Over 900 US Fuel Tank Gauge Systems Exposed Online, Under Active Attack
More than 900 automatic tank gauge systems in the US are exposed to the internet and under active attack, according to a joint advisory from CISA, FBI, NSA, and other agencies. Threat actors can alter readings, disable alarms, and disrupt operations.
More than 900 automatic tank gauge (ATG) systems in the United States are exposed to the internet and under active attack, according to a joint advisory published this week by CISA, the FBI, the NSA, and five other federal agencies. The systems monitor fuel and chemical storage tanks at gas stations, industrial facilities, and other critical infrastructure sites.
The advisory, co-signed by the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, the Department of Transportation, and the Department of Agriculture, warns that threat actors are exploiting internet-connected ATGs to alter tank readings, manipulate pump controls, and disable safety alerts. The agencies said they are aware of malicious cyber activity targeting these systems in the United States but did not attribute the attacks to any specific group.
US accounts for 90% of exposed ATGs worldwide
Following the advisory, the Shadowserver Foundation conducted widespread scans and found 909 exposed ATGs in the United States. The next most exposed countries were Canada with 30, Australia with 22, and the United Kingdom and Brazil with four each. The US share represents more than 90% of all discoverable ATGs on the open web.
- 909 exposed ATGs in the US as of June 2026
- 30 in Canada, 22 in Australia, 4 each in the UK and Brazil
- Nearly 6,000 ATGs were exposed a decade ago, indicating a significant reduction but still a large attack surface
- ATGs are often legacy devices running unpatched firmware with known vulnerabilities
- Researchers at Bitsight previously found seven critical zero-day vulnerabilities across six popular ATG models, including command injection flaws with CVSS scores of 9.8
Legacy design and unpatched bugs create persistent risk
ATGs are built for reliability and long field life, often without downtime for updates. They run legacy software stacks and lack the complexity to support security tools. This design philosophy leaves them vulnerable to command injection and other exploits that can give attackers full control over tank monitoring and alarm systems.
The joint advisory urges site owners to immediately remove ATGs from direct internet exposure, use firewalls and VPNs for remote access, apply available patches, and monitor for unauthorized changes. The agencies also recommend conducting a full inventory of all ATG devices and verifying that default credentials have been changed. With active attacks already underway, the window for remediation is narrow.
Fact check
- Over 900 automatic tank gauge systems in the US are exposed to the internet. (verified)
- The joint advisory was published by CISA, FBI, NSA, DoE, EPA, TSA, DOT, and USDA. (verified)
- The US has 909 exposed ATGs, Canada 30, Australia 22, UK and Brazil 4 each. (reported)
- Researchers at Bitsight found seven critical zero-day vulnerabilities across six ATG models. (reported)