An Analysis of Internal Attacks on PTP-based Time Synchronization Networks
Publisher
Saudi Digital Library
Abstract
The IEEE 1588 precision time protocol (PTP) is very important for many industrial sectors and applications that require time synchronization accuracy between computers down to microsecond and even nanosecond levels. Nevertheless, PTP and its underlying network infrastructure are vulnerable to cyber-attacks, which can stealthily reduce the time synchronization accuracy to unacceptable and even damage-causing levels for individual clocks or an entire network, leading to financial loss or even physical destruction. Of particular concern are advanced persistent threats (APT), where an actor infiltrates a network and operates stealthily and over extended periods of time before being discovered. Existing security protocol extensions only partially address this problem. This thesis provides a comprehensive analysis of strategies for advanced persistent threats to PTP infrastructure, possible attacker locations, and the impact on the clock and network synchronization in the presence of security protocol extensions, infrastructure redundancy, and protocol redundancy. It distinguishes between attack strategies and attacker types as described in RFC 7384 but further distinguishes between the spoofing and time source attack, the simple internal attack, and the advanced internal attack. Our analysis shows that a sophisticated attacker has a range of methodologies to compromise a PTP network. Moreover, all PTP infrastructure components can host an attacker, making the comprehensive protection of a PTP network against malware infiltration, as for example exercised by Stuxnet, a very difficult task. Some experiments were conducted to demonstrate the impact of PTP attacks, using a fully programmable and customizable man-in-the-middle device, thereby considering the two most popular PTP slave daemons, PTPd and PTP4l. In doing so, it determines suitable attack patterns and parameters to compromise the time synchronization covertly.
This thesis also contributes to the detection of PTP attacks and the attacker location using a trusted supervisor node (TSN). This node collects and analyses delay and offset outputs of monitored slaves as well as timestamps sent by Sync messages, allowing it to detect abnormal patterns in the data provided. Depending on the attack scope, the TSN uses two different algorithms to detect all PTP attacks. This proposal is in line with prong D as specified in IEEE 1588-2019.
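The supervisor idea above, sketched as an added example that is not the thesis's own algorithms: it applies the standard PTP offset and delay arithmetic, flags slaves whose reported mean path delay leaves a median/MAD baseline band, and classifies the scope. The slave names, thresholds, sample values and the comparison of Sync timestamps against the supervisor's own reference clock are all assumptions.

```python
from statistics import median

def offset_and_delay(t1, t2, t3, t4):
    """Standard PTP delay request-response arithmetic (all values in ns)."""
    ms, sm = t2 - t1, t4 - t3            # master->slave and slave->master intervals
    return (ms - sm) / 2, (ms + sm) / 2  # (offsetFromMaster, meanPathDelay)

def tolerance(history, k=6.0, floor_ns=50.0):
    """Median of a slave's clean history plus a MAD-based tolerance (assumed k, floor)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, max(k * 1.4826 * mad, floor_ns)

def flag_slaves(baseline, current):
    """Return the slaves whose current meanPathDelay left its baseline band."""
    flagged = set()
    for slave, history in baseline.items():
        med, tol = tolerance(history)
        if abs(current[slave] - med) > tol:
            flagged.add(slave)
    return flagged

def attack_scope(flagged, monitored, sync_error_ns, sync_tol_ns=1000):
    """Classify scope as 'network', 'local' or 'none'.

    sync_error_ns is the Sync origin timestamp minus the supervisor's own
    reference time (assumption: the supervisor has a trusted clock).
    """
    if abs(sync_error_ns) > sync_tol_ns or (monitored and flagged == set(monitored)):
        return "network"
    return "local" if flagged else "none"

# Constructed sample data (ns); not measurements from the thesis.
BASELINE = {
    "slave-a": [498, 502, 500, 501, 499],
    "slave-b": [610, 612, 608, 611, 609],
    "slave-c": [455, 450, 452, 449, 451],
}
# Clean exchange: 500 ns each way. Tampered exchange: 2000 ns added to the Sync
# path only, which shifts both offset and mean path delay by half of that.
CLEAN = offset_and_delay(1_000_000, 1_000_500, 1_001_000, 1_001_500)
DELAYED = offset_and_delay(1_000_000, 1_002_500, 1_001_000, 1_001_500)
CURRENT = {"slave-a": DELAYED[1], "slave-b": 611, "slave-c": 450}

if __name__ == "__main__":
    hit = flag_slaves(BASELINE, CURRENT)
    print(CLEAN, DELAYED, hit, attack_scope(hit, BASELINE, sync_error_ns=0))
```

Because a slave's servo steers its clock until the reported offset returns to zero, the persistent step in mean path delay is the more durable signal in this sketch.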