Iran-Linked Fuel Infrastructure Cyber Intrusion Raises New Questions About U.S. OT Security Readiness
Key Highlights
- Recent cyberattacks on fuel systems highlight critical vulnerabilities in America's operational technology environment, particularly in outdated, internet-facing systems.
- Suspected Iranian-linked actors may be using these intrusions for reconnaissance, operational disruption, or as a foothold for deeper network access, raising national security concerns.
- Many fuel sector OT systems lack proper segmentation, cybersecurity controls, and monitoring, making them prime targets for nation-state cyber campaigns.
- Experts advocate for adopting Zero Trust microsegmentation and automated security practices to contain breaches and enhance resilience against future attacks.
- The incident renews debates over the adequacy of U.S. critical infrastructure cybersecurity policies, funding, and coordination, emphasizing the need for comprehensive, proactive defense strategies.
Critical infrastructure security experts, Federal departments aligned with CI, and recently depleted U.S. cybersecurity and intelligence agencies have been warning that it was not a matter of if, but when, aggressive state actors such as Iran would launch cyberattacks on this country’s infrastructure. That fear seems to have materialized.
CNN and several other major news outlets reported on Friday (May 15) that Federal officials and private-sector cybersecurity researchers are investigating what appears to be a coordinated cyber intrusion targeting fuel infrastructure technology used at U.S. gas stations and fuel distribution networks, an incident that is intensifying concerns about the cybersecurity resilience of America’s operational technology environment.
The attack reportedly targeted automated tank-monitoring and fuel-management systems, often referred to as “tank readers,” that help gas stations and distributors manage underground fuel storage, leak detection, pressure monitoring, and replenishment logistics. While the activity has not resulted in widespread fuel shortages or operational shutdowns, investigators are treating the incident as a serious warning sign because these systems frequently connect to broader industrial control system (ICS) and operational technology (OT) networks across the fuel supply chain.
Early intelligence assessments reportedly point toward Iranian-linked threat actors, though attribution remains preliminary and federal officials have not publicly identified a specific group.
“These highlight persistent flaws in the United States' critical infrastructure, and many outdated OT systems remain inadequately safeguarded and exposed to the internet. Although the current suspected Iranian breach incident appears limited and more of a nuisance than destructive, it highlights actual risks amid heightened threats,” says Chuck Brooks, President of Brooks Consulting International, with over 25 years of experience in industrial and government cybersecurity policy.
The incident comes amid escalating geopolitical tensions involving Iran, Israel, and the United States and follows repeated warnings from federal cybersecurity agencies that Iranian-affiliated hackers are increasingly targeting American critical infrastructure sectors, including energy, water, transportation, and industrial operations.
A Potentially Significant Entry Point
Unlike ransomware attacks focused primarily on financial extortion, the latest incident appears aimed at operational disruption and infrastructure manipulation. Security analysts say compromised fuel-monitoring systems could allow attackers to falsify inventory data, disrupt fuel-delivery schedules, trigger false environmental alarms, interfere with pump operations, or serve as an initial foothold for lateral movement deeper into petroleum distribution networks.
“Automatic tank gauges are a prime example of the industrial control systems that underpin our most critical physical infrastructure, silently monitoring fuel levels at gas stations, military bases, airports, and hospitals around the clock,” Bitsight Principal Research Scientist Ben Edwards explains. “What today's reported activity makes clear is that these systems are active targets, and the attack surface is larger than most people realize.”
In fact, recent research conducted by Bitsight shows that thousands of ATG systems remain directly exposed on the public internet, accessible to anyone who knows where to look, with new vulnerable systems appearing online every day. The risk extends far beyond data theft. Threat actors could overfill fuel tanks, trigger environmental disasters, disable critical safety alarms, or manipulate physical relays to cause permanent damage to equipment. This is not a theoretical threat; it is a documented and ongoing security failure that demands immediate action from both asset owners and policymakers.
Reports say Federal investigators are conducting a forensic analysis of affected monitoring systems while coordinating with fuel distributors, station operators, and infrastructure security teams to determine whether the activity was reconnaissance for future attacks or an attempted disruptive campaign.
Authorities are also monitoring for signs of lateral movement into broader fuel supply chain networks.
Why Iran Is Suspected
Although federal officials have stopped short of formally attributing the incident to Tehran, investigators reportedly identified several indicators consistent with previous Iranian cyber operations, and the U.S. has been at war with the country for almost three months.
According to cybersecurity analysts and intelligence reports, the tactics, infrastructure, and operational patterns resemble those of recent campaigns associated with Iranian state-aligned actors. The incident also follows multiple federal warnings issued earlier this year about escalating Iranian cyber activity targeting U.S. infrastructure.
John Gallagher, Vice President of Viakoo Labs at Viakoo, a California-based provider of automated IoT cyber hygiene, says that malicious hackers often target Operational Technology (OT) and IoT systems because, unlike IT systems inside data centers, they were often not designed with cybersecurity in mind, are not managed by IT professionals, and are spread far and wide.
“Because these are fuel pumps operated by gas stations and fuel distributors, it is also likely that their network access is not managed well. How many are on the gas station's guest Wi-Fi system versus being strictly controlled and monitored on separate networks?” asks Gallagher.
“It's unknown how many 'test runs' Iranian hackers have performed, or the depth of their intrusions. Ideally, if there were a quick, lightweight scanning method that fuel system operators could use to detect indicators of compromise, we would have a better sense of the scale of this issue.”
In April, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, and the Department of Energy jointly warned that Iranian-affiliated hackers were actively targeting programmable logic controllers (PLCs), SCADA systems, and internet-connected industrial devices used across American critical infrastructure sectors.
Analysts note that Iran’s cyber doctrine has increasingly emphasized asymmetric retaliation through targeting civilian infrastructure, particularly during periods of geopolitical escalation.
“The larger issue is that many of these OT systems were never designed with cybersecurity in mind. They were built for reliability and availability, not to withstand modern nation-state cyber threats. Unfortunately, many remain internet-facing, poorly segmented, and inadequately monitored,” argues Louis Eichenbaum, Federal CTO at ColorTokens, a San Jose firm specializing in Zero Trust microsegmentation solutions. “This is exactly why the cybersecurity conversation must move beyond prevention alone. We are never going to patch fast enough or prevent every intrusion. The focus now must be on resilience, assuming an adversary may gain access and ensuring they cannot move laterally or manipulate critical operations at scale.”
Eichenbaum adds that granular microsegmentation and Zero Trust principles are essential in OT environments because they help contain breaches, restrict unauthorized communications, and reduce the blast radius in the event of a compromise. The ultimate goal, he says, is not to stop every attack but to ensure that a localized intrusion does not become a catastrophic operational event.
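To make the segmentation argument above concrete, and to answer Gallagher's question about which networks can actually reach a tank gauge, here is a small Zero Trust flow audit. It is an added example written for this article, not code from ColorTokens, Viakoo, Bitsight or any fuel-system vendor. The zone addresses, the flow records and the ATG polling port (10001 is assumed here) are all constructed; the allow-list is the policy, and every flow it does not cover is reported as a finding.

```python
"""Zero Trust flow audit for a fuel-retail OT network.

Everything here is constructed for illustration: the zone addresses, the
flow records and the ATG polling port (10001 is assumed, not taken from the
article). The idea is the one Eichenbaum describes: decide which
communications are legitimate, then treat every other flow as a finding.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical site layout. The ATGs get their own VLAN; the only system
# permitted to poll them is the fuel-management server.
ZONES = {
    "atg_vlan": ipaddress.ip_network("10.10.20.0/24"),
    "fuel_mgmt": ipaddress.ip_network("10.10.10.5/32"),
    "corp_it": ipaddress.ip_network("10.10.10.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}
ATG_PORT = 10001  # assumed ATG service port for this example

# Allow-list of (source zone, destination zone, destination port).
# Anything not listed is a violation: default deny is the Zero Trust part.
POLICY = {
    ("fuel_mgmt", "atg_vlan", ATG_PORT),   # server polls the gauges
    ("corp_it", "fuel_mgmt", 443),         # staff use the server's web UI
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Violation:
    flow: Flow
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to a zone; longest prefix wins, unknown = external."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "external"


def audit_flows(flows):
    """Return a Violation for every flow the allow-list does not cover."""
    violations = []
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if (src_zone, dst_zone, flow.dport) in POLICY:
            continue
        if "external" in (src_zone, dst_zone):
            reason = "OT asset reachable from or talking to outside the site"
        elif dst_zone == "atg_vlan":
            reason = f"zone {src_zone} is not permitted to reach the ATGs"
        elif src_zone == "atg_vlan":
            reason = "ATG initiating a connection outside its zone (possible lateral movement)"
        else:
            reason = "flow not covered by the allow-list"
        violations.append(Violation(flow, src_zone, dst_zone, reason))
    return violations


# Constructed flow records, as a firewall or NetFlow export might show them.
SAMPLE_FLOWS = [
    Flow("10.10.10.5", "10.10.20.11", ATG_PORT),     # legitimate polling
    Flow("192.168.50.23", "10.10.20.11", ATG_PORT),  # guest Wi-Fi to gauge
    Flow("203.0.113.7", "10.10.20.11", ATG_PORT),    # outside address to gauge
    Flow("10.10.10.40", "10.10.10.5", 443),          # staff to server UI
    Flow("10.10.20.11", "10.10.10.40", 445),         # gauge to corp host
]


def main():
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"{v.flow.src} ({v.src_zone}) -> {v.flow.dst}:{v.flow.dport} "
              f"({v.dst_zone}): {v.reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed records, the audit reports three findings: the guest Wi-Fi client reaching a gauge, the outside address reaching a gauge, and the gauge itself opening a connection to a corporate host. The last one is the case Eichenbaum is most concerned with, since a device that should only ever answer the fuel-management server has no business initiating traffic anywhere else.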
A Familiar Pattern for Energy Infrastructure
The latest intrusion attempt reflects a broader trend of escalating cyber conflict involving fuel and energy systems worldwide.
In 2021, Iran itself experienced a massive cyberattack that disrupted approximately 4,300 gas stations nationwide after fuel management systems were compromised. Tehran blamed the United States and Israel for the operation.
That same year, the United States experienced the highly disruptive Colonial Pipeline ransomware attack, which triggered fuel shortages across the Southeast and exposed significant weaknesses in energy-sector cybersecurity preparedness.
Since late 2025, cybersecurity researchers say several Iran-linked groups, including Handala and other state-associated actors, have shifted beyond traditional espionage operations toward more disruptive campaigns targeting operational environments and critical infrastructure systems.
The concern among infrastructure defenders is that fuel infrastructure presents an especially attractive target because even localized disruptions can quickly create public panic, economic ripple effects, and supply chain instability.
The OT Security Problem
For many cybersecurity experts, the latest incident underscores longstanding concerns about America’s operational technology security posture.
Unlike enterprise IT systems, many industrial environments still rely on aging infrastructure, legacy software, internet-exposed devices, and minimal segmentation between corporate networks and operational systems.
Experts say the petroleum retail sector continues to face a range of serious cybersecurity weaknesses, including legacy industrial systems that remain directly connected to the public internet, poor segmentation between corporate IT and operational technology networks, and third-party vendor remote access pathways that can provide attackers with entry into sensitive environments.
Researchers also warn that many fuel operators rely on insecure telemetry devices and cloud-connected monitoring platforms that were designed for operational convenience rather than cyber resilience. Compounding the problem is the limited cybersecurity maturity of many independently operated gas stations and regional fuel distributors, which often lack dedicated security personnel, formal incident response plans, and advanced OT monitoring capabilities.
“This incident should serve as an important warning to every critical infrastructure operator in the United States. While no physical damage was reported this time, the implications are far more serious than simply manipulating fuel gauge readings on a screen,” says Eichenbaum. “Operational Technology (OT) environments rely heavily on Human Machine Interfaces (HMIs) and monitoring systems to give operators accurate situational awareness. If an adversary can compromise those systems and present false data, operators can be tricked into making dangerous decisions based on inaccurate information.”
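Eichenbaum's point about false data on an HMI suggests a defensive check that does not depend on the gauge being honest: reconcile what the gauge reports against records the gauge cannot alter, such as delivery tickets and point-of-sale volumes. The example below is added here for illustration and is not code from ColorTokens or any tank-gauge vendor. The tank capacity, readings, deliveries, sales figures and tolerance are all constructed; a real deployment would pull them from the operator's own systems.

```python
"""Plausibility check for automatic tank gauge readings.

Constructed example: the capacity, readings, deliveries and sales figures
are invented, and the tolerance is a parameter the operator would tune.
The check reconciles what the gauge reports against independent records
(delivery tickets and point-of-sale volumes), so a gauge that is frozen,
spoofed or fed false data stands out even when the HMI looks normal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    hour: int
    reported: float   # gallons the gauge reported at the end of the hour
    delivered: float  # gallons per delivery tickets during the hour
    sold: float       # gallons per point-of-sale totals during the hour


@dataclass(frozen=True)
class Anomaly:
    hour: int
    reported: float
    expected: float
    reason: str


def check_readings(capacity: float, opening_level: float, readings, tolerance: float):
    """Flag readings that contradict physics or the sales/delivery ledger.

    The expected level is carried forward from the last trusted value: a
    reading that passes becomes the new baseline, a flagged reading does not,
    so one bad value is reported once instead of poisoning later comparisons.
    """
    anomalies = []
    previous = opening_level
    for r in readings:
        expected = previous + r.delivered - r.sold
        if r.reported < 0 or r.reported > capacity:
            reason = f"reported level outside physical range 0..{capacity:.0f}"
        elif abs(r.reported - expected) > tolerance:
            reason = "reported level disagrees with deliveries and sales"
        else:
            reason = None
        if reason:
            anomalies.append(Anomaly(r.hour, r.reported, expected, reason))
            previous = expected   # keep the ledger-derived value as baseline
        else:
            previous = r.reported
    return anomalies


# Constructed ledger for one tank over six hours.
TANK_CAPACITY = 12000.0
OPENING_LEVEL = 6000.0
SAMPLE_READINGS = [
    Reading(1, 5600.0, 0.0, 400.0),
    Reading(2, 5250.0, 0.0, 350.0),
    Reading(3, 10950.0, 6000.0, 300.0),   # delivery received this hour
    Reading(4, 10450.0, 0.0, 500.0),
    Reading(5, 10450.0, 0.0, 450.0),      # gauge value frozen while fuel sold
    Reading(6, 15000.0, 0.0, 400.0),      # impossible value above capacity
]


def main():
    for a in check_readings(TANK_CAPACITY, OPENING_LEVEL, SAMPLE_READINGS, tolerance=100.0):
        print(f"hour {a.hour}: reported {a.reported:.0f}, expected {a.expected:.0f}: {a.reason}")


if __name__ == "__main__":
    main()
```

On the constructed ledger the first four hours reconcile, hour five is flagged because the gauge reports the same level although 450 gallons were sold, and hour six is flagged because no reading can exceed the tank's capacity. The value of the check is that an operator sees the disagreement between two independent sources rather than a single number that looks fine on the screen.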
Experts say the petroleum retail sector faces unique challenges because thousands of gas stations are independently operated, unevenly regulated, and often lack dedicated cybersecurity personnel or mature incident response capabilities.
Questions About U.S. Cyber Preparedness
The incident has also reignited debate over whether America’s cybersecurity preparedness, particularly within critical infrastructure sectors, has failed to keep pace with evolving nation-state threats.
Critics argue that fragmented regulation, inconsistent security standards, aging OT environments, and insufficient mandatory cybersecurity requirements have collectively left U.S. infrastructure exposed.
Some analysts and lawmakers have further criticized what they describe as instability and resource strain within federal cyber agencies during the current administration.
Critics argue that the nation’s cybersecurity posture has been weakened by delayed modernization of critical infrastructure security mandates, inconsistent funding for local utilities and infrastructure operators, leadership turnover within federal cyber agencies, and persistent gaps in public-private information sharing and coordination. Together, they say, these issues have slowed efforts to strengthen resilience across critical infrastructure sectors at a time when nation-state cyber threats against operational technology environments are rapidly escalating.
“A pipeline shut down. A water authority breached. Ambulances and ships diverted. An automaker idled for weeks. Now a fuel tank reader. Shareholder value erodes, productivity stalls, lives are endangered, and credibility diminishes. Similar vulnerabilities lurk in the security systems of controllers, sensors, and actuators across all 16 critical infrastructure sectors,” says Steven Brown, Vice President for Prometheus Security Group Global in Texas. “It's time to reevaluate the wisdom of risks that have long been accepted or dismissed. A Zero Trust construct incorporating technology, processes, and procedures from the edge to the enterprise can counter these threats and mitigate their consequences, but only if applied comprehensively.”
Cybersecurity researchers have repeatedly warned that many OT security standards remain largely voluntary, particularly in sectors such as municipal utilities and petroleum distribution. Others caution against framing the issue as solely the result of any single administration’s policies.
Several former intelligence officials and infrastructure security experts note that Iranian cyber operations targeting U.S. infrastructure have persisted for more than a decade under multiple administrations and that many vulnerabilities predate current leadership.
That being said, Viakoo’s Gallagher stresses that security administrators can create strategies to help mitigate these evolving threats.
“To mitigate these risks, fuel system operators should urgently review their network setup and remove or block external network access. In addition, the manufacturers of fuel systems should provide guidance on key basic cyber hygiene requirements, such as how to set up multi-factor authentication, how to update firmware, and how to change passwords,” he explains. “These functions don't require manual changes to each gas pump (which would take forever and still leave these systems vulnerable); automated methods for firmware, password, and other security functions can make all fuel system operators capable of maintaining a strong cyber defense.”
Experts also emphasize that cybersecurity preparedness can no longer be viewed as solely an IT issue.
For now, federal officials say there is no indication of catastrophic disruption to fuel availability. But the incident serves as another reminder that relatively obscure operational systems can serve as gateways into nationally significant infrastructure networks, and that America’s cybersecurity preparedness challenges remain far from resolved.
About the Author
Steve Lasky
Editorial Director, Editor-in-Chief/Security Technology Executive
Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].