Ensuring the physical security of technology is one of the fundamental ways of minimising the risks in using technology.
Physical security measures can be divided into two broad categories: security against environmental factors, such as fire, moisture, flood, heat, cold and power failure; and security against human interference, either deliberate or accidental.
Physical Security Against Environmental Factors
The types of environmental security measures that can be taken will depend on the types of technology being considered and where the technology will be used. Security measures appropriate to technology that is designed to travel and/or be used in 'the field' will be very different from those appropriate to technology that is static and used in office environments.
Where technology is powered by electricity (and most electoral technology is), the security of the power source is crucial. Even in developed countries with well-established power grids, power can be cut off without warning. In less developed countries power supply can be erratic, intermittent or non-existent. Consequently, wherever continuous power supply is essential, backup power supplies should be an integral part of the technology system.
A common source of power backup is known as an Uninterruptible Power Supply (UPS). A UPS is connected between the main power supply and the piece of technology, such as a computer system. If the main power supply fails, the battery included in the UPS kicks into operation and takes over the power supply for the technology.
Some UPS systems are powerful enough to keep the system in operation for an extended period of time, so that users may not even be aware that the main power source has failed and work can proceed. However, as this kind of UPS needs a powerful battery to operate, it is very expensive. Other less expensive UPS systems are not intended to serve as replacement power systems for an extended period. In these cases the UPS will go to a temporary battery backup and trigger a warning to system administrators and users, stating that the main power source has failed and instructing users to close down their systems in an orderly manner. This kind of UPS is intended to prevent accidental data loss or corruption through power failure, by allowing a controlled close down of a system, rather than ensuring that work can proceed on backup power.
The other function of UPS systems is to smooth out 'spikes' in power supplies. While power supplies are meant to supply a constant level of electricity, they can on occasion provide an over-supply of power, called a 'spike'. Spikes can be dangerous to computer equipment and can cause fuses to blow or components to burn out. A UPS system will intercept a spike and prevent it from reaching sensitive equipment.
Another common method of ensuring reliable power supplies is to use a generator. Various kinds of generators can be used, powered by various kinds of fuel, typically petrol or diesel. Generators can be used constantly, particularly where the main power source is unreliable or unavailable, or they can be used as backup if the main power source fails. Generators can be coupled with UPS systems, so that the UPS can handle a transition from the main power source to generator power.
Where a generator is used as the primary power source, it may be desirable to have one or more backup generators available in case the primary generator fails. Regular maintenance of generators can ensure that they continue to operate effectively.
Another important aspect of physical security is ensuring that technology equipment, particularly computer equipment, is appropriately housed. Ideally, computer equipment should be stored in sealed buildings with climate control, so that temperature and humidity are kept at constant, optimal levels, and dirt, dust, smoke and other contaminants are excluded. In many cases normal building air conditioning systems that control cooling and heating are employed for this purpose.
In particularly harsh environments, however, or in the case of particularly sensitive equipment, normal air conditioning systems may not be sufficient, and special climate control systems may have to be installed. Concentrating equipment in dedicated, sealed rooms, with the climate controlled by a specialised, dedicated air conditioning system is one solution.
The building or rooms housing computer equipment or other technology should be set up to ensure that the equipment is protected from extremes of weather and from entry of contaminants such as dirt, dust, sand and smoke. Rooms should be regularly cleaned, and in particular dust build-up (attracted by the static electricity generated by computer equipment, especially video display screens) should be carefully removed. Cigarette smoke residues can damage computer equipment and ideally smoking should not be permitted in workplaces, for the sake of both the health of workers and their equipment.
For equipment used out of doors or in unsecured buildings, such as equipment used by remote polling teams or in polling stations, the equipment should ideally come with its own secure housing to ensure that outside environmental factors such as dust or moisture do not affect it. It may be necessary to use equipment that is purpose-built for use in remote locations, ensuring that it is robust and capable of functioning under adverse circumstances.
Another form of technology with special physical security needs is communication equipment. In particular, cables connecting computer networks need to be kept safe from harm. Cables are at risk of being gnawed by rodents and being tripped over by humans. Ways of safeguarding cables include shielding the cables inside ducts or strong sheaths, placing them inside walls, below floors and above ceilings, building false floors to enable cables to travel underneath them, burying cables underground or mounting them on poles. Where cables are at risk, alternatives such as microwave links could be considered.
Physical Security Against Human Factors
Many of the measures taken to secure technology against environmental factors can also be used to prevent accidental or deliberate human intervention in technology. Physical isolation, such as placing key items of technology like network servers inside dedicated rooms, can help to reduce the chance of human intervention. Similarly, placing network cables inside walls, below floors and above ceilings makes them hard to access.
However, the most effective physical measure that can be taken to prevent human intervention in technology is to lock the technology inside secure premises. Modern technology has provided a wide range of sophisticated devices that can restrict entry to buildings and rooms to authorised persons only. These include:
- Old-fashioned locks and keys
- Locks operated by access code numbers (mechanical or computerised)
- Locks operated by cards with magnetic strips
- Locks that recognise biological features, such as fingerprints, handprints or retinas
- Locks that require a combination of two or more of the above methods
The advantage of the more sophisticated locking systems that use computer systems to validate entry is that they can be used to monitor which individuals have accessed a facility and when. Locks that use biological features go one step further and ensure that only identified and verified individuals can enter a facility. Locks that do not incorporate biological features are not as secure, as it is always possible for someone to steal someone else's entry card or access code numbers.
Surveillance is another form of security. Security guards can be used to verify entry to a facility. Security cameras can be used by security guards to monitor a range of access areas. Sensors can be used to monitor activity and set off alarms if security is compromised. If on-site security is too expensive, on-call security services, which can patrol the premises from time to time and respond to alarm calls, can be employed at a lesser rate. Alarm systems can be set up that not only ring a local alarm but also set off an alarm at a remote security firm or police station.
While locks and surveillance systems are a good form of security, the overall level of security will only be as good as the weakest point in the security cordon. For example, many office buildings allow human access between floors in service ducts (usually for the purpose of providing air conditioning and cable access). It is important to ensure that access restrictions to technology cannot be overcome simply by a person climbing into an air-conditioning access point outside a secure area and getting into the secure area via the space above the ceiling.
If physical security of electoral technology is of high importance, it may be worth employing a security expert to conduct a security audit on the premises to ensure that all appropriate steps are taken.
The final form of security against human intervention in technology is to make it difficult or impossible for an unauthorised user to access or change the data held in computer systems. This can be achieved by restricting access to data through use of passwords and encryption. For more on these topics, see Data Access Security and Performance Safeguards.