
Automatic tank gauge vendors alerted of software vulnerabilities in their products

If exploited, the vulnerabilities could give hackers full administrative access to critical networks found in the management systems for large fuel storage.

Some vendors for automatic tank gauge systems found in gas stations, airports, and hospitals around the U.S. have ignored warnings concerning multiple critical vulnerabilities, according to alerts from the Department of Homeland Security and a report from the cybersecurity firm Bitsight.

Bitsight TRACE researchers and the Cybersecurity and Infrastructure Security Agency worked together to disclose 10 vulnerabilities impacting five vendors that, if exploited, could give hackers full administrative access to critical networks found in the tank management systems for large fuel storage. While all of the CVEs in the release are rated critical, the vulnerability in the ProGauge MagLink tank console is rated 10.0.

Automatic tank gauge (ATG) systems are usually found wherever a large operation depends on precise monitoring of products like water or oil. ATGs are used to measure temperature and pressure inside giant fuel storage tanks for safety purposes, with convenient built-in virtual private networks or web servers for remote access.

“You can gain administrative privileges” via these vulnerabilities, said Pedro Umbelino, principal security scientist at Bitsight TRACE. “You can do pretty much whatever you can do, as almost if you are at the console clicking the buttons and changing all the settings. So you’re the owner.” 


The five products affected are: 

  • Proteus OEL8000, made by New York-based Omntec
  • Sibylla, made by Verona, Italy-based Alisonic
  • SiteSentinel, made by OPW, owned by Austin, Texas-based Dover Corporation
  • MagLink, made by ProGauge, also owned by Dover Corporation
  • TS-550, made by Wisconsin-based Franklin Fueling Systems

Umbelino, who discovered the vulnerabilities, found hundreds of these systems online around the world with simple research methods. He tracked these online devices during the disclosure process, comparing June with September 2024. Only a handful were taken offline.


The gauges are in use at airports, in government systems, and in manufacturing and utilities companies, according to the report. The U.S. is “the most affected country by far,” the report notes.


Bitsight did point out that Hollywood-style attacks like blowing up gas tanks require “a set of very specific circumstances” that “would have to align, some of them outside of an attacker’s control.”

However, the bugs are not complex and were not hard to find or to prove exploitable, Umbelino noted. Bitsight researchers exploited the bugs in various scenarios via their own physical ICS test bed.

The disclosure process was an unusually long one, said Jake Olcott, vice president of communications and government affairs at Bitsight. The usual 45-day wait with CISA stretched into a six-month affair as attempts were made to contact the vendors and mitigations were pursued. Some products were widely found on the web but were also end of life.

“We do believe in that responsive disclosure process and we wanted to give organizations a little bit more time to address some of the issues that we’ve learned to veer sort of on the side of caution,” Olcott said.

Three of the vendors — ProGauge, OPW, and Franklin — responded to CISA, providing mitigations or fixes. Alisonic and Omntec did not respond to CISA, and did not answer CyberScoop’s request for comment. 


Patching software related to industrial control systems is not as simple as patching other forms of software. Technology used in industrial operations cannot be taken offline due to its importance in operations. Additionally, this equipment can be in remote areas that — either due to isolation or basic labor shortages — make a simple patch untenable without connected devices.

This story was updated Sept. 24, 2024, to clarify a comment from Bitsight on large-scale attacks.
