The Broadside

CISA urges ATG operators to cut internet exposure

Eight federal agencies do not co-sign a notice about basic device hygiene unless the operational risk has moved beyond what a routine advisory carries.


TL;DR

CISA, FBI, NSA, DOE, EPA, TSA, DOT and USDA warned of malicious activity against U.S. automatic tank gauge systems, citing internet exposure, weak authentication, hardcoded credentials, OS command execution and SQL injection. Energy, chemical, food and agriculture, and transportation operators should remove ATGs from the public internet and lock down remote access. The government has not attributed the activity, which leaves the harder question open: reconnaissance, staged access, or preparation for physical disruption.

CISA’s alert is nominally about automatic tank gauge systems, but the operational point is broader: an exposed industrial device with weak authentication can become a physical-risk system without looking like one on an enterprise dashboard. ATGs monitor fuel and liquid levels, temperature and leak detection across energy, chemical, food and agriculture, and transportation environments. CISA and seven federal partners say threat actors are compromising internet-exposed ATGs and modifying them through command execution.

The mitigation is not complicated, which is part of the diagnosis. Owners and operators should remove ATG serial ports (reached over TCP) and web interfaces from direct internet exposure, including the default TCP ports 8001, 9001 and 10001, and, where remote access is genuinely necessary, restrict it with a firewall, access control list or VPN so that only known management sources can reach the device. They also need to enforce credential security, because the alert specifically calls out weak authentication, authentication bypass and hardcoded credentials as attack paths. The distinction matters: operators can change weak passwords, but an authentication bypass or a hardcoded credential is a defect in the device that a firewall can only hide, so remote access to an unpatched ATG should be treated as access to an unauthenticated device.
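One check a practitioner would want before Monday: confirm, from a vantage point outside the perimeter, that nothing answers on the three ports the alert names. The script below is an added example written for this page, not code from CISA, the alert or any ATG vendor. It assumes a list of hosts you are authorized to probe and treats a completed TCP handshake as the signal of interest; it speaks no ATG protocol and attempts no authentication. The self-check at the bottom constructs its own local listener so the logic can be exercised offline.

```python
"""Exposure check for the default ATG TCP ports named in the joint alert.

Added example, not code from CISA, the alert or any ATG vendor. It attempts a
TCP handshake to ports 8001, 9001 and 10001 on each host and reports which
complete. Run it from outside your perimeter (a cloud VM, a tethered laptop)
against hosts you own; an open port seen from there is the exposure the alert
tells operators to remove. Usage: one hostname or IP per line on stdin.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Default ports from the alert: ATG serial-over-TCP and web interfaces.
ATG_PORTS = (8001, 9001, 10001)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP three-way handshake to host:port completes within timeout.

    A completed handshake means a listener or a forwarding rule is there,
    whatever the device does with the connection afterwards.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, no route
        return False


def probe_host(host: str, ports=ATG_PORTS, timeout: float = 2.0) -> list[int]:
    """Sorted list of the given ports that accept a connection on host."""
    return sorted(p for p in ports if port_open(host, p, timeout))


def exposure_report(hosts, ports=ATG_PORTS, timeout: float = 2.0,
                    workers: int = 32) -> dict[str, list[int]]:
    """Probe hosts concurrently; map each host with any open ATG port to that list.

    Hosts with nothing open are omitted, so the output is the remediation list.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, probe_host(h, ports, timeout)), hosts)
    return {h: open_ports for h, open_ports in results if open_ports}


def local_self_check() -> tuple[list[int], list[int]]:
    """Constructed input for an offline run: one listening socket and one
    bound-but-not-listening socket on 127.0.0.1. Returns (expected, found);
    only the listening port should be reported as open."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    refused = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    refused.bind(("127.0.0.1", 0))  # bound, never listen(): connects are refused
    try:
        open_port = listener.getsockname()[1]
        closed_port = refused.getsockname()[1]
        found = probe_host("127.0.0.1", (open_port, closed_port), timeout=1.0)
        return [open_port], found
    finally:
        listener.close()
        refused.close()


if __name__ == "__main__":
    targets = [ln.strip() for ln in sys.stdin if ln.strip() and not ln.startswith("#")]
    for host, open_ports in sorted(exposure_report(targets).items()):
        print(f"{host}: ATG ports reachable {open_ports}")
```

A host that appears in the report is internet-reachable on an ATG port from wherever the script ran; that is the finding, independent of whether the device behind it has strong credentials. Re-run after the firewall or ACL change to confirm the ports no longer complete a handshake.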

The consequence is not merely bad telemetry. The agencies warn that a compromised ATG could let an actor alter network settings, product identifiers, tank volumes and pump controls, compound malfunctions that create a denial of view into fill levels, and disable alerts that operators rely on to detect leaks or relay failures. That is the familiar industrial-control problem in its least glamorous form: a small management interface becomes the place where safety, inventory and environmental monitoring all trust the same compromised box.

The government has not attributed the activity to a nation-state or named threat actor group. That matters less for Monday morning than the agency lineup. CISA, FBI, NSA, DOE, EPA, TSA, DOT and USDA are not all needed to tell operators that default credentials are bad. Their joint signature is the signal that exposed ATGs are being treated as a cross-sector critical-infrastructure entry point, not a niche fuel-station nuisance.


Deep Fathom