Today, industrial networks are often used for safety-critical applications with real-time requirements. The architecture of such applications usually has a time-triggered nature that has message scheduling as a core property. Real-time scheduling can be applied only in networks where nodes share the same notion of time, i.e. they are synchronized. Therefore, clock synchronization is one of the fundamental assets of industrial networks with real-time requirements. Usually, standards for clock synchronization, i.e. IEEE 1588, do not provide the required level of security. This raises the question about clock synchronization protection.
We show that it is possible to break clock synchronization established according to IEEE 1588 by conducting a man-in-the-middle (MIM) attack combined with a following up delay attack. A MIM attack can be accomplished through e.g., Address Resolution Protocol (ARP) poisoning.
Network monitoring can be considered as a technique to detect anomalies introduced by an adversary performing attacks targeting clock synchronization. The monitoring capabilities can be added to the network using a Configuration Agent, which, based on data obtained from the network, is capable of detecting certain types of attacks.
We present an analysis of the consequences of the introduced delays. It shows that the attack can, indeed, break clock synchronization. A set of mitigation techniques is presented and evaluated for its applicability in the considered networks.