Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because 900+ ATG systems are confirmed actively exploited by named threat actors (including Iranian-linked groups) using hardcoded credentials and authentication bypasses — not theoretical exposure but ongoing, CISA/FBI/NSA/DOE-confirmed attacks against internet-facing OT assets with no authentication barrier. Impact is high because successful exploitation disables physical leak detection (triggering EPA enforcement, remediation costs, and potential facility shutdown), interrupts fuel supply at critical infrastructure sites, and carries environmental and safety liability that cannot be quickly reversed.
Treatment rationale: Active confirmed exploitation against internet-exposed OT systems with physical safety and environmental consequences makes transfer or acceptance untenable; immediate network isolation, credential remediation, and monitoring controls are the only viable primary response to reduce both likelihood and impact.
Third-Party / Supply-Chain Risk
Multi-vendor exposure across Franklin Fueling, Veeder-Root, and OPW creates a fragmented patch and remediation surface — asset owners depend on vendor firmware updates and vendor-specific hardcoded credential disclosures to close vulnerability windows, consistent with NIST SP 800-161 third-party dependency risk. Organizations operating mixed-vendor ATG fleets cannot apply a single unified control; each vendor's remediation timeline and disclosure posture independently affects residual risk. Shared platform risk is further elevated where ATG systems are connected to site-level or enterprise fuel management networks operated by third-party facility managers.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per incident for a mid-scale fuel operator; upper range applicable to critical infrastructure sites where environmental remediation, regulatory response, and operational shutdown compound
Frequency: For an internet-exposed ATG operator that has not isolated or patched: illustrative 1 incident within a 12-month window given confirmed active exploitation of this asset class across 900+ identified systems
Annualized: Illustrative ALE: $500K–$5M at 1x annual frequency for an exposed mid-scale operator; not meaningful to aggregate across the fleet without site-specific exposure data
Basis: Loss magnitude driven by three compounding cost categories specific to this threat: (1) environmental remediation and EPA/state enforcement response for an undetected fuel leak — cleanup costs for underground storage tank incidents are characteristically high due to soil and groundwater contamination scope; (2) operational shutdown and fuel supply interruption costs for the affected site, including lost revenue and emergency response; (3) regulatory penalty exposure under federal and state environmental statutes. Loss frequency is anchored to the confirmed active exploitation status and the scale of identified exposed systems, not generic ICS base rates. No third-party actuarial data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Environmental spill resulting from disabled leak detection may invoke EPA CERCLA liability and state environmental enforcement obligations — verify with counsel.
• Confirmed compromise of operational technology at a critical infrastructure site may trigger cyber-incident reporting obligations under CIRCIA or sector-specific regulations — verify with counsel on applicability and timeline.
• Physical damage or service interruption resulting from ATG manipulation may implicate cyber-insurance policy conditions distinguishing cyber-physical loss from traditional property loss — verify with broker.
• Fuel supply disruption at sites operating under government contracts or critical infrastructure designations may invoke contractual notification or continuity obligations — verify with counsel.
