Reckless Approaches to ATG Security
One buzz word getting more and more traction these days is the Internet of Things, or more simply known as the IoT. Essentially IoT is the intersection of seemingly normal, everyday devices with the internet, smartphones, and tablets. One example is the home thermostat that can be controlled from your smartphone, or the garage door opener that reminds you if you forgot to close it. In our industry, the ATG has also begun moving in this direction, but in a very thoughtless and reckless manner.

Recently Rapid 7, an internet security firm, revealed that:
"an Internet-wide scan on January 10th, 2015 identified approximately 5,800 ATGs with TCP port 10001 exposed to the internet and no password set."
For those who don't speak nerd, this basically means that Rapid 7 was able to access nearly 5,800 ATGs that are insecurely, and in our minds incorrectly, connected to the internet. You might be wondering what this means and what kind of threat actually exists. The researchers at Rapid 7 had this to say:
"An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown. Theoretically, an attacker could shut down over 5,300 fueling stations in the United States with little effort."
One reason this issue exists is that practically every monitoring service out there, including Veeder-Root Insite 360 and the Titan Cloud, uses a fetch/polling service. A fetch service requires that a site's network has an open firewall port to allow the monitoring company to retrieve the necessary information from the ATG. This opening in the firewall is where the vulnerability lies.

This is by no means the responsible way of doing things, especially for any tech-savvy monitoring company which may or may not have been listed as one of the "50 Most Promising Internet of Things Companies of 2014." Think about it for a moment. What's really more important to your business: "sub-second monitoring" and "high definition wet stock management," or a company that respects your data and does everything possible to protect it? Sorry, I just hate pretend buzz words. Oh, and just so you know: "sub-second" anything is just how computers and the internet work, and high definition is better suited to televisions, so we don't see the need to insert it all over our marketing materials and press releases.

Another response is a VPN gateway, which was suggested by Mr. Moore at Rapid 7. This is still not the answer. With a VPN, the device user is responsible for configuring the device's core security. The user should need to do some basic configuration, but not as much as a VPN would require. The Internet of Things is still in its infancy, and while ATG manufacturing and monitoring companies have had many chances to build in new approaches to security, most have failed to do so. More secure embedded operating systems and applications, more scalable approaches to continuous monitoring and threat mitigation, and new ways of detecting and blocking active threats are evolving and can be tremendously effective.

That being said, there is a safer, more responsible alternative to fetching services, called Push.
Push services are configured so that all necessary data is "pushed" from the IoT device, which in our case would be the ATG, to the cloud. This method does not require opening up the firewall and uses existing trusted security standards developed by the community to ensure that data is protected.

The push method typically requires an additional piece of hardware to be attached to the ATG, usually via a serial or ethernet port. The device collects the pertinent information from your ATG and pushes it to the cloud at standard intervals or when important triggers occur, such as alarms or warnings.

Rapid 7's findings highlight the careless disregard that some of our industry leaders have shown for their customers' information. Regardless of whether a company uses the push or fetch method, there are existing proven security standards that could be easily adopted and incorporated into these systems to ensure that these vulnerabilities are addressed by the ATG manufacturing and monitoring communities. IoT security is critical.

Here at PASS, we partner with companies that get it, like MyTankInfo. MyTankInfo's device connects to a site's ATG via serial or ethernet and utilizes the more secure push method. We have also developed a highly secure integration between MyTankInfo and PASS Tools which can display and report all relevant information from within PASS and notify customers of any pertinent activities recorded by the ATG.

Before choosing which company or brand of compliance/fuel monitoring to invest in, consider that for the price you pay, they better have your security in mind.

~Raymond Rees
Vice President, Operations
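The push model described above, as an added example that is not the post's code nor any vendor's: the device initiates every connection outbound, so no inbound firewall port (such as TCP 10001) is needed, and each message is HMAC-signed so the cloud can authenticate the device and detect tampering. The interval, alarm states, device id, key and the reading sequence are constructed assumptions; the outbound transport is injected (an HTTPS POST in practice).

```python
import hashlib, hmac, json
from typing import Callable, Dict, List, Optional, Tuple

PUSH_INTERVAL_S = 300                # routine reporting interval (assumed value)
ALARM_STATES = {"alarm", "warning"}  # readings that trigger an immediate push

class PushAgent:
    def __init__(self, device_id: str, secret: bytes, transport: Callable[[Dict], None]):
        self.device_id = device_id
        self.secret = secret          # per-device key provisioned out of band (assumed)
        self.transport = transport    # outbound sender, e.g. an HTTPS POST to the cloud
        self.last_push: Optional[float] = None
        self.last_status = "normal"

    def push_reason(self, now: float, reading: Dict) -> Optional[str]:
        # Push immediately on a new alarm/warning, otherwise on the routine interval.
        status = reading.get("status", "normal")
        if status in ALARM_STATES and status != self.last_status:
            return "alarm"
        if self.last_push is None or now - self.last_push >= PUSH_INTERVAL_S:
            return "interval"
        return None

    def poll(self, now: float, reading: Dict) -> Optional[str]:
        # Called each time the agent reads the ATG; returns the push reason, if any.
        reason = self.push_reason(now, reading)
        if reason is None:
            return None
        body = json.dumps({"device": self.device_id, "ts": now, "reason": reason,
                           "reading": reading}, sort_keys=True).encode()
        # HMAC-SHA256 over the body lets the cloud authenticate the device.
        sig = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        self.transport({"body": body, "sig": sig})
        self.last_push, self.last_status = now, reading.get("status", "normal")
        return reason

def verify(secret: bytes, msg: Dict) -> bool:
    # Cloud-side check of a pushed message (constant-time comparison).
    expected = hmac.new(secret, msg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"])

def run_demo() -> Tuple[List[Optional[str]], List[Dict]]:
    # Constructed reading sequence: (seconds, reading) pairs as an agent would see them.
    sent: List[Dict] = []
    agent = PushAgent("atg-demo-01", b"demo-secret", sent.append)
    readings = [(0, {"status": "normal", "volume": 4200}),
                (120, {"status": "normal", "volume": 4180}),
                (180, {"status": "alarm", "volume": 4175}),   # new alarm: push now
                (200, {"status": "alarm", "volume": 4175}),   # same alarm: wait
                (480, {"status": "alarm", "volume": 4150}),   # interval elapsed
                (500, {"status": "normal", "volume": 4150})]
    return [agent.poll(t, r) for t, r in readings], sent
```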