Iranian-linked hackers are believed to have targeted internet-connected fuel tank gauges at US petrol stations, in what security researchers describe as the latest example of long-standing industrial IoT vulnerabilities being exploited within critical infrastructure.
The incident has reignited criticism from security experts who argue that the underlying problem is not new, and not even particularly sophisticated, but rather a long-standing failure to secure widely deployed industrial IoT equipment.
“OK, so maybe we don’t have 100% attribution that this is Iran, but the pattern makes it seem highly likely,” said Denis Calderone, CTO of Suzu Labs. “Back in April, we saw the six-agency PLC advisory come out of the federal government pointing out that Iran had moved well past hacktivism and was actively pursuing operational disruption of critical infrastructure.”
“Attacking gas station tank gauges is a logical next target,” he added. “These automatic tank gauge (ATG) systems at US gas stations are internet connected and have been shown in the past to have no built-in authentication mechanism. Because these ATGs have not been better protected, despite repeated warnings from CISA, BitSight, Rapid7 and others, the front door has essentially been left unlocked.”
He added that the impact of such intrusions is less about physical tampering and more about degrading trust in operator visibility.
“The officials are saying actual fuel levels weren’t affected, but the real threat here isn’t someone changing how much fuel is in a tank. It’s someone changing what the operator sees on the screen. This is a similar concern to HMI and SCADA displays where if your monitoring system is showing you normal readings and the actual conditions are different, then you are making safety and operational decisions based on false data. Thinking about gas stations specifically, that means a leak could go undetected, an overfill condition could be missed, or equipment failures could be masked until something goes physically wrong. Display manipulation turns a monitoring system into a liability.”
Calderone added that the issue had been reported many times by security researchers. In 2015 Rapid7 documented over 5,800 exposed tank gauges with no passwords. And in 2024 BitSight reported thousands more. The research led CISA to issue multiple advisories.
“Researchers have been publishing on this for over a decade, but still these devices remain unprotected and vulnerable,” he said. “And yet here we are in 2026 with Iranian-linked actors accessing these same systems because they’re still sitting on the public internet with no credentials. The prescriptive advice hasn’t changed because it doesn’t need to: take these systems off the internet. If you need remote monitoring, put them behind a protective layer of some sort, like a VPN or some other form of a private network.”
For policy and product security specialists, the episode is less about attribution and more about accountability across manufacturers, operators and regulators.
Doc McConnell, Head of Policy and Compliance at Finite State, said the sector already has enough information to prevent repeat incidents.
“When we have evidence that fuel tank gauges have been exposed and subject to compromise for a decade, our biggest concern isn’t attributing the latest hack. We have everything we need to solve this problem: an understanding of the vulnerability, a specific fix, and evidence of urgency,” he said.
“This should be an immediate priority for everyone involved: for the gauge manufacturers that are selling their products with insecure configurations by default, for the gas station operators maintaining the tanks, and for the government regulators that set safety standards.”
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.
