CISA, FBI, and NSA Warn of Active Attacks on Internet-Exposed Fuel Tank Monitors
A coordinated advisory from CISA, the FBI, the NSA, the Department of Energy, and several other U.S. government agencies is warning that threat actors are actively targeting internet-exposed automatic tank gauge (ATG) systems — the hardware used to monitor fuel levels, temperature, and leak conditions in storage tanks across gas stations, airports, military installations, and industrial sites.
What Happened
According to BleepingComputer's reporting on the advisory, the multi-agency warning documents attacks against ATG systems that are reachable directly from the public internet — a configuration that is far more common than it should be. ATGs were designed for serial or proprietary-network connectivity; many were later exposed via cheap cellular or IP gateways with little or no authentication in front of them. Attackers are now systematically scanning for and exploiting that exposure.
The advisory does not name specific threat actors, but the involvement of NSA and DOE alongside CISA and the FBI signals the agencies consider the activity sophisticated enough to warrant a national-level warning.
Why It Matters
ATG compromise is not just a data problem — it is a physical-consequence problem. An attacker with write access to a tank gauge can silence alarms, spoof level readings, disable overfill protection, or trigger false leak events that force facility shutdowns. At airports and fuel depots, falsified sensor data can delay refueling operations or, in a worst-case scenario, create conditions for an actual spill or fire without triggering safety interlocks.
The systems themselves are often running legacy firmware, updated infrequently if ever, and managed by facilities staff rather than security teams. That combination — internet reachability, physical consequence, and low patch cadence — is exactly what makes them attractive targets. The breadth of the advisory (five agencies) suggests this is not a theoretical risk: activity is ongoing.
What to Do
If you manage, own, or audit any facility with ATG hardware, the immediate checklist is short:
- Find your exposure. Query Shodan or Censys for your IP ranges and filter for common ATG ports (10001, 10002, 4000, and vendor-specific ports). If anything responds, it is reachable.
- Take ATGs off the public internet now. Place them behind a VPN or restrict access to a specific management IP. There is no operational reason an ATG needs to be directly internet-routable.
- Change default credentials. Most ATG management interfaces ship with well-known default usernames and passwords that are documented in public manuals.
- Apply available firmware updates. Contact your ATG vendor (Veeder-Root, Franklin Fueling, OPW, etc.) for current firmware and apply it during the next maintenance window.
- Enable logging and alert on authentication failures. If you cannot immediately take the system offline, at minimum instrument it so you know when someone is trying to log in.
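The first two checklist items can also be checked from the inside. The following is an added example, not part of the advisory or the original article: it audits a gateway's exported port-forward rules for the ATG ports listed above and flags any that accept traffic from every source. The CSV layout, the site names, and the 10.20.0.0/24 management range are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Common ATG ports named in the checklist; add vendor-specific ports per site.
ATG_PORTS = {10001, 10002, 4000}

# Assumption: the management/VPN range that is allowed to reach ATGs.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample export; column names are hypothetical, adapt to your gateway.
SAMPLE_RULES = """\
site,wan_port,lan_host,lan_port,allowed_source
station-01,10001,192.168.1.50,10001,0.0.0.0/0
station-02,10001,192.168.1.50,10001,10.20.0.15/32
station-03,8443,192.168.1.10,443,0.0.0.0/0
depot-07,4000,192.168.5.20,4000,198.51.100.0/24
station-04,2222,192.168.1.50,10002,any
"""


def classify(rule):
    """Return EXPOSED, REVIEW, RESTRICTED, or None if no ATG port is involved."""
    # Check both sides: a forward can hide an ATG port behind another WAN port.
    if not {int(rule["wan_port"]), int(rule["lan_port"])} & ATG_PORTS:
        return None
    src = rule["allowed_source"].strip().lower()
    if src in ("", "any"):
        return "EXPOSED"
    net = ipaddress.ip_network(src, strict=False)
    if net.prefixlen == 0:
        return "EXPOSED"
    if any(net.version == m.version and net.subnet_of(m) for m in MGMT_ALLOWLIST):
        return "RESTRICTED"
    return "REVIEW"  # source-limited, but not to a known management range


def audit(csv_text):
    """Return (site, lan_host, lan_port, status) for every rule touching an ATG port."""
    findings = []
    for rule in csv.DictReader(io.StringIO(csv_text)):
        status = classify(rule)
        if status:
            findings.append((rule["site"], rule["lan_host"], rule["lan_port"], status))
    return findings


if __name__ == "__main__":
    for site, host, port, status in audit(SAMPLE_RULES):
        print(f"{status:<10} {site} -> {host}:{port}")
```

EXPOSED rows are the ones to close first; REVIEW rows are source-restricted but to a range nobody has claimed as management, which usually means a stale vendor or contractor exception.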
This advisory follows years of public research demonstrating that tens of thousands of ATGs are internet-exposed worldwide. The difference now is that government agencies are saying attacks are actively happening — not that they could happen. Treat this as an emergency change ticket, not a backlog item.
Synthesized by Claude · sanity-checked before publish.