
How Do I Scan Nuclear Power Station Computers Without an Internet Connection?

Very carefully.

Scanning your nuclear power station's Windows computers for malware can present some challenges if the machines have been secured properly.
Question:

I currently work at a nuclear power station[1] and recent developments towards the digital arena have resulted in the implementation of many Windows-based computers. I have heard of incidents in which viruses have crippled power stations, hence my dilemma.

The problem: We are required to perform a yearly virus scan on these computers, but with the following restrictions:

  1. We cannot install an anti-virus on these computers as it conflicts with custom design turbine control applications
  2. No internet connection allowed for security purposes
  3. No Windows updates are allowed to be installed as it results in software conflicts once again
  4. Not allowed to open computers
  5. There is a one-month period each year when these computers are not in service and are available for detecting viruses

What is the best method/s possible with the above-mentioned restrictions to ensure that these computers are properly cleansed from viruses?

I love Windows, I really do.

Yes, it has plenty of flaws and detractors, but in the last 30 years, it’s enabled a level of ubiquitous computing for the masses I just don’t think would have happened as quickly any other way.

That being said, it still makes me quite uncomfortable to hear “Windows” and “nuclear power station” in the same sentence.


TL;DR:

Scanning without an internet connection

Even without an internet connection, it’s important to update and run scans regularly. Typically, this means downloading security software on some other internet-connected machine, putting it on portable media, and then running it on the isolated machines. Fortunately, machines unconnected to the internet are less likely to acquire malware, but unfortunately, they’re still not immune.

It’s difficult for malware to arrive

To your company’s or agency’s credit, all those steps making it difficult to perform a security scan also make it very difficult for malware to infiltrate.

That’s the good news. If you ever found a virus, I’d be shocked. Someone would have violated one or more of the rules in order for the virus to make it in.

While I don’t really think malware is a big issue for you, I do have a few concerns. I understand why the rules might be what they are, but there are risks and ramifications that need to be well understood if those rules are to remain.

Updates are more than security

Windows Updates are about more than just security patches.

By disallowing the updates, you may also miss important bug fixes to problems that may manifest in normal usage. From what I understand of the rules you shared, you would not be allowed to take preventative fixes to problems that may cause crashes or other unexpected behaviors.

Obviously, your system is fairly stable, or you wouldn’t be running it. Nonetheless, bugs often manifest after long periods of time when, for example, a statistically-unlikely-but-still-possible series of events finally happens.

A one-month period once a year also seems excessively restrictive. A Windows computer in normal usage should never go 11 months without updates and scans. I realize you’re operating in a controlled and restrictive environment, but still, 11 months is a long time.

I’d rethink policy and consider an approach that allowed more frequent Windows Updates and security scans to take place in some controlled fashion.

What about Windows Defender Offline?

In years past, Windows Defender Offline was exactly the tool I’d recommend. You could download it from Microsoft, boot from it, and run a complete scan using the tool.

As of Windows 10, you can only run Windows Defender Offline from within Windows itself. Rather than creating bootable media, the process reboots into the tool directly. This makes it impossible to put on a thumb drive and take it to a different, offline, machine.

Scanning without internet

Several anti-malware companies have tools that you can run stand-alone.

If you have a preferred security software vendor, check with them first to see if they have such a tool. If not, this list of bootable security tools includes several familiar names.

On a machine that is connected to the internet, you would burn such a tool to CD/DVD or install it to a USB stick. Then you could boot the machines needing to be scanned from that media. By default, the tools will not make changes to the hard drive — only scan and report. Most offer an additional step to repair issues found if you choose to.

It’s important that you create security media at the beginning of each maintenance period, of course, to make sure the information is as up-to-date as possible.
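
One way to back that step with a check, as an added example that is not from the original article: record a manifest on the internet-connected machine when the media is written, then verify the media against it before booting an isolated machine from it. The 7-day age limit, the file names and the function names are assumptions, and the manifest should travel separately from the stick it describes.

```python
"""Added example: manifest check for offline-scan media (constructed data)."""
from __future__ import annotations

import hashlib
import tempfile
from datetime import date
from pathlib import Path

MAX_AGE_DAYS = 7  # assumption: site policy for how old scan media may be


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(media_root: Path) -> dict[str, Path]:
    """Map media-relative names (forward slashes) to paths."""
    return {p.relative_to(media_root).as_posix(): p
            for p in media_root.rglob("*") if p.is_file()}


def build_manifest(media_root: Path, built_on: date) -> dict:
    """Run on the internet-connected machine right after writing the media."""
    files = {name: sha256_file(p) for name, p in sorted(list_files(media_root).items())}
    return {"built_on": built_on.isoformat(), "files": files}


def verify_media(media_root: Path, manifest: dict, today: date) -> list[str]:
    """Run before the media is booted on an isolated machine.
    Returns a list of findings; an empty list means the media passes."""
    findings = []
    age = (today - date.fromisoformat(manifest["built_on"])).days
    if age > MAX_AGE_DAYS:
        findings.append(f"STALE: media is {age} days old (limit {MAX_AGE_DAYS})")
    expected, present = manifest["files"], list_files(media_root)
    for name in sorted(expected.keys() - present.keys()):
        findings.append(f"MISSING: {name}")
    # Files nobody put there are the classic removable-media infection sign.
    for name in sorted(present.keys() - expected.keys()):
        findings.append(f"UNEXPECTED: {name}")
    for name in sorted(expected.keys() & present.keys()):
        if sha256_file(present[name]) != expected[name]:
            findings.append(f"MODIFIED: {name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample media: verify it clean, then after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "boot").mkdir()
        (root / "boot" / "rescue.img").write_bytes(b"constructed scanner image")
        (root / "defs.dat").write_bytes(b"constructed signature data")
        manifest = build_manifest(root, built_on=date(2024, 3, 1))
        clean = verify_media(root, manifest, today=date(2024, 3, 3))
        # Simulate a stick that picked something up and sat around too long.
        (root / "autorun.inf").write_bytes(b"constructed stray file")
        (root / "defs.dat").write_bytes(b"altered in transit")
        tampered = verify_media(root, manifest, today=date(2024, 3, 20))
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean media:", clean or "PASS")
    for finding in tampered:
        print(finding)
```
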

Additional options

If you were in a less restrictive environment, I’d suggest using security programs that run without install: look for “portable” setups. In such a case, you’d boot the machine normally and run the tool directly from a CD or USB stick. It’s still possible doing so may leave traces — perhaps a registry entry, for example — so it’s not ideal for the situation posed here.

Since your machines appear to be networked, it’s also possible to run a scan across the net — simply share the hard drive you want to scan and run the anti-virus software from another machine. There are some problems, risks, and drawbacks, however: it will be slower; sharing out an entire drive is considered bad security; and the scan may not be able to access all files as it would if it were running on the machine.

Windows & nuclear power

I have to comment about the combination of Windows and nuclear power station.

The discomfort I mentioned above is only partly facetious.

Certainly having Windows desktops as office machines for word processing, document management, and so on isn’t an issue. However, Windows running critical control systems could well be an issue, and I hope that’s not the case here.

Windows is a consumer and business-grade operating system. It does fine in data centers, and powers some incredibly complex and large systems. While it’s robust enough for these kinds of applications, it would seem that running a nuclear power station might require an even higher level of reliability than Windows, or any general-purpose operating system, can provide.

I know this isn’t under your control, but personally I’d be very hesitant to put Windows, or any general purpose OS, into life-critical situations. There are alternative commercial real-time operating systems designed for exactly this type of work. They are much simpler, much more robust, and much more secure.

Do this

PLEASE keep your nuclear power station secure.


Footnotes & References

1: Yes, this was a real question I received.

31 comments on “How Do I Scan Nuclear Power Station Computers Without an Internet Connection?”

  1. I’m a control system security designer at a major power engineering firm, and have been doing the type of work in the above article for 4 and a half years.

    A few issues:
    1. Full anti-virus scans are resource intensive, and can cause slowdowns. Slowdowns often cause alarms to queue up, and remove the operators’ awareness of the process. It’s best to perform scans when equipment is offline, i.e. during a planned or short notice outage window.
    2. Patches and updates to these systems can be done, but should be done during regularly scheduled maintenance intervals, and performed by your vendor as part of your support agreement. If it isn’t in there, NEGOTIATE it in. Believe me, you aren’t the first to ask your vendor to provide support for cyber security.
    3. You need to do a risk analysis on your systems to identify what impact they have to your operations if degraded or destroyed. Often times you can perform cyber security activities on a field HMI with few consequences, but the same on an OPC server may wipe out your ability to control plant hardware.

    And lastly, the NRC has been developing cyber security standards and guidance. Get involved! There is an incredible amount of guidance coming from NRC, NEI, NERC, NIST, and several other acronym organizations. Or, you can give me a call, it’s what I do for a living.

    Mike Toecker
    Burns and McDonnell Engineering

    Thanks for your great thoughts. If I were to emphasize any concept to people attempting to put in a Windows (or heck, any system) into a mission critical role such as this, it’s what you brought up: a detailed risk analysis. Understand and plan for the probability and the cost of failure and make sure that all is handled appropriate to your application.

    Leo
    22-Aug-2009
    Reply
  2. Using Windows PE is the best way. All it is is an extremely stripped down version of Windows (Vista) which is used as a flatbed for many maintenance tools that require some sort of bootable Windows environment.

    You can execute executables just like you could on your normal windows environment and it gives you full access to NTFS partitions so it will allow you to scan the full drive for potential risks. WinPE = the way to go.

    Reply
  3. I would recommend you contact the OEM of your HMIs to determine what services they offer to support your control systems. Most reputable HMI suppliers have a program to test and validate any patches/updates/services packs etc. on a system configured to match yours BEFORE sending the patches to site. Please feel free to contact me if the system in question is provided by GE Energy – we provide an HMI CAP offering that is designed to address these concerns.
    Regards,
    Jack Shoffstall
    [phone number removed]

    Reply
  4. Oh, come on. This is CLEARLY a hoax. Like anyone legitimate from a nuclear plant doesn’t have access to the government’s top IT people on an instant’s demand. Really, Leo, you are slipping.

    Whether or not I’m slipping isn’t really at issue (and I won’t bother debating it – you could be right Smile). I found it an interesting and provocative question, and given all the issues, politics, personalities and bureaucracy that’s typical of government services, reaching for outside advice seems totally plausible. Even if not, it’s clearly piqued people’s interest.

    Leo
    26-Aug-2009

    Reply
    • That may have been submitted as a question, but I highly suspect the person asking the question isn’t serious. A nuclear power station would have a staff of IT security specialists and that would be the first and only place to go for this kind of question, and I doubt if a nuclear power station would be running a commercial OS like Windows.
      I don’t believe commercial versions of Windows should be used in bank ATMs. I’ve seen them boot into Windows 7 years after end of support. It seems like a customized version of Linux would be safer. There’s so much bloat in Windows making it ripe for vulnerabilities. A Linux system developed specifically for those applications seems like it would be much less vulnerable.

      Reply
      • Some bank ATMs and some hospital medical equipment are still running on Windows XP here. This is due to things like the manufacturer no longer trading and other factors.

        Reply
        • I was at a big box retailer and noticed a new-ish self-checkout machine booting up. I was floored when a Windows98 welcome screen opened!

          Reply
  5. If no internet connection is allowed and assuming a nuclear facility would have very tight security what would be the real virus risk here?

    Regardless – I also agree with “Anne” – I think the question is a complete hoax. If not we have a very serious problem here… the management of that “Nuclear Power Station” is working way out of their experience level.

    Unfortunately viruses are being propagated even without internet connections. The most recent conficker worm spread extensively through USB keys, for example.

    Leo
    26-Aug-2009
    Reply
    • This article was written about a year before the Stuxnet Virus brought down the Iranian nuclear reactor. It was most likely a cyber attack by US and Israel. The Iranian power plant was run on a Windows system and was likely introduced via a USB flash drive. One step I’d take to prevent this kind of sabotage would be to install an alarm to indicate whenever an external drive is plugged in. I don’t know how much this would help, but it would be one more layer of protection.

      Reply
  6. “The Problem: We require to perform a yearly virus scan on these computers…” This reads like an e-mail from Nigeria, and was my first hint that this inquiry was indeed, a hoax. Nice to see my favorite genius is also human. (and if I’m wrong, well I am human, too)

    I did stumble on that as well, but let’s face it – not everyone’s English is perfect, and there are lots of completely qualified nuclear power plant personnel for whom English is their second language. I thought it was an interesting and provocative question, regardless of the source.

    Leo
    26-Aug-2009

    Reply
  7. I support a couple of Windows 98 computers at a manufacturing facility that I can only get to a couple of times a year. I use Clamwin portable from http://portableapps.com/
    I install it to a thumb drive, open and update it. Copy it to a CD then to the target computer hard drive. I can then scan. With a more modern operating system that will recognize a thumb drive you can leave off the CD part but it is easier to do it that way than try to find a 98 driver for this year’s thumb drive.

    AG

    Reply
  8. If this is really from a nuke plant, the fact that they are not going through their I.S. group is scary.
    Some idiot thinking that they have to “fix” things through a non-approved channel is what is most likely to cause a virus to be present (maybe they brought one in on a disk with a game and are trying to prevent getting fired).

    We would like to think that we hire people at the plants that are not dumb enough to do things like that but I know of an engineer with multiple degrees that would be likely to do this type of thing and used to work (he quit, they couldn’t get rid of him) at a nuke plant.

    Reply
  9. My initial reaction was the same as Leo’s… Windows running a nuclear power plant? Then I started thinking about some of the other incredibly stable control systems I’ve worked with that were built on very stripped down versions of Windows. Even our phone system runs an old version of NT as its OS. It stays up for years at a time easily with no patches or virus scans because it is a static closed system.

    What scares me WAY more is the possibility that there is an IT Tech at such a facility who has to ask Leo the answer to this question.

    Reply
  10. I wouldn’t have thought nuclear plants would have been running Windows, rather some kind of embedded proprietary OS. I think the Windows EULA says somewhere that it’s not suitable for critical environments, such as ‘aircraft control systems and nuclear power plants’.

    Reply
  11. This Nuclear Power station has got to be a hoax. If they really took their system down for one month a year everyone would know. The mushroom cloud would be a dead giveaway! Thanks though for treating it that way. The scenario, while highly unlikely, may show a “most ignorant” case and logical response. Of course, I would also have requested the name of the Nuke Plant so I could advise the appropriate authorities! Great answer to a scam question.

    I’m not convinced it’s a scam but either way it’s an interesting discussion with applicability to scenarios well beyond nuclear plants. (And yes, they do take plants offline periodically for maintenance without blowing them up.)

    Leo
    26-Aug-2009

    Reply
  12. Before I retired I used Windows computers to control laboratory instruments. Since they were not networked and never connected to the internet, we never had any problems. They were never scanned for malware. How could they catch one?

    These days via USB keys and other devices that are physically moved from machine to machine. The Conficker worm and others are known to spread this way.

    Leo
    26-Aug-2009

    Reply
  13. Scary maybe. If Windows is the OS of choice, then for this application I would use an “embedded version” of Windows. Customized to work with only the services needed. All the fluff, all the services that can break or be a path to instability can be removed. What’s left is much more secure, uses less resources, much smaller in size and quicker (another benefit: the user license is much less in cost).
    A Windows embedded setup like this would be much safer; XPe (Windows XP Embedded) has been around for years and works very well in static applications like this one.

    Reply
  14. If this was real, it would be pretty scary that the bloke in charge of the computer system in a nuclear power station has so little knowledge that he has to ask this question.

    Reply
  15. I ran into a similar situation except that the PC was on board a ship. Could not install Windows updates nor an antivirus program because it required Windows be at a certain level. I found an antivirus program that ran on a U3 drive and used the U3 drive to scan the computers on the ship for viruses.

    Reply
  16. viruses come from somewhere (the internet)
    if there is no connection, then there would be no viruses

    Very dangerous, and incorrect, assumption. Latest round of viruses and malware also travel via USB sticks and other external drives that get moved from system to system.

    Leo
    27-Aug-2009

    Reply
    • Love your answer
      It is a common etiquette not to write in all caps – equal shouting, just plain rude;(

      Agree that it’s ridiculous for a nuclear plant not to have a sound DR (IMHO – patching and malware scanning is part of Disaster Recovery), but nevertheless if they use Windows they can have one single server to obtain WU as well as virus/malware definitions and then distribute to a small group (pilot), and if and when found that they won’t damage their environment, then distribute to the rest of the network.

      I remember the time when we were going with a single 3 1/4 ” diskette and running an antivirus scan on individual Windows computers, it was very time consuming;(
      However, even though times are changing there are plenty of reputable stand alone tools to perform it.
      Like previous posters I agree that it’s ridiculous to run even hardening Windows on crucial computer it is possible that they use for day to day office work.

      Thank you for the great resources you keep sharing with all your subscribers.

      PS, with regard to USB and other removable media – one of the worst default Windows settings is: Devices>AutoPlay>ON, IMHO it has to be OFF, a while ago Microsoft put out an advisory to change it, but still ships new systems with AutoPlay = ON;(

      Reply
    • TWO THINGS:
      1. I didn’t see anything saying it was a U.S. nuclear power station. Security protocols we consider as essential may not be the norm in Farawaystan.
      2. My understanding is that PCs at US nuclear facilities are not permitted to have USB ports, all being sealed permanently or removed if present.

      Reply
  17. If only more people would follow this advice(no Internet, no updates, no foreign media(hardware or software…) instead of treating their computers as a throw-away appliance, then work done on and through computers(in closed networks such as at home, small businesses, and other “closed circuits”) would be done more efficiently and save countless hours spent on security paranoia(though sometimes rightly felt).
    Think about how many times you look up an article, follow a lead about security for computers. Imagine if you put that time to a task because you knew you had good practices in habit which almost eliminated security risks.
    Unfortunately, computers, peripherals, backup media and device drivers(to name a few) can all be shipped with tainted data. You just never know who will have a bad day and take it out on the world.
    Smile.

    Reply
  18. Three points:

    First, Bart’s PE is now defunct. You’ll need to find another way — perhaps via a Puppy Linux live distro?

    Second, I very much agree: “Windows” and “Nuclear Power Plant” really don’t go together. THAT makes me nervous as all h*ll. They should be using Linux, but in any case not Windows — not only is it too much of a target, but it’s too easy a target.

    And third, I agree with Leo — whether this was a spoof or not isn’t important: the issues the article raises are.

    Reply
  19. I’ve worked on mission critical systems. Among many of the issues raised in this article there is one that is just as important, or more important, than anything else: System stability. Knowing exactly what’s in our system and how the different elements interact and behave as expected and as tested. Testing and certification is done with a given configuration. Anytime you change something, especially if it’s the OS, you need to retest and re-certify. Retesting and re-certification are expensive and monumental tasks. If something goes wrong you can’t just throw up your hands and blame Microsoft. In this situation the rules of the nuclear plant are well justified, including, and especially, not updating Windows – which can brick your system. Updates may be good for your home computer and getting on Facebook, but don’t mess with critical systems.

    A little more detail. Critical systems have custom software running on them. Such software interacts closely with OS services, such as microsecond timing, system interrupts, juggling task priorities, interfacing with hardware devices (and I don’t mean printers). Any change that relies on UNTESTED Microsoft software may break things. And we know that Microsoft doesn’t do much testing on its updates.

    Fortunately, most critical systems don’t use Windows OS.

    Reply
    • EXACTLY…Windows is a great general purpose OS but not what you want to use for critical missions, like nuclear power station controls or NASA’s Apollo program. For an absolutely fascinating presentation on the Apollo11 onboard computer (light years ahead of its time and very fault-tolerant) see this YouTube video: https://youtu.be/B1J2RMorJXM

      Reply
  20. This article was originally written in 2009. By now, I hope this Nuclear Power Plant the person asked about is using something other than Windows.

    Reply
  21. It was reported in the news, a while ago, that an American Navy ship was using Windows. As far as I remember, some negative consequences ensued, otherwise it wouldn’t have made the news. Also, if one Navy ship used Windows, others did, too. That’s not the sort of choice captains are allowed to make on their own.

    And no, those computers were probably not used only to print the menu, otherwise they wouldn’t have made the news, either.

    Reply
    • On a platform as complex as a ship or airplane there isn’t one computer or one OS. Every subsystem will have its own computer and OS. These can all be different, but communicate over a network. The only use of almost commercial-off-the-shelf OS is in systems such as entertainment systems for the passengers. Even those are typically based on Linux and sometimes on Android. If you’re lucky enough to see one of these boot up you may recognize the typical Linux boot display and maybe the distribution name.

      Reply
