On June 2, 2026, CISA and seven federal partners, including the FBI and NSA, issued a joint warning: cyber threat actors are compromising internet-exposed Automatic Tank Gauge systems across U.S. critical infrastructure and modifying their operation through command execution.
The systems at issue are mounted inside nearly every fuel retail location in North America. Automatic Tank Gauges, or ATGs, monitor underground storage tanks, track fuel levels and temperatures, detect water intrusion, support leak and overfill prevention, and help verify that delivered fuel actually made it into the tank. When they work as intended, they quietly protect environmental compliance and business continuity every day.
That scale matters. Industry counts from NACS, Canadian Fuels Association data citing Kalibrate’s 2024 National Retail Petroleum Site Census, and Mexican fuel-sector reporting put the number at roughly 148,000 fuel retail sites across North America. At that size, ATG exposure is not a niche concern. It is a broad operational resilience issue hiding inside everyday fuel retail infrastructure.
The risk is not only that an exposed ATG can become a path into the network. A compromise can also suppress leak detection, alter high-level thresholds or interfere with alarms and shutdowns. In other words, a remote configuration change can create operational and environmental consequences far beyond a traditional data security incident.
The practical response is to treat the ATG as a managed store technology asset: identified, owned, segmented, governed and assessed periodically. ATG security is not an unsolvable cybersecurity problem. For most fuel retailers, it can be managed through the same resilience practices already used across mature store environments: asset visibility, network segmentation, access governance, standard configuration baselines and periodic validation.
The ATG is not new technology. Neither is the vulnerability. What has changed is the operating environment around it. Many ATGs were connected long before store technology, operational technology and cybersecurity programs were managed as one environment. In many organizations, they still sit in a gray area between IT, facilities, vendors and operations. That ownership gap, more than the technology itself, is why ATG exposure continues to show up across the industry.
The vulnerability history still matters because it shows how long ATGs have sat outside normal technology governance. In the early 2000s, many were connected via public IP addresses, with little or no authentication and no meaningful firewall protection. The assumption was that no one would bother looking for a fuel monitoring controller online. That assumption turned out to be wrong.
Since then, public research and advisories have continued to document the exposure, from Rapid7’s 2015 finding of more than 5,800 internet-exposed ATGs to later vulnerability disclosures from Bitsight and CISA. The lesson is not simply that warnings exist. It is that many operators still need a consistent way to identify these devices, assign ownership and remediate risk across their estates.
What better ATG ownership looks like
The operators that manage this risk best do not treat ATGs as isolated facilities equipment or unmanaged vendor devices. They treat them as part of the connected store technology environment, with clear ownership, a known configuration baseline and a process for periodic review.
That starts with knowing what is deployed: manufacturers, models, firmware versions, store locations and the team or vendor responsible for managing each device. In acquired or franchised environments, this is often the most revealing part of the work because corporate IT may not know every in-store controller exists.
It also means verifying where ATGs sit on the network and whether segmentation is actually enforced. Assumed segmentation and verified segmentation are not the same thing. Operators need to know whether there is any path, direct or indirect, between the ATG network and payment, back-office or enterprise systems.
Access control is another key part of ownership. Default passwords, hardcoded vendor credentials and unreviewed remote-access configurations are common findings in ATG environments. A device configured years ago by a third-party service contractor may still have access paths that no one has reviewed.
Finally, better ownership requires standardization. When ATG models, firmware versions, network placement and credential practices are standardized, deviations become visible. Patch cycles become more manageable. When a new advisory affects a specific model, the organization can determine more quickly whether it is affected and at how many locations.
None of this requires operators to replace every ATG overnight. It requires treating the ATG as the networked store device it already is, with an accountable owner, a configuration baseline and a periodic assessment process.
Why ATG security is an operational resilience issue
The conversation about ATG security often drifts toward network intrusions and payment card data. Those risks are real, but they are not the whole story. The ATG's primary function is environmental and operational protection: monitoring inventory, water levels, temperature and ullage across underground storage tanks and triggering alarms or shutdowns when conditions exceed defined thresholds.
If an attacker suppresses leak-detection thresholds, a real underground release may not trigger an alarm. The console inside the store can continue reporting normal conditions. At the same time, fuel migrates into soil or groundwater, delaying discovery until an inspection, an inventory discrepancy, or a neighboring property complaint reveals the issue.
If high-level thresholds are altered, the impact can be immediate. A delivery that should trigger an automatic shutoff may continue until the tank overfills, creating a spill, a fire risk, a regulatory notification requirement and a remediation event.
For a large chain, either scenario can become an expensive and reputationally damaging incident. For a small independent operator or franchisee working on thin margins, cleanup costs, regulatory liability, permit risk and lost revenue can threaten business continuity. The point is not that every ATG exposure will lead to an environmental event. A remote configuration change may have consequences far beyond a traditional data security incident.
That is not a cybersecurity problem in the abstract. It is an operational, environmental and business risk that happens to have a cybersecurity cause.
Three exposure areas to prioritize
1. Environmental liability
The ATG controller is often the last line of automated defense between a compromised underground storage tank and an environmental incident. A tampered alarm threshold, whether it suppresses a leak or disables an overfill shutoff, can create a liability the business did not know it was carrying.
2. Operational disruption
Modern ATGs can be integrated with POS and fuel-controller systems. A critical alarm reported by the in-store console, whether real or fabricated, can trigger pump shutdowns to prevent equipment damage or environmental release. For a high-volume location, a multi-hour shutdown on a busy day is a measurable financial event. For a network of locations affected simultaneously, it can become a crisis.
3. Unmapped network paths
Thousands of ATG systems remain directly accessible over the internet. In many retail environments, the in-store controller may sit near back-office systems or, in some cases, POS infrastructure. The ATG can become a staging point for lateral movement into systems that were never supposed to be connected to it. The problem is often not malicious design; it is that no one drew the network path because the ATG was never on anyone's asset inventory.
Why scale makes the ownership gap harder to close
For multi-site operators, especially those that have grown through acquisition, ATG security has an additional dimension: they may not always know what they have or who owns it.
Rapid7's 2015 research noted that affected stations included major convenience store and truck stop brands, with exposure likely shaped by M&A activity and by stores that were not fully integrated with parent-company operations. A decade later, the same dynamic still appears in acquisition integration work. The acquirer inherits an ATG estate that may span multiple manufacturers, firmware versions, third-party service contracts, remote-access methods and credential practices.
At scale, the question is not only, "Which ATGs do we have?" It is also, "Who is accountable for them?" In many organizations, the answer varies by site, acquisition history, vendor relationship or franchise model. That inconsistency makes basic security questions harder to answer quickly: Is this model affected by the latest advisory? Which sites allow remote access? Are any ATGs reachable from payment systems? Who can approve a configuration change?
This is where standardization becomes a security control in its own right. An operator that has standardized ATG models, firmware versions, network placement, credential rotation and exception management has an advantage over one that has not. Deviations become visible. Patch cycles become manageable. When an advisory drops on a specific model, the organization can determine within hours whether it is affected and at how many locations. In a patchwork estate, that same question can take weeks to answer.
What an ATG security assessment should cover
A structured ATG security assessment does not need to be a lengthy engagement, but it should answer both technical and ownership questions. The assessment should cover:
- Asset discovery and ownership mapping: identifying manufacturers, models, firmware versions, store locations, service providers and the accountable team for each device.
- Network placement verification: confirming whether ATGs are isolated on dedicated VLANs, whether firewall rules enforce that isolation and whether there is any path between the ATG network and payment, back-office or enterprise systems.
- Credential and access-control review: identifying default passwords, hardcoded vendor credentials, unreviewed remote access and former contractor access that may still be active.
- Logging and configuration-change review: determining whether authentication events and configuration changes are logged centrally and retained for review.
- Standardization gap analysis: comparing sites against a defined baseline and creating a remediation roadmap for exceptions.
For acquired or franchised environments, the inventory and ownership work is often the most revealing part of the assessment. It is common to find in-store controllers that corporate IT did not know existed, managed through vendor relationships that predate the current operating model.
Closing the gap
The persistence of ATG exposure is less a technology failure than an ownership gap. These devices often sit between IT, facilities, operations and third-party service providers. Everyone depends on them, but no single team may be accountable for inventory, configuration, access, monitoring and remediation. The result is a device class that falls outside every security program without anyone making an explicit decision to exclude it.
Closing that gap is the practical path forward. Once ATGs are assigned an owner, included in asset inventories, segmented from sensitive systems and governed through standard access and configuration practices, the risk becomes measurable and manageable.
The question for fuel retailers is not whether ATG security is worth addressing. It is whether they want to address it through a planned resilience program or after an incident forces the issue.
Strengthen resilience across connected fuel retail operations
For fuel retailers, ATG security is a manageable risk when treated as part of the broader store technology environment. We help retail organizations strengthen operational resilience, modernize store infrastructure and address risks across increasingly connected retail environments.
Ready to learn more? Connect with a CGI expert to discuss how your organization can better understand and reduce risk across your fuel infrastructure.