Time Security SIG: coordinating before the clock runs out

Most security properties quietly assume that systems share a correct, coherent sense of time. That assumption is now under pressure from two directions at once. Time sources can be manipulated or spoofed today, whether via NTP in transit or GNSS from the sky. A vast installed base of critical infrastructure still represents time as a fixed-width value that reaches the end of its range in 2038.

On 19 January 2038, the signed 32-bit counter that underpins the ubiquitous software design pattern (seconds ticked since 1 January 1970) commonly called "Unix time" overflows. Affected systems can silently flip to 1901, resulting in miscalculations or misordered time-based operations, which may in some cases cascade into security and public safety failures.

And unfortunately it has friends: the NTP era rolls over 7 February 2036, and the GPS week counter 20 November 2038.

Unlike most vulnerabilities, this class is deterministic (the trigger is a date, not an attacker), simultaneous (it arrives everywhere at once), and already visible in the field — from train-control systems to fuel-gauge controllers to popular contemporary SaaS offerings. The fixes are partially understood. We lack the necessary ecosystem coordination (and possibly the time) to apply them at scale before the rollover date arrives.

The Time Security SIG was founded by co-chairs Trey Darley and Pedro Umbelino to coordinate our community's response to these challenges. The SIG launched with a kick-off BoF at the Copenhagen AGM and has since grown to more than sixty participants, including CSIRTs and PSIRTs, researchers, developers, and people from the standards and policy worlds, drawn from a wide range of industries and countries. What unites so varied a group is a simple recognition that time integrity is shared infrastructure in a digital world, beyond the purview of any single vendor, sector, or nation.

This quarter brought two major milestones worth sharing with the wider FIRST community. The ITU-T Study Group 17 Technical Paper on global coordination requirements for 2038-class rollover events (known as XSTP.epoch, and carried forward with Time SIG involvement) had its text agreed at the June plenary in Geneva. Now over 100 pages, it includes a cross-sector exposure survey spanning thirty sectors. In parallel, IEEE SA approved a new Recommended Practice project (P4150) to develop a Recommended Practice for assessing and documenting rollover preparedness, chaired by Time SIG participant John Lange. The two efforts are deliberately complementary: the ITU-T paper sets out what must be coordinated globally, while the IEEE project is intended to give operators an auditable way to assess and document their own readiness for audits, procurement, and supply-chain assurance.

We have calls the 3rd Tuesday of each month (14:00 Brussels). For new-joiners looking to come up to speed, we have published minutes, recordings, and a growing wiki. The SIG has also stood up its first sub-working group on supply-chain assurance, with more to follow. You are warmly invited to join us, as an observer or participant.

A closing thought. The internet is a distributed system; by design, it has no cockpit. None of us is flying it, but all of us are its stewards. Stewardship means acting decisively with the information we have received. We have been given a fixed date and a long warning. Inventory your exposure, test for it, and demand proof of readiness from your suppliers. Not later. Now.

Trey Darley & Pedro Umbelino, co-chairs, FIRST Time Security SIG

Published on FIRST POST: Apr-Jun 2026