Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks.
ATG systems are electronic monitoring devices used to remotely track fuel, chemicals, or other liquids in storage tanks, automating inventory control, environmental leak detection, and regulatory compliance. While they’re commonly used at gas stations to monitor fuel tank levels, they can also be found in industrial settings to track chemical storage tanks.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, the Department of Energy, and other U.S. government partners issued a joint advisory warning critical infrastructure organizations to secure internet-exposed ATG systems against ongoing attacks.
The federal agencies warned that threat actors target such devices to alter system settings in command execution attacks after exploiting various security flaws, including hardcoded credentials, authentication bypasses, SQL injection vulnerabilities, OS command execution flaws, and privilege escalation weaknesses.
“The recent malicious cyber activity observed by the authoring organizations—which the U.S. government has not yet attributed to a nation-state or threat actor group—involves cyber threat actors compromising internet-exposed ATG systems and subsequently modifying them through command execution,” the joint advisory warned.
As CISA cautioned, following successful compromises, the attackers could disable system alerts, increasing the risk of leaks or equipment failures and even causing permanent damage to the targeted tank systems.
In light of CISA’s advisory, Internet security watchdog Shadowserver warned today that over 1,000 ATG systems were exposed online, with the vast majority (909 devices) in the United States.
”We added scanning of Automatic Tank Gauge (ATG) systems to our Accessible ICS reporting with 1061 IPs seen on 2026-06-05 (on port 10001/tcp),” Shadowserver said. “This is after weeding out vast majority which appear to be honeypots (including ports 8001/9001).”
Critical infrastructure organizations are advised to restrict remote access to ATG systems from the Internet as soon as possible and implement controlled access through firewalls, VPNs, or access control lists.
They should also replace default passwords on vulnerable devices with strong credentials, apply security updates, monitor systems for unauthorized changes, and implement multi-factor authentication where possible.
CISA’s warning comes after a May CNN report that Iranian hackers had breached ATG systems connected to the Internet at multiple gas stations across the United States. Iranian hacking groups were linked to these incidents based on their previous history of targeting fuel management systems and other industrial control technologies.
After hacking the devices with weak or nonexistent passwords, the attackers reportedly manipulated the display readings but did not alter the actual fuel levels. Although these incidents didn’t cause any physical damage, they raise concerns that such attacks could hinder automated fuel leak detection and similar safety-related functions.
In April, another joint advisory issued by U.S. federal agencies linked Iranian state-backed hackers to attacks targeting Rockwell Automation/Allen-Bradley PLC devices since March 2026, causing financial losses and operational disruptions.
Cybersecurity firm Censys reported one day later that 74.6% (3,891 hosts) of such industrial control systems found exposed online globally were from the United States.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
