The Indian government has clarified that not all companies need to synchronize their system clocks with the time provided by the National Informatics Center (NIC) or the National Physical Laboratory (NPL), and that companies whose infrastructure spans multiple geographies, such as cloud service providers, can use their own time source as long as it does not deviate from NPL and NIC time.
According to the Cyber Security Directive issued by the Computer Emergency Response Team of India (CERT-In) on April 28, companies are required to connect to the NTP (Network Time Protocol) server of the NIC or NPL, or to servers traceable to these NTP servers, for synchronization of their system clocks. But this requirement has been strongly rejected by cybersecurity experts as it lacks clarity and is impractical. While cybersecurity experts have pointed out that companies already have their own high-quality sources for time, a former Council for Scientific and Industrial Research (CSIR) researcher, who heads the National Physical Laboratory, told MediaNama that the NPL does not have the infrastructure required to broadcast time to a large group of entities.
The clarification that not all companies are required to connect to NIC/NPL servers is a relief, but even so, the requirement that a company's time source “must not deviate” from these servers raises questions.
What aspects of time synchronization has the government clarified?
In a CERT-In FAQ document, the Department of Electronics and Information Technology (MeitY) addressed the following issues related to time synchronization:
- Why is it necessary to synchronize system clocks with NIC or NPL NTP servers? A typical cyber incident involves multiple IT systems within and between entities. Without an accurate timestamp, it is extremely difficult to recreate an accurate sequence of events, thus causing serious obstacles when handling cyber incidents. Additionally, security technologies also rely heavily on specific patterns and correlation rules that are often based on time parameters. Therefore, unsynchronized clocks between systems could result in the failure of security systems as well as the entity’s ability to act on proactive alerts/advice from CERT-In as well as other agencies.
- Organizations with ICT infrastructures spanning multiple geographies, such as cloud service providers, use internally configured global NTP servers that are typically synchronized with external time sources. Synchronizing the clocks differently in the ICT part located in India could cause technical problems. Can they continue with their original method of time synchronization for the ICT infrastructure in India? The time synchronization requirement is stipulated to ensure that only standard time facilities are used across all entities. Organizations with ICT infrastructures spanning multiple geographies may use accurate, standard time sources other than the National Physical Laboratory (NPL) and the National Informatics Center (NIC), but care should be taken to ensure that their time source does not deviate from NPL and NIC.
- The ICT infrastructure that runs on the Cloud uses time sources inherent in the Cloud. Is it now necessary to break the current practice and only synchronize with the NIC and the NPL? Cloud ICT infrastructures that span multiple geographies typically configure their own NTP servers to ensure time compliance across the entire ICT infrastructure as well as to allow them to uniformly handle the complexities arising from situations such as leap smearing. The directive requires a common standard time source and also allows the use of accurate and standard time sources other than NPL and NIC for large ICT infrastructures; however, it must be ensured that their time source does not deviate from NPL and NIC. Customers in cloud environments, on the other hand, have the option of using native time services offered by the cloud to synchronize their clocks, or they can configure their own NTP server in their cloud environment. Entities relying on native time services offered as part of the Cloud can continue to use them; however, if an entity operates its own NTP service (using an NTP server or other device) that syncs with time sources other than cloud-native time services, these must be synchronized with the NTP servers of the NIC or NPL.
- Is it necessary to synchronize the clocks to Indian Standard Time (IST)? No. The NTP server provides a timestamp in UTC, and the conversion from UTC to local time is performed on the host that receives the NTP synchronization from the NTP server. NPL or NIC also provides UTC time according to world standards. The current directive requires uniform time synchronization across all ICT systems, regardless of time zone. Time zone information should also be recorded with the time to facilitate accurate conversion when needed.
- How to synchronize the system clocks with the NTP server of the National Informatics Center or the National Physical Laboratory? System clocks can be synchronized by configuring the NTP servers of NIC or NPL as the time source in the corporate NTP server. The NTP server details of NIC and NPL are currently as follows:
- National Informatics Center (NIC): samay1.nic.in, samay2.nic.in
- National Physical Laboratory (NPL): time.nplindia.org
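The FAQ asks that a private time source "not deviate" from NIC/NPL time without saying how that is measured. As an added illustration (not code from CERT-In or MediaNama), this Python example derives the standard NTP clock offset and round-trip delay from one request/reply exchange and checks them against a tolerance; the reply packet is constructed inline and the 50 ms tolerance is an assumption, since the page gives no number.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
HEADER = "!BBbb3I8I"         # 48-byte header: flags, stratum, poll, precision, 3 words, 4 timestamps

def to_ntp(unix_ts):
    """Unix seconds -> (seconds, fraction) pair in NTP 32.32 fixed point."""
    whole = int(unix_ts)
    return whole + NTP_UNIX_DELTA, int((unix_ts - whole) * 2**32)

def to_unix(seconds, fraction):
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def measure(reply, t1, t4):
    """Return (offset, delay) in seconds; t1/t4 are the local send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER, reply[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4 or leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("not a reply from a synchronized server")
    if (f[9], f[10]) != to_ntp(t1):  # origin field must echo our transmit time
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = to_unix(f[11], f[12]), to_unix(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # estimated server clock minus local clock
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing time
    return offset, delay

def deviates(offset, delay, tolerance):
    """True if the local clock may be off by more than `tolerance` seconds.

    Path asymmetry can hide up to delay/2 of error, so that bound is added.
    """
    return abs(offset) + delay / 2 > tolerance

def sample_reply(t1, server_ahead, one_way, processing):
    """Constructed reply and arrival time t4 for a server `server_ahead` s ahead."""
    t2 = t1 + one_way + server_ahead
    t3 = t2 + processing
    t4 = t1 + 2 * one_way + processing
    pkt = struct.pack(HEADER, 0x24, 2, 6, -20, 0, 0, 0, 0, 0,
                      *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))
    return pkt, t4

if __name__ == "__main__":
    T1 = 1651104000.5  # constructed local send time
    pkt, t4 = sample_reply(T1, server_ahead=1 / 32, one_way=1 / 64, processing=1 / 1024)
    off, dly = measure(pkt, T1, t4)
    print(f"offset={off * 1000:.2f} ms delay={dly * 1000:.2f} ms "
          f"deviates(50 ms, assumed)={deviates(off, dly, 0.050)}")
```

The same 31 ms offset passes a 50 ms tolerance but fails a 40 ms one once the delay/2 uncertainty is counted, which is why a deviation rule needs both a stated threshold and a stated measurement method.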
Why is there still some confusion even after the clarification?
“Time is a very difficult issue because it is an ongoing process. Just because you’re synced to a server on the other side of the world doesn’t mean you’ll be synced the next second. Because your system may have unpredictable delays in updating the next second,” Suman Kar, CEO of cybersecurity firm Banbreach, explained to MediaNama.
“If you’re saying we should be in sync, then you have to have this ongoing dialogue with another system where you go every second and update. And it’s not a realistic way to sync your time, so that’s why we do this update from time to time,” Kar explained. “So it’s quite a complex problem and we’re basically guessing what the peer time and what my time should be and making adjustments. Any dictate that says ‘must not stray’ from NTP servers is essentially useless at this point.”
What other issues are there with the CERT-In directive?
Speaking to MediaNama, a number of cybersecurity experts criticized the CERT-In directive for various reasons. As for the time synchronization requirement, here are the complaints they had:
- Latency issue: “Let’s say you operate a data center. You must connect all servers to a time server. By the very nature of a data center, imagine you have about 25,000 machines in a single building. Which time server would you bet on? The one near you that you control or the one someone else gives you. You will choose the one over which you have control. And why is that? Latency,” said cybersecurity researcher Anand Venkatanarayanan. Latency is the time it takes for a message to travel from one server to another and higher latency is undesirable. When servers are further apart, latency tends to be higher.
- We don’t know anything about NIC servers: “In a system where everything depends on the time drift not exceeding certain nanoseconds or milliseconds, the most important piece of infrastructure is the time server. Now, if you are running a 25,000-machine data center, why would you want to use NIC’s time server? Does that make any sense? And what is the configuration of the NIC time server? You do not know. What is the latency? You don’t know. We rely on a technology called Anycast to reduce latency. Is the NIC time server Anycast? The answer is no,” remarked Venkatanarayanan. MediaNama has filed an RTI with CERT-In requesting more technical details about the NIC NTP servers mentioned in the directive. We will post an update once we receive a response.
- Why would companies choose NIC servers over much better options? “How do you sync geographically separate servers, unless you have full control over those servers? So Google basically built a server system called True Time, which keeps all servers participating in a database operation running in a particular time window, by building multiple time master machines per data center and one slave daemon time machine geographically synchronized in time, even if they are in different geographical locations. It is truly an engineering marvel. Will companies choose NIC servers over this? […] After spending millions of dollars building a time server that uses GPS clocks in multiple geographic locations around the world, why would I bet on the single option of CERT-In?” Venkatanarayanan asked.
- NIC, NPL servers will be overwhelmed: “Even if you were to have this set of servers, you’re going to be a bit overwhelmed if everyone starts hitting the same set of servers. So until CERT has determined a budget and human resources to run dedicated NTP services that a country like India is likely to need, the practical viability of this particular direction seems to me difficult, if not impossible,” Kar said.
- Connecting to NTP servers can affect security: The requirements are “of great concern as they could negatively affect enterprises’ security operations as well as the functionality of their systems, networks and applications, among other reasons”, the Information Technology Industry Council (ITI), which represents some of the biggest tech companies worldwide, including Apple, Amazon, Meta, Google and Microsoft, noted in its letter to the Indian government.
This post is published under a CC-BY-SA 4.0 License. Feel free to repost on your site, with attribution and a link. Adaptation and rewriting, although permitted, must be faithful to the original.