Fuel storage tanks put at risk by worrying security flaws


Fuel storage is an essential part of worldwide logistics, marking it as critical infrastructure and therefore a target for state-sponsored cyber attacks.

As with most things today, many fuel depots have some form of internet-facing technology that helps manage fuel levels remotely using automated tank gauges (ATGs). Research from Bitsight has warned that these systems have multiple critical vulnerabilities that could give an attacker full control over the fuel storage, opening up the possibility of physical and environmental damage as well as economic loss.

The company identified multiple critical zero-day vulnerabilities across six different ATG systems produced by five different companies. Despite multiple warnings about the potential for these systems to be easily attacked over the internet, many remain online and unpatched, making them prime targets for hacktivists and state-sponsored attackers.

ATG vulnerabilities

The Bitsight research outlines legacy vulnerabilities, such as those relating to a protocol used in ATG systems known as the Veeder-Root, Gilbarco, or TLS protocol. These protocols use an interface for communicating functions to the ATG, and many of the operational manuals detail the different protocols that can be used. Some of these protocols could be abused by an attacker to change network configurations, change volume and fill limit configurations, stop leak or pressure detection tests, and put the ATG into a denial of service (DoS) loop by repeatedly triggering a remote reboot. DoS attacks can be highly disruptive if carried out en masse, potentially putting the fuel distribution infrastructure of entire regions offline and affecting civilian, logistical and military functions.

As for new vulnerabilities, Bitsight discovered 10 unique vulnerabilities in one week relating to OS command injection, hardcoded credentials, authentication bypass, SQL injection, cross-site scripting (XSS), privilege escalation, and arbitrary file read, with CVSS scores ranging from 7.5 to 10.

Using one of the protocol vulnerabilities the researchers discovered in Maglink LX4, they were able to force a relay to turn on and off 50 times per second, which is fast enough for the relay to damage itself and potentially the components around it. A relay damaged in this way could prevent detection and warning systems, such as ventilation systems, alarms and pumps, from operating properly.
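A defender-side illustration of the relay-cycling and reboot-loop abuse described above, added here and not taken from Bitsight's research or any vendor's code: a sliding-window check over ATG audit events that flags a relay changing state, or a gauge rebooting, far more often than normal operation would. The event tuple layout, action names, device names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import deque

# Assumed thresholds (not from the article or a vendor manual):
# action -> (max events tolerated, window length in milliseconds)
LIMITS = {
    "relay_toggle": (10, 1_000),      # >10 state changes within 1 s
    "remote_reboot": (3, 600_000),    # >3 reboots within 10 min
}

def detect_bursts(events, limits=LIMITS):
    """Scan time-ordered (ts_ms, device, action, target) tuples.

    Returns one (ts_ms, device, action, target, count) alert per burst,
    raised at the event that first pushes the window over its limit.
    """
    windows, alerting, alerts = {}, set(), []
    for ts, device, action, target in events:
        if action not in limits:
            continue
        max_count, span = limits[action]
        key = (device, action, target)
        recent = windows.setdefault(key, deque())
        recent.append(ts)
        while ts - recent[0] >= span:      # drop events outside the window
            recent.popleft()
        if len(recent) > max_count:
            if key not in alerting:        # alert once, not on every event
                alerting.add(key)
                alerts.append((ts, device, action, target, len(recent)))
        else:
            alerting.discard(key)          # burst over; re-arm
    return alerts

def sample_events():
    """Constructed audit events; device and relay names are made up."""
    ev = [(0, "atg-01", "relay_toggle", "R1"),
          (60_000, "atg-01", "relay_toggle", "R1"),       # normal switching
          (5_000, "atg-03", "remote_reboot", "-"),        # single reboot
          (30_000, "atg-01", "inventory_read", "-")]      # ignored action
    # Relay R2 cycled every 20 ms (50 times per second) for one second.
    ev += [(100_000 + i * 20, "atg-01", "relay_toggle", "R2") for i in range(50)]
    # Gauge rebooted every two minutes.
    ev += [(t, "atg-02", "remote_reboot", "-") for t in range(0, 480_000, 120_000)]
    return sorted(ev)

if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

Each burst produces a single alert, so a relay held in a 50-per-second cycle raises one event for the operator rather than one per state change.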

A further potential use of ATG vulnerabilities is intelligence gathering. By monitoring the volume of fuel storage through ATGs, state-sponsored attackers can gain valuable information on fuel sales and delivery times, and on when best to strike a fuel tank with a kinetic attack to cause the most damage.


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.