When it comes to security, many gas stations have typically been concerned with defending against credit card skimmers on their pumps and point-of-sale vulnerabilities. They will now need to widen their security scope to include their automated tank gauges (ATGs), many of which are reachable from the Internet and lack password protection, as recently discovered by the IT security solution provider Rapid7.
ATGs monitor fuel tank levels, track deliveries and raise alarms when a problem occurs (such as a leak or fuel spill). They also have serial ports (and some have TCP/IP cards) through which they can be remotely accessed for monitoring and programming.
When alerted to this issue by Jack Chadowitz, founder of Kachoolie, Rapid7 conducted an Internet-wide IPv4 scan for addresses with TCP port 10001 open (the most common configuration for ATGs) that answered without a password being set. Like so many security vulnerabilities, this one is simple and exists primarily because basic security hygiene isn't followed: a management port exposed to the Internet, and no password set.
The scan found about 5,800 such ATGs worldwide, roughly 5,300 of them in the U.S. The researchers then sent Get In-Tank Inventory Report requests to these exposed devices and quickly obtained each station's name and address along with the number of tanks, their fuel types and their current levels.
While Rapid7's researchers do not believe this vulnerability is being widely exploited in the wild, they do express concern that an attacker with the same access could change alarm thresholds, reset the system and generally disrupt the operation of the station. Another tactic might involve changing the access settings and then triggering a manual shutdown. No special tools are needed to reach these ATGs, so it would take little effort to disrupt service at 5,300 gas stations across the country.
With this revelation and others, gas stations and other energy-sector businesses are realizing that in a connected, Internet-of-Everything world, security can no longer be an afterthought — it must be weighed right alongside business needs.
Gas stations concerned about the ATG issue can use the web-based portal developed by Mr. Chadowitz to determine whether their ATGs are at risk. Setting a password on the device closes the simplest form of the problem, but it does not change the fact that a management port is reachable from the public Internet; Rapid7 suggests taking ATGs off the Internet and using a VPN gateway to connect them to the operator's monitoring service.
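The request-and-parse logic behind the scan described above, and the self-check suggested in the closing paragraph, as an added example (this is not Rapid7's, Kachoolie's or the portal's code): it builds the inventory request, classifies the device's answer, and parses a report into station and per-tank data. It assumes the gauge speaks the Veeder-Root TLS-350-style protocol on TCP port 10001, where a command is SOH (0x01) followed by a function code and newline and the In-Tank Inventory Report is function code `I20100` (the same request the Nmap `atg-info` script sends; verify against your vendor's manual), and that a device with a security code set answers an unauthenticated command with a `9999`-prefixed error. `SAMPLE_RESPONSE` is constructed for this example, not captured from a real station, and `probe_atg` should only be pointed at devices you are authorised to test.

```python
"""Exposed-ATG check: build the inventory request, classify the reply, parse it.

Added example, not code from Rapid7 or Kachoolie. Protocol details (SOH-framed
commands, function code I20100, 9999 error prefix) are assumptions taken from
the Veeder-Root TLS-350-style command set; confirm them against your manual.
"""
import socket
import sys

SOH = b"\x01"
ETX = b"\x03"
INVENTORY_CMD = SOH + b"I20100\n"   # assumed function code for the In-Tank Inventory Report

# Constructed sample of a display-format I20100 reply (not a real station).
SAMPLE_RESPONSE = (
    b"\x01I20100\n"
    b"1501121450\n"                                 # YYMMDDHHMM timestamp
    b"\n"
    b"EXAMPLE FUEL STOP\n"                          # station header lines
    b"123 ANY STREET\n"
    b"ANYTOWN, ST 00000\n"
    b"\n"
    b"IN-TANK INVENTORY\n"
    b"\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\n"
    b"  1  UNLEADED              6401      6344     4200    37.29     0.00    64.27\n"
    b"  2  SUPER UNLEADED        3567      3530     3500    26.15     0.00    64.92\n"
    b"  3  DIESEL                8120      8061     1900    52.08     0.15    61.88\n"
    b"\x03"
)


def classify(response: bytes) -> str:
    """Decide what an unauthenticated inventory request got back."""
    if not response:
        return "no-response"          # port open but silent, or not an ATG
    body = response.lstrip(SOH)
    if body.startswith(b"9999"):
        return "password-set"         # assumed: generic error when a security code is set
    if body.startswith(b"I20100"):
        return "exposed"              # report returned with no credentials at all
    return "unknown"


def parse_inventory(response: bytes) -> dict:
    """Extract station header lines and one record per tank from an I20100 report."""
    text = response.strip(SOH + ETX).decode("ascii", errors="replace")
    lines = text.splitlines()
    if not lines or not lines[0].startswith("I20100"):
        raise ValueError("not an I20100 inventory report")
    table_at = next((i for i, l in enumerate(lines) if l.strip() == "IN-TANK INVENTORY"), None)
    if table_at is None:
        raise ValueError("report has no IN-TANK INVENTORY section")
    station = [l.strip() for l in lines[2:table_at] if l.strip()]   # skip code + timestamp
    tanks = []
    for line in lines[table_at + 1:]:
        parts = line.split()
        if len(parts) < 8 or not parts[0].isdigit():
            continue                  # blank line or the column-header row
        try:
            nums = [float(x) for x in parts[-6:]]
        except ValueError:
            continue
        tanks.append({
            "tank": int(parts[0]),
            "product": " ".join(parts[1:-6]),   # product names may contain spaces
            "volume": int(nums[0]), "tc_volume": int(nums[1]), "ullage": int(nums[2]),
            "height": nums[3], "water": nums[4], "temp": nums[5],
        })
    return {"timestamp": lines[1].strip(), "station": station, "tanks": tanks}


def probe_atg(host: str, port: int = 10001, timeout: float = 5.0) -> bytes:
    """Send one inventory request to a device you are authorised to test; returns raw bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(INVENTORY_CMD)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if ETX in chunk:          # end-of-report marker
                break
        return b"".join(chunks)


if __name__ == "__main__":
    raw = probe_atg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    verdict = classify(raw)
    print("verdict:", verdict)
    if verdict == "exposed":
        report = parse_inventory(raw)
        print("station:", " / ".join(report["station"]))
        for t in report["tanks"]:
            print(f"  tank {t['tank']}: {t['product']} volume={t['volume']} water={t['water']}")
```

Run with no arguments to see the parser work on the constructed sample; with a host argument it sends the single request and reports whether the device answered the inventory request with no password, refused it, or stayed silent. A verdict of "exposed" on a station you operate means exactly what the scan above found: anyone on the Internet can read the same report.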