U.S. Fuel Tanks Left Exposed as Hackers Alter Readings and Silence Alarms

Federal agencies warn that hackers are actively compromising internet-exposed automatic tank gauge systems at U.S. fuel sites, altering displayed readings and disabling leak alerts. A new joint advisory details the tactics while urging immediate removal from public networks and stronger authentication. The campaign, previously linked to suspected Iranian activity, exposes persistent weaknesses in operational technology across multiple critical sectors.
Written by Sara Donnelly

Gas stations across the country woke up to tampered displays. Fuel levels shown on monitors no longer matched reality. Alerts that should have flagged leaks stayed quiet. The incidents weren’t accidents. They were the work of intruders who found automatic tank gauge systems sitting on the public internet with little more than weak or missing passwords for protection.

Earlier this year reports surfaced of breaches at retail fueling sites in multiple states. CNN first detailed how suspected Iranian-linked actors had accessed these devices. The hackers changed what operators saw on screens. Yet they left actual tank volumes untouched. No immediate spills. No fires. Still the potential consequences loomed. A masked leak could go unnoticed for days. Environmental damage might follow. Safety systems could fail without warning.

Now federal agencies have responded with a blunt warning. On June 2, 2026, the Cybersecurity and Infrastructure Security Agency joined the FBI, NSA, Department of Energy, EPA, TSA, DOT and USDA to issue a joint fact sheet. “The recent malicious cyber activity observed by the authoring organizations… involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution,” the document states. (CISA)

The systems in question do more than track inventory. They monitor temperature, detect leaks and trigger alarms across energy, chemical, agriculture and transportation facilities. Convenience stores rely on them for daily operations. Airports use them for jet fuel. Farms depend on them for diesel storage. One compromise can ripple outward. Operators lose visibility. Decisions rest on bad data. And the door opens to physical harm.

Weak Defenses Meet Determined Attackers

Attackers didn’t need sophisticated zero-days in every case. Many ATG units were simply exposed. Default ports like 8001, 9001 or 10001 left open. No firewall rules. No VPN. Credentials set to factory defaults or absent entirely. Once inside, the intruders exploited known flaws. Authentication bypass let them reach management interfaces. Hardcoded credentials handed over access. OS command execution and SQL injection allowed code to run and databases to be rewritten. Privilege escalation delivered full control.

With that access came real power. Adversaries could alter network settings. Change product identifiers. Adjust displayed tank volumes or pump controls. They disabled alerts. Created “denial of view” conditions where operators saw nothing useful. In the worst scenarios these changes could lead to permanent equipment damage or undetected hazards. The CISA advisory spells it out plainly. Compromised systems let attackers interface “as though they possessed legitimate physical access to the system console.”

This activity didn’t appear in isolation. A September 2024 investigation by Bitsight uncovered 11 vulnerabilities across six ATG systems from five vendors. The flaws included command injection, hardcoded credentials, authentication bypass, SQL injection, privilege escalation and more. Researchers found 6,542 exposed devices without security codes in a single month. Many sat in the United States. Potential outcomes ranged from data theft to physical relay failures that could trigger leaks. (Bitsight)

Industry groups sounded alarms months earlier. The Pennsylvania Petroleum Association and Energy Marketers of America warned members in April 2026 after reports of attacks hitting convenience stores nationwide. One chain saw at least 15 tanks affected. Data vanished in some cases. No physical impacts were confirmed then. But the pattern was clear. (Pennsylvania Petroleum Association)

Recent coverage adds urgency. BleepingComputer reported on June 3 that the campaign builds directly on the spring incidents linked to Iran. While the new advisory stops short of formal attribution, it acknowledges the earlier probes. And it stresses that the risk persists. Hackers continue scanning for exposed units. Command execution remains the favored technique once inside.

But here’s the uncomfortable truth. Many of these devices didn’t need to be reachable from anywhere. Remote monitoring offers convenience. Yet that convenience came without segmentation or basic hardening. Service providers often managed the systems. Operators assumed someone else handled security. The result? Thousands of critical sensors broadcasting their presence to the world.

Impacts stretch beyond fuel. In agriculture compromised gauges could hide problems in liquid fertilizer tanks. Food processors might lose visibility into edible oil storage. Transportation hubs could face false readings on aviation fuel. Each sector faces its own version of the same problem. Loss of accurate data. Delayed response to failures. Heightened chance of accidents that proper monitoring should prevent.

Practical Steps Replace Complacency

Agencies offer straightforward fixes. Remove ATG systems from direct internet exposure. No serial ports or web interfaces facing the public. If remote access is required, lock it down tight. Firewalls. Access control lists. VPNs. Change every default password today. Deploy strong, unique credentials. Add phishing-resistant multifactor authentication where possible. Patch firmware and software through certified providers. Turn on logging. Review it regularly for signs of tampering: unexpected connections, altered alarms, modified thresholds.
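
The log review described above can be partly automated. The sketch below is an added example, not code from the advisory or the vendors: it flags accepted connections to the ATG ports named earlier from outside an allowed management network, then pairs them with alarm or threshold changes on the same gauge shortly afterward. The log formats, event names, addresses and the 30-minute window are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

ATG_PORTS = {8001, 9001, 10001}  # ports named in the article
# Assumption: the only network allowed to reach the gauges (e.g. a VPN pool).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Hypothetical event names standing in for whatever the gauge or its logger emits.
TAMPER_EVENTS = {"ALARM_DISABLED", "THRESHOLD_CHANGED", "VOLUME_OVERRIDE"}
WINDOW = timedelta(minutes=30)

# Constructed sample data; both line formats are hypothetical.
CONN_LOG = """\
2026-06-01T02:10:05 10.20.0.15 192.168.50.10 10001 ALLOW
2026-06-01T03:41:12 203.0.113.77 192.168.50.10 10001 ALLOW
2026-06-01T03:55:40 198.51.100.9 192.168.50.11 8001 DENY
"""
ATG_EVENTS = """\
2026-06-01T02:12:30 192.168.50.10 THRESHOLD_CHANGED
2026-06-01T03:44:02 192.168.50.10 ALARM_DISABLED
2026-06-01T09:00:00 192.168.50.11 DELIVERY_RECORDED
"""

def is_allowed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETS)

def unexpected_connections(conn_log):
    """Accepted connections to an ATG port from outside the allowed networks."""
    hits = []
    for line in conn_log.splitlines():
        ts, src, dst, dport, action = line.split()
        if int(dport) in ATG_PORTS and action == "ALLOW" and not is_allowed(src):
            hits.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return hits

def correlate(conn_log, atg_events):
    """Pair each tamper-type event with an unexpected connection shortly before it."""
    conns = unexpected_connections(conn_log)
    findings = []
    for line in atg_events.splitlines():
        ts, device, event = line.split()
        when = datetime.fromisoformat(ts)
        for c_ts, src, dst, dport in conns:
            recent = timedelta(0) <= when - c_ts <= WINDOW
            if event in TAMPER_EVENTS and dst == device and recent:
                findings.append((device, event, src, dport))
    return findings

if __name__ == "__main__":
    print(correlate(CONN_LOG, ATG_EVENTS))
```

On the sample data the threshold change at 02:12 follows an allowed management connection and is not flagged, while the alarm disabled at 03:44 follows an outside connection and is.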

The advisory points operators to existing guidance on operational technology defenses. It also references the Bitsight research that first cataloged many of these weaknesses. And it urges immediate reporting to CISA, the FBI’s IC3 or sector-specific contacts at EPA and DOE. (CISA)

Nick Andersen, acting director at CISA, reinforced the message. His agency works directly with partners to assess and respond to threats against critical infrastructure. Organizations should review the fact sheet and act. Support remains available for those facing incidents.

Experts have warned about these exposures for years. Bitsight’s 2024 findings echoed earlier research. Trade associations repeated the call in spring 2026. The June advisory from eight federal entities marks a coordinated escalation. It signals that probing has become persistent. That modification of systems is underway. And that the window for easy fixes is closing.

Operators who treat these gauges as simple inventory tools miss the point. They function as frontline sensors for safety and compliance. When attackers silence them or feed false readings, the entire chain of custody for hazardous liquids breaks. Fuel supply reliability suffers. Environmental rules get violated by accident. Public trust erodes.

The pattern fits larger concerns about operational technology. Legacy devices. Minimal built-in security. Assumptions that physical isolation equals protection. Those assumptions fail when modems or network links create pathways. The ATG campaign shows how quickly attackers move from discovery to disruption once access is granted.

So far no widespread physical damage has been tied to these breaches. That doesn’t mean none will occur. A single undetected leak at scale could change that assessment overnight. Or a coordinated campaign timed with other events could amplify effects. The authoring agencies clearly see enough activity to issue a multi-department alert.

Industry insiders face a choice. Accept the new fact sheet as another checklist. Or treat it as confirmation that fuel storage monitoring now sits squarely in the crosshairs of determined adversaries. The technical recommendations aren’t complex. Strong authentication. Network segmentation. Logging and patching. Consistent application across thousands of sites will prove harder.

Yet the alternative looks worse. Continued exposure invites more command execution. More altered readings. More silent alarms. The systems that should prevent disasters instead become the opening for them. Federal warnings have now made that risk impossible to ignore.
