Can your gas station be hacked?
BY KERRY TOMLINSON, AMPYX NEWS
Cyber attackers are hacking into tank readers at gas stations in the U.S., according to CNN. Officials suspect Iran is behind the attack.
What does this mean for you at the gas pump?
Here’s what the attackers can do with this kind of hack and control.
THE TARGET
What keeps the gas flowing, or not flowing, at a gas station? A key part of the system is an automatic tank gauge, or ATG, which measures crucial things like how full the tank is, what the temperature is, and whether there are any leaks.
The ATG is part of an industrial control system. It sends the info to the station building to make sure all is well below.
But what if cyber criminals could get to this gauge and take control?
It turns out, they can. U.S. officials suspect Iranian cyber attackers have done that very thing with ATGs in the U.S., CNN reported. Other cyber attackers have boasted about hacking them in other countries as well.
"The fact is and remains, they are targeting ATGs as we speak," said research scientist Pedro Umbelino with the Bitsight TRACE security team.
SECURITY GAPS
The team investigated these tank gauges to see if they are vulnerable and how.
First, they found thousands of them around the world connected to the Internet with no security, easy for attackers to take over.
"And we are seeing more than 5,000 - 6,000 of these systems exposed in the U.S. alone. Completely vulnerable, in the open," he said in an interview with Ampyx News.
On top of that, some tank gauges have vulnerabilities in their design, so someone with evil intentions could cause trouble.
What could the attackers do?
Umbelino and his team tried it out. They hacked a small device connected to the tank gauge called a relay. They used automation to make it switch on and off again, quickly, more than 50 times a second. Not every relay setup is vulnerable like this. But this relay eventually caught fire.
OPEN FLAME
Fire at a gas station? That sounds risky. But there's good news.
"I don't think we will see, right now, gas stations start to blow up left and right," Umbelino said.
However, you don't need to actually blow up gas stations to cause trouble, Umbelino added.
If you control the gauge remotely, you could shut it down so no one can get gas. You could try to make the tank overflow, creating a spill that could be a health and safety hazard, including the possibility of an explosion.
Umbelino reported the vulnerability issues to the national Cybersecurity and Infrastructure Security Agency, which issued a series of security flaw advisories in 2024.
MASS PANIC
Attackers could try this hack at many stations across the country at the same time, attempting to trigger the same kind of chaos and panic as the Colonial Pipeline cyberattack in 2021, Umbelino said.
"They rushed to the gas stations. They started to buy. The supplies ran out. Supplies that would last two, three days ran out in hours," Umbelino said. "Imagine an attack on thousands of gas stations, and people reacting the same way. The effect will trickle down on society in a potential catastrophic way."
An explosion at a gas station would be destructive. But Umbelino said a mass shutdown could cause more damage.
"The implications of a wide-scale attack are much bigger than the actual explosion itself," he explained. "The panic buying, the lack of fuel for emergency services, for the police, for ambulances, that will put people in danger."
UNPROTECTED
Why are some of these critical devices not secure? Tank gauges and other similar industrial devices are often designed for reliability, not security. But now that everything is connected to the Internet, that kind of design can be a big security risk.
Fixing the problem isn't always easy, Umbelino said, so some people don't do it.
"I guess the easiest way is just to assume nobody will mess with your device and just use it as it is," he explained.
But cyber attackers are showing they will mess with gas stations, with attacks in Canada in 2023, in Iran in 2021 and 2023, and in the U.S. in 2025.
DIGITAL VS. PHYSICAL DAMAGE
Those attacks, however, hit financial and data systems.
The tank gauge attacks hit the actual physical devices that control the gas, a much more sensitive system because of the physical damage it can do.
So far, the suspected Iranian attackers have only changed the readings from the devices, no leaks yet, said U.S. officials in the CNN report.
But there is potential for more attacks, and not just at gas stations. The gauges show up at places like hospitals and airports with large backup generators and fuel tanks, as well as fuel storage companies.
What to do?
The researchers recommend that companies making tank gauges focus more on security. And companies using tanks and gauges need to check the gauges and make sure they're actually secure. Connecting them to the Internet without any security protection is dangerous.
This is not the first time these companies have heard this message. Other researchers have warned about poor ATG security for years, including in January 2015, August 2015, November 2022, September 2024, and 2026.
"We have to be proactive, have to think like attackers," Umbelino said. "We have to think the worst possible scenario can happen, and then test our solutions and test our defenses after figuring out what the problems are."