Monitoring for Securing Clock Synchronization

Sammanfattning: In today's society, more and more embedded computer systems are connecting. There are many different types of embedded systems including industrial networks, Internet of Things (IoT), distributed control systems, connected vehicles, etc. Most such cyber-physical systems (CPS), regardless of their specifics, have a communication part that enables data exchange between system entities and external entities. Today, many commercial systems adopt heterogeneous solutions including a combination of wired and wireless communication. Using both technologies together brings benefits in terms of flexibility and reliability, but it also imposes new challenges, such as maintaining system security. Security of connected CPS therefore becomes paramount to address.One of the most critical properties of CPS is related to timing, as the vast majority of all CPS have real-time requirements due to interaction with a physical process, and communication therefore follows some kind of schedule with deadlines. In time-triggered networks, transmissions occur at pre-defined instants in time, but also in event-driven communication, data usefulness can be based on a timestamp, and consequently, to judge data validity and order of events, nodes need to interpret the received timestamp based on its own time. Both implementations make clock synchronization an essential network asset. Therefore, the first step in securing CPS is an investigation of ways to break clock synchronization. The next step is development of a solution that allows detection of malicious influence in the system and mitigates its consequences.In this thesis, a threat model and a vulnerability analysis of clock synchronization is built upon IEEE 1588, a standard widely used in industry for establishing and maintaining clock synchronization. As a mitigation strategy, a distributed monitoring solution is proposed to detect if an adversary is influencing clock synchronization in the network. The monitor strategy is based on dynamic rules for switching between different network states: no adversary present, quarantine mode and attack detected. Next, game theory is used to investigate the interaction between an adversary and the monitor. Furthermore, the time chase between an adversary and the monitor is examined to see how the monitor strategy influences the outcome of the adversary actions. Safety and security interaction is also considered to see which implications the proposed security solution has on the safety domain. Finally, the monitoring approach is abstracted and analyzed for different estimations of channel reliability to investigate the applicability of the solution in different settings, and as a result a methodology for black channel state manager design is presented.