Protecting Clock Synchronization: Adversary Detection through Network Monitoring

Nowadays, industrial networks are often used for safety-critical applications with real-time requirements. Such applications usually have a time-triggered nature with message scheduling as a core property. Scheduling requires nodes to share the same notion of time, that is, to be synchronized. Therefore, clock synchronization is a fundamental asset in real-time networks. However, since typical standards for clock synchronization, for example, IEEE 1588, do not provide the required level of security, it raises the question of clock synchronization protection. In this paper, we identify a way to break synchronization based on the IEEE 1588 standard, by conducting a man-in-the-middle MIM attack followed by a delay attack. A MIM attack can be accomplished through, for example, Address Resolution Protocol ARP poisoning. Using the AVISPA tool, we evaluate the potential to perform a delay attack using ARP poisoning and analyze its consequences showing both that the attack can, indeed, break clock synchronization and that some design choices, such as a relaxed synchronization condition mode, delay bounding, and using knowledge of environmental conditions, can make the network more robust/resilient against these kinds of attacks. Lastly, a Configuration Agent is proposed to monitor and detect anomalies introduced by an adversary performing attacks targeting clock synchronization.

[1]  M. Ullmann,et al.  Delay attacks — Implication on NTP and PTP time synchronization , 2009, 2009 International Symposium on Precision Clock Synchronization for Measurement, Control and Communication.

[2]  T. Mizrahi A game theoretic analysis of delay attacks against time synchronization protocols , 2012, 2012 IEEE International Symposium on Precision Clock Synchronization for Measurement, Control and Communication Proceedings.

[3]  Mats Björkman,et al.  Towards secure wireless TTEthernet for industrial process automation applications , 2014, Proceedings of the 2014 IEEE Emerging Technology and Factory Automation (ETFA).

[4]  Sasikumar Punnekkat,et al.  A configuration agent based on the time-triggered paradigm for real-time networks , 2015, 2015 IEEE World Conference on Factory Communication Systems (WFCS).

[5]  Kang Lee,et al.  IEEE 1588 standard for a precision clock synchronization protocol for networked measurement and control systems , 2002, 2nd ISA/IEEE Sensors for Industry Conference,.

[6]  Sebastian Mödersheim,et al.  OFMC: A Symbolic Model-Checker for Security Protocols , 2004 .

[7]  Todd L. Heberlein,et al.  Network intrusion detection , 1994, IEEE Network.

[8]  Glenn A. Fink,et al.  A metrics-based approach to intrusion detection system evaluation for distributed real-time systems , 2002, Proceedings 16th International Parallel and Distributed Processing Symposium.

[9]  Moses Garuba,et al.  Intrusion Techniques: Comparative Study of Network Intrusion Detection Systems , 2008, Fifth International Conference on Information Technology: New Generations (itng 2008).

[10]  Biswanath Mukherjee,et al.  A network security monitor , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[11]  Albert Treytl,et al.  Validation and verification of IEEE 1588 Annex K , 2011, 2011 IEEE International Symposium on Precision Clock Synchronization for Measurement, Control and Communication.

[12]  Elisabeth Uhlemann,et al.  A Survey of Security Frameworks Suitable for Distributed Control Systems , 2015, 2015 International Conference on Computing and Network Communications (CoCoNet).

[13]  Kang B. Lee,et al.  Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems , 2004 .

[14]  Thomas P. von Hoff,et al.  Security for Industrial Communication Systems , 2005, Proceedings of the IEEE.

[15]  Peter Maynard,et al.  Investigating cyber-physical attacks against IEC 61850 photovoltaic inverter installations , 2015, 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation (ETFA).

[16]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[17]  Sasikumar Punnekkat,et al.  Learning the parameters of periodic traffic based on network measurements , 2015, 2015 IEEE International Workshop on Measurements & Networking (M&N).

[18]  Mats Björkman,et al.  Risk evaluation of an ARP poisoning attack on clock synchronization for industrial applications , 2016, 2016 IEEE International Conference on Industrial Technology (ICIT).

[19]  Maryam Var Naseri,et al.  Periodicity classification of HTTP traffic to detect HTTP Botnets , 2015, 2015 IEEE Symposium on Computer Applications & Industrial Electronics (ISCAIE).

[20]  David Tipper,et al.  ptp++: A Precision Time Protocol Simulation Model for OMNeT++ / INET , 2015, ArXiv.

[21]  Sebastian Mödersheim,et al.  OFMC: A symbolic model checker for security protocols , 2005, International Journal of Information Security.

[22]  Olivier Heen,et al.  A Security Protocol Animator Tool for AVISPA , 2006 .