Very carefully.
I currently work at a nuclear power station¹ and recent developments towards the digital arena have resulted in the implementation of many Windows-based computers. I have heard of incidents in which viruses have crippled power stations, hence my dilemma.
The problem: We are required to perform a yearly virus scan on these computers, but with the following restrictions:
- We cannot install an anti-virus on these computers as it conflicts with custom design turbine control applications
- No internet connection allowed for security purposes
- No Windows updates are allowed to be installed as it results in software conflicts once again
- Not allowed to open computers
- There is a one-month period each year when these computers are not in service and are available for detecting viruses
What is the best method/s possible with the above-mentioned restrictions to ensure that these computers are properly cleansed from viruses?
I love Windows, I really do.
Yes, it has plenty of flaws and detractors, but in the last 30 years, it’s enabled a level of ubiquitous computing for the masses I just don’t think would have happened as quickly any other way.
That being said, it still makes me quite uncomfortable to hear “Windows” and “nuclear power station” in the same sentence.
Scanning without an internet connection
Even without an internet connection, it’s important to update and run scans regularly. Typically, this means downloading security software on some other internet-connected machine, putting it on portable media, and then running it on the isolated machines. Fortunately, machines unconnected to the internet are less likely to acquire malware, but unfortunately, they’re still not immune.
It’s difficult for malware to arrive
To your company’s or agency’s credit, all those steps making it difficult to perform a security scan also make it very difficult for malware to infiltrate.
That’s the good news. If you ever found a virus, I’d be shocked. Someone would have violated one or more of the rules in order for the virus to make it in.
While I don’t really think malware is a big issue for you, I do have a few concerns. I understand why the rules might be what they are, but there are risks and ramifications that need to be well understood if those rules are to remain.
Updates are more than security
Windows Updates are about more than just security patches.
By disallowing the updates, you may also miss important bug fixes to problems that may manifest in normal usage. From what I understand of the rules you shared, you would not be allowed to take preventative fixes to problems that may cause crashes or other unexpected behaviors.
Obviously, your system is fairly stable, or you wouldn’t be running it. Nonetheless, bugs often manifest after long periods of time when, for example, a statistically-unlikely-but-still-possible series of events finally happens.
A one-month period once a year also seems excessively restrictive. A Windows computer in normal usage should never go 11 months without updates and scans. I realize you’re operating in a controlled and restrictive environment, but still, 11 months is a long time.
I’d rethink policy and consider an approach that allowed more frequent Windows Updates and security scans to take place in some controlled fashion.
Scanning without internet
Several anti-malware companies have tools that you can run stand-alone.
If you have a preferred security software vendor, check with them first to see if they have such a tool. If not, this list of bootable security tools includes several familiar names.
On a machine that is connected to the internet, you would burn such a tool to CD/DVD or install it to a USB stick. Then you could boot the machines needing to be scanned from that media. By default, the tools will not make changes to the hard drive — only scan and report. Most offer an additional step to repair issues found if you choose to.
It’s important that you create security media at the beginning of each maintenance period, of course, to make sure the information is as up-to-date as possible.
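Because the rescue media is the one thing that regularly crosses from an internet-connected machine into the isolated network, it deserves its own check before it is booted. The following is an added PowerShell example, not code from the article or from any vendor's tool: it verifies a downloaded rescue ISO against the SHA-256 the vendor publishes for it (a placeholder value here), refuses an image older than a couple of days so the bundled definitions match the start of the maintenance period, and appends a record to a log for that period. The function name, parameters, paths and log location are this example's own assumptions; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the Ask Leo! article): gate the rescue media built at the
# start of each maintenance window on two checks before it goes near an isolated machine:
#   1. its SHA-256 matches the hash the vendor publishes for that download, and
#   2. it is fresh enough that the bundled signatures are worth running.
# $ExpectedSha256 is a placeholder; copy the real value from the vendor's download page.

function Test-RescueIso {
    param(
        [Parameter(Mandatory)] [string] $IsoPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [int]    $MaxAgeDays = 2,
        [string] $LogPath = "$env:USERPROFILE\rescue-media-log.txt"   # assumed location
    )

    if (-not (Test-Path -LiteralPath $IsoPath)) {
        throw "ISO not found: $IsoPath"
    }

    $item    = Get-Item -LiteralPath $IsoPath
    $actual  = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash
    $ageDays = ((Get-Date) - $item.LastWriteTime).TotalDays

    # -eq on strings is case-insensitive in PowerShell, which suits a hex digest
    # copied from a web page in either case.
    $hashOk  = ($actual -eq $ExpectedSha256)
    $freshOk = ($ageDays -le $MaxAgeDays)

    $record = [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('s')
        Iso         = $item.Name
        Sha256      = $actual
        HashMatches = $hashOk
        AgeDays     = [math]::Round($ageDays, 1)
        FreshEnough = $freshOk
        Approved    = ($hashOk -and $freshOk)
    }

    # One JSON line per check: what was approved for boot, when, and with which hash.
    $record | ConvertTo-Json -Compress | Add-Content -LiteralPath $LogPath
    return $record
}

# Usage (path and hash are placeholders):
$result = Test-RescueIso -IsoPath 'D:\rescue\vendor-rescue.iso' `
                         -ExpectedSha256 '<sha256 from vendor download page>'
if (-not $result.Approved) {
    Write-Warning "Do not write this image to media: hash match=$($result.HashMatches), fresh=$($result.FreshEnough)"
}
```

The log record is the piece worth keeping: at the next maintenance period it shows which image, with which hash, was booted on the isolated machines, which is exactly the question an incident responder asks first if a scan ever does find something.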
Additional options
If you were in a less restrictive environment, I’d suggest using security programs that run without install: look for “portable” setups. In such a case, you’d boot the machine normally and run the tool directly from a CD or USB stick. It’s still possible doing so may leave traces — perhaps a registry entry, for example — so it’s not ideal for the situation posed here.
Since your machines appear to be networked, it’s also possible to run a scan across the net — simply share the hard drive you want to scan and run the anti-virus software from another machine. There are some problems, risks, and drawbacks, however: it will be slower; sharing out an entire drive is considered bad security; and the scan may not be able to access all files as it would if it were running on the machine.
Windows & nuclear power
I have to comment about the combination of Windows and a nuclear power station.
The discomfort I mentioned above is only partly facetious.
Certainly having Windows desktops as office machines for word processing, document management, and so on isn’t an issue. However, Windows running critical control systems could well be an issue, and I hope that’s not the case here.
Windows is a consumer and business-grade operating system. It does fine in data centers, and powers some incredibly complex and large systems. While it’s robust enough for these kinds of applications, it would seem that running a nuclear power station might require an even higher level of reliability than Windows, or any general-purpose operating system, can provide.
I know this isn’t under your control, but personally I’d be very hesitant to put Windows, or any general purpose OS, into life-critical situations. There are alternative commercial real-time operating systems designed for exactly this type of work. They are much simpler, much more robust, and much more secure.
Do this
PLEASE keep your nuclear power station secure.
Footnotes & References
1: Yes, this was a real question I received.
I’m a control system security designer at a major power engineering firm, and have been doing the type of work in the above article for 4 and a half years.
A few issues:
1. Full anti-virus scans are resource intensive, and can cause slowdowns. Slowdowns often cause alarms to queue up, and remove the operators’ awareness of the process. It’s best to perform scans when equipment is offline, i.e. during a planned or short-notice outage window.
2. Patches and updates to these systems can be done, but should be done during regularly scheduled maintenance intervals, and performed by your vendor as part of your support agreement. If it isn’t in there, NEGOTIATE it in. Believe me, you aren’t the first to ask your vendor to provide support for cyber security.
3. You need to do a risk analysis on your systems to identify what impact they have on your operations if degraded or destroyed. Oftentimes you can perform cyber security activities on a field HMI with few consequences, but the same on an OPC server may wipe out your ability to control plant hardware.
And lastly, the NRC has been developing cyber security standards and guidance. Get involved! There is an incredible amount of guidance coming from NRC, NEI, NERC, NIST, and several other acronym organizations. Or, you can give me a call, it’s what I do for a living.
Mike Toecker
Burns and McDonnell Engineering
22-Aug-2009
Using Windows PE is the best way. All it is is an extremely stripped-down version of Windows (Vista) which is used as a flatbed for many maintenance tools that require some sort of bootable Windows environment.
You can execute executables just like you could on your normal Windows environment and it gives you full access to NTFS partitions, so it will allow you to scan the full drive for potential risks. WinPE = the way to go.
I would recommend you contact the OEM of your HMIs to determine what services they offer to support your control systems. Most reputable HMI suppliers have a program to test and validate any patches/updates/services packs etc. on a system configured to match yours BEFORE sending the patches to site. Please feel free to contact me if the system in question is provided by GE Energy – we provide an HMI CAP offering that is designed to address these concerns.
Regards,
Jack Shoffstall
[phone number removed]
Oh, come on. This is CLEARLY a hoax. Like anyone legitimate from a nuclear plant doesn’t have access to the government’s top IT people on an instant’s demand. Really, Leo, you are slipping.
26-Aug-2009
That may have been submitted as a question, but I highly suspect the person asking the question isn’t serious. A nuclear power station would have a staff of IT security specialists and that would be the first and only place to go for this kind of question, and I doubt if a nuclear power station would be running a commercial OS like Windows.
I don’t believe commercial versions of Windows should be used in bank ATMs. I’ve seen them boot into Windows 7 years after end of support. It seems like a customized version of Linux would be safer. There’s so much bloat in Windows making it ripe for vulnerabilities. A Linux system developed specifically for those applications seems like it would be much less vulnerable.
Some bank ATMs and some hospital medical equipment are still running on Windows XP here. This is due to things like the manufacturer no longer trading and other factors.
I was at a big box retailer and noticed a new-ish self-checkout machine booting up. I was floored when a Windows98 welcome screen opened!
If no internet connection is allowed and assuming a nuclear facility would have very tight security what would be the real virus risk here?
Regardless – I also agree with “Anne” – I think the question is a complete hoax. If not we have a very serious problem here… the management of that “Nuclear Power Station” is working way out of their experience level.
26-Aug-2009
This article was written about a year before the Stuxnet Virus brought down the Iranian nuclear reactor. It was most likely a cyber attack by US and Israel. The Iranian power plant was run on a Windows system and was likely introduced via a USB flash drive. One step I’d take to prevent this kind of sabotage would be to install an alarm to indicate whenever an external drive is plugged in. I don’t know how much this would help, but it would be one more layer of protection.
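The “alarm whenever an external drive is plugged in” that this commenter wishes for can be built from what Windows already provides. The block below is an added PowerShell example, not something from the article or any commenter: it subscribes to the Win32_VolumeChangeEvent WMI event (EventType 2 is device arrival) and writes a Warning entry to the Application log each time a new volume appears, with the drive type, volume label, serial, user and host, so the entry can be forwarded to whatever collector the plant uses. The event source name and event ID are this example's choices, not Windows defaults. It assumes Windows PowerShell 5.1 run as Administrator, because Register-WmiEvent and New-EventLog are not available in PowerShell 7.

```powershell
# Added example (not from the article or any commenter): log an event whenever a
# removable volume appears on a control workstation. Uses the Win32_VolumeChangeEvent
# WMI event (EventType 2 = device arrival). Requires Windows PowerShell 5.1 run as
# Administrator, since Register-WmiEvent and New-EventLog are not in PowerShell 7.
# The event source name and event ID below are choices for this example, not Windows defaults.

$Source  = 'RemovableMediaWatch'   # example source name
$EventId = 4100                    # example ID, not a Microsoft-defined one

# Register a custom event source once so Write-EventLog is accepted by the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

$query = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"

# The -Action block runs in its own runspace, so it uses literals rather than the
# variables above. $Event is the automatic variable carrying the WMI event.
Register-WmiEvent -Query $query -SourceIdentifier 'RemovableVolumeArrival' -Action {
    $drive = $Event.SourceEventArgs.NewEvent.DriveName          # e.g. "E:"
    # DriveType 2 = removable disk, 5 = CD/DVD; neither should appear unplanned here.
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID = '$drive'"
    $msg   = "Volume $drive arrived at $(Get-Date -Format s); DriveType=$($disk.DriveType); " +
             "VolumeName='$($disk.VolumeName)'; Serial=$($disk.VolumeSerialNumber); " +
             "User=$env:USERNAME; Host=$env:COMPUTERNAME"
    Write-EventLog -LogName Application -Source 'RemovableMediaWatch' -EventId 4100 `
                   -EntryType Warning -Message $msg
} | Out-Null

# Keep the session alive while monitoring. Stop with:
#   Unregister-Event -SourceIdentifier 'RemovableVolumeArrival'
Write-Host "Watching for removable volume arrivals; press Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 5 }
```

On a machine that is supposed to be static, the useful signal is simply that the event fired at all outside a maintenance window; the details in the message are there so the log entry can be matched against the maintenance record of which media was authorised.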
“The Problem: We require to perform a yearly virus scan on these computers…” This reads like an e-mail from Nigeria, and was my first hint that this inquiry was indeed, a hoax. Nice to see my favorite genius is also human. (and if I’m wrong, well I am human, too)
26-Aug-2009
I support a couple of Windows 98 computers at a manufacturing facility that I can only get to a couple of times a year. I use Clamwin portable from http://portableapps.com/
I install it to a thumb drive, open and update it. Copy it to a CD then to the target computer hard drive. I can then scan. With a more modern operating system that will recognize a thumb drive you can leave off the CD part but it is easier to do it that way than try to find a 98 driver for this year’s thumb drive.
AG
I don’t believe that BartPE is needed. Scanning a PC from a Live Anti-Virus CD couldn’t be easier. Several of the major AV Vendors offer Live CDs for download as ISO files.
1. Download ISO
2. Burn CD
3. Pop it into the infected PC
4. Reboot
How hard is that?
Here’s a google search that turns up a few:
http://www.google.com/search?hl=en&q=live+antivirus+cd+iso+emergency+rescue&aq=f&oq=&aqi=
If this is really from a nuke plant, the fact that they are not going through their I.S. group is scary.
Some idiot thinking that they have to “fix” things through a non-approved channel is what is most likely to cause a virus to be present (maybe they brought one in on a disk with a game and are trying to prevent getting fired).
We would like to think that we hire people at the plants that are not dumb enough to do things like that but I know of an engineer with multiple degrees that would be likely to do this type of thing and used to work (he quit, they couldn’t get rid of him) at a nuke plant.
My initial reaction was the same as Leo’s… Windows running a nuclear power plant? Then I started thinking about some of the other incredibly stable control systems I’ve worked with that were built on very stripped down versions of Windows. Even our phone system runs an old version of NT as it’s OS. It stays up for years at a time easily with no patches or virus scans because it is a static closed system.
What scares me WAY more is the possibility that there is an IT Tech at such a facility who has to ask Leo the answer to this question.
I wouldn’t have thought nuclear plants would have been running Windows, rather some kind of embedded proprietary OS. I think the Windows EULA says somewhere that it’s not suitable for critical environments, such as ‘aircraft control systems and nuclear power plants’.
This Nuclear Power station has got to be a hoax. If they really took their system down for one month a year everyone would know. The mushroom cloud would be a dead giveaway! Thanks though for treating it that way. The scenario, while highly unlikely, may show a “most ignorant” case and logical response. Of course, I would also have requested the name of the Nuke Plant so I could advise the appropriate authorities! Great answer to a scam question.
26-Aug-2009
Before I retired I used Windows computers to control laboratory instruments. Since they were not networked and never connected to the internet, we never had any problems. They were never scanned for malware. How could they catch one?
26-Aug-2009
Scary maybe. If Windows is the OS of choice, then for this application I would use an “embedded version” of Windows. Customized to work with only the services needed. All the fluff, all the services that can break or be a path to instability can be removed. What’s left is much more secure, uses less resources, much smaller in size and quicker (another benefit: the user license is much less in cost).
A Windows embedded setup like this would be much safer; XPe (Windows XP Embedded) has been around for years and works very well in static applications like this one.
If this was real, it would be pretty scary that the bloke in charge of the computer system in a nuclear power station has so little knowledge that he has to ask this question.
I ran into a similar situation except that the PC was on board a ship. I could not install Windows updates nor an antivirus program because they required Windows to be at a certain level. I found an antivirus program that ran on a U3 drive and used the U3 drive to scan the computers on the ship for viruses.
Viruses come from somewhere (the internet).
If there is no connection, then there would be no viruses.
27-Aug-2009
Love your answer
It is common etiquette not to write in all caps – it equals shouting, just plain rude ;(
Agree that it’s ridiculous for a nuclear plant not to have a sound DR (IMHO, patching and malware scanning are part of Disaster Recovery), but nevertheless, if they use Windows they can have one single server to obtain WU as well as virus/malware definitions and then distribute to a small group (pilot); if and when it is found that they won’t damage their environment, then distribute to the rest of the network.
I remember the time when we went around with a single 3 1/4″ diskette and ran antivirus scans on individual Windows computers; it was very time consuming ;(
However, even though times are changing, there are plenty of reputable stand-alone tools to perform it.
Like previous posters, I agree that it’s ridiculous to run even hardened Windows on a crucial computer; it is possible that they use it for day-to-day office work.
Thank you for the great resources you keep sharing with all your subscribers.
PS, with regard to USB and other removable media – one of the worst default Windows settings is Devices > AutoPlay > ON; IMHO it has to be OFF. A while ago Microsoft put out advice to change it, but still ships new systems with AutoPlay = ON ;(
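The AutoPlay default this commenter objects to lives in two registry values, and on an isolated machine that cannot take Group Policy from a domain they have to be checked by hand. The block below is an added PowerShell example, not from the article or the commenter: it audits NoDriveTypeAutoRun (0xFF disables AutoRun for every drive type, the same value the “Turn off Autoplay: All drives” policy writes) under both the machine and user Policies keys, plus the per-user DisableAutoplay flag behind the Control Panel AutoPlay switch, and with the -Remediate switch (this example's own) writes the hardened values. It assumes an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the article or the commenter): audit and, on request, harden
# the registry settings behind the commenter's "AutoPlay = ON" complaint.
#   NoDriveTypeAutoRun = 0xFF under the Explorer Policies key disables AutoRun for every
#   drive type (the value the "Turn off Autoplay: All drives" Group Policy writes).
#   AutoplayHandlers\DisableAutoplay = 1 turns off the per-user AutoPlay prompt.
# Run in an elevated Windows PowerShell prompt; the -Remediate switch is this example's own.

$Settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay';    Expected = 1 }
)

function Test-AutoPlayHardening {
    param([switch] $Remediate)

    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path -LiteralPath $s.Path) {
            # Absent value -> error suppressed -> $current stays $null.
            $current = (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name `
                        -ErrorAction SilentlyContinue).($s.Name)
        }
        $compliant = ($current -eq $s.Expected)

        if (-not $compliant -and $Remediate) {
            if (-not (Test-Path -LiteralPath $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            # -Force overwrites an existing value; DWord matches what Group Policy writes.
            New-ItemProperty -LiteralPath $s.Path -Name $s.Name -Value $s.Expected `
                             -PropertyType DWord -Force | Out-Null
            $current   = $s.Expected
            $compliant = $true
        }

        if ($null -eq $current) { $display = '<absent>' } else { $display = '0x{0:X}' -f [int]$current }

        [pscustomobject]@{
            Key       = "$($s.Path)\$($s.Name)"
            Current   = $display
            Expected  = '0x{0:X}' -f $s.Expected
            Compliant = $compliant
        }
    }
}

# Audit only:
Test-AutoPlayHardening | Format-Table -AutoSize
# Audit and fix:
# Test-AutoPlayHardening -Remediate | Format-Table -AutoSize
```

The audit-only form is the one to run during the yearly window first: a value that has drifted back to a permissive setting on a machine nobody is supposed to touch is itself a finding worth recording, whatever the scan turns up.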
TWO THINGS:
1. I didn’t see anything saying it was a U.S. nuclear power station. Security protocols we consider as essential may not be the norm in Farawaystan.
2. My understanding is that PCs at US nuclear facilities are not permitted to have USB ports, all being sealed permanently or removed if present.
If only more people would follow this advice (no Internet, no updates, no foreign media (hardware or software…)) instead of treating their computers as a throw-away appliance, then work done on and through computers (in closed networks such as at home, small businesses, and other “closed circuits”) would be done more efficiently and save countless hours spent on security paranoia (though sometimes rightly felt).
Think about how many times you look up an article, follow a lead about security for computers. Imagine if you put that time to a task because you knew you had good practices in habit which almost eliminated security risks.
Unfortunately, computers, peripherals, backup media and device drivers(to name a few) can all be shipped with tainted data. You just never know who will have a bad day and take it out on the world.
Smile.
Three points:
First, Bart’s PE is now defunct. You’ll need to find another way — perhaps via a Puppy Linux live distro?
Second, I very much agree: “Windows” and “Nuclear Power Plant” really don’t go together. THAT makes me nervous as all h*ll. They should be using Linux, but in any case not Windows — not only is it too much of a target, but it’s too easy a target.
And third, I agree with Leo — whether this was a spoof or not isn’t important: the issues the article raises are.
I’ve worked on mission critical systems. Among many of the issues raised in this article there is one that is just as important, or more important, than anything else: System stability. Knowing exactly what’s in our system and how the different elements interact and behave as expected and as tested. Testing and certification is done with a given configuration. Anytime you change something, especially if it’s the OS, you need to retest and re-certify. Retesting and re-certification are expensive and monumental tasks. If something goes wrong you can’t just throw up your hands and blame Microsoft. In this situation the rules of the nuclear plant are well justified, including, and especially, not updating Windows – which can brick your system. Updates may be good for your home computer and getting on Facebook, but don’t mess with critical systems.
A little more detail. Critical systems have custom software running on them. Such software interacts closely with OS services, such as microsecond timing, system interrupts, juggling task priorities, interfacing with hardware devices (and I don’t mean printers). Any change that relies on UNTESTED Microsoft software may break things. And we know that Microsoft doesn’t do much testing on its updates.
Fortunately, most critical systems don’t use Windows OS.
EXACTLY… Windows is a great general purpose OS but not what you want to use for critical missions, like nuclear power station controls or NASA’s Apollo program. For an absolutely fascinating presentation on the Apollo 11 onboard computer (light years ahead of its time and very fault-tolerant) see this YouTube video: https://youtu.be/B1J2RMorJXM
I had seen that video before, but it was worth watching it again. Thanks.
This article was originally written in 2009. By now, I hope this Nuclear Power Plant the person asked about is using something other than Windows.
It was reported in the news, a while ago, that an American Navy ship was using Windows. As far as I remember, some negative consequences ensued, otherwise it wouldn’t have made the news. Also, if one Navy ship used Windows, others did, too. That’s not the sort of choice captains are allowed to make on their own.
And no, those computers were probably not used only to print the menu, otherwise they wouldn’t have made the news, either.
On a platform as complex as a ship or airplane there isn’t one computer or one OS. Every subsystem will have its own computer and OS. These can all be different, but communicate over a network. The only use of almost commercial-off-the-shelf OS is in systems such as entertainment systems for the passengers. Even those are typically based on Linux and sometimes on Android. If you’re lucky enough to see one of these boot up you may recognize the typical Linux boot display and maybe the distribution name.