Control systems rely on correct causal ordering and typically also on exact times and time relationships between events. For non-trivial systems, this implies synchronisation between distributed components, potentially from sensors and actuators to SCADA hierarchies. Whilst this can be accomplished by point-to-point synchronisation against a common reference such as GNSS (global navigation satellite) signals, common practice and codification in the ISO/IEC 60870-5-104 protocol widely used in the power control domain calls for the Network Time Protocol (NTP). In this paper we therefore describe attack patterns allowing the undetected partial re-play of legitimate messages and injection of messages even in the presence of ISO/IEC 62351 protective measures in a multi-staged attack targeting time synchronisation protocols and specifically the NTP protocol, and resulting in a de-synchronisation between a PLC/RTU and higher-level SCADA components. We demonstrate the feasibility of such attacks in a co-emulation environment.