Fuel storage tanks put at risk by worrying security flaws

News
By published

Fuel tanks are prime targets for state-sponsored attacks

Aerial view or oil terminal is industrial facility for storage tank of oil and LPG Petrochemical. oil manufacturing products ready for transport and business transportation, LPG Tank, CNG tank.
(Image credit: Shutterstock / AU USAnakul)

Fuel storage is an essential part of worldwide logistics, marking it as critical infrastructure and therefore a target for state-sponsored cyber attacks.

As with most things today, many fuel depots have some form of internet facing technology to help manage fuel levels remotely using automated tank gauges (ATG), and research from Bitsight has warned these systems have multiple critical vulnerabilities that could give an attacker full control over the fuel storage, allowing for the possibility of physical and environmental damage as well as economic loss.

Latest Videos From

ATG vulnerabilities

The Bitsight research outlines legacy vulnerabilities, such as those relating to a certain protocol in ATG systems known as Veeder-Root, Gilbarco, or TLS protocol. These protocols use an interface for communicating functions to the ATG, with many of the operational manuals detailing different protocols that can be used. Some such protocols could be abused by an attacker to change network configurations, change volume and fill limit configurations, stop leak or pressure detection tests, and put the ATG into a denial of service (DoS) loop by repeating a remote reboot. DoS attacks can be highly disruptive if done en-mass, potentially putting the fuel distribution infrastructure of entire regions offline affecting both civilian, logistical and military function.

As for new vulnerabilities, Bitsight discovered 10 unique vulnerabilities in one week relating to OS command injection, hardcoded credentials, authentication bypass, SQL injection, cross site scripting (XSS), privilege escalation, and arbitrary file read, with CVSS scores ranging from 7.5 to 10.

Using one of the protocol vulnerabilities the researchers discovered in Maglink LX4, they were able to force a relay to turn on and off 50 times per second, which is fast enough for the relay to damage itself and potentially the components around it. A relay damaged in this way could prevent detection and warning systems from operating properly, such as ventilation systems, alarms and pumps.

A further potential use of ATG vulnerabilities is intelligence gathering. By monitoring the volume of fuel storage through ATGs, state-sponsored attackers can gain valuable information into fuel sales, delivery times, and when is best to strike a fuel tank with a kinetic attack to cause the most damage.

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.