I currently work at a Nuclear Power Station and recent developments towards the digital arena have resulted in the implementation
of many Windows based computers. I have heard of incidents in which viruses have crippled power stations, hence my dilemma.
The Problem: We require to perform a yearly virus scan on these computers, but with the following restrictions:
1) We cannot install an anti-virus on these computers as it conflicts with custom design turbine control applications
2) No internet connection allowed for security purposes
3) No windows updates are allowed to be installed as it results in software conflicts once again
4) Not allowed to open computers
5) There is a 1 month window period each year when these computers are not in service and are available for detecting viruses
6) Fully kitted computers with Xeon processors, LAN etc.
What is the best method/s possible with the above mentioned restrictions to ensure that these computers can be properly cleansed?
I love Windows, I really do. Yes, it has plenty of flaws and detractors, but let’s face it – in the last 20 years it’s enabled a
level of ubiquitous computing for the masses that I just don’t think would have happened as quickly any other way.
That being said … it makes me really uncomfortable to hear “Windows” and “Nuclear Power Station” in the same sentence.
To your company’s or agency’s credit, all those steps that make it difficult to perform a virus scan in the first place also happen to make it very difficult for a virus to infiltrate. That’s the good news – if you ever actually found a virus, I’d actually be pretty shocked. Someone would have had to have violated one or more of the rules in order for the virus to make it in.
While I don’t really think malware is a big issue for you, I do have a few concerns. I understand why the rules might be what they are, but there are risks and ramifications that need to be well understood if those rules are to remain.
Windows Updates are about more than just security patches. By disallowing these updates you may also be missing out on important bug fixes to problems that may manifest in normal usage. From what I understand, you would not be allowed to take preventative fixes to problems that may result in crashes or other unexpected behaviours. Obviously, your system is fairly stable, or you wouldn’t be running it. Nonetheless, bugs often manifest after long periods of time when, for example, a statistically unlikely but still possible series of events finally happens.
I’d rethink that policy, and consider an approach that allowed Windows Updates to take place in some controlled fashion.
A one month window once a year seems excessively restrictive. There’s no way that a Windows computer in normal usage should go anywhere near 11 months without updates and scans. I realize that you’re operating in a much more controlled and restrictive environment, but still. 11 months is a long time – if a virus arrives in month 1, it’s sitting there doing whatever it’s doing for another 10.
All that being said, and living within the restrictions you pose, I do have one recommendation if you still want to scan for malware:
At maintenance time, create a bootable Windows CD using a tool like BartPE. It’ll be some work, but what I would do is add to that one or more up-to-date anti-malware tools, along with anything else you might want to take this opportunity to use. (You can use a Linux live CD if you like, but my sense is that anti-malware software that runs natively in Windows will be more up-to-date, as it’s constantly updated for the consumer market.)
Then simply boot each machine to be scanned from that CD, and scan the hard drives for malware. Doing so will not install anything onto the machine; it will simply read the machine’s hard disk for the scan.
It’s important that you create a new CD at the beginning of each maintenance period, of course, to make sure that the information on the CD is as up-to-date as possible.
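For the Linux live CD variant mentioned above, here is a sketch of the read-only scan (an added example, not part of the original answer). It assumes ClamAV's clamscan and current signatures are on the CD; the device name, mount point and log path are placeholders.

```sh
#!/bin/sh
# Offline, read-only malware scan of a Windows disk from a Linux live CD.
# Assumptions: clamscan is on the CD; all paths below are placeholders.

# scan_offline DEVICE MOUNTPOINT LOGFILE
# Returns 0 = clean, 1 = malware found, 2 = setup or scan error.
scan_offline() {
    so_dev=$1; so_mnt=$2; so_log=$3

    # Flag the block device read-only so the kernel rejects writes to it.
    blockdev --setro "$so_dev" || return 2

    mkdir -p "$so_mnt" || return 2
    # Mount read-only; noexec/nosuid/nodev so nothing on the disk is run.
    mount -o ro,noexec,nosuid,nodev "$so_dev" "$so_mnt" || return 2

    # -r recurse, -i report infected files only. The log should live on
    # separate removable media, never on the disk being scanned.
    clamscan -r -i --log="$so_log" "$so_mnt"
    so_rc=$?

    umount "$so_mnt" || echo "warning: could not unmount $so_mnt" >&2

    # clamscan exit codes: 0 = no virus found, 1 = virus found, else error.
    case $so_rc in
        0|1) return "$so_rc" ;;
        *)   return 2 ;;
    esac
}

# Run only when called with three arguments, for example:
#   sh scan.sh /dev/sda2 /mnt/target /media/usb/scan.log
if [ "$#" -eq 3 ]; then
    scan_offline "$1" "$2" "$3"
fi
```

Treating any exit code other than 0 or 1 as a failure matters here: a scan that could not read the disk must not be recorded as a clean machine.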
(For folks in less restrictive environments, some anti-malware programs will run without install – look for “portable” setups. In such a case, it may be possible to boot the machine normally, and then run the anti-malware tool directly from a CD or USB stick. It’s possible that doing so may leave traces – perhaps a registry entry for example, hence it’s not ideal for the situation posed here.)
Since your machines appear to be networked, it’s also possible to run an anti-virus scan across the net – simply share out the hard drive you want to scan, and then run the anti-virus software from another machine. There are some problems, risks and drawbacks however: it will be slower, sharing out an entire drive is bad security, and the scan may not be able to actually access all files as it would if it were running on the machine.
I have to close with a comment about the combination of “Windows” and “Nuclear Power Station”. The discomfort I mentioned above is only partly facetious. Certainly having Windows desktops as office machines for word processing, document management and so on isn’t an issue. However, Windows running critical control systems could be, and I hope that’s not what it’s actually doing there.
Windows is, fundamentally, a consumer grade operating system. Yep, it does fine in data centers as well, and powers some incredibly complex and large systems. While it’s robust enough for these kinds of applications, it would seem that running a nuclear power station would require a much higher level of reliability than Windows, or any general purpose operating system, could provide.
I know this isn’t under your control, but personally I’d be very hesitant to put Windows, or any general purpose OS into mission critical situations. There are alternative commercial real-time operating systems that are designed for this type of work which end up being much simpler, much more robust, and much more secure.
And for which you won’t need to run virus scans.