
Exposed Fuel Tank Gauges Under Attack: Detection and Protection Guide for US Gas Stations

Security Arsenal Team
June 6, 2026

Recent cybersecurity incidents have revealed a concerning trend: internet-exposed fuel tank gauges across US gas stations are being actively targeted by threat actors. These devices, often connected directly to the internet without proper security controls, provide attackers with a pathway to breach critical fuel infrastructure, potentially causing operational disruption at gas stations nationwide. Defenders must urgently assess their exposure and implement protective measures to secure these vulnerable devices.

Technical Analysis

The threat involves internet-exposed automatic tank gauge (ATG) systems commonly used at fuel stations to monitor fuel levels, temperatures, and other operational parameters. These devices often communicate over serial or proprietary protocols and are typically connected to management systems.

Key vulnerability factors:

  • Default or weak authentication credentials
  • Direct internet exposure without firewalls
  • Unencrypted communications
  • Lack of network segmentation between OT and IT networks
  • Outdated firmware with unpatched vulnerabilities
  • No intrusion detection or monitoring for OT protocols

Attack vector: Threat actors scan for exposed tank gauges using internet scanning tools, identify vulnerable devices, and then attempt default credentials or exploit known vulnerabilities to gain unauthorized access. Once inside the network, they may manipulate fuel readings, disrupt operations, or move laterally to compromise other systems.

Detection & Response

YAML
---
title: Potential Internet-Exposed Tank Gauge Connection
id: 1f8d3c9a-7e4b-5a6d-8b2c-9f3e4d5a6b7c
status: experimental
description: Detects potential connections to known tank gauge management interfaces or ports from external sources
references:
  - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
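  # Connections to ports commonly used by tank gauge interfaces
  selection_port:
    DestinationPort:
      - 10001
      - 10002
      - 20000
      - 2101
      - 8000
      - 9000
  # RFC 1918 sources are excluded so that only external sources match
  filter_private_source:
    SourceIp|startswith:
      - '10.'
      - '192.168.'
      - '172.16.'
      - '172.17.'
      - '172.18.'
      - '172.19.'
      - '172.20.'
      - '172.21.'
      - '172.22.'
      - '172.23.'
      - '172.24.'
      - '172.25.'
      - '172.26.'
      - '172.27.'
      - '172.28.'
      - '172.29.'
      - '172.30.'
      - '172.31.'
  condition: selection_port and not filter_private_source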
falsepositives:
  - Authorized remote management connections
level: medium
---
title: Tank Gauge Management Interface Access
id: 2e9f4a8d-8b5c-6a7e-9c3d-0a4f5b6c7d8e
status: experimental
description: Detects potential access to tank gauge management web interfaces or APIs
references:
  - https://attack.mitre.org/techniques/T1078/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1078
logsource:
  category: webserver
  product: windows
detection:
  selection:
    c-uri|contains:
      - '/tank'
      - '/gauge'
      - '/fuel'
      - '/atg'
      - '/veeder'
      - '/tokheim'
      - '/gilbarco'
    cs-method:
      - GET
      - POST
  condition: selection
falsepositives:
  - Authorized administrative access
  - Legitimate monitoring tools
level: low
---
title: Unusual Serial-to-Ethernet Gateway Access
id: 3c0g5h9i-9j6k-7b8f-0d4e-1b5f6c7d8e9f
status: experimental
description: Detects unusual access patterns to serial-to-ethernet gateways potentially used for tank gauges
references:
  - https://attack.mitre.org/techniques/T0865/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t0865
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort:
      - 23
      - 2323
      - 9000
      - 9500
      - 9600
    Initiated: 'true'
  timeframe: 24h
  condition: selection | count() > 10
falsepositives:
  - Authorized serial device management
level: high
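
The logic of the first and third Sigma rules above (external source to a gauge port; more than 10 serial-gateway connections in 24 hours), run over constructed events as an added Python example that is not part of the original rules. Grouping the threshold by source IP and the sample addresses are assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Port lists copied from the rules on this page.
GAUGE_PORTS = {10001, 10002, 20000, 2101, 8000, 9000}
SERIAL_GW_PORTS = {23, 2323, 9000, 9500, 9600}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """CIDR membership test; equivalent to the rule's 18 string prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def external_gauge_hits(events):
    """Connections to a gauge port whose source is not an RFC 1918 address."""
    return [e for e in events
            if e[2] in GAUGE_PORTS and not is_rfc1918(e[1])]

def serial_gateway_bursts(events, threshold=10, window=timedelta(hours=24)):
    """Sources with more than `threshold` serial-gateway connections in `window`."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        if port in SERIAL_GW_PORTS:
            by_src[src].append(ts)
    flagged = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                flagged.append(src)
                break
    return sorted(flagged)

# Constructed sample events: (timestamp, source IP, destination port).
T0 = datetime(2026, 6, 1)
SAMPLE = [
    (T0, "203.0.113.7", 10001),    # external source, gauge port
    (T0, "192.168.1.20", 10001),   # internal management host
    (T0, "172.32.0.9", 8000),      # just outside 172.16.0.0/12
    (T0, "198.51.100.4", 443),     # not a gauge port
]
SAMPLE += [(T0 + timedelta(minutes=i), "203.0.113.7", 23) for i in range(12)]
SAMPLE += [(T0 + timedelta(hours=30 * i), "10.0.0.5", 23) for i in range(12)]

if __name__ == "__main__":
    print(external_gauge_hits(SAMPLE))
    print(serial_gateway_bursts(SAMPLE))
```
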
KQL — Microsoft Sentinel / Defender
// Hunt for potential external connections to tank gauge management interfaces
let TimeRange = ago(7d);
let TankGaugePorts = dynamic([10001, 10002, 20000, 2101, 8000, 9000]);
let SerialGatewayPorts = dynamic([23, 2323, 9000, 9500, 9600]);
// External connections to tank gauge ports
// ipv4_is_private() covers 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16;
// rows whose RemoteIP is not a valid IPv4 address are dropped by this filter
DeviceNetworkEvents
| where Timestamp > TimeRange
| where RemotePort in (TankGaugePorts)
| where not(ipv4_is_private(RemoteIP))
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl
| summarize Count=count(), EarliestTime=min(Timestamp), LatestTime=max(Timestamp) by DeviceName, RemoteIP, RemotePort
| order by Count desc
// Web access to tank gauge management interfaces
| union (
    Syslog
    | where TimeGenerated > TimeRange
    | where FacilityName contains "web" or ProcessName contains "nginx" or ProcessName contains "apache"
    | parse SyslogMessage with * "GET" RequestURI "HTTP/" * 
    | where RequestURI has_any ("/tank", "/gauge", "/fuel", "/atg", "/veeder", "/tokheim", "/gilbarco")
    | project TimeGenerated, HostName, ProcessName, SyslogMessage
)
// Unusual serial gateway access patterns
| union (
    DeviceNetworkEvents
    | where Timestamp > TimeRange
    | where RemotePort in (SerialGatewayPorts)
    | summarize Count=count() by DeviceName, RemotePort, bin(Timestamp, 1h)
    | where Count > 10
    | project DeviceName, RemotePort, Count, Timestamp
)
VQL — Velociraptor
-- Hunt for processes associated with tank gauge management software or unusual network connections
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "serial"
   OR Name =~ "com"
   OR Name =~ "port"
   OR Exe =~ "veeder"
   OR Exe =~ "tokheim"
   OR Exe =~ "gilbarco"
   OR Exe =~ "atg"
   OR Exe =~ "gauge"
   OR CommandLine =~ "tank"
   OR CommandLine =~ "fuel"
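
-- Hunt for network connections to known tank gauge ports
-- (separate query; netstat() exposes the remote endpoint as Raddr.IP / Raddr.Port)
SELECT Pid, Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort,
       Status AS State, FamilyString AS Family, TypeString AS Protocol
FROM netstat()
WHERE Raddr.Port IN (10001, 10002, 20000, 2101, 8000, 9000, 23, 2323, 9500, 9600)
   AND Status != "ESTABLISHED"
   AND Raddr.IP != "127.0.0.1"
   -- Anchored regexes so that only RFC 1918 addresses are excluded
   AND NOT Raddr.IP =~ "^192\\.168\\."
   AND NOT Raddr.IP =~ "^10\\."
   AND NOT Raddr.IP =~ "^172\\.(1[6-9]|2[0-9]|3[01])\\."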

-- Hunt for configuration files associated with tank gauge management
-- (separate query)
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="*/config/*.ini")
WHERE FullPath =~ "veeder"
   OR FullPath =~ "tokheim"
   OR FullPath =~ "gilbarco"
   OR FullPath =~ "atg"
   OR FullPath =~ "gauge"
   OR FullPath =~ "tank"
   OR FullPath =~ "fuel"
PowerShell
# Tank Gauge Exposure Remediation Script
# This script checks for common exposure issues and implements protective measures

# Check for internet-exposed tank gauge management interfaces
Write-Host "Checking for potential internet-exposed tank gauge interfaces..."

# Define common tank gauge management ports
$tankGaugePorts = @(10001, 10002, 20000, 2101, 8000, 9000)

# Check for listening ports on tank gauge interfaces
$listeningPorts = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | 
                  Where-Object { $tankGaugePorts -contains $_.LocalPort }

if ($listeningPorts) {
    Write-Host "WARNING: Found listening ports potentially associated with tank gauges:"
    $listeningPorts | Format-Table LocalAddress, LocalPort, OwningProcess
    Write-Host "Recommendation: Restrict access to these ports via firewall or VPN"
} else {
    Write-Host "No listening tank gauge ports detected on this host"
}

# Check for common tank gauge management software/processes
$processesToCheck = @("veeder", "tokheim", "gilbarco", "atg", "tank", "gauge")
# Build one alternation pattern and match it against each process name and path
$processPattern = $processesToCheck -join '|'
$runningProcesses = Get-Process -ErrorAction SilentlyContinue | 
                   Where-Object { $_.ProcessName -match $processPattern -or $_.Path -match $processPattern }

if ($runningProcesses) {
    Write-Host "Found tank gauge management related processes:"
    $runningProcesses | Format-Table ProcessName, Path, Id
    Write-Host "Recommendation: Verify these applications are updated and properly configured"
}

# Check firewall rules for tank gauge ports
$firewallRules = Get-NetFirewallRule -ErrorAction SilentlyContinue | 
                 Where-Object { $_.Enabled -eq "True" -and $_.Action -eq "Allow" }

foreach ($port in $tankGaugePorts) {
    $rulesWithPort = $firewallRules | 
                    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue | 
                    Where-Object { $_.LocalPort -eq $port }
    
    if ($rulesWithPort) {
        Write-Host "WARNING: Found firewall rules allowing traffic on port $port:"
        $rulesWithPort | Get-NetFirewallRule | Format-Table DisplayName, Direction, Profile
        Write-Host "Recommendation: Restrict these rules to specific IP addresses or profiles"
    }
}

# Check for default credentials in configuration files (example check)
$configPaths = @("C:\Program Files", "C:\Program Files (x86)")
$configFiles = @("config.ini", "settings.conf", "connection.xml")

foreach ($path in $configPaths) {
    foreach ($file in $configFiles) {
        $foundFiles = Get-ChildItem -Path $path -Filter $file -Recurse -ErrorAction SilentlyContinue -Depth 3
        foreach ($foundFile in $foundFiles) {
            $content = Get-Content $foundFile.FullName -Raw -ErrorAction SilentlyContinue
            if ($content -match "(password|pwd|passwd).*=.*(admin|password|1234|default)") {
                Write-Host "WARNING: Possible default credentials found in $($foundFile.FullName)"
            }
        }
    }
}

# Provide recommendations
Write-Host "`nRemediation Recommendations:"
Write-Host "1. Immediately move tank gauge management interfaces behind VPN or firewall"
Write-Host "2. Implement strong authentication (multi-factor if possible)"
Write-Host "3. Update all tank gauge management software to latest firmware"
Write-Host "4. Segment OT networks from IT networks with proper access controls"
Write-Host "5. Implement logging and monitoring for tank gauge systems"
Write-Host "6. Review and restrict firewall rules to minimum necessary access"
Write-Host "7. Change all default credentials on tank gauge devices"
Write-Host "8. Regularly scan for and remediate exposed devices"

# Create a firewall block rule recommendation (not implemented, just recommended)
Write-Host "`nExample firewall rule to restrict tank gauge ports:"
Write-Host "New-NetFirewallRule -DisplayName 'Restrict Tank Gauge Ports' -Direction Inbound -LocalPort 10001,10002,20000 -Protocol TCP -Action Block -Profile Any"
Write-Host "Followed by specific allow rules for management IPs only"

Remediation

  1. Immediate Actions:

    • Conduct an immediate inventory of all internet-exposed tank gauge systems
    • Move all tank gauge management interfaces behind VPNs or strict firewall rules
    • Change all default credentials to strong, unique passwords
    • Disable remote management access if not required for business operations
  2. Network Segmentation:

    • Implement proper network segmentation between IT and OT networks
    • Use industrial DMZs for any necessary external connectivity
    • Implement jump servers with MFA for remote access to tank gauge systems
  3. Access Controls:

    • Enforce the principle of least privilege for all access
    • Implement multi-factor authentication where possible
    • Restrict access to specific IP addresses for management interfaces
    • Use separate accounts for management vs. monitoring purposes
  4. System Hardening:

    • Update all tank gauge management software and firmware to latest versions
    • Disable unused services and ports on tank gauge systems
    • Implement encrypted communications protocols
    • Regularly review and update firewall rules
  5. Monitoring and Detection:

    • Implement logging and monitoring for all tank gauge systems
    • Set up alerts for unusual access patterns or configuration changes
    • Deploy intrusion detection systems capable of monitoring industrial protocols
    • Regularly review logs for signs of unauthorized access attempts
  6. Vendor Coordination:

    • Contact tank gauge vendors for security best practices
    • Subscribe to vendor security advisories
    • Implement any vendor-provided security updates promptly
  7. Incident Response:

    • Develop specific incident response procedures for tank gauge compromises
    • Test response procedures through tabletop exercises
    • Ensure backup procedures are in place for configuration data
  8. Long-term Security:

    • Implement a continuous vulnerability management program for OT systems
    • Consider implementing zero-trust principles for tank gauge access
    • Regularly conduct security assessments of tank gauge infrastructure
    • Provide security awareness training for personnel who manage these systems
