
A possible hack of gas station fuel tank systems in several US states has raised concerns about industrial devices that experts say have been exposed online for years, despite repeated federal warnings.
According to CNN, US officials believe Iranian-linked hackers are likely behind a series of breaches involving automatic tank gauge (ATG) systems used to monitor fuel storage tanks.
The systems were accessible online without password protection, allowing attackers to manipulate display readings viewed by operators, though not the actual fuel levels.
The incidents did not result in physical damage, according to officials, but security experts say access to monitoring interfaces alone is an operational and safety concern.
“The real threat here is someone changing what the operator sees on the screen,” explains Denis Calderone, chief technology officer at Suzu Labs.
Calderone compared the issue to attacks involving industrial control system dashboards and SCADA interfaces, where inaccurate monitoring data can lead operators to make decisions based on false conditions.
“Thinking about gas stations specifically, that means a leak could go undetected, an overfill condition could be missed, or equipment failures could be masked until something goes physically wrong.”
Researchers have warned about exposed automatic tank gauge (ATG) systems for more than a decade.
In 2015, security firm Rapid7 identified more than 5,800 internet-connected tank gauges operating without authentication controls.
Additional research published in recent years by BitSight found large numbers of similar systems remained publicly accessible.
“The front door has been left unlocked”
Federal agencies, including CISA, have repeatedly advised operators to remove industrial monitoring systems from direct internet exposure or secure them behind VPNs and segmented remote-access systems.
Calderone said that one of the most frequently mentioned issues is the continued use of default or nonexistent passwords on industrial monitoring equipment.
This stems from the fact that many systems were originally designed for isolated environments, before remote internet access became the norm.
“These systems have been sitting on the public internet with no credentials,” Calderone said. “The front door has essentially been left unlocked.”
CNN says the investigation into the gas station breaches remains ongoing, and US officials have not publicly attributed the activity to a specific Iranian government entity or hacking group.
Critical infrastructure under attack
Last month, Michael Hoffman, an industrial cybersecurity expert at Dragos, told Cybernews that this reflected a broader pattern in recent Iran-linked cyber activity involving opportunistic targeting of exposed infrastructure.
“A lot of what we’re seeing is low-hanging fruit,” he said.
“They’re scanning the internet, finding exposed devices, and going after those not hardened environments.”
Michael Hoffman, principal industrial consultant, Dragos
Hoffman added that many campaigns attributed to pro-Iranian hacktivist groups rely on basic intrusion methods, including testing default credentials, reusing stolen passwords, and identifying internet-facing operational technology (OT) systems.
The gas station incident also follows wider concern amongst regulators about the resilience of operational technology environments that underpin critical infrastructure.
Last week, a British water supplier was fined nearly £1 million after investigators found parts of its environment were still running obsolete Windows Server 2003 systems, with attackers remaining inside its network undetected for months.
Separately, a survey of UK critical national infrastructure operators published earlier this year found that 93% had experienced a cyber incident in the previous 12 months.