Critical Infrastructure At Risk: Vulnerabilities Discovered In Automatic Tank Gauging

Pedro Umbelino, Principal Research Scientist at Bitsight, says the vulnerabilities could allow malefactors to exploit ATG systems, leading to potentially catastrophic outcomes, including environmental hazards, economic disruption, and even physical damage. The ability to control physical processes is a grave risk to critical infrastructure, which could cause fuel spills, equipment damage, or widespread service disruption at essential facilities like hospitals or emergency services. Bitsight’s ongoing monitoring has revealed over 6,500 ATG systems are still connected to the internet without any security protections, leaving critical infrastructure vulnerable to cyberattacks. Industrial Control Systems (ICS) form the backbone of modern critical infrastructure, with ATG systems playing a key role in managing fuel storage across various industries. Bitsight’s research found that threat actors could gain full control of ATG systems, allowing them to manipulate fuel levels, disable alarms, and even shut down fuel dispensing systems. A recent investigation by Bitsight TRACE has uncovered several critical 0-day vulnerabilities in six Automatic Tank Gauge (ATG) systems from five different vendors. Disconnecting these systems from the internet, implementing strong access controls, and following CISA’s remediation advisories are key steps to reducing the risk of exploitation. These systems, responsible for monitoring fuel levels and detecting leaks, are essential for facilities ranging from gas stations to hospitals, airports, military bases, and power plants. As far back as 2015, security researchers warned of exposed ATG systems on the internet, with thousands found to be accessible without password protection. The financial impact could also be severe, with attackers able to steal sensitive operational data or disable critical systems, potentially leading to hefty fines and regulatory penalties. The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. These vulnerabilities are substantial real-world threats, with the potential for exploitation by malicious actors, leading to severe consequences such as physical damage, environmental harm, and financial losses. They could rename tank information, alter tank sizes to trigger overflows, disable leak detection, or even shut down fuel pumps, creating physical and environmental hazards. Even more alarming is that, despite repeated warnings, thousands of ATGs remain online and directly accessible via the internet, making them highly vulnerable to cyberattacks, particularly in sabotage or cyberwarfare contexts. Between 2015 and 2022, the number of vulnerable ATG systems increased by 120%, according to Cyborg Security. The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. While some facilities may have implemented external controls to mitigate these risks, the widespread exposure of ATG systems online is alarming. The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. In response to these findings, Bitsight says it has collaborated with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to coordinate a responsible vulnerability disclosure process.

This Cyber News was published on informationsecuritybuzz.com. Publication date: Tue, 01 Oct 2024 05:43:37 +0000


Cyber News related to Critical Infrastructure At Risk: Vulnerabilities Discovered In Automatic Tank Gauging

A Plan to Protect Critical Infrastructure from 21st Century Threats - On April 30th, the White House released National Security Memorandum-22 on Critical Infrastructure Security and Resilience, which updates national policy on how the U.S. government protects and secures critical infrastructure from cyber and ...
6 months ago Cisa.gov
Critical Infrastructure At Risk: Vulnerabilities Discovered In Automatic Tank Gauging - Pedro Umbelino, Principal Research Scientist at Bitsight, says the vulnerabilities could allow malefactors to exploit ATG systems, leading to potentially catastrophic outcomes, including environmental hazards, economic disruption, and even physical ...
2 months ago Informationsecuritybuzz.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
16 top ERM software vendors to consider in 2024 - Enterprise risk management software helps organizations identify, mitigate and remediate business risks, which can lead to improved business performance. The risk management market is rapidly evolving from separate tools across different risk domains ...
11 months ago Techtarget.com
Master Security by Building on Compliance with A Risk-Centric Approach - In recent years, a confluence of circumstances has led to a sharp rise in IT risk for many organizations. That's why a proactive approach to seeing, understanding, and acting on risk is key to improving the effectiveness of defenses in place to meet ...
11 months ago Cyberdefensemagazine.com
ProcessUnity Introduces Industry's All-In-One Third-Party Risk Management Platform - PRESS RELEASE. BOSTON-(BUSINESS WIRE)- ProcessUnity, provider of comprehensive end-to-end third-party risk management and cybersecurity solutions to leading enterprises, today announced the completed integration of the Global Risk Exchange. The newly ...
10 months ago Darkreading.com
What CIRCIA Means for Critical Infrastructure Providers and How Breach and Attack Simulation Can Help - Cyber Defense Magazine - To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, ...
2 months ago Cyberdefensemagazine.com
A Cybersecurity Risk Assessment Guide for Leaders - Now more than ever, keeping your cyber risk in check is crucial. In the first half of 2022's Cyber Risk Index, 85% of the survey's 4,100 global respondents said it's somewhat to very likely they will experience a cyber attack in the next 12 months. ...
1 year ago Trendmicro.com
Strategy, Harmony & Research: Triaging Priorities for OT Cybersecurity - The mission of the Cybersecurity and Infrastructure Security Agency is to lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. CISA is not responsible ...
1 year ago Darkreading.com
Critical Start Implements Cyber Risk Assessments With Peer Benchmarking and Prioritization Engine - PRESS RELEASE. PLANO, Texas, Jan. 11, 2024 /PRNewswire/ - Today, Critical Start, a leading provider of Managed Detection and Response cybersecurity solutions and pioneer of Managed Cyber Risk Reduction, announced general availability of Critical ...
11 months ago Darkreading.com
Key elements for a successful cyber risk management strategy - In this Help Net Security interview, Yoav Nathaniel, CEO at Silk Security, discusses the evolution of cyber risk management strategies and practices, uncovering common mistakes and highlighting key components for successful risk resolution. Nathaniel ...
11 months ago Helpnetsecurity.com
Key Takeaways from the Gartner® Market Guide for Insider Risk Management - Insider risk incidents are on the rise and becoming more costly to contain. As a result, earlier this year, Gartner predicted that 50% of all medium to large enterprises would adopt insider risk programs. The report reveals several key findings about ...
1 year ago Securityboulevard.com
Three Things to Know About the New SEC Rules on Sharing Information and Breach Disclosure Deadlines - Recently, the Securities and Exchange Commission adopted rules about the handling and reporting of cyber risks and breaches. With these new guidelines and regulations, public companies and organizations must disclose cybersecurity incidents ...
10 months ago Cyberdefensemagazine.com
How to Complete an IT Risk Assessment - An effective security strategy needs to put managing risk at the heart of its approach. An IT risk assessment process is used by organizations to identify and prioritize the most pressing risks to their IT environment. Naturally, it focuses on IT ...
1 year ago Heimdalsecurity.com
Third-Party Security Assessments: Vendor Risk Management - As businesses rely more heavily on external vendors to provide critical services and support, the importance of effective vendor risk management strategies becomes paramount. This article explores the significance of third-party security assessments, ...
10 months ago Securityzap.com
Opening Statement by CISA Director Jen Easterly - Chairman Gallagher, Ranking Member Krishnamoorthi, Members of the Committee, thank you for the opportunity to testify on CISA's efforts to protect the Nation from the preeminent cyber threat posed by the People's Republic of China. As America's ...
10 months ago Cisa.gov
Enhancing PCI DSS Compliance: The Urgent Need for Risk-Based Prioritization - Keeping U.S. commercial critical national infrastructure organizations safe is vital to national security, and it's never been more top of mind as international conflicts and cyberattacks increase and create tensions for businesses, governments, and ...
10 months ago Cyberdefensemagazine.com
Critical Start Asset Visibility helps customers become more proactive within their security program - Critical Start launched their Asset Visibility offering. As part of an MCRR strategy, Asset Visibility helps customers become more proactive within their security program, helping them uncover assets that need protection, validate that the expected ...
11 months ago Helpnetsecurity.com
The ONE Thing All Modern SaaS Risk Management Programs Do - Reducing SaaS risk is, without a doubt, a difficult challenge. Gaining visibility into all the SaaS apps used across an enterprise is hard enough, but it becomes an even greater challenge when only a portion of the apps go through the company's ...
8 months ago Securityboulevard.com
How to Do a Risk Analysis Service in a Software Project - Software projects are vulnerable to countless attacks, from the leak of confidential data to exposure to computer viruses, so any development team must work on an effective risk analysis that exposes any vulnerabilities in the software product. A ...
1 year ago Feeds.dzone.com
CISOs Need to Take a Holistic Approach to Risk Management - Although the traditional approach to cybersecurity typically revolves around mitigating threats and vulnerabilities, these tactics are no longer enough to protect businesses effectively. There is now a need for a more comprehensive, holistic approach ...
1 year ago Feeds.fortinet.com
Attacks on critical infrastructure are harbingers of war: Are we prepared? - Recent attacks on several water authorities, such as Aliquippa and St. Johns River, are putting a new spotlight on the need to protect critical infrastructure. In war, to bring a nation to its knees, attacks against power and water inflict the most ...
11 months ago Scmagazine.com
What Are the 6 Types of Risk Assessment and How Do They Work? - Risk assessment is a tool used to help quantify potential risks in a certain situation. It can be used in many different scenarios, including business operations, financial decisions, and also cybersecurity. A risk assessment helps you identify areas ...
1 year ago Thehackernews.com
The Cyber Risk Nightmare and Financial Risk Disaster of Using Personal Messaging Apps in The Workplace - This practice, which is unfortunately still widespread in an environment of relentless cyberattacks, is fraught with major cyber and financial risk. Unsecure messaging apps are a gateway for cybercriminals to access, expose and exploit an ...
11 months ago Cyberdefensemagazine.com
Meet the Cisco Security Risk Score - In April 2023, we rebranded our risk-based vulnerability management solution, Kenna. Effective immediately, the Kenna Risk Score is renamed to the Cisco Security Risk Score. VI is renamed to Cisco Vulnerability Intelligence, and Kenna. To strengthen ...
1 year ago Feedpress.me

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)