There’s a device sitting underneath nearly every gas station, farm fuel depot, and industrial storage facility in the country. It monitors liquid levels, tracks temperature, detects leaks, and, in many cases, accepts remote connections from the open internet with no authentication required.
Most operators have never thought about it from a security standpoint. Most IT providers haven’t either.
That oversight is getting expensive.
The Device Nobody Audits
Automatic Tank Gauge systems (ATGs) have been the operational backbone of bulk liquid storage for decades. They do exactly what the name suggests: automatically measure what’s inside a tank and report it back. For fuel retailers, agricultural operators, food processors, and transportation fleets, they’re as essential and unremarkable as the tanks themselves.
Which is precisely why they’ve flown under the radar as a cybersecurity risk. Opportunistic hackers love this.
ATGs were engineered for reliability in physically isolated environments. Cybersecurity wasn’t a design consideration because the internet wasn’t part of the picture. Then remote monitoring became a business expectation, and these legacy devices got quietly connected to networks they were never built to defend themselves on.
The result is a massive installed base of internet-exposed hardware running outdated firmware, protected by factory-default passwords, generating logs that nobody reads… and in many cases, nobody even knows are there.
Sound familiar? It should. This is the same story that played out with industrial SCADA systems, building management controllers, and IP cameras over the last two decades. ATGs are simply the next security afterthought in line.
What an Attacker Can Actually Do
The security vulnerabilities affecting ATG systems aren’t exotic. They’re the same categories of weaknesses that appear on every penetration tester’s checklist:
Default and hardcoded credentials
A significant portion of deployed ATG systems still authenticate — or fail to authenticate — using factory-default usernames and passwords. Some use hardcoded credentials baked into firmware that can’t be changed at all. For an attacker, this means access without any real effort.
Command injection
Once inside a management interface, many ATG platforms are vulnerable to OS-level command execution. An attacker isn’t just reading data — they’re running arbitrary code on the device.
Privilege escalation
From a foothold, achieving full administrative control over the device’s application layer and underlying operating system is often a matter of exploiting a known, unpatched vulnerability. Tools like Shodan make identifying exposed ATG ports (commonly TCP 8001, 9001, or 10001) a minutes-long exercise.
Put those pieces together and you have a threat actor who can, without ever setting foot on your property:
- Change what the system reports as the actual tank volume – masking overflows or artificially triggering pump shutdowns
- Disable leak detection alerts – silencing the alarm that stands between a slow leak and an environmental incident
- Modify pump controls and network settings – causing operational disruptions that look like equipment failure rather than an intrusion
- Create a “denial of view” condition – making it impossible for operators to know the true state of their tanks until physical damage has already occurred
This isn’t theoretical. Federal cybersecurity agencies confirmed active exploitation of these attack vectors this week, describing observed intrusions where threat actors compromised ATG systems and modified them through direct command execution. No attribution to any specific nation-state or criminal group has been established yet. Scary, right?
Who’s at Risk?
ATG systems span a wider slice of the economy than most people realize. If your business or any of your clients operate in the following areas, there’s a reasonable chance an ATG is in scope, and almost certainly hasn’t been security-assessed:
Fuel retail and distribution — Every commercial gas station. Every heating oil or propane depot. Fleet fueling operations. The ATG is standard equipment.
Agriculture — Farms with on-site diesel storage for equipment. Chemical and fertilizer liquid storage. Operations that rely on automated inventory monitoring.
Food and beverage processing — Large-scale liquid ingredient storage. CO2 and refrigerant systems. Bulk fluid handling in production environments.
Transportation and logistics — Bus depots, trucking terminals, rail yards, airports. Any operation maintaining its own fuel reserves.
Municipal and government — Public works departments with vehicle fuel storage. Emergency generator fuel reserves at government facilities. Fire stations.
For any MSP or IT provider serving these sectors, the question isn’t whether your clients have public-internet-facing ATG exposure; it’s whether you’ve ever looked.
Why This Keeps Happening
The pattern here is worth understanding because ATGs won’t be the last legacy OT device to make headlines this way.
Industrial and operational technology has always prioritized uptime over security. A device that works reliably for 20 years without being touched is a success story in OT terms. In cybersecurity terms, it’s a 20-year accumulation of unpatched vulnerabilities running on hardware that was never designed to be defended.
The operational teams responsible for these systems are experts in what the systems do, not in how to protect them from adversaries who understand networks better than tank fluid dynamics. And the IT teams brought in to manage connectivity often don’t know enough about OT environments to ask the right questions.
The result is a gap. Operational systems get connected to networks. Network access never gets properly secured. No one builds a process for reviewing ATG logs because no one knew there were logs worth reviewing. Years pass. Then a new advisory drops.
Closing the Gap: What Hardening Actually Looks Like
Getting ATG security to a defensible baseline isn’t a six-month project. The fundamentals are straightforward:
Remove internet exposure
If the ATG serial interface is reachable from a public IP, that needs to end. Place it behind a firewall with explicit deny rules for external traffic. If remote access is operationally necessary, require a VPN with strong authentication, not just an open port. Open ports make things easy, for you and for the attacker. Tighten it up.
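An explicit deny only helps if no broader allow rule sits above it. The following is an added example, not part of the original article: it evaluates a first-match firewall rule list and reports which of the ATG ports named above an external address can still reach. The rule format, IP addresses, and function names are constructed for illustration.

```python
import ipaddress

# Ports the article names as commonly exposed ATG interfaces.
ATG_PORTS = {8001, 9001, 10001}

# Constructed sample rule set (hypothetical format), evaluated top-down,
# first match wins: (action, source CIDR, destination CIDR, (low port, high port)).
SAMPLE_RULES = [
    ("allow", "10.8.0.0/24", "192.168.50.10/32", (10001, 10001)),  # VPN pool -> ATG
    ("allow", "0.0.0.0/0", "192.168.50.0/24", (8000, 9000)),       # legacy vendor rule
    ("deny", "0.0.0.0/0", "192.168.50.10/32", (1, 65535)),         # explicit ATG deny
    ("allow", "0.0.0.0/0", "192.168.50.20/32", (443, 443)),        # unrelated web server
]

def first_match(rules, src, dst, port):
    """Return (rule index, action) for the first matching rule; default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net, (lo, hi)) in enumerate(rules):
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and lo <= port <= hi):
            return i, action
    return None, "deny"

def exposed_atg_ports(rules, atg_ip, external_src="203.0.113.7"):
    """List (port, rule index) pairs where an external source is allowed through."""
    findings = []
    for port in sorted(ATG_PORTS):
        idx, action = first_match(rules, external_src, atg_ip, port)
        if action == "allow":
            findings.append((port, idx))
    return findings

if __name__ == "__main__":
    for port, idx in exposed_atg_ports(SAMPLE_RULES, "192.168.50.10"):
        print(f"port {port} reachable from outside via rule #{idx}: {SAMPLE_RULES[idx]}")
```

In the sample, the explicit deny at index 2 never applies to port 8001 because the broad allow at index 1 matches first.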
Rotate every default credential
Audit all management interfaces and change factory passwords immediately. This sounds obvious but it’s frequently skipped.
Apply available patches
Work with your ATG service provider to identify the current firmware version and apply manufacturer updates. Legacy hardware may have limited patch availability, but anything that can be updated should be, especially if recommended by the manufacturer.
Enable and monitor logging
Turn on audit logging and build a review process around it. You’re watching for unauthorized access attempts, alarm threshold changes, tank label modifications, and configuration changes that nobody on your team initiated.
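A review process needs something to compare the log against. The following is an added example, not part of the original article: it checks audit events against a register of approved change windows and flags the four event types listed above. The log format, event names, users, and timestamps are all constructed, since real ATG log formats vary by vendor.

```python
from datetime import datetime

# Hypothetical event names for the changes the article says to watch for.
WATCHED = {"login_failed", "alarm_threshold_change",
           "tank_label_change", "config_change"}

# Constructed change register: (user, window start, window end).
APPROVED_CHANGES = [
    ("jsmith", datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 11, 0)),
]

# Constructed sample log (hypothetical format): timestamp|source|user|event|detail
SAMPLE_LOG = """\
2024-05-02T09:14:03|10.8.0.5|jsmith|alarm_threshold_change|tank=2 high_level 95->92
2024-05-02T23:41:17|198.51.100.23|admin|login_failed|bad password
2024-05-02T23:41:52|198.51.100.23|admin|login_ok|
2024-05-02T23:43:10|198.51.100.23|admin|alarm_threshold_change|tank=2 leak_alarm off
2024-05-02T23:44:02|198.51.100.23|admin|tank_label_change|tank=2 DIESEL->UNLEADED
"""

def approved(user, ts):
    """True if this user had an approved change window covering the timestamp."""
    return any(u == user and start <= ts <= end
               for u, start, end in APPROVED_CHANGES)

def review(log_text):
    """Return (finding kind, raw line) for every event that needs a human look."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            findings.append(("unparsed", line))  # never silently drop a line
            continue
        ts_s, _source, user, event, _detail = parts
        if event not in WATCHED:
            continue
        if event == "login_failed":
            findings.append(("unauthorized_access_attempt", line))
        elif not approved(user, datetime.fromisoformat(ts_s)):
            findings.append(("unapproved_" + event, line))
    return findings

if __name__ == "__main__":
    for kind, line in review(SAMPLE_LOG):
        print(f"{kind}: {line}")
```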
Assess your third parties
If a managed service provider or ATG vendor has remote access to your systems, they need to meet the same security baseline you hold yourself to. Access credentials for third parties should be unique, logged, and revocable.
Get a proper risk assessment
A qualified IT security provider can identify exposed ATG interfaces on your network, review your current configuration against best practices, and document your posture in a format that’s useful for insurance, compliance, and incident response.
The Business Case for Acting Now
Federal advisories tend to have a short window of attention before the next news cycle takes over. But the underlying risk doesn’t expire when the advisory does.
For operators in regulated industries – fuel distribution under EPA oversight, food processing under FDA, agriculture with environmental compliance obligations – an ATG compromise doesn’t just create operational disruption. It creates liability. An undetected leak enabled by a disabled alert system is a very different conversation with a regulator than a hardware failure.
Cyber insurance underwriters are also paying attention. The same carriers tightening coverage requirements around MFA and endpoint protection are beginning to ask questions about OT and ICS exposure. Getting ahead of that conversation with documented controls is worth real money at renewal.
The advisory published by CISA this week is a useful forcing function. It creates a clear, current reference point for conversations with facility managers, operations directors, and ownership groups who might otherwise deprioritize infrastructure security they can’t see.
If you’re an MSP serving any of these sectors, this is the week to pick up the phone.
NCyber LLC provides managed IT and cybersecurity services to small businesses and critical infrastructure operators across New Hampshire, Massachusetts, Maine, and the East Coast. If you have facilities with ATG systems and want to understand your current exposure, we’d be glad to help — reach us at support@ncyber.io.



