
900+ US Gas Station ATG Systems Exposed: Operational Detection and Hardening Guide

Security Arsenal Team
June 6, 2026

Introduction

Security Arsenal is tracking a critical exposure affecting over 900 Automatic Tank Gauge (ATG) systems across the United States. These systems, essential for monitoring fuel levels and preventing environmental hazards at gas stations and critical infrastructure facilities, are currently accessible via the public internet without adequate authentication controls.

This is not a theoretical risk. Exposed OT assets like ATGs give attackers a vector to manipulate fuel inventory data, disable alarm systems, or cause physical damage to storage tanks. Defenders must treat this with the same urgency as an active ransomware campaign. The exposure is primarily due to misconfigured cellular gateways and firewalls that leave serial-to-Ethernet converters facing the public internet.

Technical Analysis

Affected Assets: Automatic Tank Gauge (ATG) systems (commonly from vendors such as Veeder-Root, Franklin Fueling, or Tokheim) connected via serial-to-Ethernet gateways or cellular modems.

The Vulnerability: The core issue is a lack of network segmentation and authentication. These devices speak proprietary protocols over TCP (commonly port 10001 for TLS-350 series, port 80/8080 for web management interfaces, and port 23 for Telnet). Many legacy ATG systems were designed for serial/dial-up connectivity and lack built-in security controls when translated to TCP/IP. When exposed online, attackers can query tank levels, reset alarms, or—in some cases—issue shutdown commands.

Attack Vector: Attackers are scanning for open TCP ports associated with ATG management (specifically TCP 10001, 8022, and 23).

  • Reconnaissance: Scanners identify devices via banners on open ports.
  • Exploitation: Attackers connect to the open port using standard terminal software or custom scripts. No CVE is required for this "access" as it relies on default configurations and lack of firewalls rather than a software buffer overflow.
  • Impact: Manipulation of fuel tank calibration data, disabling leak detection, and potential disruption of fuel delivery operations.

Exploitation Status: Confirmed Active Exposure. While a specific 2025/2026 CVE is not the root cause (this is a configuration exposure), these devices are currently indexed by search engines and are being probed by automated scanners.

Detection & Response

Detecting exposed ATG systems requires visibility into network traffic patterns that should never traverse the internet. Standard IT traffic does not involve connections to TCP port 10001 or legacy Telnet ports from external IP ranges.

Sigma Rules

---
title: Potential External Access to ATG System Port 10001
id: 8a1b2c3d-4e5f-6789-0abc-1def2a3b4c5d
status: experimental
description: Detects inbound network connections to TCP port 10001, commonly used by Veeder-Root and other ATG systems, originating from external IPs.
references:
  - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 10001
    Initiated: 'false'
  filter:
    # CIDR blocks rather than string prefixes, so the whole 172.16.0.0/12 is exempt
    SourceIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection and not filter
falsepositives:
  - Authorized remote management from known corporate ranges (tune SourceIp filter accordingly)
level: high
---
title: Inbound Telnet Connections to Non-Standard Infrastructure Ports
id: 9b2c3d4e-5f6a-7890-1bcd-2ef3a4b5c6d7
status: experimental
description: Detects inbound connections to Telnet (Port 23) or port 8022, often used for maintenance on exposed OT gateways.
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 23
      - 8022
    Initiated: 'false'
  condition: selection
falsepositives:
  - Legacy equipment administration (verify source IP)
level: medium
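The logic of the two Sigma rules above, carried through as an added Python example (not code from the original advisory) over constructed Sysmon Event ID 3 style records: it flags inbound connections to the ATG ports from non-private sources, and it checks the internal exemptions as CIDR blocks so the whole 172.16.0.0/12 is covered, which a '172.16.' string prefix would not. Field names follow Sysmon network_connection events; the sample records are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports the advisory associates with exposed ATG gateways:
# TLS-350 on 10001, Telnet on 23, gateway maintenance on 8022, web management on 80/8080.
ATG_PORTS = {10001, 23, 8022, 80, 8080}

# Internal ranges exempted as CIDR blocks, covering 172.16.0.0 through 172.31.255.255.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Alert:
    timestamp: str
    source_ip: str
    dest_port: int
    level: str

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def evaluate(event: dict) -> Optional[Alert]:
    """Mirror the Sigma rules: an inbound (Initiated == false) connection to an ATG
    port from a non-private SourceIp. Port 10001 is rated high, the others medium."""
    if event.get("Initiated", "true").lower() != "false":
        return None
    port = int(event["DestinationPort"])
    if port not in ATG_PORTS or is_trusted(event["SourceIp"]):
        return None
    return Alert(event["UtcTime"], event["SourceIp"], port,
                 "high" if port == 10001 else "medium")

def hunt(events):
    return [a for a in (evaluate(e) for e in events) if a is not None]

# Constructed Sysmon Event ID 3 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-06-06 01:02:03", "Initiated": "false", "SourceIp": "203.0.113.25", "DestinationPort": "10001"},
    {"UtcTime": "2026-06-06 01:02:04", "Initiated": "false", "SourceIp": "172.20.4.9",   "DestinationPort": "10001"},
    {"UtcTime": "2026-06-06 01:02:05", "Initiated": "true",  "SourceIp": "10.1.1.5",     "DestinationPort": "10001"},
    {"UtcTime": "2026-06-06 01:02:06", "Initiated": "false", "SourceIp": "198.51.100.7", "DestinationPort": "23"},
    {"UtcTime": "2026-06-06 01:02:07", "Initiated": "false", "SourceIp": "198.51.100.7", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.level.upper():6} {a.source_ip} -> tcp/{a.dest_port}")
```

The second sample record (172.20.4.9) is exempted by the CIDR check but would have alerted under a '172.16.' prefix filter.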

KQL (Microsoft Sentinel / Defender)

// Hunt for accepted inbound connections to ATG-specific ports from non-private sources.
// For inbound events the service port is LocalPort; RemotePort is the client's ephemeral port.
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (10001, 23, 8022, 8080)
| where not(ipv4_is_private(RemoteIP))
| where not(ipv4_is_in_range(RemoteIP, "127.0.0.0/8"))
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

-- Hunt for terminal clients commonly used to reach ATG management ports
-- (=~ is a case-insensitive regex match in VQL)
SELECT Pid, Name, CommandLine, Exe
FROM pslist()
WHERE Name =~ 'telnet\.exe'
   OR Name =~ 'putty\.exe'
   OR Name =~ 'plink\.exe'

-- Supplement with a listener check via the netstat() plugin (if artifact collection allows)
-- SELECT Pid, Name, Laddr.IP, Laddr.Port, Status FROM netstat()
-- WHERE Status =~ 'LISTEN' AND Laddr.Port IN (23, 10001, 8022)

Remediation Script (PowerShell)

This script checks for local listening ports associated with ATG gateways on Windows jump servers.

# Audit local listening ports for ATG protocols
Write-Host "Checking for listening ports associated with ATG exposure..."

# TLS-350 (10001), Telnet (23), gateway maintenance (8022), web management (8080)
$atgPorts = @(10001, 23, 8022, 8080)
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue

foreach ($port in $atgPorts) {
    # A port can have several listeners (e.g. one IPv4 and one IPv6 socket), so collect all of them
    $found = @($listeners | Where-Object { $_.LocalPort -eq $port })
    if ($found.Count -gt 0) {
        Write-Host "[WARNING] Port $port is listening." -ForegroundColor Red
        foreach ($conn in $found) {
            $owningProcess = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "  Process: $($owningProcess.ProcessName) (PID: $($conn.OwningProcess)) bound to $($conn.LocalAddress)"
        }
        Write-Host "  Action: Verify this process requires public internet access. If not, block inbound traffic via firewall."
    } else {
        Write-Host "[OK] Port $port is not listening." -ForegroundColor Green
    }
}

Remediation

Immediate action is required to secure these operational technology (OT) assets.

  1. Network Isolation: Ensure ATG systems and their serial-to-Ethernet gateways are placed behind a firewall and NOT connected directly to the public internet.
  2. Block Inbound Traffic: Configure firewalls to block all inbound traffic to TCP ports 10001, 23, 80, and 8022 from untrusted networks.
  3. Implement VPNs: If remote monitoring is required, mandate the use of a VPN (IPsec or SSL) with Multi-Factor Authentication (MFA) rather than port forwarding.
  4. Change Default Credentials: If the ATG gateway or web interface uses a password, ensure it is changed from the factory default (e.g., admin/admin, veeder/veeder).
  5. Disable Unused Services: If Telnet is not required for operations, disable it on the gateway device. Use SSH v2 if shell access is needed.
