
Four Agencies Warned About Exposed Fuel-Tank Gauges. We Ran the Hunt: 5,573 Are Sitting on the Internet Right Now.

  • Writer: Patrick Duggan
  • 1 hour ago
  • 4 min read

This week CISA, the FBI, the NSA, and the Department of Energy did something they do not do lightly: they issued a joint advisory. Four agencies, one warning. The target was Automatic Tank Gauges — the small industrial controllers that sit on top of fuel and liquid storage tanks at gas stations, airports, hospitals, military bases, and chemical plants, measuring what is in the tank and watching for leaks. The warning was that attackers are targeting the ones exposed to the internet. When four agencies co-sign a single page, the right response is not to read it and nod. It is to go find out how big the problem actually is. So we did.


The fingerprint of an exposed Automatic Tank Gauge is well known to anyone who has spent time in industrial-control-systems security. These devices speak a serial protocol over TCP port 10001, and they answer a specific command — the in-tank inventory request — by reporting their tank levels to whoever asks. They were designed in an era when "whoever asks" meant a technician on the same wire, not the entire internet. We searched the internet-wide scan data for devices answering that command on that port, and the count came back at five thousand five hundred and seventy-three. Two thousand three hundred and twenty-five of them are in the United States. The rest are scattered across China, Germany, Brazil, Singapore, Australia — every country with fuel infrastructure, which is every country.


Sit with that number for a second, because the abstraction hides the stakes. Five thousand five hundred exposed tank gauges is not five thousand five hundred spreadsheets. It is five thousand five hundred physical systems controlling or monitoring volatile liquids, each one answering questions from anyone on earth who knows to ask on port 10001. An attacker who can read the gauge knows your fuel levels and your delivery schedules. An attacker who can write to it can falsify a leak alarm, suppress a real one, or alter the configured tank limits that the overfill protections depend on. The worst case is not data loss. It is a physical-safety event at a facility that stores flammable liquid, triggered remotely, through a protocol that was never built to authenticate the person on the other end.


This is not theoretical, and it is not new, and that is exactly why we were positioned to react to this advisory in hours instead of weeks. The same class of exposed operational technology — internet-reachable industrial controllers speaking unauthenticated legacy protocols — is the playground of Cyber Av3ngers, the operational cyber arm of Iran's Islamic Revolutionary Guard Corps. We published, on April 28, that we had Cyber Av3ngers' water-plant command-and-control infrastructure in our indicator feed thirty days before CISA's advisory named the campaign. We have written more than sixty posts on the Iran-aligned ICS lineage. The pattern is always the same shape: find the exposed legacy controller, talk to it in its own old protocol, and either steal the picture or move the physical process. Tank gauges are the fuel-sector instance of the water-plant pattern. The advisory this week is the government catching up to a target class that has been soft and exposed and known for years.


What to do about it is, as usual, unglamorous and decisive. An Automatic Tank Gauge should never have port 10001 reachable from the public internet. Not behind a password — there often is not one — but simply not reachable. If you operate fuel or liquid storage with networked gauges, the single highest-leverage action you can take today is to confirm that the gauge's serial-over-TCP port is firewalled off from the internet entirely and reachable only from the specific monitoring systems that need it, on a segmented operational-technology network. Inventory your sites. Many operators do not know a given station's gauge is exposed because the exposure was introduced by a cellular modem or a remote-monitoring contractor, not by anyone who thought of it as putting an industrial controller online. The exposure is almost never a decision. It is an accident nobody audited.


The structural lesson is the one this whole platform exists to press. The hard perimeter holds; the soft surfaces bleed; and the softest, least-watched surface in critical infrastructure is the operational-technology layer — the controllers and gauges and programmable logic that run the physical world and were built before the internet was a threat model. A nation-state actor does not need a zero-day to take a fuel facility's tank gauge offline or lie to it. It needs port 10001 to be open, and five thousand five hundred times over, it is. The four agencies are right to warn. The number is the part they did not publish, and the number is the part that should move you: this is not a rare exposure to hunt for. It is a default condition to go correct, today, at every site you run.


We found the five thousand five hundred with a search anyone could run — including the adversaries who have been running it for years. The only question that decides whether your site is on tomorrow's incident report is whether you check port 10001 on your own gauges before someone in Tehran does.



