Pedro Umbelino, Principal Research Scientist at Bitsight, says the vulnerabilities could allow malefactors to exploit ATG systems, leading to potentially catastrophic outcomes, including environmental hazards, economic disruption, and even physical damage. The ability to control physical processes is a grave risk to critical infrastructure, which could cause fuel spills, equipment damage, or widespread service disruption at essential facilities like hospitals or emergency services. Bitsight’s ongoing monitoring has revealed over 6,500 ATG systems are still connected to the internet without any security protections, leaving critical infrastructure vulnerable to cyberattacks. Industrial Control Systems (ICS) form the backbone of modern critical infrastructure, with ATG systems playing a key role in managing fuel storage across various industries. Bitsight’s research found that threat actors could gain full control of ATG systems, allowing them to manipulate fuel levels, disable alarms, and even shut down fuel dispensing systems. A recent investigation by Bitsight TRACE has uncovered several critical 0-day vulnerabilities in six Automatic Tank Gauge (ATG) systems from five different vendors. Disconnecting these systems from the internet, implementing strong access controls, and following CISA’s remediation advisories are key steps to reducing the risk of exploitation. These systems, responsible for monitoring fuel levels and detecting leaks, are essential for facilities ranging from gas stations to hospitals, airports, military bases, and power plants. As far back as 2015, security researchers warned of exposed ATG systems on the internet, with thousands found to be accessible without password protection. The financial impact could also be severe, with attackers able to steal sensitive operational data or disable critical systems, potentially leading to hefty fines and regulatory penalties. The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. These vulnerabilities are substantial real-world threats, with the potential for exploitation by malicious actors, leading to severe consequences such as physical damage, environmental harm, and financial losses. They could rename tank information, alter tank sizes to trigger overflows, disable leak detection, or even shut down fuel pumps, creating physical and environmental hazards. Even more alarming is that, despite repeated warnings, thousands of ATGs remain online and directly accessible via the internet, making them highly vulnerable to cyberattacks, particularly in sabotage or cyberwarfare contexts. Between 2015 and 2022, the number of vulnerable ATG systems increased by 120%, according to Cyborg Security. The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. While some facilities may have implemented external controls to mitigate these risks, the widespread exposure of ATG systems online is alarming. The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. In response to these findings, Bitsight says it has collaborated with the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to coordinate a responsible vulnerability disclosure process.
This Cyber News was published on informationsecuritybuzz.com. Publication date: Tue, 01 Oct 2024 05:43:37 +0000