What the CISA Fuel Tank Advisory Means for OT Security

CISA, the FBI, the NSA, and the Department of Energy just issued a joint advisory warning: hackers are actively breaking into the systems that monitor fuel storage tanks across the United States.

These systems, called Automatic Tank Gauges (ATGs), are used at gas stations, fuel depots, chemical plants, and transportation facilities to track fuel levels, temperatures, and potential leaks. But they don’t just track data. They control pumps. They trigger safety alerts. They manage leak detection.

When attackers get in and start changing settings, it isn’t a data problem. It’s a physical infrastructure problem.

How are they getting in?

The methods aren’t new, and that is the part that should concern every organization running connected industrial equipment.

Attackers are getting in through:

  • Hardcoded credentials — factory-default usernames and passwords that were never changed
  • Authentication bypass — weaknesses that let someone skip the login process entirely
  • Command injection flaws — bugs that let an attacker run their own commands on the device
  • SQL injection — a technique that’s been on security professionals’ radar for over 20 years
  • Privilege escalation — once they’re in with limited access, they find ways to gain full control

None of these are exotic. They’re the first things a penetration tester checks. The reason they keep working is that these devices were never designed with security in mind, and they’ve never been tested.

Why are these systems so exposed?

Most ATG systems are old. They were built to do one job — monitor a tank — and security wasn’t part of the design. Over time, operators added remote access so they could check readings without being on-site. That connectivity is convenient, but it also puts these devices directly on the internet, where anyone can find them.

There’s also a common mindset in industrial environments: if it isn’t broken, don’t fix it. Updating firmware or changing configurations feels risky when a system is actively managing fuel at a facility, so patches don’t get applied, passwords don’t get changed, and systems that were set up years ago stay exactly as they were.

Attackers know this, and they look for it.

This isn’t just a fuel industry problem

The advisory is specifically about ATG systems, but the underlying issue applies to connected industrial equipment across every sector: manufacturing, utilities, agriculture, transportation, healthcare facilities. Any device that was built for operational use, connected to a network for convenience, and never properly secured shares the same risk profile.

If your organization runs equipment that fits that description, this week’s news is relevant to you.

Penetration testing finds this before attackers do

A penetration test on OT and IoT systems is specifically designed to find the kinds of vulnerabilities CISA flagged in this advisory: default credentials, authentication weaknesses, command injection, and the ability to escalate privileges once inside. It answers the question every operator should be asking: if someone targeted our systems today, could they get in?

For a lot of industrial environments, the honest answer right now is yes.

Reach out to the A-LIGN team to learn how OT and IoT penetration testing can help you find and fix these vulnerabilities before someone else does.