News Digest (www.upstreamonline.com)
The US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and Department of Energy, has issued an urgent warning to energy companies about malicious cyber activity targeting automatic tank gauge (ATG) systems. These systems are critical for monitoring fluid storage in oil and gas operations, refining, chemicals manufacturing, and liquid fuel transportation. The agencies have not yet attributed the attacks to a specific nation-state or threat actor group.
Nature of the Threat
ATG systems connected to the internet are particularly vulnerable. A successful cyberattack could allow attackers to manipulate gauge readings, misleading operators about fluid volumes, temperatures, and tank pressures and leading to spills or industrial accidents. The observed malicious activity involves threat actors compromising internet-exposed ATG systems and modifying them through command execution. This could cause permanent damage to the tank system's critical functions: attackers could deny operators accurate readings, upload malicious code, gain full administrator privileges, alter network settings, leave on-site operators blind to internal tank conditions, or disable alarms.
Recommended Mitigations
The primary recommendation from CISA and other agencies is to take ATG systems offline entirely to prevent sabotage. If that is not feasible, they advise implementing measures to make it more difficult for outside actors to gain operational control and administrative privileges remotely. Specific recommendations include:
- Applying security patches where possible
- Changing passwords
- Introducing multifactor authentication to reduce the risk of employees exposing sensitive access credentials through phishing
Vulnerability of Operational Technology
Oil and gas field operational technology (OT) is inherently more vulnerable to cyber incursions than office information technology (IT). According to OT security expert Al Lindseth, while IT systems can rely on firewalls and patching, OT systems often cannot be patched. Once an attacker gains access, these networks are "flat" and wide open, making them easier to exploit.
3 June 2026
This material is an AI-assisted summary based on publicly available sources and may contain inaccuracies. For the original and full details, please refer to the source link. Based on materials by Nathanial Gronewold. All rights to the original text and images remain with their respective rights holders.