Introduction
The Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and Department of Energy (DOE), has issued a critical warning regarding active cyberattacks targeting Automatic Tank Gauge (ATG) systems. These internet-exposed devices, essential for monitoring fuel and liquid storage levels across critical infrastructure sectors, are currently being scanned and exploited by threat actors.
For defenders, this is not a theoretical risk. Active exploitation is underway. The consequences of compromised ATG systems range from operational disruption and fuel supply chain outages to potential physical safety hazards caused by inaccurate tank level readings. This advisory demands immediate action to identify, isolate, and secure these operational technology (OT) assets.
Technical Analysis
Affected Assets: The threat specifically targets internet-exposed ATG systems. These are typically serial-to-ethernet converters or dedicated tank gauge consoles (such as those commonly used in the fuel and energy sectors) that use TCP/IP to communicate tank status data. These devices often possess built-in web servers or Telnet interfaces for remote configuration.
Attack Vector: While the advisory does not cite a specific CVE for 2025 or 2026, the attack chain relies on the fundamental exposure of the management interface. Threat actors are scanning for open ports associated with ATG communication—most notably TCP 10001 (commonly used by Veeder-Root and similar protocols) and standard web management ports (TCP 80/443).
Exploitation Mechanics:
- Discovery: Attackers scan internet-facing IP blocks for devices listening on ATG-specific ports.
- Access: Upon identifying an exposed ATG, actors attempt to access the administrative interface. This often involves exploiting weak default credentials or unauthenticated access mechanisms enabled for remote maintenance.
- Impact: Once accessed, attackers can alter tank calibration settings, disable alarms, or disrupt communication, leading to service denial or potentially dangerous overfilling conditions.
Exploitation Status: Confirmed Active Exploitation. CISA has confirmed that these systems are being targeted in the wild. This is a live campaign against critical infrastructure.
Detection & Response
Detecting compromised ATG systems requires focusing on network traffic anomalies and unauthorized access attempts to OT segments. Since many ATG devices lack extensive host-based logging, network telemetry is your primary source of truth.
Sigma Rules
The following Sigma rules detect suspicious network interactions with ATG management interfaces and potential scanning activity.
---
title: Potential External Access to ATG Management Port
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects inbound network connections to common ATG management ports (e.g., TCP 10001) from external sources, which may indicate active probing or exploitation.
references:
- https://www.cisa.gov/news-events/alerts/2026/03/xx/cisa-warns-cyberattacks-targeting-fuel-tank-monitoring-systems
author: Security Arsenal
date: 2026/03/24
tags:
- attack.initial_access
- attack.t1190
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 10001
- 80
- 443
- 8080
Initiated: 'false'
filter_legit_internal:
SourceIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '127.0.0.0/8'
condition: selection and not filter_legit_internal
falsepositives:
- Legitimate remote administration by authorized staff (verify IP ranges)
- Misconfigured internal NAT reflecting traffic
level: high
---
title: Suspicious Process Accessing Serial Port Emulators
id: 9c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects unusual processes interacting with COM/Serial ports often used by ATG-to-Ethernet converters on management servers.
references:
- https://attack.mitre.org/techniques/T1055/
author: Security Arsenal
date: 2026/03/24
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'COM1'
- 'COM2'
- 'COM3'
- '\\.\COM'
filter_legit:
Image|contains:
- '\Program Files\'
- '\Windows\System32\'
- '\Program Files (x86)\'
condition: selection and not filter_legit
falsepositives:
- Legitimate configuration utilities for serial devices
level: medium
KQL (Microsoft Sentinel / Defender)
Use this KQL query to hunt for external connections hitting known ATG ports in your network logs or firewall data.
// Hunt for inbound connections to common ATG ports from external IPs
let ATGPorts = dynamic([10001, 80, 443, 2112, 8080]);
let PrivateIPs = datatable(IP:string) ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
DeviceNetworkEvents
| where Direction in ("Inbound", "Received")
| where DevicePort in (ATGPorts)
| extend IsPrivate = iff(ipv4_is_match(RemoteIP, '10.0.0.0/8') or ipv4_is_match(RemoteIP, '172.16.0.0/12') or ipv4_is_match(RemoteIP, '192.168.0.0/16'), true, false)
| where IsPrivate == false
| project Timestamp, DeviceName, RemoteIP, RemotePort, DevicePort, InitiatingProcessAccountName
| summarize count() by RemoteIP, DevicePort, bin(Timestamp, 1h)
| order by count_ desc
Velociraptor VQL
This VQL artifact hunts for active network connections on Linux-based gateways or jump servers that might be communicating with ATG devices on the management port.
-- Hunt for active connections to ATG management ports (10001) or Web interfaces
SELECT Fd.Address AS RemoteAddress, Fd.Port AS RemotePort,
Process.Pid, Process.Name, Process.Username, Process.CommmandLine
FROM listen_sockets()
LEFT JOIN Process ON Process.Pid = listen_sockets.Pid
WHERE Fd.Port IN (10001, 80, 443, 2112)
AND Fd.Family == "AF_INET"
Remediation Script (Bash)
This Bash script assists Linux administrators in auditing firewall rules to ensure ATG ports are not globally exposed.
#!/bin/bash
# Audit script to check for exposure of common ATG ports (10001, 80, 443)
# Recommended for Linux-based firewalls/gateways managing OT segments
ATG_PORTS=(10001 80 443 2112)
echo "Checking iptables rules for ATG port exposure..."
for port in "${ATG_PORTS[@]}"; do
# Check for rules accepting traffic from anywhere (0.0.0.0/0) to these ports
exposed=$(iptables -L INPUT -v -n | grep -E "dpt:$port" | grep -E "ACCEPT.*0.0.0.0/0")
if [ -n "$exposed" ]; then
echo "[ALERT] Port $port is potentially exposed to 0.0.0.0/0:"
echo "$exposed"
else
echo "[OK] No global accept rules found for port $port."
fi
done
echo ""
echo "Recommendation: Ensure ATG devices are behind a VPN or restricted to specific management IPs."
Remediation
Immediate remediation is required to prevent disruption. Follow these steps:
- Network Isolation (Immediate): Ensure all ATG systems are disconnected from the public internet. They should reside on an isolated OT network with strictly controlled access to the IT network via a Demilitarized Zone (DMZ) or jump server.
- Firewall Hardening: Block inbound access to ATG management ports (TCP 10001, 80, 443, 2112) from the internet at the network perimeter. Allow access only from specific, internal management subnets or VPN endpoints.
- Disable Unused Services: If ATG devices support web or Telnet interfaces that are not required for daily operations, disable them. If required, ensure they are not reachable from the internet.
- Credential Hygiene: Change default passwords on all ATG systems immediately. Enforce strong, unique credentials for administrative access.
- Vendor Updates: Contact your ATG vendor to check for the latest firmware patches that address security vulnerabilities and harden remote access features.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.