Time synchronization is the unglamorous foundation of OT security. Every log message, every firewall rule timestamp, every forensic investigation depends on accurate time. Yet most manufacturing facilities have production networks running with clock skew of hours or days. We have seen incidents where conflicting timestamps across devices made sequence-of-event reconstruction impossible, turning a measurable breach into an unquantifiable loss.
Time synchronization is both critical infrastructure and attack surface. An attacker who can control system time can disable security controls, forge log entries, and cover their tracks. A proper OT time architecture requires attention to both availability and authenticity of time sources.
Requirement for Compliance and Forensics
NERC CIP, ISA-62443, and most manufacturing compliance frameworks explicitly require synchronized time across all security-relevant devices, typically within 5 seconds. Forensic analysis of industrial incidents depends on accurate timestamps to reconstruct what happened and when. If logs on your PLC show action X at 10:02:15 UTC but your firewall shows a connection at 10:02:45, and the two clocks are not known to agree, you cannot tell which event actually came first, so you cannot definitively prove causation.
More critically, certificate-based authentication, logging retention policies, and security rules that reference time windows all depend on synchronized clocks. A system with incorrect time will reject valid certificates, age out logs prematurely, or fail to enforce time-based access controls.
OT Time Architecture
- Stratum Hierarchy: Deploy an internal NTP server (stratum 2) fed by a reference clock or GPS receiver (stratum 1) isolated from the internet. This prevents external time sources from being weaponized against your network. The internal NTP server sits in the DMZ and serves time to all production zones via authenticated, rate-limited NTP queries.
- Authenticated Time Protocol: Use NTPv4 with symmetric key authentication or crypto-key authentication, not open NTP. Authenticate each device to the time server to prevent time injection attacks from compromised network segments.
- Redundant Time Sources: Never depend on a single NTP source. If the internal NTP server fails, time synchronization fails, and security controls degrade. Deploy two independent time servers, each fed from different reference sources or carriers.
- Monitoring and Alerting: Monitor time offset continuously across all critical devices. Alert if any system drifts more than 5 seconds from the NTP reference time. This catches both legitimate clock failures and deliberate time manipulation attempts.
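The authentication and monitoring items above can be combined in one check, shown here as an added Python example that is not part of the original article or any vendor's code. It assumes the classic NTPv4 symmetric-key MAC layout (a 4-byte key ID followed by SHA-1 over the key and the 48-byte header); the function names, the key and the `build_reply` sample generator are constructed for illustration.

```python
import hashlib, hmac, struct

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_OFFSET = 5.0         # alert threshold in seconds, taken from the article

def to_ntp(unix):
    """Encode Unix seconds as a 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(unix)
    return struct.pack("!II", sec + NTP_DELTA, int((unix - sec) * 2**32))

def from_ntp(raw, pos):
    """Decode the 64-bit NTP timestamp at byte offset pos to Unix seconds."""
    sec, frac = struct.unpack_from("!II", raw, pos)
    return sec - NTP_DELTA + frac / 2**32

def build_reply(t1, t2, t3, key_id, key, stratum=2, li=0):
    """Construct a sample server reply (version 4, mode 4) with a symmetric-key MAC."""
    hdr = bytes([(li << 6) | (4 << 3) | 4, stratum, 6, 0xEC]) + bytes(20)
    hdr += to_ntp(t1) + to_ntp(t2) + to_ntp(t3)   # origin, receive, transmit
    return hdr + struct.pack("!I", key_id) + hashlib.sha1(key + hdr).digest()

def check_reply(reply, t1, t4, keys):
    """Return (status, offset). t1 = local send time, t4 = local receive time."""
    if len(reply) != 48 + 4 + 20:
        return "ALERT unauthenticated or malformed reply", None
    hdr, key_id, mac = reply[:48], struct.unpack_from("!I", reply, 48)[0], reply[52:]
    key = keys.get(key_id)
    # Constant-time comparison of the keyed digest; unknown key IDs are rejected.
    if key is None or not hmac.compare_digest(mac, hashlib.sha1(key + hdr).digest()):
        return "ALERT bad MAC", None
    # The reply must be mode 4 (server) and echo our transmit time as its origin.
    if hdr[0] & 7 != 4 or hdr[24:32] != to_ntp(t1):
        return "ALERT not a reply to our query", None
    # Leap indicator 3 or a stratum outside 1..15 means the server has no valid time.
    if hdr[0] >> 6 == 3 or not 1 <= hdr[1] <= 15:
        return "ALERT server unsynchronized", None
    offset = ((from_ntp(hdr, 32) - t1) + (from_ntp(hdr, 40) - t4)) / 2
    return ("ALERT offset exceeds limit" if abs(offset) > MAX_OFFSET else "OK"), offset
```

A positive offset means the local clock is behind the server. The MAC is verified before any timestamp is trusted, so a forged or altered reply never contributes an offset reading.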
Common Misconfigurations
Many industrial networks pull time from internet NTP pools (pool.ntp.org), trusting the public internet for time accuracy. This is fine for rough synchronization, but unacceptable for security-critical systems. Internet NTP is unauthenticated and can be manipulated by anyone on the path between your network and the NTP pool.
Worse, some facilities have production devices manually time-synced via SNTP queries to corporate servers outside the OT perimeter. This forces OT traffic through firewalls to corporate networks unnecessarily and creates dependency on corporate infrastructure stability. Time synchronization should be solved entirely within OT, fed from isolated reference clocks.
If you'd like to discuss time architecture for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.