The NSA warns that cybercriminals are targeting this essential component on which the energy, chemical, food, agriculture and transportation sectors depend. Here’s what we know

Agencies warn of attacks on ATG systems
Attackers exploit weak credentials and SQL injection
Mitigation includes stronger passwords and removing internet exposure

Critical infrastructure organizations should harden their automatic tank gauge (ATG) systems to defend against ongoing attacks. That’s the warning issued earlier this week by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and other agencies.

In a joint press release, these agencies said they were “aware of malicious cyber activity targeting U.S.-based automatic tank gauge systems.”

“The author organizations urge ATG owners and operators to defend against this malicious activity by securing their ATG systems with strong passwords and removing them from the Internet to reduce their exposure to the public.”

A list of mitigations

ATG systems are monitoring devices used in fuel storage tanks that automatically measure fuel levels, temperature, potential leaks and other vital parameters, helping operators manage inventory and quickly detect problems.

The agencies could not attribute the ongoing attacks to a specific threat actor or nation-state, but indicated what companies should pay attention to. Apparently, attackers either use hardcoded credentials, command execution and SQL injection attacks, or privilege escalation to gain access to devices.

Once inside, attackers typically modify system attributes (network settings, product identifiers, tank volumes, pump controls), exacerbate operational malfunctions, and disable system alerts.

The advisory lists a number of steps organizations can take to mitigate risks, including eliminating public exposure to the Internet, restricting access, and strengthening credential security. The full list of mitigation suggestions is available at this link.

Securing critical infrastructure has always been a challenge for nation states, and today, with the advent of AI, it becomes even more difficult. To this end, earlier this week the UK’s GCHQ launched the world’s first AI cyber defense system.

At an annual conference held earlier this week at Bletchley Park, GCHQ Director Anne Keast-Bulter outlined the shield’s plans, mentioning that Russia and China pose an ever-increasing cyber threat to the UK’s national interests and way of life.