Recent reports have provided a grim reminder to the cybersecurity community: AI is supercharging attacks on critical infrastructure, and geopolitical tensions are pouring fuel on the fire. Officials briefed on the matter have revealed that hackers suspected to be Iranian nationals have breached multiple Automatic Tank Gauges (ATGs) at U.S. gas stations, tampering with display readings and probing for deeper access.
At a time when we are all hyper-aware of global gas prices spiking, a threat to our local fueling stations feels like yet another volatile factor that could directly impact the end consumer and drive costs even higher. This anxiety is amplified as we mark the five-year anniversary of the devastating Colonial Pipeline cyberattack, a milestone that keeps both the industry and the public in a naturally heightened state of alert over fuel security.
To threat actors, these fueling stations represent a soft underbelly of our critical infrastructure. Armis understands this expanding, unseen attack surface. These recent breaches are a textbook example of why complete asset awareness in operational technology (OT) is no longer optional; it is a matter of urgent national and economic security.
What We Know
The targets of these latest attacks are Automatic Tank Gauges (ATGs). These devices do far more than just measure how much fuel is left in a tank; they monitor for hazardous leaks and coordinate inventory data with supply chains.
According to our Armis Labs analysis, the hackers found the systems exposed on the internet via Shodan and Censys. Most were read-only. The attackers also interacted with our ATG deception technology and could not do much with it. They did try to use AI to find out how to operate the devices. Ultimately, our data shows that the attackers gave up after a while.
This is not a new vulnerability, but rather an ongoing exposure crisis. Despite well-documented risks, thousands of ATG systems remain entirely exposed on the public internet, visible to anyone who knows where to look. If an adversary gains full control, the consequences escalate rapidly.
The immediate fallout of these specific risks includes:
- Blinded leak detection and disabled alarms
- Local water supply contamination
- Environmental damage
- Improperly managed pressure
- Fuel distribution system issues
- Economic sabotage
Why Is This Happening Now?
To understand why Iran is targeting these specific assets, we must look at the broader geopolitical playbook. Cyber operations offer nation-states a low-cost, easily deniable way to project power and signal capability against technologically superior adversaries like the United States.
Iran’s cyber doctrine has evolved aggressively since the 2010 Stuxnet virus disrupted its nuclear facilities. Tehran transitioned from simple website defacements to targeting industrial control systems (ICS) and programmable logic controllers (PLCs). Iran has tested these boundaries against U.S. targets before, for example in the 2011–2013 DDoS attacks on financial institutions.
A Reflection of Rising Critical Infrastructure Attacks
Are these gas station hacks an isolated incident? Absolutely not. They are part of a compounding trend of escalating attacks against Operational Technology (OT) and critical infrastructure. Threat actors are shifting their focus away from traditional IT data theft and toward OT disruption, recognizing that compromising the systems that control our physical world causes immediate psychological and economic shockwaves.
This systemic crisis extends far beyond the gas pump. The root issue is architectural: these legacy systems were engineered for uptime and reliability, not cyber defense. As a result, far too many critical industrial assets remain directly exposed to the internet, unsegmented, and completely unmonitored.
AI is Supercharging Attackers
AI is fundamentally changing the economics of cyberwarfare, shifting the advantage further toward the attacker. In the past, mapping out thousands of exposed ATGs or industrial control systems required tedious, manual scanning. Today, AI-driven attacks allow adversaries to automate reconnaissance and exploitation at an unprecedented scale:
- Automated Asset Discovery: Attackers use machine learning algorithms to rapidly parse massive datasets of internet-facing devices, instantly flagging unencrypted, unauthenticated, or misconfigured OT assets.
- Scalable Exploitation: AI allows threat actors to synthesize vulnerability reports and automatically generate exploit code tailored to specific legacy firmware versions in a fraction of the time it would take a human programmer.
- Speed and Integration: AI empowers adversaries to synchronize their technical cyberattacks with rapid-fire psychological or disinformation campaigns, magnifying the social disruption of a physical hack.
What’s Next?
When critical OT assets are deployed without the knowledge of security teams, or left exposed to the public web, they become immediate liabilities.
To defend against these evolving, AI-fueled threats, asset owners and policymakers must move away from reactive security and adopt a proactive cyber exposure management strategy. In alignment with CISA and federal partners, Armis recommends taking immediate defensive actions:
- Disconnect ATGs and OT Assets from the Public Internet: If remote access or polling is absolutely required, the device must be placed behind a secure VPN gateway.
- Enforce Strong Identity Management: Eliminate factory-default passwords immediately. Implement long, complex, and unique credentials.
- Deploy Industrial Firewalls: Put dedicated firewalls in front of legacy systems to filter unauthorized traffic and restrict incoming connections.
- Implement Strict Network Segmentation: Ensure that back-office and corporate networks are entirely isolated from OT assets. A breach in a payment or administrative system should never grant access to physical infrastructure.
- Maintain Continuous Visibility and Contextual Asset Data: Use an automated asset intelligence platform to continuously discover, monitor, and risk-assess every connected device on your network, ensuring no rogue internet-facing assets go unnoticed.
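As an added illustration of how the five actions above can be turned into a repeatable exposure check (example code written for this post, not an Armis product or the Armis Labs tooling), the script below scores a constructed fuel-site asset inventory against internet exposure, missing industrial firewall, OT/back-office segmentation, and default credentials. The VPN gateway range, corporate range, asset names, and inventory records are all assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Assumed site layout (constructed for this example): the only sanctioned path to
# OT assets is the VPN gateway subnet; the back-office/payment LAN must never reach OT.
VPN_GATEWAY_NET = ip_network("10.250.0.0/24")
CORPORATE_NETS = [ip_network("10.10.0.0/16")]
OT_KINDS = {"atg", "plc"}


@dataclass
class Asset:
    name: str
    kind: str
    allowed_sources: Optional[List[str]]  # CIDRs the firewall admits; None = no firewall
    default_password: bool


def is_public_source(net) -> bool:
    # 0.0.0.0/0 or any non-private range means the asset is reachable from the internet.
    return net.prefixlen == 0 or not net.is_private


def assess(asset: Asset) -> List[str]:
    """Return the hardening gaps for one asset; non-OT assets are out of scope here."""
    findings: List[str] = []
    if asset.kind not in OT_KINDS:
        return findings
    if asset.allowed_sources is None:
        findings.append("no_industrial_firewall")
        sources = [ip_network("0.0.0.0/0")]  # nothing filters traffic, so anyone can reach it
    else:
        sources = [ip_network(s) for s in asset.allowed_sources]
    if any(is_public_source(n) for n in sources):
        findings.append("internet_exposed")
    if any(n.overlaps(c) for n in sources for c in CORPORATE_NETS):
        findings.append("unsegmented_from_corporate")
    if asset.default_password:
        findings.append("default_credentials")
    return findings


def site_report(inventory: List[Asset]) -> dict:
    """Map each non-compliant asset name to its list of gaps."""
    return {a.name: assess(a) for a in inventory if assess(a)}


# Constructed sample inventory: one fully exposed ATG, one correctly placed behind the
# VPN gateway, one with no firewall at all, one PLC reachable from the back-office LAN.
INVENTORY = [
    Asset("atg-site-117", "atg", ["0.0.0.0/0"], True),
    Asset("atg-site-204", "atg", [str(VPN_GATEWAY_NET)], False),
    Asset("atg-site-305", "atg", None, False),
    Asset("plc-dispenser-1", "plc", ["10.250.0.0/24", "10.10.5.0/24"], False),
    Asset("pos-lane-2", "pos", ["10.10.0.0/16"], True),
]

if __name__ == "__main__":
    for name, gaps in site_report(INVENTORY).items():
        print(f"{name}: {', '.join(gaps)}")
```

Feeding the output into the asset intelligence platform's risk score turns each finding into a tracked exposure rather than a one-off audit note.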
The consequences of OT exploitation go far beyond data loss; they threaten environmental safety, economic stability, and public trust. As state-sponsored adversaries leverage AI to exploit legacy systems, defending our critical infrastructure requires an equal level of speed, intelligence, and total visibility. It’s time to secure the perimeter.