Time travel for hackers: how clock spoofing threatens oil, gas, and industrial systems in Iran conflict


More than 1000 ships have been disrupted by GPS interference in the Gulf – but navigation is only part of the story. According to an oil and gas security expert, the real danger lies with manipulating time itself.

Since the outbreak of conflict involving the US, Israel, Iran, and the wider Middle East, incidents of GPS jamming – using a radio-frequency transmitter to block or interfere with the satellite signals receivers depend on – have surged, disrupting maritime traffic across the Persian Gulf and the Red Sea.


Maritime and energy infrastructure – particularly around the Strait of Hormuz, a critical throughway for the world’s oil supply – are increasingly in the line of fire.

But while much of the attention has focused on ships losing their bearings, industrial cybersecurity experts warn of a less visible threat: the disruption of time itself.

According to Michael Hoffman, an industrial control systems (ICS) cybersecurity expert and field CTO for Oil & Gas at Dragos, modern operational technology (OT) environments – from pipelines to power grids – depend heavily on highly accurate GPS-derived timing signals.

These signals are distributed internally using protocols like NTP, a widely used, standardized protocol designed to synchronize the clocks of computers, servers, and network devices to a common time reference, typically Coordinated Universal Time (UTC).

[Image] More than 1000 ships have been disrupted by GPS interference in the Gulf. Getty Images.

“From an industrial perspective, where it matters a lot is actually time,” Hoffman says.

“If you spoof GPS, what you can actually do is shift time back and forth.”

Michael Hoffman, an industrial control systems expert and field CTO for Oil & Gas at Dragos

That shift, he explains, can have cascading effects. Systems that rely on precise timing, such as those used in energy transmission (from plants to substations) or the physical transportation of substances like petrol, can become misaligned, generating incorrect data or behaving unpredictably.


Unlike jamming, which simply blocks signals, “spoofing” injects false ones, creating subtle but potentially serious disruption.

“Imagine your system suddenly thinks it’s a different time, then flips back again,” Hoffman says. “Now your control system doesn’t know what’s real.”

For operators who have long treated GPS as a trusted source, that assumption is rapidly eroding.

[Image] Oil and gas infrastructure around the Strait of Hormuz is in the line of fire. Getty Images.

“GPS used to be reliable,” he says.

“Now you need fallback methods. You need to validate time, not just trust it.”
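The "validate time, not just trust it" advice above can be made concrete. The following is an added example, not code from the article, from Dragos, or from any vendor: a small time-validation step that takes several candidate time sources (a GPS-derived reference and NTP peers; the names, the epoch-seconds representation, and the tolerances are all assumptions for illustration) and checks each one against a free-running estimate built from the last trusted time plus the locally measured elapsed interval. A source whose reported time jumps further than the configured step limit is rejected, and if too few sources remain the clock enters holdover (keeps running on its own oscillator) and raises an alert instead of following the jump. The demo walks through a constructed scenario in which the GPS time is shifted 30 minutes forward and then back, the "flip" Hoffman describes.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class TimeSample:
    source: str          # label for the source, e.g. "gps" or an NTP peer (constructed)
    reported_utc: float  # seconds since the Unix epoch, as claimed by that source


@dataclass
class ClockState:
    last_accepted_utc: float    # last UTC value we trusted
    monotonic_at_accept: float  # local monotonic clock reading at that moment


def expected_utc(state: ClockState, monotonic_now: float) -> float:
    """Free-running estimate: last trusted time plus locally measured elapsed seconds.
    The monotonic clock cannot be steered by any external source, so it is the
    reference against which a claimed time is sanity-checked."""
    return state.last_accepted_utc + (monotonic_now - state.monotonic_at_accept)


def validate_time(samples, state: ClockState, monotonic_now: float,
                  max_step: float = 1.0, min_agreeing: int = 2) -> dict:
    """Accept only sources within max_step seconds of the local estimate (tolerance
    value is an assumption; choose it from your oscillator's drift and poll interval).
    If fewer than min_agreeing sources survive, stay in holdover and report it."""
    expected = expected_utc(state, monotonic_now)
    accepted, rejected = [], []
    for s in samples:
        offset = s.reported_utc - expected
        if abs(offset) > max_step:
            rejected.append((s.source, round(offset, 3)))
        else:
            accepted.append(s.reported_utc)
    if len(accepted) < min_agreeing:
        # Holdover: keep the free-running estimate, do not step the clock, alert operators.
        return {"status": "holdover", "utc": expected, "rejected": rejected}
    chosen = median(accepted)  # median resists a single outlier among the survivors
    state.last_accepted_utc = chosen
    state.monotonic_at_accept = monotonic_now
    return {"status": "ok", "utc": chosen, "rejected": rejected}


def demo() -> list:
    """Constructed scenario: a spoofed GPS reference that shifts time forward, then back."""
    state = ClockState(last_accepted_utc=1_700_000_000.0, monotonic_at_accept=100.0)
    results = []
    # Round 1 (10 s later): GPS claims a time 30 minutes ahead; two NTP peers agree
    # with the local estimate to within tens of milliseconds.
    round1 = [
        TimeSample("gps", 1_700_000_010.0 + 1800.0),
        TimeSample("ntp-a", 1_700_000_010.02),
        TimeSample("ntp-b", 1_700_000_009.97),
    ]
    results.append(validate_time(round1, state, monotonic_now=110.0))
    # Round 2 (10 s later): GPS flips 30 minutes back and one NTP peer is unreachable,
    # leaving a single agreeing source, which is not enough to step the clock.
    round2 = [
        TimeSample("gps", 1_700_000_020.0 - 1800.0),
        TimeSample("ntp-a", 1_700_000_020.01),
    ]
    results.append(validate_time(round2, state, monotonic_now=120.0))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r["status"], round(r["utc"], 3), r["rejected"])
```

In round 1 the GPS sample is rejected and the two peers set the clock; in round 2 the controller stays in holdover rather than following the GPS jump backwards, and the rejected-source list is what a monitoring system would alert on. Real deployments would add a slew (gradual correction) rather than a step even for accepted offsets, and treat a repeatedly rejected primary reference as an incident, not noise.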

Hacktivist noise vs real OT threats

While clock spoofing represents a technical risk, much of the cyber activity currently making headlines is far less advanced, according to Hoffman, who remains cynical about the wave of hacktivist claims linked to the regional conflict.

“A lot of what we’re seeing is low-hanging fruit,” he says.

“They’re scanning the internet, finding exposed devices, and going after those not hardened environments.”

[Image] Pro-regime 'hacktivists' are typically scanning for "low hanging fruit". Image by Cybernews.

These campaigns often target internet-facing industrial assets and involve automated bots testing massive lists of stolen username/password pairs (credential stuffing), brute-force password guessing, or logging in with default passwords that were never changed.
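The activity just described leaves a recognizable trace in authentication logs, and spotting it is a detection problem rather than an exotic one. The following is an added example, not code from the article or from any product: a small detector that runs over constructed authentication log lines (the line format, the addresses, and the account names are all assumptions for illustration) and raises three kinds of alert: a burst of failed logins from one source within a time window, a successful login from a source that had just produced such a burst, and any successful login to an account the operator has listed as shipping with a default password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line format is an assumption for this example, not any vendor's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_credential_attacks(lines, window=timedelta(seconds=60), threshold=10,
                              default_accounts=frozenset({"admin"})):
    """Sliding-window detector for credential stuffing / brute force and default-account use.
    threshold and window are tuning assumptions; default_accounts is the operator's own list
    of accounts known to ship with vendor default passwords."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    burst_alerted = set()          # sources already reported, to avoid one alert per attempt
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                burst_alerted.add(ev["src"])
                alerts.append({"kind": "login_burst", "src": ev["src"], "user": ev["user"],
                               "ts": ev["ts"], "failures": len(q)})
        else:
            if len(q) >= threshold:  # success right after a burst: likely a guessed password
                alerts.append({"kind": "success_after_burst", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
            if ev["user"] in default_accounts:
                alerts.append({"kind": "default_account_login", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"], "failures": len(q)})
    return alerts


def build_sample_log():
    """Constructed log: 12 failures then a success for 'admin' from one address, a couple of
    stray failures from a second address, and a normal operator login from a third."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [f"{stamp(i)} auth result=FAIL user=admin src=203.0.113.5" for i in range(12)]
    lines.append(f"{stamp(12)} auth result=OK user=admin src=203.0.113.5")
    lines.append(f"{stamp(30)} auth result=FAIL user=operator src=198.51.100.7")
    lines.append(f"{stamp(31)} auth result=FAIL user=operator src=198.51.100.7")
    lines.append(f"{stamp(300)} auth result=OK user=operator src=192.0.2.10")
    lines.append("this line is not an auth record and is skipped")
    return lines


if __name__ == "__main__":
    for a in detect_credential_attacks(build_sample_log()):
        print(a["kind"], a["src"], a["user"], a["ts"].isoformat(), a["failures"])
```

The two failures from the second address stay below the threshold and produce nothing, which is the point of keeping a per-source window rather than counting failures globally. On real devices that cannot produce such logs at all, the same signal has to come from a network sensor watching the management protocol, which is the visibility gap discussed later in the article.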

In many cases, he adds, the impact is overstated.

“They’ll post a screenshot of an HMI and say, ‘look, we’re inside,’” Hoffman explains.

“But sometimes those screenshots are old, or from a completely different site. There’s a lot of misleading information designed to amplify the perception of access.”

Recent incidents, however, underline how this activity can blur into more serious disruption.

An Iran-linked group calling itself Handala claimed responsibility for a cyberattack on US medical device manufacturer Stryker, disrupting global IT systems and operations, including order processing and manufacturing.

[Image] The Stryker cyberattack affected IT systems, order processing and manufacturing. Samuel Boivin/NurPhoto via Getty Images.

While not an OT attack, the incident illustrates how hacktivist or proxy groups can escalate from nuisance activity into real-world operational impact.

According to Hoffman, who is also an industrial cybersecurity trainer at the SANS Institute, this aligns with a broader pattern seen in early-stage cyber conflict: visibility and psychological effect often take precedence over actual disruption.


“The initial phases are reconnaissance and intrusion attempts,” Hoffman says.

“Not immediate operational impact.”

CyberAvengers and the Unitronics problem

That said, there are actors capable of going further. Hoffman highlights the group commonly referred to as BAUXITE – overlapping with the “Cyber Avengers” persona – as one of the few capable of disrupting OT-based systems.

“They’re one of the groups that can actually do what we’d call a stage two attack,” he says, referring to operations that move beyond initial access to manipulating industrial processes.

This attacker’s preferred method involves targeting exposed programmable logic controllers (PLCs) – industrial-grade computers designed to automate, monitor, and control machinery – particularly those manufactured by the Israeli firm Unitronics.

[Image] Cyber Avengers' message in a hacked industrial system. Municipal Water Authority of Aliquippa (2023).

“If a system is poorly exposed, they’ll get in using basic methods,” Hoffman explains.

“But what they actually do is modify the PLC logic – the program that tells the controller how to operate.”

That modification can have immediate physical consequences.


“If you change that logic, the system doesn’t know how to function anymore. It’s a quick way to shut off water, disrupt a process – whatever that PLC is controlling.”

Unitronics devices, widely used in water, energy, and manufacturing sectors, have become a recurring target due to weak security practices, especially default credentials and direct internet exposure.

In the US, similar vulnerabilities have already been exploited in water utilities, where attackers accessed internet-exposed Unitronics controllers using default passwords, prompting CISA to issue warnings to utilities to ramp up their security.

The attackers brazenly left a digital calling card message following one attack on a Pennsylvanian water authority in December 2023.

It said: “You have been hacked. Down with Israel. Every equipment ‘Made in Israel’ is Cyber Avengers legal target.”

Hoffman says the attack path in these cases is straightforward: scan for accessible devices, log in using known defaults, and alter the control logic.

“It’s not highly complex, but it’s effective,” he notes.

Strong defences, weak visibility

Despite these risks, Hoffman, who also spent over 20 years as an owner/operator in the oil and gas industry, stresses that energy operators in the Middle East – particularly in countries such as the UAE – are generally well defended. The issue is visibility and telemetry.

“It’s like a fortress,” he explains.


“The walls are strong, but you can’t see what’s coming in – or whether someone is already inside.”

This lack of monitoring in OT environments creates uncertainty. Even well-secured organizations may struggle to work out whether they’ve been compromised.

Additionally, unlike IT breaches, which can be executed rapidly, industrial disruption can take time.

[Image] Lack of visibility is the biggest challenge for defenders in OT environments such as oil refineries.

“You can’t just decide to target a refinery next week,” Hoffman says.

“A stage two attack can take months – six months or more – to develop.”

This is why, despite heightened tensions, there have been no publicly confirmed cyber operations directly impacting industrial systems in the current conflict – at least so far.

“Kinetic attacks are immediate,” he adds. “Cyber in OT takes patience.”

The AI threat: real, but not yet decisive

On artificial intelligence, Hoffman says it is already helping defenders, but its impact in OT remains uneven.

“We’re seeing it used more and more for detection,” Hoffman says.

“Helping correlate large datasets and identify anomalies.”

It is also driving operational efficiency, with companies using AI-enabled systems to optimize production and performance. But this also introduces new risks, he adds.


“We’re starting to connect cloud systems back into OT,” he notes.

“That increases the attack surface.”

From an offensive perspective, however, AI has yet to revolutionize OT attacks in the way many fear.

According to Hoffman, the limited amount of data available to train OT LLMs is the main reason why.

“In IT, there’s a huge amount of code available to train AI models. In OT, that data just isn’t there.”


He points to a recent experiment in which an experienced malware researcher attempted to use AI to build OT-specific malicious capabilities.

“It took days,” Hoffman says.

“Even for someone with 15-20 years of experience.”

“AI is being used – by defenders, by attackers, by the business,” Hoffman says.

“But in OT, it’s not a silver bullet. Not yet.”
