Blowing up Gas Stations for fun and profit
10-24, 09:30–10:00 (Europe/Luxembourg), Europe - Main Room

Since the war(s) broke loose in the last few years, a lot has been said about cyberwarfare, attacks on critical infrastructure, ICS/OT vulnerabilities, you name it. In this talk, we are going to talk about a specific set of ICS: Automated Tank Gauging (ATG) systems. These systems control the safe storage and management of fuel in critical infrastructures like gas stations, military bases, airports and hospitals.
We will discuss multiple (10) zero-day vulnerabilities that expose these systems to catastrophic risks, from environmental hazards to significant economic losses. Despite past warnings, thousands of ATG systems remain online, unprotected, and vulnerable to exploitation.
This talk will cover past ATG research, the new vulnerabilities found and their technical details, demonstrating how they can be exploited to gain unauthorized control over ATG systems. In the end, we will dive into our quest to cause physical damage remotely, in hopes of blowing up (our) gas station.


In recent years, an increasing number of cyber attacks have targeted critical infrastructure, especially since the war in Ukraine started. Automated Tank Gauging (ATG) systems are critical components in the infrastructure of fuel storage and distribution across various sectors, including commercial gas stations, military facilities, and emergency services. These systems monitor fuel levels, detect leaks, and ensure regulatory compliance, but they also present an alarming attack surface when exposed to the Internet and, by their very nature, an interesting target for malicious actors.
This presentation will cover the findings of both past and recent investigations, which identified multiple critical vulnerabilities in ATG systems from various vendors, as well as our quest to physically damage such systems remotely.
We will explore how these vulnerabilities can be exploited to alter system behaviors, disrupt fuel supply chains, and potentially cause significant physical and environmental damage, as well as other out-of-the-box scenarios.
We will show global prevalence data from our latest scans, and talk about both our coordination with CISA to responsibly disclose all these vulnerabilities and our efforts to mitigate these risks at a wider scale, on several fronts, one of which is raising awareness within the infosec community.

This session is for cybersecurity professionals, industrial system operators, and anyone interested in the security of critical infrastructure. Attendees will leave with a deeper understanding of the risks posed by ATG systems and how to secure them against potential attacks.

Pedro Umbelino currently holds the position of Principal Research Scientist at Bitsight Technologies and brings over a decade of experience in dedicated security research.
His eclectic curiosity has led to the uncovering of vulnerabilities spanning a gamut of technologies, highlighting critical issues in multiple devices and software, ranging from your everyday smartphone to household smart vacuums, from the intricacies of HTTP servers to the nuances of NFC radio frequencies, from vehicle GPS trackers to protocol-level denial of service attacks.
Pedro is committed to advancing cybersecurity knowledge and has shared his findings at prominent conferences, including BSides Lisbon, DEF CON, Hack.lu and RSA.