OTPulse
FeedAboutContact

OMNTEC Proteus Tank Monitoring (Update A)

Act Now9.8ICS-CERT ICSA-24-268-06Sep 24, 2024
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The OEL8000III K/X ATG Generation 3.0 tank monitoring device does not properly authenticate administrative actions, allowing an attacker on the network to perform administrative functions without credentials. Generations 3.5 and 4.0 are not affected. OMNTEC has not released a patch for Generation 3.0; the mitigation is to upgrade to Generation 3.5 or higher.

What this means
What could happen
An attacker could perform administrative actions on a tank level gauge without any credentials, potentially allowing them to modify operational settings, disable alarms, or trigger false readings that disrupt water or fuel inventory management.
Who's at risk
Water utilities, fuel distributors, and chemical plants using OMNTEC Proteus OEL8000III K/X ATG Generation 3.0 tank level monitoring devices. This affects legacy generation equipment used to measure and report tank inventory levels in storage operations.
How it could be exploited
An attacker on the network can send administrative commands to the OEL8000III Generation 3.0 device on its network port without providing credentials. The device accepts these commands and executes them, allowing the attacker to change configuration or operational parameters.
Prerequisites
  • Network access to the OEL8000III Generation 3.0 device
  • Device is reachable from attacker's network (Internet-accessible or compromised internal network)
  • No valid credentials required
Remotely exploitableNo authentication requiredLow complexityHigh CVSS score (9.8)Affects monitoring and control of critical infrastructureLegacy product with no vendor patch available—upgrade required
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
OMNTEC Proteus Tank Monitoring: OEL8000III_K/X_ATG_Generation_3.0OEL8000III K/X ATG Generation 3.0No fix yet
Remediation & Mitigation
0/4
Do now
0/2
WORKAROUNDImplement network firewall rules to restrict access to the OEL8000III device from Internet and untrusted network segments
HARDENINGMinimize direct Internet exposure of control system devices; verify the device is not accessible from the Internet
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade OMNTEC Proteus OEL8000III K/X ATG Generation 3.0 systems to Generation 3.5 or higher
Long-term hardening
0/1
HARDENINGIsolate tank monitoring device behind firewall from business network; use VPN for remote administrative access if required
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/d2a5e7c4-0585-44e5-9f58-664323dba897