
Scanning your nuclear power station's Windows computers for malware can present some challenges if the machines have been secured properly.

I currently work at a Nuclear Power Station and recent developments towards the digital arena have resulted in the implementation of many Windows based computers. I have heard of incidents in which viruses have crippled power stations, hence my dilemma.

The Problem: We require to perform a yearly virus scan on these computers, but with the following restrictions:

1) We cannot install an anti-virus on these computers as it conflicts with custom design turbine control applications

2) No internet connection allowed for security purposes

3) No windows updates are allowed to be installed as it results in software conflicts once again

4) Not allowed to open computers

5) There is a 1 month window period each year when these computers are not in service and are available for detecting viruses

6) Fully kitted computers with Xeon processors, LAN etc.

What is the best method/s possible with the above mentioned restrictions to ensure that these computers can be properly cleansed from viruses?

I love Windows, I really do. Yes, it has plenty of flaws and detractors, but let's face it - in the last 20 years it's enabled a level of ubiquitous computing for the masses that I just don't think would have happened as quickly any other way.

That being said ... it makes me really uncomfortable to hear "Windows" and "Nuclear Power Station" in the same sentence.

To your company's or agency's credit, all those steps that make it difficult to perform a virus scan in the first place also happen to make it very difficult for a virus to infiltrate. That's the good news: if you ever actually found a virus, I'd be pretty shocked. Someone would have had to have violated one or more of the rules in order for the virus to make it in. One gap worth noticing, though: the rules as listed say nothing about removable media. A USB stick or CD carried over from an ordinary office machine is exactly how malware reaches a computer that has no network connection at all, and worms such as Conficker spread that way.


While I don't really think malware is a big issue for you, I do have a few concerns. I understand why the rules might be what they are, but there are risks and ramifications that need to be well understood if those rules are to remain.

Windows Updates are about more than just security patches. By disallowing these updates you may also be missing out on important bug fixes to problems that may manifest in normal usage. From what I understand, you would not be allowed to take preventative fixes to problems that may result in crashes or other unexpected behaviours. Obviously, your system is fairly stable, or you wouldn't be running it. Nonetheless, bugs often manifest after long periods of time when, for example, a statistically unlikely but still possible series of events finally happen.

I'd rethink that policy, and consider an approach that allowed Windows Updates to take place in some controlled fashion.

A one month window once a year seems excessively restrictive. There's no way that a Windows computer in normal usage should go anywhere near 11 months without updates and scans. I realize that you're operating in a much more controlled and restrictive environment, but still. 11 months is a long time - if a virus arrives in month 1, it's sitting there doing whatever it's doing for another 10.

All that being said, and living within the restrictions you pose, I do have one recommendation if you still want to scan for malware:

At maintenance time, create a bootable Windows CD using a tool like BartPE. It'll be some work, but what I would do is add to that one or more up-to-date anti-malware tools, along with anything else you might want to take this opportunity to use. (You can use a Linux live CD if you like, and several anti-virus vendors publish ready-made rescue CDs as ISO images; my sense is that anti-malware software that runs natively in Windows will be more up-to-date, as it's constantly updated for the consumer market. Whichever you choose, confirm that the environment can read NTFS volumes, or the scan will simply miss the disk it was meant to check.)

Then simply boot each machine to be scanned from that CD, and scan the hard drives for malware. Doing so will not install anything onto the machine; it will simply read the machine's hard disk for the scan. Because the installed operating system is never started, the scanner isn't depending on that system to report honestly about what's on the disk, which is the main advantage of scanning offline. Two cautions: mount the disk read-only if the environment allows it, and switch off any automatic clean, quarantine or delete option. On a machine whose control software already conflicts with ordinary anti-virus (your restriction 1), a scanner that "cleans" a custom turbine-control file on a false positive has just caused the outage you were trying to avoid. Record what gets flagged and decide what to do about it with the vendor.

It's important that you create a new CD at the beginning of each maintenance period, of course, to make sure that the information on the CD is as up-to-date as possible.

(For folks in less restrictive environments, some anti-malware programs will run without install - look for "portable" setups. In such a case, it may be possible to boot the machine normally, and then run the anti-malware tool directly from a CD or USB stick. It's possible that doing so may leave traces - perhaps a registry entry for example, hence it's not ideal for the situation posed here.)

Since your machines appear to be networked, it's also possible to run an anti-virus scan across the network: share out the hard drive you want to scan, and then run the anti-virus software from another machine. There are some problems, risks and drawbacks, however. It will be slower. Sharing out an entire drive exposes every file on it to whatever else is on that network, so the share should be read-only, restricted to a single account, and removed as soon as the scan is done. The scan may not be able to access all files as it would if it were running on the machine, since files the running system has locked won't be readable over the share. And anything that hides itself from the running system won't be seen at all, which is the case the boot-from-CD scan above handles.
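
The boot-from-CD scan above reads the disk without touching the installed system; the following script shows what an operator could run from a Linux live CD once the target's disk is mounted read-only. It is an added example, not code from the original article or from any vendor's rescue CD, and it deliberately goes one step beyond signature scanning: on a static machine that is scanned once a year, a hash manifest taken in one maintenance window and diffed against the next catches any file that changed on disk, whether or not a scanner's signatures know about it. The mount point, the list of autostart locations, the sample files and the single "known bad" hash are all assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Offline, read-only scan of a mounted Windows volume.

Added example, not code from the original article. Run it from a live CD
with the target's disk mounted read-only (the mount point is an assumption
passed on the command line). It hashes every file, diffs the result against
the manifest saved at the previous maintenance window, and escalates changes
in autostart locations or files matching a constructed "known bad" hash list.
"""
import hashlib
import json
import os
import sys
from pathlib import Path

# Assumed autostart locations, kept short for the example; extend to match
# the real image (paths are compared lower-cased with '/' separators).
AUTOSTART_PREFIXES = ("windows/system32/", "windows/syswow64/")
AUTOSTART_SUBSTRINGS = ("/start menu/programs/startup/",)


def in_autostart_location(rel_path):
    return rel_path.startswith(AUTOSTART_PREFIXES) or any(
        s in rel_path for s in AUTOSTART_SUBSTRINGS)


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large files are not pulled into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 hex digest (None if unreadable). Only reads."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix().lower()
            try:
                manifest[rel] = sha256_file(p)
            except OSError:
                manifest[rel] = None  # still reported: unreadable is a finding
    return manifest


def diff_manifests(baseline, current):
    """What appeared, disappeared or changed since the baseline was taken."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def triage(diff, current, known_bad=frozenset()):
    """Findings worth a human's time, as (reason, path): known-bad hashes
    first, then anything new or altered in an autostart location. Changes
    elsewhere (logs, trend data) stay in the diff but are not escalated."""
    findings = []
    for path in diff["added"] + diff["changed"]:
        if current.get(path) in known_bad:
            findings.append(("KNOWN_BAD", path))
        elif in_autostart_location(path):
            findings.append(("AUTOSTART_CHANGE", path))
    return findings


def demo():
    """Constructed scenario in a temp directory: baseline the image, then
    simulate what a year of carried-in media could leave behind."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        startup = root / "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"
        sys32.mkdir(parents=True)
        startup.mkdir(parents=True)
        (sys32 / "turbine.dll").write_bytes(b"original control library")
        (root / "trend.log").write_bytes(b"2009-08 readings")
        baseline = build_manifest(root)  # taken during outage N
        (sys32 / "turbine.dll").write_bytes(b"silently replaced")
        (startup / "updater.exe").write_bytes(b"MZ constructed dropper")
        (root / "trend.log").write_bytes(b"2010-08 readings")  # benign churn
        current = build_manifest(root)  # taken during outage N+1
        # Constructed indicator, standing in for a vendor's hash list.
        known_bad = frozenset({hashlib.sha256(b"MZ constructed dropper").hexdigest()})
        return triage(diff_manifests(baseline, current), current, known_bad)


if __name__ == "__main__":
    # python offline_scan.py baseline /mnt/target > manifest-2009.json
    # python offline_scan.py check /mnt/target manifest-2009.json
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        json.dump(build_manifest(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as f:
            baseline = json.load(f)
        current = build_manifest(sys.argv[2])
        d = diff_manifests(baseline, current)
        for reason, path in triage(d, current):
            print(reason, path)
        print(f"{len(d['added'])} added, {len(d['removed'])} removed, {len(d['changed'])} changed")
    else:
        for reason, path in demo():
            print(reason, path)
```

Keep the manifest on the scan media, not on the target, and regenerate both the media and the "known bad" list at the start of each maintenance window, for the same reason the CD itself has to be rebuilt. The triage only escalates autostart and known-bad changes; everything else stays in the diff for review, so a false positive never results in a file being altered on the control system.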

I have to close with a comment about the combination of "Windows" and "Nuclear Power Station". The discomfort I mentioned above is only partly facetious. Certainly having Windows desktops as office machines for word processing, document management and so on isn't an issue. However Windows running critical control systems could be, and I hope that's not what it's actually doing there.

Windows is, fundamentally, a consumer grade operating system. Yep, it does fine in data centers as well, and powers some incredibly complex and large systems. While it's robust enough for these kinds of applications, it would seem that running a nuclear power station would require a much higher level of reliability than Windows, or any general purpose operating system, could provide.

I know this isn't under your control, but personally I'd be very hesitant to put Windows, or any general purpose OS into mission critical situations. There are alternative commercial real-time operating systems that are designed for this type of work which end up being much simpler, much more robust, and much more secure.

And for which you won't need to run virus scans.

Article C3848 - August 21, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


24 Comments
Mike T
August 21, 2009 2:49 PM

I'm a control system security designer at a major power engineering firm, and have been doing the type of work in the above article for 4 and a half years.

A few issues:
1. Full anti-virus scans are resource intensive, and can cause slowdowns. Slowdowns often cause alarms to queue up, and remove the operator's awareness of the process. It's best to perform scans when equipment is offline, i.e. during a planned or short notice outage window.
2. Patches and updates to these systems can be done, but should be done during regularly scheduled maintenance intervals, and performed by your vendor as part of your support agreement. If it isn't in there, NEGOTIATE it in. Believe me, you aren't the first to ask your vendor to provide support for cyber security.
3. You need to do a risk analysis on your systems to identify what impact they have on your operations if degraded or destroyed. Oftentimes you can perform cyber security activities on a field HMI with few consequences, but the same on an OPC server may wipe out your ability to control plant hardware.

And lastly, the NRC has been developing cyber security standards and guidance. Get involved! There is an incredible amount of guidance coming from NRC, NEI, NERC, NIST, and several other acronym organizations. Or, you can give me a call, it's what I do for a living.

Mike Toecker
Burns and McDonnell Engineering

Thanks for your great thoughts. If I were to emphasize any concept to people attempting to put a Windows system (or heck, any system) into a mission critical role such as this, it's what you brought up: a detailed risk analysis. Understand and plan for the probability and the cost of failure and make sure that all is handled appropriately for your application.
Leo
22-Aug-2009
Chris
August 22, 2009 7:27 AM

Using Windows PE is the best way. All it is is an extremely stripped down version of Windows (Vista) which is used as a flatbed for many maintenance tools that require some sort of bootable Windows environment.

You can execute executables just like you could on your normal windows environment and it gives you full access to NTFS partitions so it will allow you to scan the full drive for potential risks. WinPE = the way to go.

Jack Shoffstall
August 24, 2009 8:52 AM

I would recommend you contact the OEM of your HMIs to determine what services they offer to support your control systems. Most reputable HMI suppliers have a program to test and validate any patches/updates/services packs etc. on a system configured to match yours BEFORE sending the patches to site. Please feel free to contact me if the system in question is provided by GE Energy - we provide an HMI CAP offering that is designed to address these concerns.
Regards,
Jack Shoffstall
[phone number removed]

anne
August 25, 2009 8:40 AM

Oh, come on. This is CLEARLY a hoax. Like anyone legitimate from a nuclear plant doesn't have access to the government's top IT people on an instant's demand. Really, Leo, you are slipping.

Whether or not I'm slipping isn't really at issue (and I won't bother debating it - you could be right :-)). I found it an interesting and provocative question, and given all the issues, politics, personalities and bureaucracy that's typical of government services, reaching for outside advice seems totally plausible. Even if not, it's clearly piqued people's interest.
Leo
26-Aug-2009

Abby Normal
August 25, 2009 8:50 AM

If no internet connection is allowed and assuming a nuclear facility would have very tight security what would be the real virus risk here?

Regardless - I also agree with "Anne" - I think the question is a complete hoax. If not we have a very serious problem here... the management of that "Nuclear Power Station" is working way out of their experience level.

Unfortunately viruses are being propagated even without internet connections. The most recent Conficker worm spread extensively through USB keys, for example.
Leo
26-Aug-2009
Charles Wellen
August 25, 2009 9:18 AM

"The Problem: We require to perform a yearly virus scan on these computers..." This reads like an e-mail from Nigeria, and was my first hint that this inquiry was indeed, a hoax. Nice to see my favorite genius is also human. (and if I'm wrong, well I am human, too)

I did stumble on that as well, but let's face it - not everyone's English is perfect, and there are lots of completely qualified nuclear power plant personnel for whom English is their second language. I thought it was an interesting and provocative question, regardless of the source.
Leo
26-Aug-2009

AG Wright
August 25, 2009 9:36 AM

I support a couple of Windows 98 computers at a manufacturing facility that I can only get to a couple of times a year. I use Clamwin portable from http://portableapps.com/
I install it to a thumb drive, open and update it. Copy it to a CD then to the target computer hard drive. I can then scan. With a more modern operating system that will recognize a thumb drive you can leave off the CD part but it is easier to do it that way than try to find a 98 driver for this year's thumb drive.

AG

Clif
August 25, 2009 9:51 AM

I don't believe that BartPE is needed. Scanning a PC from a Live Anti-Virus CD couldn't be easier. Several of the major AV Vendors offer Live CDs for download as ISO files.

1. Download ISO
2. Burn CD
3. Pop it into the infected PC
4. Reboot

How hard is that?

Here's a google search that turns up a few:
http://www.google.com/search?hl=en&q=live+antivirus+cd+iso+emergency+rescue&aq=f&oq=&aqi=

Bill
August 25, 2009 11:50 AM

If this is really from a nuke plant, the fact that they are not going through their I.S. group is scary.
Some idiot thinking that they have to "fix" things through a non-approved channel is what is most likely to cause a virus to be present (maybe they brought one in on a disk with a game and are trying to prevent getting fired).

We would like to think that we hire people at the plants that are not dumb enough to do things like that but I know of an engineer with multiple degrees that would be likely to do this type of thing and used to work (he quit, they couldn't get rid of him) at a nuke plant.

Kirk
August 25, 2009 12:39 PM

My initial reaction was the same as Leo's... Windows running a nuclear power plant? Then I started thinking about some of the other incredibly stable control systems I've worked with that were built on very stripped down versions of Windows. Even our phone system runs an old version of NT as its OS. It stays up for years at a time easily with no patches or virus scans because it is a static closed system.

What scares me WAY more is the possibility that there is an IT Tech at such a facility who has to ask Leo the answer to this question.

JH
August 25, 2009 12:51 PM

I wouldn't have thought nuclear plants would have been running Windows, rather some kind of embedded proprietary OS. I think the Windows EULA says somewhere that it's not suitable for critical environments, such as 'aircraft control systems and nuclear power plants'.

Nigel Broder
August 25, 2009 3:35 PM

A nuclear plant running Windows? LOL!

David
August 25, 2009 3:53 PM

I checked the question to make sure it wasn't signed Homer Simpson.

jOHN hEALY
August 25, 2009 6:18 PM

lEO, YOU'VE BEEN HOOKED, THAT LETTER HAS TO BE A SCAM. pERIOD

Scam or not, it's an interesting discussion. (Please fix your CapsLock key, ok?)
Leo
26-Aug-2009

Norm
August 25, 2009 6:36 PM

This Nuclear Power station has got to be a hoax. If they really took their system down for one month a year everyone would know. The mushroom cloud would be a dead giveaway! Thanks though for treating it that way. The scenario, while highly unlikely, may show a "most ignorant" case and logical response. Of course, I would also have requested the name of the Nuke Plant so I could advise the appropriate authorities! Great answer to a scam question.

I'm not convinced it's a scam but either way it's an interesting discussion with applicability to scenarios well beyond nuclear plants. (And yes, they do take plants offline periodically for maintenance without blowing them up.)
Leo
26-Aug-2009

Tony Martin
August 25, 2009 8:19 PM

Before I retired I used Windows computers to control laboratory instruments. Since they were not networked and never connected to the internet, we never had any problems. They were never scanned for malware. How could they catch one?

These days via USB keys and other devices that are physically moved from machine to machine. The Conficker worm and others are known to spread this way.
Leo
26-Aug-2009

Larry
August 25, 2009 10:22 PM

Scary maybe. If Windows is the OS of choice, then for this application I would use an "embedded version" of Windows. Customized to work with only the services needed. All the fluff, all the services that can break or be a path to instability can be removed. What's left is much more secure, uses less resources, much smaller in size and quicker (another benefit: the user license is much less in cost).
A Windows embedded setup like this would be much safer; XPe (Windows XP Embedded) has been around for years and works very well in static applications like this one.

Jon
August 26, 2009 12:40 AM

Forgetting about whether or not this is a bogus question, why couldn't they just use a portable app like I have on my USB flash drive?

You mean like I mentioned in the article? He could.
Leo
26-Aug-2009

Jim
August 26, 2009 12:52 AM

If this was real, it would be pretty scary that the bloke in charge of the computer system in a nuclear power station has so little knowledge that he has to ask this question.

Frank Garza
August 26, 2009 9:06 AM

I ran into a similar situation except that the PC was on board a ship. Could not install Windows updates nor an antivirus program because it required Windows be at a certain level. I found an antivirus program that ran on a U3 drive and used the U3 drive to scan the computers on the ship for viruses.

andrew
August 26, 2009 9:08 AM

viruses come from somewhere (the internet)
if there is no connection, then there would be no viruses

Very dangerous, and incorrect, assumption. Latest round of viruses and malware also travel via USB sticks and other external drives that get moved from system to system.
Leo
27-Aug-2009

David Nuttall
August 27, 2009 5:35 AM

Is this question legitimate? It could be.
It sounds like this guy inherited the can of worms left by the last guy and he is wondering what he can do under all these security restrictions. I would have thought Windows would have failed the security audit that would have been required in cases like this, before the system could be installed.

Allan
September 15, 2009 3:09 PM

Leo said:
bugs often manifest after long periods of time when, for example, a statistically unlikely but still possible series of events finally happen.

I heard a good example of this when I was first learning to program, in the 1980's... I don't know if this is a true story, but I think it is, and it's certainly the type of story that COULD be true.

Even back in the 1980's, it was true that most mainframe computer systems were owned by big businesses, and big businesses generally kept their computers on 24 hours a day, 7 days a week, except during scheduled maintenance periods. But obviously there were exceptions to that policy.

The problem first showed up on February 29, 1976. Some people had shut down their computers for various reasons, but when they tried to re-start them, the computer simply wouldn't boot. Naturally, the operators called for repair. However, most of the shops that called in didn't have 7-day-a-week maintenance contracts. February 29 was a Sunday, so the repairman didn't show up until March 1. By then, most of the computers were able to boot again.

However, it was a different story 4 years later. February 29, 1980 was a Friday. This time, it was hundreds (maybe even thousands?) of operators that all called IBM at the same time, complaining that their computers wouldn't boot - and theoretically, IBM had 4 hours to respond to every one of these calls at the same time.

The problem turned out to be in software. Computers at that time didn't have built-in battery-operated real-time clocks; every time you started up the computer, a human had to type in the correct date and time. At some point in 1973 or 1974, an IBM programmer decided that the code that allowed this was bloated, so he re-wrote it, making it smaller (and thus wasting less memory). But the new version of this routine didn't know that sometimes February has 29 days!

An obscure bug, but one that only potentially raised its ugly head every 4 years... and in fact it took at least 6 years to discover the bug!

Again, I don't pretend to know for sure that this is a true story, but...

Imagine what would happen if Microsoft discovered, TODAY (September 15, 2009) that they had a bug in their boot-up routines. Say they discovered that if December 31 happened to be a Thursday, then the computer would crash during boot-up... That isn't likely, but it certainly isn't impossible either. If this was a real problem, I'm sure that they could come up with a hot-fix within a week, and the next Service Pack in October or November would include the fix.

This gives everybody AT LEAST 6 weeks to apply the service pack before Thursday December 31. What percentage of Windows systems would crash this year?

I don't know the stats (I doubt that anybody does), but I'm sure it would be a lot.

snail
November 12, 2009 9:01 PM

If only more people would follow this advice(no Internet, no updates, no foreign media(hardware or software...) instead of treating their computers as a throw-away appliance, then work done on and through computers(in closed networks such as at home, small businesses, and other "closed circuits") would be done more efficiently and save countless hours spent on security paranoia(though sometimes rightly felt).
Think about how many times you look up an article, follow a lead about security for computers. Imagine if you put that time to a task because you knew you had good practices in habit which almost eliminated security risks.
Unfortunately, computers, peripherals, backup media and device drivers(to name a few) can all be shipped with tainted data. You just never know who will have a bad day and take it out on the world.
:-)
