I currently work at a nuclear power station[1] and recent developments towards the digital arena have resulted in the implementation of many Windows-based computers. I have heard of incidents in which viruses have crippled power stations, hence my dilemma.
The problem: We are required to perform a yearly virus scan on these computers, but with the following restrictions:
- We cannot install an anti-virus on these computers as it conflicts with custom design turbine control applications
- No internet connection allowed for security purposes
- No Windows updates are allowed to be installed as it results in software conflicts once again
- Not allowed to open computers
- There is a one-month period each year when these computers are not in service and are available for detecting viruses
What is the best method/s possible with the above-mentioned restrictions to ensure that these computers are properly cleansed from viruses?
I love Windows, I really do.
Yes, it has plenty of flaws and detractors, but in the last 30 years, it’s enabled a level of ubiquitous computing for the masses I just don’t think would have happened as quickly any other way.
That being said, it still makes me quite uncomfortable to hear “Windows” and “nuclear power station” in the same sentence.
Scanning without an internet connection
Even without an internet connection, it’s important to update and run scans regularly. Typically, this means downloading security software on some other internet-connected machine, putting it on portable media, and then running it on the isolated machines. Fortunately, machines unconnected to the internet are less likely to acquire malware, but unfortunately, they’re still not immune.
It’s difficult for malware to arrive
To your company’s or agency’s credit, all those steps making it difficult to perform a security scan also make it very difficult for malware to infiltrate.
That’s the good news. If you ever found a virus, I’d be shocked. Someone would have violated one or more of the rules in order for the virus to make it in.
While I don’t really think malware is a big issue for you, I do have a few concerns. I understand why the rules might be what they are, but there are risks and ramifications that need to be well understood if those rules are to remain.
Updates are more than security
Windows Updates are about more than just security patches.
By disallowing the updates, you may also miss important bug fixes to problems that may manifest in normal usage. From what I understand of the rules you shared, you would not be allowed to take preventative fixes to problems that may cause crashes or other unexpected behaviors.
Obviously, your system is fairly stable, or you wouldn’t be running it. Nonetheless, bugs often manifest after long periods of time when, for example, a statistically-unlikely-but-still-possible series of events finally happens.
A one-month period once a year also seems excessively restrictive. A Windows computer in normal usage should never go 11 months without updates and scans. I realize you’re operating in a controlled and restrictive environment, but still, 11 months is a long time.
I’d rethink policy and consider an approach that allowed more frequent Windows Updates and security scans to take place in some controlled fashion.
Scanning without internet
Several anti-malware companies have tools that you can run stand-alone.
If you have a preferred security software vendor, check with them first to see if they have such a tool. If not, this list of bootable security tools includes several familiar names.
On a machine that is connected to the internet, you would burn such a tool to CD/DVD or install it to a USB stick. Then you could boot the machines needing to be scanned from that media. By default, the tools will not make changes to the hard drive — only scan and report. Most offer an additional step to repair issues found if you choose to.
It’s important that you create security media at the beginning of each maintenance period, of course, to make sure the information is as up-to-date as possible.
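A check that fits this step, added here as an example and not taken from the original article: before writing a downloaded scanning image to CD or USB, confirm that it matches the checksum the vendor publishes and that the download is recent. It assumes the vendor publishes a SHA-256 value; the file name, the seven-day threshold and the sample contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile
import time


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte ISO images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def check_scan_image(path, published_sha256, max_age_days=7, now=None):
    """Return a list of problems; an empty list means the image can go on media."""
    problems = []
    actual = sha256_file(path)
    expected = published_sha256.strip().lower()
    if not hmac.compare_digest(actual, expected):
        problems.append("hash mismatch: got " + actual)
    # A stale download carries stale signatures into the maintenance window.
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(path)) / 86400
    if age_days > max_age_days:
        problems.append("image is %.0f days old; download a fresh copy" % age_days)
    return problems


def demo():
    """Run the check on a constructed stand-in file (not a real vendor image)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "rescue.iso")  # hypothetical file name
        with open(image, "wb") as handle:
            handle.write(b"constructed sample image contents")
        good = sha256_file(image)
        fresh = check_scan_image(image, good)
        tampered = check_scan_image(image, "0" * 64)
        stale = check_scan_image(image, good, now=time.time() + 400 * 86400)
    return fresh, tampered, stale


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

Running the same hash over the media again after the maintenance period shows whether a writable USB stick was altered while it was plugged into the machines being scanned.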
If you were in a less restrictive environment, I’d suggest using security programs that run without install: look for “portable” setups. In such a case, you’d boot the machine normally and run the tool directly from a CD or USB stick. It’s still possible doing so may leave traces — perhaps a registry entry, for example — so it’s not ideal for the situation posed here.
Since your machines appear to be networked, it’s also possible to run a scan across the net — simply share the hard drive you want to scan and run the anti-virus software from another machine. There are some problems, risks, and drawbacks, however: it will be slower; sharing out an entire drive is considered bad security; and the scan may not be able to access all files as it would if it were running on the machine.
Windows & nuclear power
I have to comment about the combination of Windows and nuclear power station.
The discomfort I mentioned above is only partly facetious.
Certainly having Windows desktops as office machines for word processing, document management, and so on isn’t an issue. However, Windows running critical control systems could well be an issue, and I hope that’s not the case here.
Windows is a consumer and business-grade operating system. It does fine in data centers, and powers some incredibly complex and large systems. While it’s robust enough for these kinds of applications, it would seem that running a nuclear power station might require an even higher level of reliability than Windows, or any general-purpose operating system, can provide.
I know this isn’t under your control, but personally I’d be very hesitant to put Windows, or any general purpose OS, into life-critical situations. There are alternative commercial real-time operating systems designed for exactly this type of work. They are much simpler, much more robust, and much more secure.
PLEASE keep your nuclear power station secure.
Footnotes & References
1: Yes, this was a real question I received.