A series of critical vulnerabilities have been found in the Industrial Control Systems (ICS) within fuel storage tanks made by a number of separate vendors, raising fears that attackers could exploit them to cause "widespread physical damage".
The bugs have been found with the Automatic Tank Gauge (ATG) systems used in pumps in petrol stations, military bases, hospitals, airports, emergency services, and power plants.
Automatic Tank Gauges monitor and manage storage tanks, ensuring that fuel levels are accurately tracked and leaks are detected as quickly as possible.
Researchers at Bitsight TRACE identified zero day vulnerabilities in six ATG systems from five different vendors, which we have decided not to name for legal reasons.
"These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," wrote Pedro Umbelino, Principal Research Scientist.
"What’s even more concerning is that, besides multiple warnings in the past, thousands of ATGs are still currently online and directly accessible over the Internet, making them prime targets for cyberattacks, especially in sabotage or cyberwarfare scenarios."
Major German oil supplier confirms cyber-attack – "Oiltanking" says incident has crippled inland supply
CISA has issued an advisory about the vulns in one vendor's pump, which you can read here.
One is being tracked CVE-2024-8497 as has a CVSS score of 8.7. The other, CVE-2024-8497, has a score of 7.5.
CISA warned that the flaws were "exploitable remotely" with a "low attack complexity".
"Successful exploitation of this vulnerability allow an attacker to gain administrative access over the affected device," it wrote.
What happens if attackers access ATG systems with full privileges?
The results of a compromise of fuel systems can range from minor to "disastrous", Bitsight said.
Attackers could rename tank information to "inappropriate names" by altering MAC addresses, and even resize tanks, falsely increasing capacity to cause dangerous overflows and environmental leaks.
But the potential damage caused by a bad word in your fuel tank pales in comparison to the greater dangers. Hackers could also shut down dispensing functions by disabling relays or turning off leak detection, increasing the risk of undetected "catastrophic leaks".
Hackers can also capture sensitive corporate data through insecure Telnet connections, selling critical information like inventory and alarms to third parties.
Furthermore, they may shut down networking services by altering IP card settings, disrupting essential operations like hospitals and power plants. Finally, reprogramming consoles can result in the loss of compliance data, leading to potential regulatory fines and further operational risks.
The impacts of ATG exploitation
The most basic threat is Denial of Service (DoS) caused when attackers reconfigure devices, delete values, or flash faulty firmware, rendering the pump non-functional and requiring repair. More advanced attacks can target the core functions of the ATG system, such as manipulating tank settings to cause fuel leaks or disabling alarms that prevent overfilling.
Sophisticated attacks can also physically damage components by forcing relays to operate at high speeds, leading to the failure of connected systems like ventilation or emergency valves.
Attackers can also exploit the system’s functionality to gather financial data, delete tank records, or "monitor fuel levels in critical infrastructures to decide the best time to conduct a kinetic attack". Which means, in other words, they they could plan a physical attack with a bomb or some other means of sabotage to cause the biggest possible explosion.
"Experts that we have spoken with expressed specific concern about the ability for an attacker to change tank settings remotely," Bitsight continued. "Alarms are very important for refilling operators to understand when the tank is about to be full and to have enough time to stop the refilling. Without alarms the probability for a spill will increase significantly, which, depending on the type of fuel, could create a dangerous situation."
