Arbiter Systems created a new product that does not suffer from the GPS clock spoofing vulnerability in its 1094B clock, according to a report on ICS-CERT.
Arbiter Systems’ model 1094B GPS Substation Clock suffers from the remotely exploitable vulnerability.
An attacker who exploits this vulnerability may be able to affect the accuracy of the clock.
Arbiter Systems manufactures time clocks, power measurement, and power calibration products for use in electricity generation and transmission. These products see use primarily in the United States with minor deployment to South America and Europe.
An attacker with specialized radio equipment and knowledge could transmit signals that can disrupt the clock.
CVE-2014-9194 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.4.
No known public exploits specifically target this vulnerability. In addition, crafting a working exploit for this vulnerability would be difficult.
Arbiter Systems created a new product line, the 1200 series, which is not vulnerable to this type of attack.
Arbiter Systems plans to continue to sell the 1094B model clock, because it is difficult to spoof the GPS signal and not likely to happen. In the unlikely event the 1094B suffers a compromise, it is possible to recover it by removing and replacing the internal receiver battery.
Arbiter Systems plans to investigate the feasibility of changing this model to protect against this type of exploit.