Security advisory: Bad timing – or how a master clock vulnerability could disrupt complex maritime control systems

Executive Summary
As the digital transformation in the maritime sector continues to accelerate, the complexity – and potential vulnerability – of integrated systems that support safe and efficient operations at sea grow. During a penetration test engagement for a major ship owner client, Mate J Csorba, PhD, and Zoltan Kato of DNV Cyber's Technical Assessments team discovered a vulnerability affecting a widely deployed master clock system, MOBATIME Network Master Clock. The finding was reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and published as advisory ICSA-24-345-01, following responsible disclosure with the equipment vendor. The finding itself highlights how even seemingly peripheral devices can become critical vectors for cyberattacks.

Alerts issued
CISA ICSA-24-345-01 and CVE-2024-12286

The hidden risk in time synchronization
When considering maritime cybersecurity risks, master clocks might not be the first devices that come to mind. However, these clocks play an essential role in modern ships, as well as in automation systems, both onshore and offshore, including in critical infrastructure. Onboard ships, they synchronise time across various onboard systems, ranging from navigation and communication to safety and engine control, ensuring reliable coordination and accurate timestamping for operations and logging.

Historically, time synchronization relied on relatively obscure protocols, such as NMEA, over serial lines, providing a degree of inherent protection. But as maritime systems increasingly adopt the Network Time Protocol (NTP) over Ethernet and TCP/IP for convenience and scalability, these clocks have essentially become network-connected devices, which opens up new possibilities for cyber exploits.
 
Anatomy of the vulnerability
The vulnerability identified by DNV in the network-connected master clock could allow for remote code execution. This means an attacker could potentially take control of the device and use it to move laterally further into the target network, an alarming scenario for any networked infrastructure. What makes this vulnerability increasingly critical is the typical architectural design, which mirrors that of many industrial control systems relying on NTP time synchronization.  

Typical Industrial Control System (ICS) architectures using central clock signal distribution utilize a flat network where multiple control systems are able to connect to a central clock server. While clock synchronization is meant to solely use the NTP protocol, strict network filtering rules are not always applied on these networks to limit access between the master clock and automation systems connected to this network.  

^{Potential access route via master clock to critical OT systems (simplified view)} 

Due to this architectural pattern, not only can the master clock and its exposed services, some of which also allow logins to the master clock (e.g., Telnet, or SSH), be accessed from multiple systems onboard, but also multiple automation systems can potentially be accessed from the master clock itself if there is a lack of proper segregation. The end result of this arrangement is that critical automation systems onboard, which are designed to be segregated from a cybersecurity perspective, are connected to a network considered trusted by these systems. However, this network in turn implements a choke point terminated in a potentially vulnerable device, the shared master clock.

An onboard technical assessment conducted by DNV revealed that proactive testing and collaboration with equipment manufacturers can uncover weaknesses before they are exploited in the wild. 
 
Implications for maritime cyber resilience
According to DNV’s assessment, exploitation of this vulnerability can lead to multiple critical scenarios for connected control systems. It could allow an attacker to disrupt time synchronization between connected systems, a scenario that is known to have led to undesired events, such as crashes in critical safety systems. Additionally, it could allow attackers to gain access to connected systems, using the master clock as a stepping stone to more critical assets onboard.

This vulnerability underscores a broader concern: the cyber resilience of a vessel is only as strong as its least secure device. Onboard networks often consist of multiple interconnected systems with varying levels of protection. Without strict network segmentation and robust monitoring, attackers can move laterally across these systems, compromising core operations.

If the master clock were compromised, its impact could ripple through dependent subsystems. Navigation logs may become unreliable, communication events could become misaligned, and automated operations might be thrown off schedule. In the worst-case scenarios, such disruptions could pose significant risks to crew safety and vessel maneuverability.

This becomes especially concerning as ships continue to digitize and become more autonomous, increasing their reliance on tightly coordinated systems. The ability to trust every timestamp, across every application, becomes not just a matter of efficiency, but also a critical factor for safety and compliance.
 
Remediation
The vendor of the device strongly recommends that all users update their devices to the latest firmware version available on their official website to address the identified vulnerability. As part of a broader mitigation strategy, users should ensure that control systems are not exposed to the internet, are placed behind firewalls, and remain isolated from business networks. If remote access is necessary, it should be secured using up-to-date VPNs, with the understanding that VPNs themselves must be properly maintained and monitored. Organizations are also encouraged to perform a thorough risk assessment before implementing any changes to critical ICS and network architecture. While there are currently no known public exploits targeting this vulnerability, aside from the proof-of-concept developed by DNV Cyber, a defense-in-depth approach and implementing monitoring strategies are advised. 

Conclusion and way forward
The master clock vulnerability we explored in this case serves as a reminder that maritime cybersecurity must account for every device on the network – no matter how seemingly innocuous. While the vendor has released firmware updates to address the issue, we encourage asset owners to ensure timely patching, verify proper segmentation of time synchronization systems and networks, and consider enhanced monitoring of clock traffic to detect anomalous behaviour.

For industrial control systems utilizing central clock distribution, the way forward lies in vulnerability assessments, proactive collaboration with industry partners and manufacturers, and taking a holistic view of cyber-risks – one that includes fundamental infrastructure like master clocks.

By addressing vulnerabilities like the one presented, before they can be exploited, we can help the maritime sector move toward a more resilient and secure digital future at sea.

    •    CISA - https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01
    •    CVE - https://www.cve.org/CVERecord?id=CVE-2024-12286
    •    Vendor page for firmware updates - https://www.mobatime.com/resource/282/dts-4801-masterclock

6/24/2025 7:38:00 AM