The Future of ATGs in UST Release Detection

Background - This paper considers the current adverse effects of Internet technology and cyber security on UST leak detection. It makes suggestions of new methods to minimize releases and it proposes a solution to reduce releases by making available widespread, low cost technology that leverages existing release detection equipment.

USTs and ATGs - Detecting leaks, also known as releases from Underground Storage Tanks (USTs), drove the development of Automatic Tank Gauges (ATGs). The ATGs detect leaks by measuring tank liquid levels and doing calculations as well as monitoring sensors. 
Over time, regulations stopped the use of single wall steel tanks and added sensors to detect fuel in sumps, dispensers and pipes. Present regulations for new installations require double walled tanks with interstitial or annular sensors leaving only fiberglass single wall tanks requiring volumetric calculation type leak detection.
Pressure Line Leakage Detection (PLLD) has gone one step further by shutting down pumping equipment if leaks are detected.

Suggestions - The evolution in leak detection reduces the likelihood and amount of fuel releases, but the regulations need updating to make best use of modern sensor based leak detection.
My first suggestion is to require continuous monitoring of sensors and instantaneous notification of releases so that immediate action can be taken to minimize releases. Although some States require continuous monitoring and instantaneous notification, EPA regulations, which are the basis of many State regulations, only require monthly monitoring. Monthly monitoring means that a release can continue undetected for up to a month. The volume of the release being proportional to the severity of the breach and the time it is undetected.
My second suggestion is to add interlocks that are triggered by sensor alarms, that shutdown equipment to minimize the release similar to PLLD. This will minimize leaks at unattended locations or when the location is closed, or when the attendant ignores or is unaware of notifications.

The Adverse Effect of ATG’s Remote Communications Capability - ATG’s inherent design and implementation adversely affect leak detection. The ATG’s remote communications over the Internet can invalidate the ATG’s use for leak detection and delay reporting sensor alarms. 
Most ATG’s include the capability of remote communications. At the time ATGs were designed, the available remote communications methods were fax, telephone modem and private satellite. For these technologies, simple plain text password protection was sufficient but rarely used as the communication technologies themselves provided protection. The password protection added complexity with little value.
When Internet connections became low cost and prevalent, and modem communications became unreliable due to digital telephone lines, the ATG manufacturers and third parties added communications capability so that the existing Internet connections, available in gas stations could be used instead of phone lines.
The communication capability is added via a convertor that connects between the Internet and the existing serial communications capability inherent in most ATGs. The unfortunate but important ramifications of using the Internet and convertor for communications along with the ATG’s pre Internet communications design results in: 

Non continuous monitoring of alarms.
The automatic alarm “call out” on event, implemented for fax and modem when an alarm occurs, is unavailable or is proprietary and very difficult to implement when Internet communications is added. When implemented, the “call out” feature is only used by the ATG manufacturer and not by monitoring services. As continuous polling for alarms is difficult and expensive, monitoring services may poll as little as once per day and a maximum of once per hour. This can result in releases continuing for up to 24 hours before action is taken.

Open access to ATG configuration that invalidates ATG leak detection. 
The existing inherent password security in ATGs is expensive to implement and easily hacked. Other security measures such as router/firewall and VPN protection are expensive to implement and maintain and also can also introduce site security problems. ATGs connected to the Internet with no or weak security allows anyone, located anywhere, to make changes in ATG configuration without being detected or identified. Configuration changes can easily cause false alarms, mask existing alarms, and cause tests to incorrectly fail or pass. Of great concern is that the ATGs do not detect or report meddling nor do they log changes to their configurations. This means that changes can be made then changed back at a later time. This creates “ghost” events that regulations require to be investigated but are time consuming and expensive to resolve. The convenience of remote access using the Internet can compromise the integrity of the leak detection process. Alarms and reports sourced by the ATG reported at both the fueling location and those reported by remote monitoring can be affected. The ease of access by unskilled hackers also makes fueling stations vulnerable to terrorist as well as Nation State cyber attacks on ATGs. These attacks could affect the logistics of fuel supply which is part of the US critical energy infrastructure. As of March 2018 over 5,000 ATGs can be accessed over the Internet by anyone from anywhere. Using simple, publicly available tools such as Telnet to connect and issue commands, access can be gained for monitoring and making configuration changes. These commands are documented in detail in the Veeder Root Serial Communications document, which is publicly available on the Internet. The list of sites and their Internet addresses is available to anyone via the Shodan web site.

The “Add a Brain” Solution - The solution I propose is adding a modern intelligent device which interfaces with the ATG which performs two functions:

1.  Provides continuous secure remote communication which is used for notifications and configuration. The communications includes secure user authentication and access control as well as logging so that the integrity of the ATG calibration and setup is maintained. The communication uses the “call out” principle and strong point to point encryption which eliminates the need for expensive Internet connections and networking equipment purchase and configuration. Call out technology makes sensor monitoring continuous. It’s low cost and self install makes it suitable and affordable for the 60% of fueling locations managed by “Single Owner Operators” thereby making effective leak detection much more widespread.

2. It includes the ability to create interlock logic using inputs from existing ATG sensors and alarms and remote relay outputs that can be located in the panels where they can easily interlock with pumps and dispensers. This concept avoids the difficulty and expense of hardwiring existing sensors to pumps and dispensers. There is no need to run wires to sensor locations nor deal with the intrinsic safety issues. In addition, the logic in the device can be programmed and monitored remotely and can be overridden remotely by authorized persons in the case of sensor failures. Logging creates an audit trail of what happened when, and who performed the override. 

The benefits of this solution are:

Repurposes existing sensors and ATG functions to provide better release detection AND adding interlocks in addition to notification. This flexibility provides the ability to implement future unknown requirements.

Serves the 60% of C-Stores where their lack of an Internet static IP address and their unmanaged local networks makes the serial to Internet convertor method unreliable and expensive to maintain.

Provides secure remote access for security updates and interlock logic programming.
Configuration management ensures calibration and simplifies periodic sensor testing.
Reduces the requirement for training of C-Store staff by moving responsibility to the monitoring and maintenance staff and giving 24x7 protection.

Is expandable, upgradable and low cost.

Simple DIY plug and play installation.

Generates “large data” so that leak detection implementation and effectiveness can be analyzed and improved.