The “Internet of Things” (IoT) includes a class of devices known as automatic tank gauges (ATGs). ATGs play a critical role in monitoring and managing storage tanks, either underground or above-ground (USTs and ASTs respectively), which are used to store hazardous materials such as gasoline, diesel, jet fuel, and so on. ATGs continuously test for leaks, for example, and send alarms when various conditions occur so that mishaps can be avoided or minimized.
Almost all ATGs have some sort of communications capability, ranging from simple modems with RS-232, to Ethernet interfaces supporting telnet, ftp, http/s, and ssh. In the latest generations of ATGs, there are actually two computers in the same box. The core monitoring computer performs the actual collection of data from the sensor groups, while a management computer sits on top to provide a human-machine interface and, frequently, to send data to a centralized management application. The two computers communicate through an interface module. The management computer is usually a Linux machine, but in some cases may be a Windows CE machine.
Attack Surface. In a large enterprise with perhaps thousands of ATGs, the gauges are integrated into the enterprise’s wide area private network either directly or through the use of virtual private network technology (encrypted tunneling over a public network), or sometimes the gauge is directly connected to the public Internet. About 150,000 ATGs are estimated to be in use in the USA. Recent surveys by internet security firms and IoT search engines reveal that around 6,000 ATGs are exposed to the public Internet in the US, around 1,200 in China, and smaller counts elsewhere. In the past, hackers of various types focused their efforts on computers and network equipment like routers, and were unaware of the nature of the other ‘things’ available on the Internet. But that situation is changing, particularly in the context of cyberwarfare, where physical damage may result from a cyberattack instead of just the usual information theft, corruption, and so on.
Vulnerabilities. Vulnerabilities are many and varied, and tens of thousands have been cataloged in the NIST National Vulnerability Database (NVD). By the time something makes it to the NVD, the vendor or manufacturer has issued a fix or patch for the problem. But ATGs often don’t support an automated patching service like Windows Update. Instead, fixes may require an on-site (and expensive) visit by a trained technician. This means that vulnerabilities can persist and create risk over a much larger time frame than normal computer and software bugs. The vulnerabilities you find related to ATGs may include but not be limited to:
1) network ports and services left open though unused
2) insecure services such as FTP, Telnet, HTTP
3) default factory accounts and passwords left unchanged
4) no expiration of passwords or complexity requirements
5) device connected directly to internet
6) device in a trusted network segment of the enterprise
7) lack of a remote update capability
8) lack of software patch authentication and verification
9) weak encryption suites supported
10) and, probably worst of all, uncontrolled physical access to the device, permitting unauthorized modifications of the O/S and applications and creating a rogue device inside the enterprise perimeter.
Risk. So now we have computers (ATGs) managing storage tanks containing millions of gallons of hazardous materials, on your corporate network, close to financial transactions, exposed to an active and global cyberthreat. I don’t need to say anything else about risk, let’s quickly move on to risk mitigation.
Mitigation. There are a number of mitigations available immediately to the operator of an ATG. Most of the vulnerabilities listed above are readily mitigated by “don’t do that” policies and procedures. So, you should change the default passwords, and then change them on a regular schedule and make them strong. Get the gauge off the Internet. Don’t trust the ATGs, and do put them in a DMZ (untrusted) segment of your network. Block risky services like FTP with your firewall unless they are absolutely required by the ATG. Use strong cipher suites. Lock down the box so it cannot be tampered with easily.
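One way an operator could check an ATG inventory export against the mitigations above, as an added example that is not from the original article. The record fields, the internal address range, the "dmz" segment label and the 90-day rotation limit are all assumptions, and the inventory is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions (not from the article): internal ranges, DMZ label, 90-day rotation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INSECURE = {21: "FTP", 23: "Telnet", 80: "HTTP"}  # cleartext services the article names
MAX_PASSWORD_AGE_DAYS = 90

@dataclass
class Gauge:
    name: str
    address: str
    segment: str              # network segment label from the inventory
    open_ports: set           # ports observed open on the gauge
    required_ports: set       # ports the ATG actually needs
    default_password: bool    # factory account still unchanged
    password_age_days: int

def audit(g: Gauge) -> list:
    """Return the checklist findings for one inventory record."""
    findings = []
    addr = ipaddress.ip_address(g.address)
    if not any(addr in net for net in INTERNAL_NETS):
        findings.append(f"address {g.address} is outside internal ranges")
    if g.segment != "dmz":
        findings.append(f"placed in '{g.segment}' segment instead of the DMZ")
    for port in sorted(g.open_ports):
        if port in INSECURE:
            action = "restrict at firewall" if port in g.required_ports else "disable"
            findings.append(f"{INSECURE[port]} open on port {port}: {action}")
        elif port not in g.required_ports:
            findings.append(f"unused port {port} open: close")
    if g.default_password:
        findings.append("factory default password unchanged")
    elif g.password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password {g.password_age_days} days old: rotate")
    return findings

# Constructed sample inventory (addresses from documentation/private ranges).
INVENTORY = [
    Gauge("site-001", "203.0.113.10", "trusted", {21, 23, 443, 8080}, {21, 443}, True, 400),
    Gauge("site-002", "10.20.30.40", "dmz", {22, 443}, {22, 443}, False, 120),
    Gauge("site-003", "10.20.30.41", "dmz", {22, 443}, {22, 443}, False, 30),
]

if __name__ == "__main__":
    for gauge in INVENTORY:
        print(gauge.name, audit(gauge) or "OK")
```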
For ATG manufacturers, there are numerous improvements possible. The engineering requirements in general should look more like those for military-grade hardware instead of light industrial electronics. Features should include:
1) strong encryption
2) code signing such as Authenticode
3) tamper resistance
4) tamper detection
5) elimination of unused network services
6) two-factor authentication of users
7) security log forwarding
8) self-checking for viruses, malware, and modifications
9) strong passwords
10) mandatory changing of factory default passwords at installation
11) trusted certificates for TLS/SSL web services that are browser verifiable from built-in certificate authorities.
Solutions. Magnus is working with a leading technology firm in the downstream oil & gas space, Titan Cloud Software, to co-develop solutions for both ATG Operators and Equipment Manufacturers. Operator solutions include management of ATG passwords, ATG configuration management, two-factor authentication of users, and mobile app/https ATG access protection. For Equipment Manufacturers, solutions revolve around hardening the device.
Summary. This is a major problem that is already happening. Petroleum retailing is an attractive target to all kinds of attackers, ranging from hacktivists and transnational criminal organizations to nation-states. Fuel and ATG operators should proactively address ATG vulnerabilities and find solutions while pressuring their ATG manufacturer to harden the devices. ‘Do nothing’ is not an option.