Fuel Tanks In The Crosshairs: A Warning For Critical Infrastructure
The cybersecurity community has spent years warning that operational technology (OT) systems are among the most attractive targets for state-sponsored threat actors. Recent incidents involving fuel tank monitoring systems across the United States show that these concerns are no longer theoretical.
What began as a series of seemingly low-impact compromises of automatic tank gauge (ATG) systems has become a broader warning about the vulnerability of industrial control systems that underpin critical infrastructure.

In early June 2026, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, the Environmental Protection Agency, and the Department of Energy, issued a joint advisory warning that malicious actors were actively targeting internet-exposed ATG systems used across the energy, transportation, chemical, and food sectors.
The advisory highlighted ongoing compromises of devices used to monitor fuel levels, detect leaks, and manage storage tank operations. The agencies noted that threat actors were exploiting weak security controls, including default credentials, internet-facing management interfaces, authentication weaknesses, and poor remote access configurations. That warning came only weeks after reports emerged that U.S. officials suspected Iranian-linked hackers had breached tank monitoring systems at gas stations across multiple states.
According to sources familiar with the investigation, the attackers exploited ATG systems connected directly to the internet and, in many cases, lacking password protection. While investigators found no evidence that attackers manipulated actual fuel inventories, they did alter displayed readings in some instances, demonstrating unauthorized access to systems that monitor fuel storage infrastructure.
Although the immediate operational impact appeared limited, the implications were far more serious. These fuel monitoring systems do more than track inventory; they also provide leak detection, environmental monitoring, and safety alerts. Security researchers have long warned that access to these systems may allow attackers to suppress alarms, alter tank parameters, or conceal dangerous operating conditions that could lead to environmental damage or operational disruptions.
The incidents reveal a persistent challenge facing critical infrastructure operators: many industrial devices were designed for reliability and operational longevity rather than cybersecurity. As organizations increasingly connect operational technology to corporate networks and remote management platforms, legacy systems often become exposed to modern attack techniques without receiving equivalent security protections.
The concern extends far beyond fuel monitoring systems. Similar operational weaknesses have appeared repeatedly across water treatment facilities, energy providers, manufacturing environments, and transportation networks. In many cases, attackers are not exploiting sophisticated zero-day vulnerabilities; instead, they are identifying devices that remain accessible from the public internet and protected by weak or default credentials. The result is a growing attack surface that nation-state actors can exploit with relatively modest effort.
OT Under Siege
Recent intelligence indicates that Iranian cyber operators have increasingly focused on industrial environments amid rising geopolitical tensions. U.S. government agencies have warned that Iranian-affiliated actors are targeting programmable logic controllers (PLCs), industrial control systems, and other OT assets across critical infrastructure sectors. These campaigns mark a shift from traditional espionage and information theft toward operations capable of creating real-world disruption.
One of the most significant developments supporting this trend is the emergence of IOCONTROL malware. First publicly documented in late 2024, IOCONTROL was specifically designed to compromise industrial and Internet of Things devices commonly found within critical infrastructure environments.
Researchers identified capabilities that allow operators to establish persistence, execute commands remotely, and manage compromised systems across diverse industrial networks. Targeted devices included programmable logic controllers, routers, human-machine interfaces, firewalls, cameras, and fuel management systems.
The significance of IOCONTROL lies not only in its technical capabilities but also in what it reveals about attacker intent. Traditional IT-focused malware often seeks financial gain through ransomware, credential theft, or espionage. Industrial malware serves a different purpose. It provides adversaries with access to systems that control physical processes, enabling them to disrupt operations, manipulate equipment, or establish long-term footholds for future campaigns.
Security researchers have observed that Iranian-linked actors appear increasingly interested in maintaining persistent access to critical infrastructure rather than conducting immediate, destructive attacks. This strategy creates strategic leverage. By compromising systems in advance and maintaining dormant access, adversaries can preserve options for future escalation during periods of geopolitical conflict.
The scale of the exposure problem remains substantial. Earlier research identified nearly 4,000 U.S.-based industrial devices exposed to cyber threats associated with Iranian targeting activity. These exposed systems included industrial controllers, monitoring equipment, and operational technology devices connected directly to the internet. Such exposure creates opportunities for attackers to identify vulnerable assets, conduct reconnaissance, and establish initial access without requiring advanced exploitation techniques.
Several recurring factors continue to contribute to successful attacks against industrial environments:
- Internet-exposed operational technology systems with inadequate access controls.
- Default or weak credentials that remain unchanged after deployment.
- Limited network segmentation between IT and OT environments.
- Legacy devices that cannot easily support modern security controls.
- Insufficient monitoring of operational technology assets and communications.
These weaknesses persist because many organizations prioritize operational continuity over security modernization. Industrial environments frequently operate equipment for decades, making upgrades costly and operationally complex. However, threat actors increasingly view these environments as high-value targets precisely because security maturity often lags behind traditional enterprise networks.
The latest CISA advisory provides a roadmap for reducing risk. Agencies recommend removing ATG systems from direct internet exposure wherever possible, implementing strong authentication and multifactor authentication, restricting remote access through secure gateways and virtual private networks, applying security updates promptly, and continuously monitoring systems for unauthorized activity. The advisory also emphasizes the importance of network segmentation and the principle of least privilege for operational technology environments.
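One way to check the remote-access and monitoring recommendations above against firewall flow records, as an added example that is not taken from the advisory or from this article. The asset inventory, approved gateway ranges, internal address space and log format are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed inventory and policy; every value here is constructed for the example.
ATG_ASSETS = {"10.20.0.11": "site-A ATG", "10.20.0.12": "site-B ATG"}
APPROVED = [ipaddress.ip_network(n) for n in ("10.99.0.0/24", "10.20.0.5/32")]  # VPN pool, OT jump host
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # corporate (IT) address space

# Constructed flow records: timestamp, source, destination, firewall action.
SAMPLE_LOG = """\
2026-06-03T02:14:07Z 203.0.113.45 10.20.0.11 ALLOW
2026-06-03T02:15:40Z 10.99.0.17 10.20.0.11 ALLOW
2026-06-03T03:01:12Z 10.50.4.23 10.20.0.12 ALLOW
2026-06-03T03:05:55Z 198.51.100.9 10.20.0.12 DENY
2026-06-03T03:06:01Z 10.50.4.23 10.30.0.8 ALLOW
truncated-line
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_atg_access(log_text):
    """Return (findings, skipped): ATG connections that did not come through
    an approved gateway, plus the count of lines that could not be parsed."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, action = line.split()
            src_ip = ipaddress.ip_address(src)
        except ValueError:  # wrong field count or invalid address
            skipped += 1
            continue
        if dst not in ATG_ASSETS or _in_any(src_ip, APPROVED):
            continue  # not an ATG, or reached via the VPN / jump host
        if action == "DENY":
            issue = "blocked attempt"
        elif _in_any(src_ip, INTERNAL):
            issue = "IT-to-OT path bypassing gateway"  # segmentation gap
        else:
            issue = "direct internet exposure"
        findings.append({"time": ts, "source": src,
                         "asset": ATG_ASSETS[dst], "issue": issue})
    return findings, skipped

if __name__ == "__main__":
    results, bad = audit_atg_access(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['asset']}: {f['issue']} from {f['source']}")
    print(f"unparsed lines: {bad}")
```

Unparsed lines are counted rather than silently dropped, since gaps in log coverage are themselves a monitoring finding.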
Organizations should also recognize that operational technology security cannot remain isolated from broader cybersecurity strategies. Threat actors increasingly move between IT and OT environments, using compromised credentials, remote access platforms, and unmanaged assets to expand access across enterprise networks. Effective defense requires visibility across both domains and the ability to identify abnormal activity before operational systems become affected.
The recent targeting of fuel tank monitoring systems may not have resulted in widespread disruption, but it serves as an important warning: attackers continue to probe critical infrastructure for weaknesses, and many organizations remain vulnerable to relatively simple intrusion techniques. More importantly, the incidents highlight the growing convergence of geopolitical conflict and cyber operations.
Critical infrastructure operators face an evolving threat landscape in which state-sponsored actors are developing specialized capabilities for industrial environments and actively testing them against real-world targets. Fuel monitoring systems may represent only one component of that ecosystem, but the lesson is clear: operational technology remains an exposed and increasingly consequential target across every sector that relies on it.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.