Open topic with navigation

Time Synchronization

Time Synchronization is an important security tool that ensures any logging times are as accurate as possible in order to help you identify any possible intrusion attempts.

There are various options available for use as a time source for time synchronization. GPS based time solutions or LAN based (either a firewall or other LAN NTP time source) are generally used as a reference point, separate from the Corporate, DMZ or business LAN.

If you use a single GPS time source for synchronizing time across a network (such as a shared time source throughout all network and security layers), we recommend that you have a secondary alternative time source available for use as a delta comparison with monitoring rules in place. This is to ensure the integrity of the time signal on the SCADA LAN and that if either source is compromised or becomes unavailable that sufficient notice is provided to the network operators, and time skew kept to a minimum.

Depending on the network infrastructure, we recommend that all Domain Controllers are set to update from an accurate NTP source on a secured LAN, with the domain member machines (Non-DC Servers or Clients) configured to update from the domain controllers using Group Policy enforcement.

To configure a Domain Controller to synchronize with an external common time source, you can either use the command line or modify the registry.

For Virtual environments, the guest has the ability to sync with the local Virtual Server host (such as those provided with VMWare tools and Hyper-V configurations), but it is best practice and we recommended that you disable this option on the guest to reduce excessive CPU for committing time updates.

Using VMWare or Hyper-V

VMWare best practice for time synchronizing is available from the following website.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318

For Virtual Domain Controllers in Hyper-V environments it is recommended to disable the time synchronization to the Hyper-V hosts to prevent any issues with time updates that are incorrectly applied.

Additional information is available from the following link:

https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#deployment_considerations_for_virtualized_domain_controllers

Disclaimer

Geo SCADA Expert 2020

© 2020 AVEVA Group Plc.  All Rights Reserved.

The Schneider Electric industrial software business and AVEVA have merged to trade as AVEVA Group plc, a UK listed company. Schneider Electric, Life is On Schneider Electric and EcoStruxure are trademarks and the property of Schneider Electric SE and are being licensed to AVEVA by Schneider Electric.