BitSight Technologies has revealed alarming zero-day vulnerabilities in Automatic Tank Gauge (ATG) systems used across critical infrastructure sectors. An investigation by BitSight’s TRACE researchers identified multiple critical flaws in systems from five different vendors, which could potentially be exploited by cybercriminals to inflict extensive physical damage, create environmental hazards, and cause significant economic losses. The findings underscore the urgent need for enhanced cybersecurity measures, especially as many of these ATG systems remain online and accessible over the Internet, making them prime targets for malicious attacks.
The vulnerabilities disclosed by BitSight have been under scrutiny since March 21, 2024. The company has been working closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the affected vendors to remediate these critical issues. CISA has published advisories aimed at informing stakeholders about the risks and necessary steps to mitigate them. Despite the proactive approach, many ATG systems continue to be vulnerable, raising serious concerns about their security, especially given the potential consequences of a successful cyberattack.
ATG systems play a crucial role in monitoring and controlling the storage of fuels in facilities such as gas stations, airports, and hospitals. They measure levels, volumes, and temperatures while also managing alarms and emergency shutdowns. However, the inherent vulnerabilities associated with these systems could lead to disastrous scenarios, including unauthorized access to critical controls, disruption of operations, and even catastrophic accidents resulting from tampering with fuel storage parameters. These risks are exacerbated by the fact that many ATG systems were designed without considering the cybersecurity challenges posed by Internet connectivity.
BitSight emphasizes the need for organizations to take immediate action by identifying and securing any ATG systems they manage or use. It is essential to remove these systems from public access and employ protective measures such as firewalls to prevent unauthorized access. Additionally, manufacturers of ATG systems must prioritize cybersecurity in their development processes and throughout the supply chain. As critical infrastructure continues to face increasing cyber threats, addressing these vulnerabilities is paramount to ensure national and economic security.
