
According to reports from late last week, U.S. officials suspect Iranian hackers are behind a series of coordinated cyber breaches targeting fuel infrastructure technology at U.S. gas stations. More specifically, the hackers targeted automated tank monitoring and fuel management systems, which were breached via weak or non-existent password protections on internet-accessible controls.
The hackers manipulated display readings on instrumentation used by gas stations and fuel distributors to monitor underground fuel storage levels, pressure, leak detection, and replenishment logistics.
While the intrusions do not appear to have directly shut down any operations, officials are concerned because these systems are often connected to broader operational technology and industrial control system environments. Compromising them could allow attackers to manipulate inventory data, disrupt fuel deliveries, trigger false alarms, or potentially interfere with pump operations.
At this time, there is no evidence of equipment damage or personal harm, but the breaches have raised concerns that this kind of intrusion could lead hackers to bigger instrumentation manipulations, such as allowing a gas leak to go undetected. While investigators cannot prove that an Iranian group is responsible, there is a history of these bad actors targeting gas tank systems.
Industry stakeholders offered the following thoughts.
Denis Calderone, CTO, Suzu Labs
“OK, so maybe we don't have 100 percent attribution that this is Iran, but the pattern makes it seem highly likely. Back in April, we saw the six-agency PLC advisory come out of the federal government pointing out that Iran had moved well past hacktivism and was actively pursuing operational disruption of critical infrastructure.
"Attacking gas station tank gauges is a logical next target. These automatic tank gauge systems at U.S. gas stations are internet connected and have been shown in the past to have no built-in authentication mechanism. Because these ATGs have not been better protected, despite repeated warnings from CISA, BitSight, Rapid7 and others, the front door has essentially been left unlocked.
"The officials are saying actual fuel levels weren't affected, but the real threat here isn't someone changing how much fuel is in a tank. It's someone changing what the operator sees on the screen.
"This is a similar concern to HMI and SCADA displays where if your monitoring system is showing you normal readings and the actual conditions are different, then you are making safety and operational decisions based on false data.
“What's genuinely frustrating here is that none of this is new information. Rapid7 documented over 5,800 exposed tank gauges with no passwords back in 2015. BitSight found thousands more in 2024. This vulnerability research has resulted in CISA issuing multiple advisories. Researchers have been publishing on this for over a decade, but still these devices remain unprotected and vulnerable. And yet here we are in 2026 with Iranian-linked actors accessing these same systems because they're still sitting on the public internet with no credentials.
"The prescriptive advice hasn't changed because it doesn't need to: take these systems off the internet. If you need remote monitoring, put them behind a protective layer of some sort, like a VPN or some other form of a private network. Just like in April with the exposed PLCs, there just is no scenario where an unauthenticated fuel monitoring system should be directly reachable from the open internet.”
Louis Eichenbaum, Federal CTO at ColorTokens
"This incident should serve as an important warning to every critical infrastructure operator in the United States. While no physical damage was reported this time, the implications are far more serious than simply manipulating fuel gauge readings on a screen.
"Operational Technology environments rely heavily on Human Machine Interfaces and monitoring systems to give operators accurate situational awareness. If an adversary can compromise those systems and present false data, operators can be tricked into making dangerous decisions based on inaccurate information.
"In a gas station environment, manipulated tank readings could potentially lead an operator to overfill a tank, fail to detect a leak, or improperly manage pressure and fuel distribution systems. In other OT environments such as water treatment facilities, pipelines, manufacturing plants, or energy infrastructure, false telemetry could have even more severe consequences ranging from environmental damage to safety incidents and operational outages.
"The larger issue is that many of these OT systems were never designed with cybersecurity in mind. Unfortunately, many remain internet-facing, poorly segmented, and inadequately monitored. This is exactly why the cybersecurity conversation must move beyond prevention alone. We are never going to patch fast enough or prevent every intrusion. The focus now must be on resilience.
"Granular microsegmentation and Zero Trust principles are essential in OT environments. The goal is not simply to stop every attack, but to ensure that a localized intrusion does not become a catastrophic operational event. Today it was false tank readings. Tomorrow it could be manipulated safety systems, disrupted fuel distribution, or compromised industrial controls."
John Gallagher, Vice President of Viakoo Labs
"It's unknown how many 'test runs' Iranian hackers have performed, or the depth of their intrusions. Ideally, if there were a quick and lightweight method of scanning that could be performed by fuel system operators to discover indicators of compromise, we would have a better sense of the scale of this issue.
"To mitigate these risks, fuel system operators should urgently review their network setup to remove or block external network access. Additionally, the manufacturers of fuel systems should be providing guidance on key basic cyber hygiene requirements: how to set up multi-factor authentication, how to update firmware, how to change passwords, and so forth.
"These functions don't require manual changes to each gas pump (which would take forever and still leave these systems vulnerable); automated methods for firmware, password, and other security functions can make all fuel system operators capable of maintaining a strong cyber defense."