed Automatic Tank Gauge (ATG) systems. They gain initial access by exploiting authentication bypass vulnerabilities, hardcoded credentials, or SQL injection flaws. Once authenticated, the attackers escalate privileges to full administrator and execute arbitrary OS commands to modify system attributes, disable alerts, and manipulate tank management functions.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: None — ATG systems are embedded Operational Technology (OT) devices that typically do not support standard EDR agent installation.
- Network Visibility: Medium — Network monitoring can detect unauthorized access attempts to common ATG serial ports (e.g., 8001, 9001, 10001) if traffic traverses monitored chokepoints.
- Detection Difficulty: Moderate — Detecting this activity requires OT network visibility and specific monitoring of ATG device logs, which are often not centralized in standard IT SIEM deployments.
Required Log Sources
- Network flow logs
- Firewall logs
- Application audit logs (ATG device)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for inbound connections from external IP addresses to internal ATG serial ports (e.g., TCP 8001, 9001, 10001) in firewall logs. | Firewall logs | Initial Access | Low |
| If you have visibility into ATG device logs, consider hunting for unauthorized configuration changes, such as tank label modifications or alarm threshold adjustments. | Application audit logs (ATG device) | Impact | Medium |
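A hunt for the first hypothesis in the table above, as an added example that is not part of the original advisory: it parses constructed key=value firewall log lines (a made-up format; adapt the regex to your firewall's export) and reports inbound TCP events from non-internal sources to the ATG serial ports named on this page. The internal-range list, the sample addresses and the field names are assumptions.

```python
import ipaddress
import re

# Serial-over-TCP ports commonly exposed by ATG devices, as named in the advisory.
ATG_PORTS = {8001, 9001, 10001}

# Treated as internal: RFC 1918, loopback, link-local, CGNAT (assumed list). Everything else is
# "external", so the documentation ranges (203.0.113.0/24, 198.51.100.0/24) in the sample count.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample firewall log lines (syslog-style key=value fields); not real traffic.
SAMPLE_FIREWALL_LOGS = """\
2026-06-01T02:14:07Z fw01 action=allow dir=in proto=tcp src=203.0.113.45 sport=51233 dst=192.168.50.10 dport=10001
2026-06-01T02:14:09Z fw01 action=allow dir=in proto=tcp src=203.0.113.45 sport=51234 dst=192.168.50.10 dport=8001
2026-06-01T02:15:30Z fw01 action=allow dir=in proto=tcp src=10.20.0.8 sport=40211 dst=192.168.50.10 dport=10001
2026-06-01T02:16:02Z fw01 action=deny dir=in proto=tcp src=198.51.100.7 sport=60001 dst=192.168.50.11 dport=9001
2026-06-01T02:17:45Z fw01 action=allow dir=out proto=tcp src=192.168.50.10 sport=10001 dst=203.0.113.45 dport=51233
2026-06-01T02:18:11Z fw01 action=allow dir=in proto=tcp src=203.0.113.9 sport=44000 dst=192.168.50.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) dir=(?P<dir>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def is_external(ip: str) -> bool:
    """True when the address lies outside every INTERNAL_NETS range; unparseable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def hunt_atg_exposure(log_text: str, ports=ATG_PORTS) -> list:
    """Inbound TCP events from external sources to ATG ports; denies are kept as probe evidence."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        f = m.groupdict()
        if f["dir"] != "in" or f["proto"] != "tcp" or int(f["dport"]) not in ports:
            continue
        if not is_external(f["src"]):
            continue  # internal-to-internal access is a separate, lower-priority hunt
        findings.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "dport": int(f["dport"]), "action": f["action"]})
    return findings
```

An allowed hit means the device is reachable from outside and is the finding to escalate; a denied hit still shows the port is being probed and that the exposure should be verified.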
Control Gaps
- Lack of network segmentation for OT devices
- Default credentials on embedded systems
- Inadequate logging and monitoring on IoT/OT devices
Key Behavioral Indicators
- Unexpected connections to TCP ports 8001, 9001, or 10001
- Suspicious alarms or alarm threshold modifications on ATG systems
- Unauthorized tank label changes
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Immediately eliminate public internet exposure for ATG serial ports (e.g., TCP 8001, 9001, 10001) and web interfaces.
- Change all default passwords and implement strong, unique administrative credentials for all ATG interfaces.
Infrastructure Hardening
- Implement network segmentation to isolate ATG systems from the corporate network and the public internet.
- Enforce access controls using firewalls, ACLs, or VPNs if remote access to ATG systems is strictly necessary.
- Implement phishing-resistant multifactor authentication (MFA) for remote access to OT networks.
User Protection
- Work with certified ATG service providers to apply the latest security patches and firmware updates.
Security Awareness
- Ensure OT operators are trained to recognize and report anomalous system behavior, such as disabled alerts or denial of view conditions.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078.001 - Valid Accounts: Default Accounts
- T1068 - Exploitation for Privilege Escalation
- T0806 - Exploit Public-Facing Application
- T0812 - Default Credentials
- T0831 - Manipulation of Control
- T0832 - Manipulation of View
- T0880 - Loss of View