# 909 Exposed Tank Gauges: OT Critical Infrastructure on the Open Internet
909 US fuel tank gauges sit on the public internet, and CISA says attackers are running commands on them. A look at why OT critical infrastructure is invisible to endpoint security — and what actually sees it.
On 5 June 2026 the Shadowserver Foundation counted 1,061 automatic tank gauge (ATG) systems answering on the public internet over port 10001/tcp — 909 of them in the United States — after filtering out the honeypots that crowd the adjacent 8001 and 9001 ports. The day before, CISA and seven other US agencies — the FBI, NSA, Department of Energy, EPA, TSA, Department of Transportation and USDA — issued a joint advisory warning that attackers are already inside some of these devices, running commands and changing their configuration. This is not a theoretical exposure. It is a live one, and the device at the centre of it is a box almost nobody in the security org has ever logged into.
That gap — between what runs your endpoint agents and what actually keeps fuel from overflowing a tank — is the whole story.
## What an automatic tank gauge actually controls
An ATG is the small industrial computer that sits in the back office of a fuel station, a depot, an airport, or a hospital generator room. It measures the level, volume and temperature of product in underground storage tanks; detects leaks; and — critically — drives physical outputs: high- and low-level alarms, sirens, emergency shutoff valves, ventilation, and in some configurations the dispensers themselves. It is, in the language of the BleepingComputer report on the Shadowserver scan, the difference between a tank that stops filling and a tank that overflows.
The CISA advisory is unusually specific about what compromise looks like. Attackers are "compromising internet-exposed ATG systems and manipulating them through remote command execution," exploiting OS command-execution flaws and SQL injection to run arbitrary code, then altering "network settings, product identifiers, tank volume data, and pump controls" — and, in the part that should make any safety engineer wince, disabling system alerts. The named sectors are energy, chemical, food and agriculture, and transportation. These are not edge cases. They are the spine of physical supply.
## Why OT critical infrastructure is invisible to the security stack
Here is the uncomfortable mechanism. The security industry spent a decade building visibility around three assumptions: there is an operating system you control, you can install an agent on it, and it phones telemetry to a SIEM. An ATG breaks all three.
- You do not control the OS. It is a vendor-locked Linux build on a TLS4B, a Maglink LX, an OPW SiteSentinel — shipped, sealed, and updated on the vendor's schedule, not yours.
- You cannot install an agent. There is no EDR for a tank gauge. CrowdStrike, Defender, SentinelOne — none of them have a sensor that runs here.
- It does not phone home to your SIEM. The device's idea of logging is a serial console and a SOAP interface that was never meant to face the internet.
So the endpoint-centric stack is structurally blind to the exact assets a regulator now classes as critical. The reason 909 of these were found by an external scanner and not by their owners is that nothing the owners deployed was ever looking. The asset wasn't in the CMDB; the subnet wasn't in scope; the port wasn't in the firewall rule. Visibility stopped at the edge of what could run an agent, and the tank gauge lives one hop past that edge.
"We don't have OT exposure — our SCADA is air-gapped." Then explain the 909 devices on port 10001. Air-gap is an architecture diagram, not a measured fact. A maintenance contractor who needed remote access in 2019, a 4G modem someone added for convenience, a misconfigured NAT rule — and the gap is a bridge. The only way to know is to look at the wire.
## The vulnerabilities are real, rated, and old
This is not a single-CVE panic. The exposure has a documented pedigree.
| Source | Date | Finding |
|---|---|---|
| Bitsight TRACE | Disclosed Mar 2024, published Sep 2024 | 11 vulnerabilities across 6 models from 5 vendors; two OS-command-injection bugs in the Maglink LX rated CVSS 10.0; multiple authentication-bypass and hardcoded-credential issues at 9.8 |
| CVE-2025-58428 / ICSA-25-296-03 | Oct 2025 | Command injection in the Veeder-Root TLS4B SOAP interface, CVSS 9.4 (v4) / 9.9 (v3.1) — valid-credential RCE giving full shell on the underlying Linux host and lateral movement into the network |
| CISA + 7 agencies | 4 Jun 2026 | Active, in-the-wild manipulation of internet-exposed ATGs via command execution |
The Bitsight researchers spelled out the physical end state in plain terms: an attacker can overfill a tank and cause an environmental leak, disable leak detection, damage relays into permanent failure, or suppress the alarms an operator relies on to stop a refill. The affected models — Maglink LX and LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, Franklin TS-550 — span five vendors, which is the tell: this is a category weakness, not one bad product.
And it is not new. US officials suspect Iranian operators were behind a wave of ATG intrusions at American gas stations earlier this year, altering display readings on devices that in some cases had no password at all (per a CNN report in May 2026; investigators noted fuel distribution itself was not disrupted). The point of that campaign was not to drain a tank. It was to demonstrate reach into physical infrastructure — and exposed ATGs make that demonstration trivial.
## NIS2 already counts this as a regulated asset
For European operators the regulatory frame is no longer ambiguous. Under NIS2, energy (including fuel distribution and storage) and transport are essential entities. A fuel depot's tank gauge is in scope, and so is the obligation to manage and report incidents affecting it. The same logic runs through DORA for the financial sector's facilities and through sector-specific ICS guidance from ENISA and national CSIRTs. When an auditor asks "show me your asset inventory and your monitoring coverage for OT", most organisations cannot answer for the ATG, because, as above, nothing was watching it.
The compliance failure here is not a missing policy document. It is a missing measurement. You cannot attest to monitoring an asset you never inventoried.
## What sees a device that can't be agented
If the endpoint is unreachable, the only remaining monitoring surface is the network. Everything an attacker does to an ATG — the SOAP command-injection session, the credential reuse, the lateral pivot off the compromised Linux host, the configuration writes that disable an alarm — crosses the wire. That traffic is where the attack is visible while it happens, not in a post-incident forensic image.
This is the problem Zero Hunt's AI Traffic Analysis pillar was built for. A proprietary deep-learning model, trained on billions of PCAP sequences, runs on the appliance GPU at 2.7+ Gbit/s and watches the OT segment directly — no agent on the tank gauge, no cloud callback, no telemetry leaving the site. Its four inference heads (suspicious traffic, malware classification, attack-type identification, application fingerprinting) flag the anomaly that endpoint tooling cannot see: a never-before-seen external ASN opening a SOAP session to a device that has only ever spoken to the back-office PC, a command pattern that doesn't match normal polling, a sudden lateral connection from the gauge into the corporate VLAN. The device stays dumb and unpatchable; the network around it becomes the sensor.
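The three anomalies listed above (an external source opening a session to the gauge, a client that has never polled it before, and the gauge itself reaching into the corporate VLAN) can all be expressed as rules over plain connection records from a span port. The block below is an added illustration written for this article; it is not Zero Hunt's model, any ATG vendor's code, or a detection from the CISA advisory. The segment ranges, gauge addresses, the single sanctioned back-office poller and every flow record are constructed values for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumptions for the example: which ranges are ours, which hosts are gauges,
# and which host is the one back-office PC allowed to poll them.
ATG_PORT = 10001
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
OWN_SEGMENTS = (OT_SEGMENT, CORP_SEGMENT)
GAUGES = {"10.50.0.20", "10.50.0.21", "10.50.0.22"}
SANCTIONED_POLLERS = {"10.50.0.5"}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a passive sensor on the OT segment would report it."""
    src: str
    dst: str
    dport: int


def learn_baseline(flows: List[Flow]) -> Set[Tuple[str, str, int]]:
    """Record every (src, dst, dport) triple seen during a known-good window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def is_external(ip: ipaddress.IPv4Address) -> bool:
    """Anything outside our own segments is treated as the open internet."""
    return not any(ip in seg for seg in OWN_SEGMENTS)


def classify(flow: Flow, baseline: Set[Tuple[str, str, int]]) -> Optional[str]:
    """Return a reason string if the flow should alert, else None."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if flow.dst in GAUGES and flow.dport == ATG_PORT:
        if is_external(src):
            return "external source opened a session to a gauge"
        if flow.src not in SANCTIONED_POLLERS:
            return "unsanctioned internal client talking to a gauge"
        if (flow.src, flow.dst, flow.dport) not in baseline:
            return "sanctioned poller reached a gauge it never polled before"
        return None
    if flow.src in GAUGES:
        # A gauge only ever answers; it should never originate connections.
        if dst in CORP_SEGMENT:
            return "gauge initiated a connection into the corporate VLAN"
        if is_external(dst):
            return "gauge initiated an outbound connection to the internet"
    return None


def detect(flows: List[Flow], baseline: Set[Tuple[str, str, int]]):
    """Run every flow through classify() and keep the ones that alert."""
    alerts = []
    for f in flows:
        reason = classify(f, baseline)
        if reason:
            alerts.append((f, reason))
    return alerts


# Constructed records: a clean learning window, then a window with intrusions.
BASELINE_WINDOW = [
    Flow("10.50.0.5", "10.50.0.20", ATG_PORT),
    Flow("10.50.0.5", "10.50.0.21", ATG_PORT),
]
LIVE_WINDOW = [
    Flow("10.50.0.5", "10.50.0.20", ATG_PORT),      # normal polling
    Flow("203.0.113.7", "10.50.0.20", ATG_PORT),    # external source, port 10001
    Flow("10.10.4.9", "10.50.0.20", ATG_PORT),      # corporate host, not the poller
    Flow("10.50.0.5", "10.50.0.22", ATG_PORT),      # poller reaching a new gauge
    Flow("10.50.0.20", "10.10.1.50", 445),          # gauge pivoting into corp
    Flow("10.50.0.20", "203.0.113.9", 443),         # gauge calling out
]

if __name__ == "__main__":
    for flow, reason in detect(LIVE_WINDOW, learn_baseline(BASELINE_WINDOW)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The order of the checks matters: an external source is flagged before the allow-list is consulted, so a compromised poller address spoofed from outside still alerts, and the baseline test only runs for hosts that are already sanctioned, which keeps "new poller" and "new gauge" as separate findings.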
The exposure side closes from the other direction. Zero Hunt's change-triggered campaigns treat a newly internet-reachable asset as an event: when an ATG, a modem, or a forgotten NAT rule puts port 10001 on the perimeter, a full validation campaign fires within the hour — finding your own exposed gauge before Shadowserver, or an Iranian operator, finds it for you. The 10-agent generative engine then probes it the way an attacker would, with a per-target exploit chain backtested in the AI Gym before it ever runs in production, and signs each finding with an ECDSA evidence chain that answers the NIS2 auditor's question with a verifiable record instead of an assumption.
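The idea of treating a newly internet-reachable asset as an event, and the "misconfigured NAT rule" that turns an air gap into a bridge earlier in the article, can be checked from the firewall's own port-forward table without scanning anything. The block below is an added example for this article, not Zero Hunt's campaign engine and not any firewall vendor's export format: it diffs two snapshots of port-forward rules and raises an event for every new rule that either forwards the ATG service port or lands a host in the OT segment. The CSV layout, rule ids, addresses and comments are all constructed.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

# Assumptions for the example: the ATG service port and the OT range.
ATG_PORTS = {10001}
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed port-forward exports; the column layout is invented for the example.
SNAPSHOT_MONDAY = """\
rule_id,wan_port,proto,internal_ip,internal_port,comment
101,443,tcp,10.10.1.10,443,web portal
102,1194,udp,10.10.1.20,1194,vpn
"""
SNAPSHOT_TUESDAY = """\
rule_id,wan_port,proto,internal_ip,internal_port,comment
101,443,tcp,10.10.1.10,443,web portal
102,1194,udp,10.10.1.20,1194,vpn
117,10001,tcp,10.50.0.20,10001,contractor remote access
118,3389,tcp,10.50.0.5,3389,back office rdp
"""

RuleKey = Tuple[int, str, str, int]


def parse_rules(text: str) -> Dict[RuleKey, dict]:
    """Key each rule by what it actually exposes, not by its id, so a renumbered
    rule that forwards the same thing is not mistaken for a change."""
    rules = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (int(row["wan_port"]), row["proto"], row["internal_ip"], int(row["internal_port"]))
        rules[key] = row
    return rules


def risk(rule: dict) -> List[str]:
    """Reasons a single forward rule deserves attention; empty list means none."""
    reasons = []
    if int(rule["wan_port"]) in ATG_PORTS or int(rule["internal_port"]) in ATG_PORTS:
        reasons.append("forwards the ATG service port")
    if ipaddress.ip_address(rule["internal_ip"]) in OT_SEGMENT:
        reasons.append("lands in the OT segment")
    return reasons


def exposure_events(old_text: str, new_text: str) -> List[dict]:
    """Compare two exports and return one event per newly added risky rule."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    events = []
    for key in new.keys() - old.keys():
        rule = new[key]
        reasons = risk(rule)
        if reasons:
            events.append({
                "rule_id": rule["rule_id"],
                "wan_port": key[0],
                "internal_ip": key[2],
                "reasons": reasons,
            })
    return sorted(events, key=lambda e: e["rule_id"])


if __name__ == "__main__":
    for event in exposure_events(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY):
        print(f"rule {event['rule_id']}: WAN {event['wan_port']} -> {event['internal_ip']}: "
              + "; ".join(event["reasons"]))
```

Run against consecutive exports (nightly, or on every firewall commit) the diff is the trigger: an empty list means the perimeter did not change, and a non-empty one is the moment to validate the new exposure rather than waiting for an external scanner to report it.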
909 gauges were found by someone scanning from the outside. The operators who will sleep through the next campaign are the ones who can see the same wire the attacker uses — locally, continuously, and without waiting for a vendor to ship an agent that is never coming. See how the traffic model and continuous validation fit together, or talk to us about OT coverage. For the regulated-sector framing, our note on the manufacturing ransomware evidence gap covers the same NIS2 logic from the factory floor.