Study Reveals New Security Threat at Fuel Stations

In recent years, motor fuel marketers have fixed their attention on the nightmarish problem of skimming, in which thieves plant small devices at the pump to extract customer data that can be used to counterfeit debit and credit cards. 
 
Another rampant crime is fuel theft, particularly where crooks break into dispensers and tamper with the meter to freely pump fuel at little or no cost or brazenly park a truck over an underground storage tank to siphon fuel.
 
However, in the Internet age, as more operations go online, another threat has surfaced – the possibility that a sophisticated theft ring, a vandal, even a terrorist, could hack into a gas station’s automatic tank gauges (ATG) to disrupt the alarm system or sabotage the gauge, shutting down the site’s fuel operations.  
 
Security software from Rapid7 ran an Internet scan in January discovering that 5,800 ATGs at fuel stations were exposed to the Internet without a password.  More than 5,300 of these ATGs are located in the United States (US), where there are about 150,000 fueling stations around the country.  
 
ATGs are used to monitor fuel-tank inventory levels, track deliveries, raise alarms that indicate problems with the tank or gauge, such as a fuel spill, and perform leak tests in accordance with environmental regulation.  The gauges are used by nearly every fueling station in the US and tens of thousands of systems internationally.  Many tank operators use ATGs to manage inventory remotely over the Internet.
 
“The vulnerability is due to the serial port connected to the ATG being exposed to the Internet without authentication,” said H.D. Moore, chief research officer at Rapid7.
 
An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms and locking monitoring service out of the system, Rapid7 said.
 
Tank-gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.
 
The thousands of vulnerable ATGs identified in Rapid7’s Internet scan on January 10 were primarily at gas stations, truck stops, and convenience stores.  A number of major brands and franchises were represented in the data set.  The actual number of ATGs exposed through modem access in unknown, the company said.
  
The majority of the ATGs appear to be manufactured by Veeder-Root, one of the largest vendors in this space, and were identified on IP ranges associated with consumer broadband services.
 
A Veeder-Root spokesperson said that there have been no reports of unauthorized access to ATGs. 
 
Rapid 7 said that it would be difficult to tell the difference between an intentional attack and a system failure.  No special tools are necessary to interact with exposed ATGs.  But, as a result of its recent scan, the company said that theoretically an attacker could shut down thousands of fueling stations “with little effort.”
 
New York ranks No. 1 on Rapid7’s top 10 states with exposed ATGs.  That list also includes Texas, Florida, Virginia, Illinois, Maryland, California, Pennsylvania, Connecticut, and Tennessee.
 
Article taken from Oil Express, Volume XXXVIII, Issue No. 6 dated February 9, 2015.