NSA warns that cybercriminals are targeting this critical component that the energy, chemical, food, agriculture and transportation sectors depend on - here's what we know

Agencies warn of attacks on ATG systems
Attackers take advantage of weak credentials and SQL injection
Mitigation includes stronger passwords and eliminating Internet exposure.

Critical infrastructure organizations should take steps to strengthen their automatic tank gauging (ATG) systems to defend against ongoing attacks. This is the warning given earlier this week by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and other agencies.

In a joint press release, these agencies said they were “aware of malicious cyber activity targeting US-based automatic tank gauging systems.”

“The author organizations urge ATG owners and operators to defend against this malicious activity by securing their ATG systems with strong passwords and removing them from the Internet to reduce public exposure.”

A list of mitigations

ATG systems are monitoring devices used in fuel storage tanks that automatically measure fuel levels, temperature, potential leaks and other vital elements, helping operators manage inventory and detect problems early.

The agencies could not attribute the ongoing attacks to any specific threat actor or nation-state, but they did say what companies should pay attention to. The attackers are apparently using hardcoded credentials, command execution, and SQL injection attacks, or privilege escalation, to access the devices.

Once inside, attackers often change system attributes (network configurations, product identifiers, tank volumes, pump controls), exacerbate operational failures, and disable system alerts.

The advisory lists a number of things organizations can do to mitigate risk, including eliminating public exposure to the Internet, restricting access, and enforcing stronger credential security. The full list of mitigation suggestions can be found at this link.

Protecting critical infrastructure has always been a challenge for nation-states and now, with the advent of AI, it has become more difficult. To that end, earlier this week, the UK’s GCHQ unveiled the world’s first AI cyber defense system.

At an annual conference held earlier this week in Bletchley Park, GCHQ director Anne Keast-Bulter set out plans for the shield, citing Russia and China as posing a growing cyber threat to the UK’s national interests and way of life.