Adding Tank Gauge Security can facilitate C-Store Cyber Attacks
Unlike Kachoolie, firewalls and VPN's may protect the Tank Gauge, but make the C-Store and corporate networks vulnerable to the popular and common financial gain Cyber Attacks.
Apart from mischievious and terror Cyber Attacks, Tank Gauges are not a popular target because there is no apararent financial gain. Most attacks are for stealing credit card information, ransoms or using devices as cyber currency mills.
The two most popular and most effective Tank Gauge protection methods can enable the financial gain type cyber attacks on individual C-Stores and their corporate computers.
Here is how.
Router/Firewall Protection via an access control list (ACL), is a popular form of protection. It works by allowing only the messages from IP addresses in the ACL. In this case the IP's of polling computers, to reach the Tank Gauge.
The IP addresses of the monitoring service company computers must be common knowledge, and are difficult to change. Being known they can be targeted by phishing and other attacks. Once breached, hackers have access to the C-Store IP addresses which are then targets for focused financially motivated attacks. This single point breach at the monitoring service computers can provide unlimited monitoring AND configuration access to thousands of Tank Gauges. Far more than the present 7,000 unprotected gauges. Its very unlikely that the site information, name, address, IP address, port, password etc. are encrypted and securely stored at the monitoring companies. Even if they are, a malware task can easily monitor the unencryted traffic to the tank gauges and read the information.
VPN Protection requires providing the monitoring service, a third party, with access to the corporate network. The attacks on chains such as Target used credentials given to a HVAC contractor. VPN's only protect against Internet attacks. Unlike Kachoolie, they are network to network and not point to point. Once a VPN is breached, network connected devices and not only the Tank Gauge can be vulnerable. This article "It’s time to rethink using remote access VPNs for third-party access" illustrates this vulnerability.
If US fueling stations are considered to be "critical infrastructure" per the PRESIDENTIAL POLICY DIRECTIVE/PPD-21of Feb. 2013, then monitoring companies, could be considered to have significant security oversights that could allow hackers to gain remote access to thousands of fueling stations. They could face multi-million dollar penalties similar to the $2.7m settlement imposed on a power company.
