Automatic Tank Gauge (ATG) Vulnerabilities and Mitigations
By ARUME
What are ATGs and Why Secure Them?
Automatic Tank Gauges (ATGs) are crucial components of gas stations, measuring fuel levels, calculating delivery needs, detecting leaks, and triggering alarms. Traditionally located in secure areas within convenience stores (C-stores), they play a vital role in environmental protection and business operations. However, the rise of internet-connected ATGs introduces significant security concerns.
Understanding ATG Vulnerabilities
There are two main categories of ATG vulnerabilities:
Physical Access Vulnerabilities
Unauthorized individuals gaining physical access to the ATG can manipulate settings or steal data. Mitigation strategies include placing the ATG in a restricted area and implementing strong password protection:
- Restricted Location: The ATG is designed for placement in a secure area within the C-store.
- Hardwired Power: The ATG is directly connected to the electrical panel, preventing easy disabling.
- Passive Panel Protection: The ATG panel may have additional physical safeguards, such as non-standard fasteners and password protection, to deter tampering.
Internet Connectivity Vulnerabilities
Connecting an ATG to the internet exposes it to a wider range of threats:
- Data Theft: An internet connection makes valuable business information, such as current inventory levels, delivery amounts, and sales data, available to a hacker. Environmental compliance alarms and leak test results are also exposed for anyone to make public or report to the EPA and state authorities, resulting in large fines and possible station shutdowns.
- Configuration Manipulation: Commands that alter ATG configuration can cause expensive damage, loss of revenue through business disruption, expensive service calls, and environmental compliance fines. These commands are publicly available and allow even inexperienced hackers to change an ATG's configuration very easily.
The Communication Protocol Challenge
The traditional Veeder-Root communication protocol used by ATGs is a key vulnerability. Designed for secure serial communication, it lacks the necessary protection mechanisms when exposed to the public internet. Once connected, the ATG is essentially as vulnerable as an unprotected web server.
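As an added example (not code from ARUME or any ATG vendor), the following shows detection logic a station's network team could run over logs from a gateway placed in front of an internet-connected ATG, separating the read-type traffic behind the data theft risk from the configuration-changing traffic described above. The log format, addresses, allowlist and function codes are constructed, and it assumes the convention that inquiry function codes begin with I and set (configuration) codes begin with S.

```python
import ipaddress

# Assumption: the only hosts permitted to talk to the ATG (documentation-range addresses).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed log from a hypothetical gateway: "<timestamp> <source_ip> <function_code>".
# The codes are placeholders; only the leading I (inquiry) / S (set) letter is used.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z 192.0.2.5 I00000
2024-05-01T02:15:31Z 203.0.113.77 I00000
2024-05-01T02:15:40Z 203.0.113.77 S00000
2024-05-01T09:00:12Z 192.0.2.5 S00000
not a log line
"""

def is_allowed(src):
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    return any(addr in net for net in ALLOWED_SOURCES)

def classify(src, code):
    """Return a finding name, or None for routine polling by a trusted host."""
    kind = code[:1].upper()
    if kind not in ("I", "S"):
        return "unknown-command"
    trusted = is_allowed(src)
    if kind == "S":
        # Any configuration change is worth a look; from outside it is an incident.
        return "config-change-review" if trusted else "unauthorized-config-change"
    return None if trusted else "external-data-read"

def triage(log_text):
    """Return (log line, finding) pairs; unparsable lines are reported, not dropped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, code = line.split()
            finding = classify(src, code)
        except ValueError:
            findings.append((line, "unparsed"))
            continue
        if finding:
            findings.append((line, finding))
    return findings

if __name__ == "__main__":
    for entry, finding in triage(SAMPLE_LOG):
        print(f"{finding:28} {entry}")
```

Findings of type config-change-review come from trusted hosts and are meant to be matched against scheduled maintenance rather than treated as attacks.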
The Consequences of Exploited Vulnerabilities
The potential consequences of a successful cyberattack on an ATG are severe:
- Station Shutdown: Hackers can remotely shut down a station by manipulating configurations, halting fuel sales and impacting revenue.
- Environmental Risks: Tampering with configurations could create leaks or mask existing leaks, leading to environmental hazards and potential regulatory issues.
- Disruption of Critical Infrastructure: Widespread attacks targeting numerous stations could disrupt the critical infrastructure and fuel supply of the United States.
Beyond Shutdown: Deception and Disruption
Sophisticated attackers can go beyond simply shutting down stations:
- Simulate Leaks: Hackers could create false leak warnings, forcing unnecessary station closures and wasting technician resources. Diagnosing these scenarios requires a qualified ATG technician and, depending on availability, can often take hours, causing significant downtime.
- Resource Drain: Repeated manipulation of readings can lead to frustration and wasted resources for station owners, impacting operations and incurring unnecessary costs for technicians who may not even be available.
Mitigating the Risks: A Multi-Layered Approach
Securing ATGs requires a multi-layered approach:
- Physical Security Measures
  - Restrict physical access to the ATG.
  - Implement strong password protection for the ATG unit itself.
- Communication Security Measures
  - Explore secure communication protocols specifically designed for internet-connected ATGs, replacing the vulnerable Veeder-Root protocol.
  - Consider solutions that encrypt data transmission for added protection.
- Enhanced Response
  - Prioritize prompt response times for qualified ATG technician services to minimize downtime in case of attacks.
- Education and Awareness
  - Educate convenience store operators about ATG vulnerabilities and best practices for securing their systems. This empowers them to make informed decisions about their cybersecurity posture.
Looking Forward: A Collaborative Effort
The industry can further enhance ATG security through:
- Industry Standards: Collaboration between ATG manufacturers, security researchers, and government agencies can lead to the development and adoption of secure communication standards.
- Vulnerability Assessments: Regularly conduct vulnerability assessments for ATG systems to identify and address potential weaknesses.
By taking proactive steps, convenience store operators can safeguard their ATGs and minimize the risks associated with cyberattacks. This will not only protect their businesses but also contribute to the overall security of the critical fuel supply infrastructure.