September 24, 2024 at 11:36AM
Infosec researchers disclosed 10 critical CVEs affecting Automatic Tank Gauge systems from various vendors, including Dover Fueling Solutions, OPW Fuel Management Systems, Franklin Fueling Systems, and OMNTEC. These vulnerabilities could allow full administrator privileges, potentially leading to physical and environmental damage. Despite efforts to work with vendors, some vulnerable devices still lack fixes.
From the meeting notes, we can gather that there are significant security vulnerabilities in various Automatic Tank Gauge (ATG) systems from different vendors, including Dover Fueling Solutions (DFS), OPW Fuel Management Systems (owned by DFS), Franklin Fueling Systems, and OMNTEC. These vulnerabilities, which have been assigned CVEs, grant full administrator privileges on the device application. They are also remotely exploitable and carry a low attack complexity.
The implications of these vulnerabilities are serious, as they could result in physical and environmental damage, including the potential for overflowing tanks, changing critical parameters, and disabling alarms. The affected ATG products are in use at various critical infrastructure facilities, such as gas stations, airports, government systems, manufacturers, and utility companies.
While some of the vulnerabilities have manufacturer-issued updates to mitigate the flaws, three still have no fix: those in OPW’s SiteSentinel fuel management system, OMNTEC’s Proteus OEL8000 tank monitoring device, and Alisonic Sibylla devices. It’s noted that patching these industrial control systems is challenging and may require physical intervention at the installation facilities.
Recommendations to address these vulnerabilities include placing critical systems behind firewalls, isolating them from business networks, and ensuring they are not accessible from the public internet. If remote access is necessary, a secure VPN should be used. In cases where vulnerabilities remain unmitigated, the advice is to disconnect the affected devices from the internet.
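The segmentation advice above, expressed as an added example of a Linux nftables ruleset on the router that sits between the tank-gauge segment and the rest of the site. This is illustrative code, not from the article or any of the named vendors; every address (the ATG segment, the business LAN, the VPN client pool, and the single maintenance jump host) is a constructed placeholder to be replaced with the site's own values.

```nftables
#!/usr/sbin/nft -f
# Added example; not from the original article. Addresses are constructed placeholders:
#   ATG/OT segment:         10.10.0.0/24  (tank gauges live here)
#   Business LAN:           10.20.0.0/24
#   VPN client pool:        10.30.0.0/24  (authenticated remote-maintenance users land here)
#   Maintenance jump host:  10.20.0.5     (the only business host allowed to reach the gauges)
# Loaded on the firewall that forwards between the ATG segment and everything else.

flush ruleset

table inet atg_segmentation {
    set atg_devices {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/24 }
    }
    set maintenance_hosts {
        type ipv4_addr
        elements = { 10.20.0.5 }
    }
    set vpn_clients {
        type ipv4_addr
        flags interval
        elements = { 10.30.0.0/24 }
    }

    chain forward {
        # Default deny: nothing crosses the segment boundary unless explicitly allowed.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # ATG devices must never originate traffic towards the public internet.
        ip saddr @atg_devices ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
            log prefix "ATG-EGRESS-BLOCKED " drop

        # Business LAN is isolated from the ATG segment, except for the maintenance jump host.
        ip saddr @maintenance_hosts ip daddr @atg_devices accept

        # Remote access reaches the gauges only through the VPN concentrator's client pool.
        ip saddr @vpn_clients ip daddr @atg_devices accept

        # Anything else aimed at the gauges (including internet-sourced scans forwarded
        # by a misconfigured edge) is logged and dropped.
        ip daddr @atg_devices log prefix "ATG-INBOUND-BLOCKED " drop
    }
}
```

Validate the file with `nft -c -f atg.nft` before loading it with `nft -f atg.nft`, and watch the kernel log for the two prefixes: `ATG-EGRESS-BLOCKED` entries mean a gauge is trying to talk outwards, which is worth investigating, and `ATG-INBOUND-BLOCKED` entries show exactly which hosts are still trying to reach the segment. The ruleset deliberately does not name ATG protocol ports, since the article does not; restricting the two accept rules to the maintenance ports documented by the vendor would tighten it further. For the devices the article says have no fix, the equivalent of the "disconnect from the internet" advice is to leave them in the ATG set with no accept rule at all.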
These takeaways provide a clear overview of the security issues identified in the meeting notes and their potential impact on critical infrastructure facilities.