Executive Summary
In June 2026, U.S. critical infrastructure sectors, including energy and transportation, faced cyberattacks targeting internet-exposed Automatic Tank Gauge (ATG) systems. These systems, essential for monitoring fuel and liquid levels, were compromised by threat actors exploiting vulnerabilities such as default passwords and command execution flaws. The attackers manipulated system settings, altered tank readings, and disabled alerts, posing significant operational and safety risks. In response, agencies like CISA, NSA, and FBI issued joint advisories urging organizations to secure ATG systems by removing them from public internet access, enforcing strong credentials, and applying necessary patches. This incident underscores the escalating threat to industrial control systems and the urgent need for enhanced cybersecurity measures to protect critical infrastructure from sophisticated cyber threats.
Why This Matters Now
The recent targeting of ATG systems highlights a growing trend of cyberattacks on critical infrastructure, emphasizing the need for immediate action to secure vulnerable systems and prevent potential operational disruptions and safety hazards.
Attack Path Analysis
Attackers exploited internet-exposed automatic tank gauge (ATG) systems to gain initial access. They then escalated privileges by exploiting vulnerabilities in the ATG firmware. Lateral movement was achieved by accessing connected industrial control systems (ICS). Command and control were established through persistent access to compromised devices. Data exfiltration involved siphoning operational data from ATGs and ICS. The impact included manipulation of fuel levels and potential disruption of operations.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited internet-exposed automatic tank gauge (ATG) systems to gain initial access.
Related CVEs
CVE-2025-58428
CVSS 9.9
A command injection vulnerability in the SOAP interface of Veeder-Root TLS4B Automatic Tank Gauge Systems allows authenticated remote attackers to execute arbitrary system commands.
Affected Products:
Veeder-Root TLS4B Automatic Tank Gauge System – All versions with SOAP interface exposed via Web Service Processor
Exploit Status:
proof of concept
CVE-2025-2567
CVSS 9.8
A missing authentication vulnerability in certain Automatic Tank Gauge (ATG) systems allows unauthenticated remote attackers to modify or disable device settings, potentially disrupting fuel monitoring operations.
Affected Products:
Various Automatic Tank Gauge Systems – Specific versions affected; refer to vendor advisories
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command-Line Interface
Loss of Control
Brute Force I/O
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Boundary Protection
Control ID: SC-7
PCI DSS 4.0 – Restrict Inbound and Outbound Traffic
Control ID: 1.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical exposure through fuel tank ATG systems vulnerable to Iranian threat actors exploiting unpatched industrial control systems for operational disruption.
Utilities
High-risk targeting of internet-exposed automatic tank gauges, enabling attackers to manipulate SCADA systems and disable critical safety alerts across the infrastructure.
Transportation
Significant vulnerability through gas station ATG compromises allowing fuel system manipulation, potentially disrupting transportation networks and supply chain operations.
Chemicals
Severe safety risks from ATG system breaches enabling manipulation of dangerous chemical storage monitoring and disabling emergency alert systems.
Sources
- Exposed Fuel Tank Gauges Under Attack in the US: https://www.darkreading.com/cyberattacks-data-breaches/exposed-fuel-tank-gauges-attack-us
- NSA Joins CISA and Partners to Release Guidance on Hardening Automatic Tank Gauge Systems: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4507204/nsa-joins-cisa-and-partners-to-release-guidance-on-hardening-automatic-tank-gau/
- CISA and Partners Urge Hardening Automatic Tank Gauge Systems: https://www.cisa.gov/resources-tools/resources/cisa-and-partners-urge-hardening-automatic-tank-gauge-systems
- NSA warns that cybercriminals are targeting this one critical component that the energy, chemical, food, agriculture, and transportation sectors rely on - here's what we know: https://www.techradar.com/pro/security/nsa-warns-that-cybercriminals-are-targeting-this-one-critical-component-that-the-energy-chemical-food-agriculture-and-transportation-sectors-rely-on-heres-what-we-know
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident as it could have limited the attacker's ability to exploit internet-exposed ATG systems, escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing CNSF could have limited the attacker's ability to exploit internet-exposed ATG systems by enforcing strict access controls and reducing the attack surface.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have limited the attacker's ability to escalate privileges by enforcing strict access controls and reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited the attacker's ability to move laterally by enforcing strict access controls and reducing the reachability of connected ICS.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have limited the attacker's ability to establish command and control by enforcing strict access controls and reducing the reachability of compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have limited the attacker's ability to exfiltrate data by enforcing strict access controls and reducing the reachability of ATGs and ICS.
Implementing Aviatrix Zero Trust CNSF could have reduced the attacker's ability to manipulate fuel levels and disrupt operations by limiting their access to critical systems.
Impact at a Glance
Affected Business Functions
- Fuel Inventory Management
- Leak Detection
- Regulatory Compliance Reporting
Estimated downtime: 3 days
Estimated loss: $500,000
Operational data related to fuel levels, temperature readings, and leak detection statuses.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access between ATGs and other ICS components.
- Deploy East-West Traffic Security to monitor and control lateral movement within the network.
- Utilize Multicloud Visibility & Control to detect and respond to unauthorized access attempts.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Apply Inline IPS (Suricata) to detect and block exploitation attempts targeting known vulnerabilities.
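The joint guidance to remove ATGs from public internet access, and the segmentation step above, can be checked against an exported ingress rule list. The following is an added example, not code from the advisory or any vendor; the rule tuple format, host names and subnets are constructed assumptions, and rules are evaluated first-match with a default deny.

```python
import ipaddress

# Constructed sample data: hypothetical ATG hosts, management subnet and rule export.
ATG_HOSTS = {"atg-site-01": "10.20.0.15", "atg-site-02": "10.20.1.15"}
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]  # assumed jump-host subnet
RULES = [  # ordered, first match wins: (action, source CIDR, destination CIDR)
    ("allow", "10.99.0.0/24", "10.20.0.0/16"),
    ("deny", "0.0.0.0/0", "10.20.0.15/32"),
    ("allow", "0.0.0.0/0", "10.20.0.0/16"),  # too broad: still reaches atg-site-02
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

def split(rem, src):
    """Split `rem` into (part matched by `src`, parts left over); CIDRs nest or are disjoint."""
    if rem.subnet_of(src):
        return rem, []
    if src.subnet_of(rem):
        return src, list(rem.address_exclude(src))
    return None, [rem]

def allowed_sources(host, rules):
    """Source networks that can reach `host` under first-match evaluation."""
    addr = ipaddress.ip_address(host)
    remaining = [ipaddress.ip_network("0.0.0.0/0")]  # sources not yet decided
    allowed = []
    for action, src, dst in rules:
        if addr not in ipaddress.ip_network(dst):
            continue
        src_net, undecided = ipaddress.ip_network(src), []
        for rem in remaining:
            matched, left = split(rem, src_net)
            undecided.extend(left)
            if matched is not None and action == "allow":
                allowed.append(matched)
        remaining = undecided
    return allowed  # whatever is left in `remaining` falls to the default deny

def audit(hosts, rules, mgmt_nets):
    """Map each ATG to the allowed source ranges that lie outside the management nets."""
    findings = {}
    for name, ip in hosts.items():
        bad = [n for n in allowed_sources(ip, rules)
               if not any(n.subnet_of(m) for m in mgmt_nets)]
        if bad:
            findings[name] = sorted(bad)
    return findings

if __name__ == "__main__":
    for name, nets in audit(ATG_HOSTS, RULES, MGMT_NETS).items():
        print(f"{name}: reachable from {len(nets)} non-management ranges, e.g. {nets[0]}")
```

In the sample, the explicit deny shields atg-site-01, while atg-site-02 is caught by the later broad allow and is reported.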



