American fuel storage tanks sit quietly across thousands of sites. Their levels, temperatures and leak status feed directly into operations at refineries, chemical plants, farms, food processors and transport hubs. Yet a new joint warning from federal agencies shows those same devices have become a prime target for cyber attackers.
Automatic tank gauge systems, or ATGs, monitor storage tanks remotely. They track fuel and liquid levels. They measure temperature. They flag potential leaks. Operators in the energy, chemical, food and agriculture, and transportation sectors rely on them every day. Internet exposure turns them into an open door.
On June 3, 2026, the National Security Agency joined the Cybersecurity and Infrastructure Security Agency, FBI, Department of Energy, Environmental Protection Agency, Transportation Security Administration, Department of Transportation and USDA to issue a fact sheet. The document details ongoing malicious cyber activity aimed at these systems. NSA press release.
Unattributed threat actors have compromised internet-exposed ATG units. They then modify the systems through command execution. The tactics include authentication bypass using hardcoded credentials, OS command execution, SQL injection and privilege escalation. Once inside, attackers alter network settings, product identifiers, tank volumes and pump controls. They disable alerts. They create denial-of-view conditions that hide actual tank levels.
The consequences stretch beyond data loss. A compromised gauge can mask leaks or overfills. It can trigger equipment damage. Environmental hazards become more likely when operators lose visibility. One successful hit on a fuel terminal or chemical storage site could ripple through supply chains that already operate on tight margins.
This advisory arrives amid broader concern over operational technology security. Earlier warnings from the same agencies highlighted pro-Russia hacktivist activity against OT devices in water, energy and food sectors. Iranian-linked actors have targeted programmable logic controllers in water and energy facilities. Chinese groups probe communications, energy and transport infrastructure. The pattern shows adversaries treat these systems as accessible entry points rather than fortified targets.
A GBHackers News report from June 3, 2026 noted the joint alert emphasizes that attackers exploit flaws through multiple vectors on exposed devices. The article stressed the widespread deployment of ATGs across critical sectors and the potential for operational disruption.
Yet the fix starts with basics that many industrial operators still overlook. The fact sheet urges owners to eliminate public internet exposure immediately. Do not leave the ATG serial port — often listening on default TCP ports such as 8001, 9001 or 10001 — reachable from the web. If remote access remains necessary, enforce strict firewall rules, access control lists or VPN tunnels. Change every default password. Deploy strong, unique credentials. Add phishing-resistant multifactor authentication where possible.
Software updates matter too. Operators should work with certified service providers to apply the latest patches from manufacturers. Many ATG units run outdated firmware with known weaknesses. Monitoring provides another layer. Enable detailed logging. Watch for unauthorized connections, modified alarm thresholds, changed tank labels or suspicious commands. Report incidents promptly through CISA channels.
The guidance also calls on third-party service providers to follow established OT hardening practices. Those include network segmentation, least-privilege access and regular security assessments. Such steps align with prior CISA and NSA recommendations on reducing exposure of internet-facing industrial control systems.
Industry observers note that many ATG installations were deployed years ago when remote monitoring meant dial-up modems rather than constant cloud connectivity. The shift to IP-based systems increased convenience but also attack surface. Bitsight research from 2023, referenced in the fact sheet, cataloged critical vulnerabilities in popular ATG models that remain relevant today.
So what separates this alert from previous OT warnings? Scale and specificity. ATGs exist in huge numbers across dispersed sites. A single vendor’s device might appear in hundreds of independent facilities. Attackers do not need to breach a central corporate network. They scan for exposed ports and exploit weak authentication. The barrier to entry stays low while potential impact stays high.
Energy sector leaders already wrestle with legacy equipment that cannot be patched easily. Chemical processors face similar constraints under strict safety regulations that limit downtime. Food and agriculture operations often operate with thinner cybersecurity budgets. Transportation fuel depots serve both commercial and emergency response needs. Each sector shares the same vulnerable component.
Federal agencies stop short of attributing the attacks to any specific nation-state or criminal group. The focus remains on observed behavior and practical defenses. That approach echoes recent joint advisories on Iranian activity against PLCs and earlier alerts about hacktivist probing of small-scale OT systems. The message stays consistent: adversaries probe for easy wins in industrial environments.
Implementation will test many organizations. Removing devices from direct internet access requires architectural changes. Some facilities use these gauges for vendor-managed inventory systems. Third-party remote monitoring contracts may need renegotiation. Training staff to recognize anomalous alerts adds another demand on already stretched teams.
Still, the cost of inaction looks higher. A disabled leak detection system at a fuel storage farm could lead to groundwater contamination before anyone notices. Manipulated volume readings at a chemical plant might cause incompatible mixing or overflow. Disrupted pump controls at a transportation hub could halt deliveries during peak demand.
The joint fact sheet points to additional resources. It references CISA’s guidance on reducing internet exposure, principles for secure OT connectivity, and primary mitigations for operational technology threats. Operators who follow those documents gain a repeatable framework that extends beyond tank gauges to other control systems.
Technology alone will not solve the problem. Culture and process matter. Operators must treat these gauges with the same caution once reserved for physical locks and keys. Service technicians need clear instructions on credential management. Executives must accept that convenience of remote visibility carries measurable risk.
And the threat will not vanish. As more industrial sensors connect to networks, attackers gain fresh opportunities. The agencies’ coordinated release signals that this particular vector has moved from theoretical concern to active exploitation. Organizations that act now on the listed recommendations stand a better chance of keeping fuel, chemicals and food supplies moving without interruption.
Visibility into tank contents once seemed a simple operational advantage. Today it represents a contested digital frontier. The agencies have drawn the line. The question for industry becomes how quickly it can respond.
WebProNews is an iEntry Publication