Are Suspected Iranian Intrusions Into Gas Station ATGs a Precursor to Larger Attacks?
Given the turmoil caused by the ongoing war in Iran, the attention being trained on high prices at the gas pump, and concerns over the vulnerability of critical infrastructure and OT, it is no wonder U.S. officials and cyberdefenders are alarmed that Iranian hackers may have targeted U.S. gas stations in a coordinated series of attacks.
So far, there is no forensic evidence attributing what CNN reported as attacks on automated tank gauge (ATG) and fuel management systems at the stations to any particular actor, and no physical harm was done. The suspected hackers apparently keyed in on tank readers that allow stations to monitor the fuel storage levels in underground tanks.
The intrusions ratcheted up concerns that the tank monitoring systems might serve as an entry point to the wider OT and ICS environments to which they connect. If that were the case, hackers could not only shut down fuel distribution systems but also tinker with inventory data, throw a wrench into fuel deliveries, and otherwise wreak havoc by triggering false alarms.
While evidence of who orchestrated the attack is in short supply, authorities suspect Iran because the country has engaged in similar exploitations in the past. “Iran has well-honed cyber warfare capabilities and has had them for some time. U.S. critical infrastructure operators have developed and frequently updated policies to secure their systems, such as NERC CIP-015 and similar,” says John Gallagher, vice president of Viakoo Labs at Viakoo.
Noting that this suspected exploitation “is a clear example of how geopolitical conflict no longer stays confined to traditional battlefields,” Louis Eichenbaum, federal CTO at ColorTokens, says, “When tensions rise between nation-states, critical infrastructure becomes an attractive target because it creates fear, disruption, and economic pressure without requiring a conventional military strike.”
Even a “minor” cyber incident against fuel, water, or energy systems, he says, “can send a strategic message: we can reach into your communities and affect daily life. CISA has warned that Iran-affiliated actors are actively targeting internet-facing OT and industrial control systems across U.S. critical infrastructure.”
What makes the intrusions even more worrisome and frustrating is that Iran, as Eichenbaum says, “does not need the most sophisticated cyber capability to create serious risk.” In this case, the ATGs sat there in the open, figuratively as naked as a jaybird, without password protection.
“The danger is that Iranian-affiliated actors have shown they can exploit exposed, poorly secured OT systems and use them for disruption, intimidation, and strategic signaling,” says Eichenbaum, meaning that “U.S. critical infrastructure providers cannot build defense strategies around the assumption that only highly advanced attacks matter.”
While cyberwar often walks hand in hand with or follows on the heels of kinetic warfare, Eichenbaum says that “the degree to which cyber warfare is being acted out is massively larger than actual incidents that occur or are reported.”
Many tests and small-bore examples done on the path to using cyber methods to create a larger-scale impact often go unnoticed, he says. “With better monitoring or tracking of them, we would have a better picture of real versus imagined impact of these threats.”
Damage or no, the ATG exploitations are another “warning that cyber defense can’t be left to piecemeal and manual methods” and must include structured, audited policies and “automated solutions to be compliant,” says Gallagher. “We will likely see OT and IoT systems governed within organizations no differently than IT cybersecurity is.”