The Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, DOE, EPA, TSA, DOT, and USDA, has issued a urgent joint advisory regarding active malicious cyber activity targeting United States-based Automatic Tank Gauge (ATG) systems.
ATG systems are operational technology (OT) staples responsible for the automated monitoring of storage tank parameters—critical for managing fuel levels, temperature, and volume in the Energy, Chemical, Food and Agriculture, and Transportation Systems Sectors. The consequences of compromised ATG systems extend beyond data theft; they pose significant risks to physical safety, environmental compliance, and supply chain continuity. Defenders in these sectors must treat this advisory with the highest urgency, assuming that active scanning and exploitation attempts are already underway against exposed infrastructure.
Technical Analysis
The Target: Automatic Tank Gauges
ATG systems typically consist of a probe inside the tank and a console that communicates with a supervisory system. In modern environments, these consoles are frequently connected to serial-to-Ethernet converters or have built-in network interfaces to facilitate remote monitoring.
Attack Vector and Mechanics
While the advisory does not disclose a specific CVE, the attack vector focuses on the exposure of ATG management interfaces and communication protocols to the public internet.
-
Exposure: Many ATG systems utilize serial communication (e.g., RS-485) encapsulated over TCP/IP. A common industry standard involves the use of TCP Port 10001 or proprietary vendor ports for remote access. When these devices are internet-facing, they are vulnerable to unauthorized access, brute-forcing of credentials, and protocol manipulation.
-
Lack of Authentication: Certain legacy ATG implementations or remote terminal units (RTUs) may operate with minimal or default authentication, relying on "security by obscurity." Attackers can exploit this to read sensitive tank data or, in some cases, send malicious commands affecting gauge calibration or shutdown triggers.
-
Exploitation Status: CISA reports that "malicious cyber activity" is currently targeting these systems. This implies active exploitation of misconfigurations rather than a zero-day software flaw. The threat actors are likely scanning for open ports associated with tank gauges and utilizing default or weak credentials to gain access.
Detection & Response
Detecting attacks on ATG systems requires visibility into the OT network perimeter. Because these protocols are often proprietary or simple TCP encapsulations, standard intrusion detection systems (IDS) may miss the nuances of the attack without specific rules targeting the port usage and access patterns.
SIGMA Rules
---
title: Potential Internet-Facing ATG System Access
id: 8a1c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects inbound network connections to commonly used ATG communication ports (e.g., TCP 10001) from external, non-local IP addresses.
references:
- https://www.cisa.gov/resources-tools/resources/cisa-and-partners-urge-hardening-automatic-tank-gauge-systems
author: Security Arsenal
date: 2026/04/08
tags:
- attack.initial_access
- attack.t1190
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort|startswith: '10001'
SourceIp|contains:
- 'External'
condition: selection
falsepositives:
- Legitimate remote vendor maintenance (should be via VPN)
level: high
---
title: Suspicious Process Accessing Serial Port Emulation
id: 9b2d3e4f-5a6b-7c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects unusual processes spawning to access COM ports or serial-to-ethernet utilities often used to interface with ATG hardware.
references:
- https://www.cisa.gov/resources-tools/resources/cisa-and-partners-urge-hardening-automatic-tank-gauge-systems
author: Security Arsenal
date: 2026/04/08
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'COM1'
- 'COM2'
- 'serial'
- 'putty'
- 'plink'
filter:
Image|contains:
- '\Program Files\'
- '\Windows\System32\'
condition: selection and not filter
falsepositives:
- Authorized technician using terminal software for maintenance
level: medium
KQL (Microsoft Sentinel / Defender)
Use this query to hunt for traffic destined to common ATG ports originating from outside the trusted corporate OT network.
let ATGPorts = dynamic([10001, 2101, 5502, 5503, 8022]); // Common ATG/Modbus/Proprietary ports
DeviceNetworkEvents
| where RemotePort in ATGPorts
| where InitiatingProcessFileName !in ("svchost.exe", "lsass.exe", "system")
| where ActionType == "InboundConnectionAccepted"
| summarize Count = count(), Timestamp = max(Timestamp) by DeviceName, RemoteIP, RemotePort, LocalIP
| extend Severity = iff(Count > 10, "High", "Medium")
Velociraptor VQL
This VQL artifact hunts for processes on Windows-based jump servers or HMIs that are listening on the high-risk ports typically associated with ATG serial tunneling.
SELECT Pid, Name, CommandLine, Exe, Username, ListeningPorts
FROM listen_procs()
WHERE ListeningPorts =~ '10001'
OR Name =~ 'ser2net'
OR Name =~ 'ttyd'
Remediation Script (PowerShell)
Run this script on Windows-based firewall gateways or HMI workstations to audit and block inbound traffic on ATG ports from external interfaces.
# Define ATG related ports to block
$ATGPorts = @(10001, 2101, 5502) # Add specific vendor ports as needed
# Get active network interfaces to identify Public-facing adapters
$publicAdapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'Virtual|Hyper-V' }
foreach ($adapter in $publicAdapters) {
$adapterIndex = $adapter.ifIndex
Write-Host "Checking firewall rules on adapter: $($adapter.Name) (Index: $adapterIndex)"
foreach ($port in $ATGPorts) {
# Check if a block rule exists
$existingRule = Get-NetFirewallRule -DisplayName "*Block ATG Port $port*" -ErrorAction SilentlyContinue
if (-not $existingRule) {
Write-Host "Creating Block Rule for TCP Port $port..." -ForegroundColor Yellow
New-NetFirewallRule -DisplayName "Block ATG Port $port" `
-Direction Inbound `
-InterfaceAlias $adapter.Name `
-Protocol TCP `
-LocalPort $port `
-Action Block `
-Profile Any `
-Enabled True
}
else {
Write-Host "Rule for Port $port already exists." -ForegroundColor Green
}
}
}
Remediation
Defensive action is required immediately to secure ATG infrastructure against the active threats identified by CISA and partners.
-
Isolate from the Public Internet: Ensure ATG systems and their communication channels (serial-to-ethernet converters, RTUs) are not directly accessible from the internet. If remote access is required, it must be strictly enforced through a Zero Trust Network Access (ZTNA) solution or an enterprise-grade VPN with Multi-Factor Authentication (MFA).
-
Network Segmentation: Place ATG systems behind firewalls that separate the OT network from the IT network. Limit inbound and outbound traffic to only necessary protocols and known IP addresses (whitelisting).
-
Change Default Credentials: Audit all ATG consoles, gateway devices, and associated web interfaces. Replace default usernames and passwords with strong, unique credentials. Disable any unused built-in accounts.
-
Disable Unused Services: If the ATG system supports web servers, FTP, or Telnet management interfaces that are not in use, disable them immediately. Prefer SSH over Telnet and HTTPS over HTTP if remote management is unavoidable within the local network.
-
Update Firmware: Contact the ATG vendor to ensure the latest firmware is applied, particularly patches that address authentication bypasses or protocol vulnerabilities.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.