DDoS attacks - How Firewalls make Gas Stations Vulnerable

Firewalls and Operational Technology (OT) Systems

Firewalls are a cornerstone of online security, but in the world of gas station technology, it’s been discovered that they create an unexpected vulnerability. The vulnerability centers on Operational Technology (OT) systems; in this context, it targets the system that connects to gas tank gauges, collects data from them, and is also used to configure them. These systems, used by the handful of companies that monitor the majority of gas stations, serve a critical role in gas station operations.

OT systems used for polling automatic tank gauges (ATGs) very often use a security measure called "whitelisting" or "access control lists (ACLs)" to protect tank gauges from unauthorized access. Here's how it works:

  • The local router or firewall has a whitelist containing the IP addresses of authorized devices, typically the polling servers used by monitoring companies.

  • The router only allows communication from these whitelisted IP addresses to reach the tank gauges.

This approach offers a good layer of security, but it creates a critical vulnerability: publicly known IP addresses. Since the monitoring companies need to provide their IP addresses for whitelisting, they become public knowledge. This knowledge can be exploited by attackers in what's known as a Distributed Denial-of-Service (DDoS) attack.

In a DDoS attack, attackers overwhelm a server with a flood of communication requests, essentially shutting it down and preventing legitimate traffic from reaching ALL the ATGs, not only those with firewalls. These attacks are cheap and readily available through "botnet-for-hire" services.

Mitigating DDoS Attacks

Mitigating a DDoS attack typically involves changing the server's IP address. However, this creates new problems:

  • The whitelisted IP addresses on the routers at gas stations become outdated and need to be updated for every single server before communications can resume. This is time-intensive.

  • Once updated, the new IP addresses are themselves vulnerable, so repeated DDoS attacks are possible, continually shutting down polling servers.

  • The only way to break this cycle is to disable the firewalls, leaving the tank gauges exposed to the previously mentioned vulnerability of being completely open to the internet.
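
The update burden described above can be sized before a polling server changes address. The following is an added example, not code from the original article; the site names, the ACL entry format and all addresses are constructed (documentation ranges), and `audit_rotation` is a hypothetical helper.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses), not real sites.
SITE_ACLS = {
    "site-001": ["203.0.113.10", "203.0.113.11"],       # old host entries only
    "site-002": ["203.0.113.0/28", "198.51.100.0/29"],  # ranges, old and new
    "site-003": ["203.0.113.10", "198.51.100.5"],       # half-updated
    "site-004": [],                                     # firewall disabled
}
OLD_POLLERS = ["203.0.113.10", "203.0.113.11"]
NEW_POLLERS = ["198.51.100.5", "198.51.100.6"]


def covers(net, addrs):
    """True if any address in addrs falls inside the ACL network."""
    return any(ipaddress.ip_address(a) in net for a in addrs)


def audit_rotation(site_acls, old_ips, new_ips):
    """Return {site: (status, stale_entries)} for a move from old_ips to new_ips.

    status: 'unfiltered' (no ACL, gauge open to any source), 'ok' (every new
    poller permitted), 'partial' (some permitted) or 'blocked' (none permitted,
    polling stops until the ACL is edited). stale_entries are ACL lines that
    admit a retired address and no new one, so they can be removed.
    """
    report = {}
    for site, entries in site_acls.items():
        if not entries:
            report[site] = ("unfiltered", [])
            continue
        # strict=False accepts entries written with host bits set.
        nets = [ipaddress.ip_network(e, strict=False) for e in entries]
        allowed = [ip for ip in new_ips if any(covers(n, [ip]) for n in nets)]
        if len(allowed) == len(new_ips):
            status = "ok"
        elif allowed:
            status = "partial"
        else:
            status = "blocked"
        stale = [e for e, n in zip(entries, nets)
                 if covers(n, old_ips) and not covers(n, new_ips)]
        report[site] = (status, stale)
    return report


if __name__ == "__main__":
    for site, (status, stale) in audit_rotation(SITE_ACLS, OLD_POLLERS, NEW_POLLERS).items():
        print(f"{site}: {status:10s} stale={stale}")
```

Sites reported as `blocked` or `partial` are the ones that need a router change before polling resumes; `unfiltered` sites are those left open to the internet.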

The Need for Improved Security

When active, the DDoS attacks shut down communications to all the ATGs. This new vulnerability also has the long-term effect of negating the firewall protection that has been the most popular and effective way of protecting these TCP/IP-polled ATGs.

This vulnerability highlights the need for improved security measures in gas station technology that go beyond traditional methods like firewalls and VPNs. Read about ARUME’s secure alternative communication solutions that don’t rely on TCP/IP polling, bypass the known vulnerabilities, and significantly improve the resilience of gas station infrastructure against cyberattacks.