Home » GEÓ Voice » CYBER INSECURITY: Critical Cybersecurity Vulnerabilities Discovered in Fuel Tank Gauge Systems

CYBER INSECURITY: Critical Cybersecurity Vulnerabilities Discovered in Fuel Tank Gauge Systems

Image Credit: StockSnap/Pixabay https://pixabay.com/users/stocksnap-894430
Image Credit: StockSnap/Pixabay

Wednesday, 25 September 2024

CYBER INSECURITY: Critical Cybersecurity Vulnerabilities Discovered in Fuel Tank Gauge Systems

By: Pedro Umbelino
Syndicated by GEÓ PRWire Channel Team – Gibraltar
GEÓPoliticalMatters.com/PRWire
First for Geopolitical Intel

Critical Vulnerabilities Discovered in Automated Tank Gauge Systems 

Industrial Control Systems (ICS) have become a ubiquitous part of modern critical infrastructure. Automatic Tank Gauge (ATG) systems play a role in this infrastructure by monitoring and managing fuel storage tanks, such as those found in everyday gas stations. These systems ensure that fuel levels are accurately tracked, leaks are detected early, and inventory is managed efficiently. Although the typical gas station comes to mind when thinking about fuel tanks, these systems also exist in other critical facilities, including military bases, hospitals, airports, emergency services, and power plants, to name a few.

Recent investigation by Bitsight TRACE has discovered multiple critical 0-day vulnerabilities across six ATG systems from five different vendors. These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses. What’s even more concerning is that, besides multiple warnings in the past, thousands of ATGs are still currently online and directly accessible over the Internet, making them prime targets for cyberattacks, especially in sabotage or cyberwarfare scenarios.

Bitsight strongly believes in responsible disclosure of vulnerabilities. For the past six months, Bitsight has been collaborating closely with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), as well as with affected vendors, in order to mitigate these vulnerabilities. This coordinated effort aims to safeguard critical infrastructure and prevent the dire consequences that could result from successful attacks.

In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation.

What is an ATG system and why it matters 

Automatic Tank Gauging refers to a system that automatically measures and records the level, volume, and temperature of products in storage tanks, such as gas stations fuel tanks. It can also monitor leaks, issue high-level and low-level alarms, trigger sirens, emergency shutoff valves, ventilation, fuel dispensers and other peripherals. The ability to control physical processes is made by interfacing with the internal or external relays. This technology helps ensure compliance with environmental regulations and is used to optimize inventory management at a gas station or other facilities that store fuel (hospitals, airports, military facilities).

There are several brands and models of controllers that are commonly used in Automatic Tank Gauging systems. Our research focused on some of the brands and models most commonly found online. It is by no means exhaustive, but we considered a good first approach to the issue.

Part of what makes these devices attractive to security researchers, or a malicious actor for that matter, is the potential ability to control physical processes that could lead to disastrous consequences if they are abused in unintended ways.

Image Credit: StockSnap/Pixabay https://pixabay.com/users/stocksnap-894430

Recommendations 

We’ve covered the overall recommendations about ICS systems in the past and we will reiterate them here. An ATG system should be treated as any other ICS.

For security leaders 

Organizations should immediately engage in outreach and remediation efforts:

Identify any ATG deployed by your organization and/or your third-party business partners, and promptly assess the security of these systems.

Remove any ATG from the public internet.

Employ safeguards like firewalls to protect against unauthorized access to your ATG systems.

Security leaders must acknowledge the unique control needs that apply to OT including industrial control systems rather than just apply a traditional IT risk model to this infrastructure.

For manufacturers 

Manufacturers of ATGs must take action to increase the cybersecurity of their devices, not only in their internal software development life-cycle, but also throughout their supply chain. Just earlier this year the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) published a set of the principles with input from leading ICS manufacturers and asset owners who participate in CESER’s supply chain research and development, and drawing from research and insights at Idaho National Laboratory, which characterize the foundational actions and approaches needed to deliver strong cybersecurity throughout the vast global supply chains of industrial control systems.

In addition, manufacturers should work with their customers to ensure the proper configuration and security of already deployed devices. Although broader in scope than ATGs, ICS manufacturers are leading with innovative initiatives to enhance the security of their devices and their customers. For example, Schneider Electric has made device security and customer security a business priority. Through a joint effort with Bitsight, Schneider Electric is working to identify externally observable risks to the OT community and engage customers in remediation initiatives. Manufacturers should follow Schneider Electric’s lead and take steps to:

Geopolitical Intel

About GEO´ PRWire Channel

Our PR Wire Channel Management Team provide direct, immediate, highly cost-effective access to our entire Geopolitical contacts network including our proprietary Userbase of 232k* individually named, profiled & GDPR compliant CSuite industry influencers and policy makers, across the Banking & Finance, Insurance, Manufacturing, Technology, Aviation and Maritime industries as well as NGOs and Government Departments Worldwide. (*Up 41% year on year) Post your First Release Free!

Translate »
geopoliticalmatters.com