I'm a control system security designer at a major power engineering firm, and have been doing the type of work in the above article for 4 and a half years.
A few issues:
1. Full anti-virus scans are resource intensive, and can cause slowdowns. Slowdowns often cause alarms to queue up, and remove the operators' awareness of the process. It's best to perform scans when equipment is offline, i.e. during a planned or short notice outage window.
2. Patches and updates to these systems can be done, but should be done during regularly scheduled maintenance intervals, and performed by your vendor as part of your support agreement. If it isn't in there, NEGOTIATE it in. Believe me, you aren't the first to ask your vendor to provide support for cyber security.
3. You need to do a risk analysis on your systems to identify what impact they have to your operations if degraded or destroyed. Often times you can perform cyber security activities on a field HMI with few consequences, but the same on an OPC server may wipe out your ability to control plant hardware.
And lastly, the NRC has been developing cyber security standards and guidance. Get involved! There is an incredible amount of guidance coming from NRC, NEI, NERC, NIST, and several other acronym organizations. Or, you can give me a call, it's what I do for a living.
Mike Toecker
Burns and McDonnell Engineering

Using Windows PE is the best way. All it is is an extremely stripped down version of Windows (Vista) which is used as a flatbed for many maintenance tools that require some sort of bootable Windows environment.
You can execute executables just like you could on your normal windows environment and it gives you full access to NTFS partitions so it will allow you to scan the full drive for potential risks. WinPE = the way to go.
Posted by: Chris at August 22, 2009 7:27 AM

I would recommend you contact the OEM of your HMIs to determine what services they offer to support your control systems. Most reputable HMI suppliers have a program to test and validate any patches/updates/service packs etc. on a system configured to match yours BEFORE sending the patches to site. Please feel free to contact me if the system in question is provided by GE Energy - we provide an HMI CAP offering that is designed to address these concerns.
Regards,
Jack Shoffstall
[phone number removed]
Oh, come on. This is CLEARLY a hoax. Like anyone legitimate from a nuclear plant doesn't have access to the government's top IT people on an instant's demand. Really, Leo, you are slipping.
). I found it an interesting and provocative question, and given all the issues, politics, personalities and bureaucracy that's typical of government services, reaching for outside advice seems totally plausible. Even if not, it's clearly piqued people's interest.
If no internet connection is allowed and assuming a nuclear facility would have very tight security what would be the real virus risk here?
Regardless - I also agree with "Anne" - I think the question is a complete hoax. If not we have a very serious problem here... the management of that "Nuclear Power Station" is working way out of their experience level.

"The Problem: We require to perform a yearly virus scan on these computers..." This reads like an e-mail from Nigeria, and was my first hint that this inquiry was indeed, a hoax. Nice to see my favorite genius is also human. (and if I'm wrong, well I am human, too)

I support a couple of Windows 98 computers at a manufacturing facility that I can only get to a couple of times a year. I use Clamwin portable from http://portableapps.com/
I install it to a thumb drive, open and update it. Copy it to a CD then to the target computer hard drive. I can then scan. With a more modern operating system that will recognize a thumb drive you can leave off the CD part but it is easier to do it that way than try to find a 98 driver for this year's thumb drive.
AG
Posted by: AG Wright at August 25, 2009 9:36 AM

I don't believe that BartPE is needed. Scanning a PC from a Live Anti-Virus CD couldn't be easier. Several of the major AV Vendors offer Live CDs for download as ISO files.
1. Download ISO
2. Burn CD
3. Pop it into the infected PC
4. Reboot
How hard is that?
Here's a google search that turns up a few:
http://www.google.com/search?hl=en&q=live+antivirus+cd+iso+emergency+rescue&aq=f&oq=&aqi=
If this is really from a nuke plant, the fact that they are not going through their I.S. group is scary.
Some idiot thinking that they have to "fix" things through a non-approved channel is what is most likely to cause a virus to be present (maybe they brought one in on a disk with a game and are trying to prevent getting fired).
We would like to think that we hire people at the plants that are not dumb enough to do things like that but I know of an engineer with multiple degrees that would be likely to do this type of thing and used to work (he quit, they couldn't get rid of him) at a nuke plant.
Posted by: Bill at August 25, 2009 11:50 AM

My initial reaction was the same as Leo's... Windows running a nuclear power plant? Then I started thinking about some of the other incredibly stable control systems I've worked with that were built on very stripped down versions of Windows. Even our phone system runs an old version of NT as its OS. It stays up for years at a time easily with no patches or virus scans because it is a static closed system.
What scares me WAY more is the possibility that there is an IT Tech at such a facility who has to ask Leo the answer to this question.
Posted by: Kirk at August 25, 2009 12:39 PM