Protecting Clock Synchronization: Adversary Detection through Network Monitoring

Today, industrial networks are often used for safetycritical applications with real-time requirements. The architecture of such applications usually has a time-triggered nature that has message scheduling as a core property. Real-time scheduling can be applied only in networks where nodes share the same notion of time, i.e., they are synchronized. Therefore, clock synchronization is one of the fundamental assets of industrial networks with real-time requirements. However, standards for clock synchronization, i.e., IEEE 1588, do not provide the required level of security. This raises the question about clock synchronization protection. In this paper we identify a way to break synchronization based on the IEEE 1588 standard by conducting a man-in-the-middle (MIM) attack followed by a delay attack. MIM attack can be accomplished through e.g., Address Resolution Protocol (ARP) poisoning. Using AVISPA tool we evaluate the potential to perform an ARP poisoning attack. Next, an analysis of the consequences of introducing delays is made, showing both that the attack can, indeed, break clock synchronization and that some design choices, such as a relaxed synchronization condition mode, delay bounding and using knowledge of environmental conditions, can be made to make the network more robust/resilient against these kinds of attacks. Lastly, network monitoring is proposed as a technique to detect anomalies introduced by an adversary performing attacks targeting clock synchronization. The monitoring capabilities are added to the network using a Configuration Agent, which, based on data obtained from the network, is able to detect an attack. The main contribution of the paper is a detailed problem description and evaluation of a security vulnerability in IEEE 1588 against delay attacks together with an evaluation of several approaches as possible mitigation techniques for the attack.