Zero-Day Vulnerabilities in Automatic Tank Gauge Systems
Hackers Could Cause Tanks to Overfill and Disable Leak Detection
Industrial control systems made by different manufacturers for monitoring fuel storage tanks, including those used in everyday gas stations, contain critical zero-days that could convert them into targets for cyberattacks that cause physical damage.
Security bugs in automatic tank gauge systems can enable attackers to disable leak detection and cause overflows, leading to environmental hazards and financial losses, researchers at BitSight found. Besides gas stations, ATGs are used in military bases, hospitals and power plants.
Researchers found 11 vulnerabilities spread across six models of ATG systems. The flaws include reflected cross-site scripting and authentication bypasses, command injection issues, hard-coded administrator credentials and arbitrary file reads that grant full system access to attackers.
BitSight reported the flaws in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency, which on Tuesday published an advisory.
The advisory is one in a continuing series of warnings about the insecurity of ATG systems. Previous research from as early as 2015 highlighted the risks of leaving these systems exposed to the internet without proper security measures.
Despite previous warnings about similar vulnerabilities, thousands of ATG systems are accessible through the internet. The communication standard widely used in these systems is fundamentally insecure: it was originally designed for serial RS-232 interfaces and later adapted for TCP/IP networks, the researchers said. The transition to network connectivity, without proper security measures, has left these systems vulnerable to a wide range of attacks.
The ATG communications protocol has a field for a six-digit code meant to limit external serial access, but the field is "both optional and insufficient," BitSight said. The code is not turned on by default, and even when administrators do turn it on, the six-digit maximum means there are only 1 million possible combinations, making the codes easily guessable by modern computers.
The researchers urged that organizations using ATG systems take additional steps to protect their systems from potential exploitation. They recommend disconnecting ATG systems from the public internet, implementing stricter access controls and applying network segmentation to reduce the attack surface and prevent unauthorized access.