WHAT AN ATG ACTUALLY IS
An Automatic Tank Gauge is a probe inside an underground fuel tank that measures level, temperature, and water intrusion. It exists for environmental compliance — the EPA mandates leak detection on every US underground storage tank — not for cybersecurity. The device was designed to dial a pager when a tank leaked, not to defend against nation-state actors.
WHY THEY'RE ON THE INTERNET
Station owners wanted remote readings without paying for a VPN or a cellular gateway. The cheapest path was plugging the gauge's serial port into a $40 serial-to-Ethernet adapter and forwarding TCP port 10001 through the station's router. Tens of thousands of US stations did exactly this — and Shodan has been indexing them since 2014.
DISPLAY VS RESERVOIR
Officials emphasized attackers could change the readout, not the fuel itself — and that distinction is the whole story. The gauge is a sensor with a screen, not a valve. There is no command in the TLS-350 spec that opens a tank, starts a pump, or changes a dispenser price. The worst direct outcome is a false low-fuel alarm or a missed leak.
WHY IRAN PROBES SOFT TARGETS
Iran's offensive cyber doctrine since the 2010 Stuxnet attack on Natanz has favored asymmetric, low-cost intrusions against soft civilian infrastructure — water utilities, hospitals, gas stations — rather than hardened military networks. The 2023 CyberAv3ngers campaign against Unitronics PLCs at US water plants followed the same template: find devices with default credentials, deface or disrupt, claim credit through a Telegram channel.
THE DWELL-TIME ASYMMETRY
Defenders measure intrusions by dwell time — days between compromise and detection. Critical-infrastructure intrusions by state actors routinely run hundreds of days because the operators stay still and exfiltrate quietly. A gauge-defacement campaign is the opposite posture: noisy, attributable, designed to be noticed. That choice tells you the goal is signaling, not preparation.
THE PATCH THAT NEVER LANDED
CISA issued ICS advisories on exposed ATGs in 2015, 2018, 2020, and 2024. The fix is trivial — set a password, close port 10001, or put the gauge behind a VPN — but the install base is fragmented across ~150,000 US stations owned by tens of thousands of small operators with no IT staff. Mandates have never followed the advisories because no federal agency has clear jurisdiction over retail fuel cybersecurity.
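An added example, not part of the original article: a Python audit of a router's NAT rules for the port-10001 forward described under WHY THEY'RE ON THE INTERNET, flagging any DNAT rule that lets an unrestricted source reach the gauge port. It assumes the rules can be exported in Linux iptables-save format; the sample rules, interface names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import shlex

ATG_PORT = 10001  # TCP port the page says stations forward to the gauge
# Constructed sample in iptables-save (nat table) format; all addresses are made up.
SAMPLE_RULES = """\
-A PREROUTING -i wan0 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.1.50:10001
-A PREROUTING -i wan0 -p tcp -m tcp --dport 8000:8100 -j DNAT --to-destination 192.168.1.50:10001
-A PREROUTING -s 10.8.0.0/24 -i tun0 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.1.50:10001
-A PREROUTING -i wan0 -p tcp -m tcp --dport 10000:10010 -j DNAT --to-destination 192.168.1.60
-A PREROUTING -i wan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
"""

def _opt(tok, name):
    """Value following option `name`, or None if the option is absent."""
    return tok[tok.index(name) + 1] if name in tok else None

def _covers(spec, port):
    """True if a port spec ('10001', '10000:10010', '10000-10010') includes port."""
    lo, _, hi = spec.replace("-", ":").partition(":")
    return int(lo) <= port <= int(hi or lo)

def _source_restricted(tok):
    """True only for a non-negated -s match narrower than 0.0.0.0/0."""
    if "-s" not in tok:
        return False
    i = tok.index("-s")
    if i > 0 and tok[i - 1] == "!":
        return False  # "any source except X" is still open to the internet
    return ipaddress.ip_network(tok[i + 1], strict=False).prefixlen > 0

def exposed_atg_forwards(rules_text, port=ATG_PORT):
    """Return (external_ports, inside_host) for DNAT rules that let any source reach `port`."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if _opt(tok, "-j") != "DNAT" or _opt(tok, "-p") != "tcp":
            continue
        dport = _opt(tok, "--dport")
        host, _, inner = (_opt(tok, "--to-destination") or "").partition(":")
        target = inner or dport  # no port in --to-destination: original port is kept
        reaches = _covers(target, port) if target else True  # no port match: all TCP forwarded
        if reaches and not _source_restricted(tok):
            findings.append((dport or "all", host))
    return findings

if __name__ == "__main__":
    for ext, host in exposed_atg_forwards(SAMPLE_RULES):
        print(f"open forward: external tcp/{ext} -> {host} port {ATG_PORT}")
```

The second and fourth sample rules are the cases a search for the literal string "10001" in the external port column would miss: a remapped external port and a forwarded range that contains the gauge port.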