Exposed gas pump controllers may tempt attackers to try and create fuel shortages. Worryingly, there are thousands of unprotected controllers worldwide, with the potential to impact millions.
Until civilization transitions to relying solely on fully electric vehicles, gas stations will remain a critical infrastructure component.
And like so many other components of critical infrastructure, pumping gas relies on digital components such as controllers – the electronic devices that manage fuel dispensing.
The Cybernews research team has discovered thousands of exposed gas station pump controllers, mainly in the US, that are dangerously open for attackers to abuse.
“Disrupting gas station operations could have economic and logistical consequences. For example, disrupting fuel distribution could affect transportation, military capability, and emergency services,” our researchers said.
How many are affected?
According to the Shodan search engine, at least 5,860 gas pump controllers are exposed globally.
However, the vast majority of the exposed gas station devices, 4,323, are located in the United States, with an additional 221 in Puerto Rico, an island territory of the US.
Germany (156), Canada (149), and Australia (139) line up far behind the US.
Exposing gas station pump controllers poses risks to fuel providers as attackers could attempt to access them remotely, tampering with pump settings or stealing fuel by manipulating inventory stats.
Attackers could also steal controller-stored data, such as transaction data, siphoning it to data leak forums or other venues for sharing illegally obtained data.
“In the age of the internet of things (IoT), many gas station controllers are connected to the internet for remote monitoring and management. If these connections are not properly secured, they could be vulnerable to remote attacks by hackers,” researchers explained.
Dangers of a cyberwar
While gas stations are not of existential importance as, say, an electricity grid or internet connectivity, disrupting enemy populations’ ability to fill up a tank would certainly have negative implications.
For example, attacks explicitly targeting gas stations may lead to increased fuel prices and even fuel shortages, allowing attackers to sow panic among the target population.
For example, according to the National Association of Convenience Stores (NACS), an average convenience store selling fuel has around 1,100 daily customers.
If we assume that each of the 4,323 exposed controllers operates in a different gas station, that would mean taking them out would disrupt the fuel stops of 4.7 million Americans in a single day.
“During a cyberwar, attackers may launch attacks on various targets to distract and overwhelm the defenders. Gas station controllers could be one such target to divert resources and attention away from more critical systems,” researchers said.
An attack focused on gas stations may also serve as a propaganda piece, demonstrating vulnerabilities in critical infrastructure and showcasing target nations’ supposed cybersecurity weaknesses.
Protecting gas station pump controllers
Even though gas station pump controllers are not the main focus of cyber warfare, they’re part of a broader web of interconnected systems that comprise critical infrastructure.
In times of conflict, governments and organizations need to secure these systems to mitigate the potential impact of cyberattacks.
“In a cyberwar, protecting critical infrastructure, including gas stations, becomes a matter of national security,” the Cybernews research team says.
To protect gas station pump controllers from exploitation, it’s crucial to implement a comprehensive security strategy, which includes measures such as:
- Regular software updates and security patches to fix known vulnerabilities
- Strong network security to protect against remote attacks
- Physical security measures to prevent unauthorized physical access
- Intrusion detection and monitoring systems to identify and respond to suspicious activity
- Employee training to recognize and prevent social engineering attacks
- Compliance with industry standards and regulations for payment card security (such as PCI DSS) and overall security.
Your email address will not be published. Required fields are markedmarked