Detecting clock synchronization attacks in time sensitive networks using key performance indicators

US12081561B2 · US · B2

Patent metadata

Publication number: US-12081561-B2
Application number: US-202117483723-A
Country: US
Kind code: B2
Filing date: Sep 23, 2021
Priority date: Sep 23, 2021
Publication date: Sep 3, 2024
Grant date: Sep 3, 2024

Abstract

Official abstract text for this publication.

Systems and methods to detect attacks on the clocks of devices in time sensitive networks are described. Particularly, the disclosed systems and methods provide detection and mitigation of timing synchronization attacks based on key performance indicators related to the protected transmission windows in data streams of the time sensitive networks.

First claim

Opening claim text (preview).

What is claimed is:

1. A computing-implemented method, comprising: establishing a data stream between a first device and a second device, the data stream comprising a plurality of switching nodes; providing an indication of a protected transmission window to each of the plurality of switching nodes; receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes, wherein the KPI represents a delay time or a time buffer of a packet from the data stream within the protected transmission window; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI.

2. The computing-implemented method of claim 1, comprising: receiving an indication of values of the KPI over a time period; determining a mean of the values of the KPI over the time period; and determining a standard deviation of the values of the KPI over the time period.

3. The computing-implemented method of claim 2, wherein the time period is a first time period, wherein receiving, from the one of the plurality of switching nodes, the KPI relative to the timing of the protected transmission window for the one of the plurality of switching nodes comprises receiving a value of the KPI over a second time period subsequent to the time period.

4. The computing-implemented method of claim 3, determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI comprising: determining a mean of the values of the KPI over the second time period; determining whether an absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value.

5. The computing-implemented method of claim 4, wherein the threshold is based on the standard deviation of the values of the KPI over the time period.

6. The computing-implemented method of claim 5, wherein the threshold value is three (3) times the standard deviation of the values of the KPI over the time period.

7. The computing-implemented method of claim 4, determining whether the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value comprising: incrementing a positive event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value; or incrementing a negative event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is not greater than or equal to the threshold value; and determining the one of the plurality of switching nodes is subject to a timing attack based on a determination that an absolute value of the positive event counter minus the negative event counter is greater than an event counter threshold.

8. The computing-implemented method of claim 1, wherein the data stream is established in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1AS and/or 802.1Qbv standards.

9. A computing apparatus comprising: a processor at a control device for a time sensitive network (TSN) of devices; and a memory storing instructions that, when executed by the processor, configure the apparatus to: establish a data stream between a first device and a second device in the TSN of devices, the data stream comprising a plurality of switching nodes in the TSN of devices; provide an indication of a protected transmission window to each of the plurality of switching nodes; receive, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes, wherein the KPI represents a delay time or a time buffer of a packet from the data stream within the protected transmission window; and determine whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI.

10. The computing apparatus of claim 9, the instructions, when executed by the processor, configure the apparatus to: receive an indication of values of the KPI over a time period; determine a mean of the values of the KPI over the time period; and determine a standard deviation of the values of the KPI over the time period.

11. The computing apparatus of claim 10, wherein the time period is a first time period, the instructions, when executed by the processor, configure the apparatus to receive a value of the KPI over a second time period subsequent to the time period.

12. The computing apparatus of claim 11, the instructions, when executed by the processor, configure the apparatus to: determine a mean of the values of the KPI over the second time period; determine whether an absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value; and determine whether the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value.

13. The computing apparatus of claim 12, wherein the threshold is based on the standard deviation of the values of the KPI over the time period.

14. The computing apparatus of claim 13, wherein the threshold value is three (3) times the standard deviation of the values of the KPI over the time period.

15. The computing apparatus of claim 12, the instructions, when executed by the processor, configure the apparatus to: increment a positive event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value; or increment a negative event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is not greater than or equal to the threshold value; and determine the one of the plurality of switching nodes is subject to a timing attack based on a determination that an absolute value of the positive event counter minus the negative event counter is greater than an event counter threshold.

16. The computing apparatus of claim 9, wherein the data stream is established in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1AS and/or 802.1Qbv standards.

17. A non-transitory computer-readable storage device, s
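The decision logic of claims 2 through 7 can be sketched as follows. This is an added example, not code from the patent or its assignee: the class, parameter names and KPI values are constructed, the sample standard deviation is assumed, and two behaviours are assumptions beyond the claim text (a `floor` on the threshold, and a counter restart when negative events outnumber positive ones).

```python
from statistics import mean, stdev

class KpiTimingDetector:
    """Per-switching-node detector following claims 2-7 of the claim text."""

    def __init__(self, baseline, sigma_factor=3.0, event_limit=3, floor=0.0):
        if len(baseline) < 2:
            raise ValueError("baseline needs at least two KPI values")
        self.base_mean = mean(baseline)            # claim 2: mean over first period
        # Claims 5-6: threshold is three times the baseline standard deviation.
        # 'floor' (assumption) keeps a zero-variance baseline from yielding a
        # threshold of 0, which would make every later window a positive event.
        self.threshold = max(sigma_factor * stdev(baseline), floor)
        self.event_limit = event_limit             # claim 7: event counter threshold
        self.positive = 0
        self.negative = 0

    def observe(self, window):
        """Score one later period of KPI values; True means 'timing attack'."""
        if not window:
            raise ValueError("empty KPI window")
        # Claim 4: |mean(second period) - mean(first period)| >= threshold
        if abs(mean(window) - self.base_mean) >= self.threshold:
            self.positive += 1
        else:
            self.negative += 1
        # Assumption: restart counting once negatives outnumber positives, so
        # a long healthy run cannot satisfy the absolute-value test by itself.
        if self.negative > self.positive:
            self.positive = self.negative = 0
        return abs(self.positive - self.negative) > self.event_limit

def run(baseline, windows, **kw):
    """Return one verdict per later window, in order."""
    det = KpiTimingDetector(baseline, **kw)
    return [det.observe(w) for w in windows]

# Constructed sample data: time-buffer KPI in microseconds for one switch.
BASELINE = [50.1, 49.8, 50.3, 49.9, 50.0, 50.2, 49.7, 50.0]
DRIFT = [[50.0, 50.2, 49.9], [49.8, 50.1, 50.0], [49.0, 49.2, 48.9],
         [48.7, 48.9, 48.8], [48.5, 48.4, 48.6], [48.1, 48.3, 48.2]]

if __name__ == "__main__":
    print(run(BASELINE, DRIFT))
```

With the constructed baseline the threshold is 0.6 µs, and the node is flagged only on the fourth consecutive drifted window; a single outlier window followed by normal ones never reaches the event counter threshold.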

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Event detection, e.g. attack signature detection · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 3, 2024 (B2). Legal status and post-grant events are not shown on this page.