Dust:, a physical security risk

If you have ever worked in an IT operations or PC support role, you will probably recognize these filthy PCs,  dust-encrusted fans, cases and circuit boards.  If not, have you ever looked inside your own PCs and servers?  Are they running slowly, perhaps making strange noises or smells?  Perhaps it's time to get the lid off and give them a good clean out before something truly awful evolves in there.

The physical threats - accumulated dust, hair and miscellaneous critters - are pretty obvious.  Most would qualify as biohazards.  The vulnerabilities mostly relate to the need to pass lots of cooling air across the heat sinks keeping the CPU and other hot components from meltdown.  Some might the lack of preventive maintenance and regular cleaning are vulnerabilities too, though personally I'd call those control failures.  The impacts include overheating, fires, short circuits, that sort of thing, leading to unreliability and failure of the equipment and consequential interruption to the business processes that depend upon them. 

IT systems located in places where the dust is conductive are particularly at risk: examples are metalwork and engineering workshops, buildings near the sea and coal-fired power stations (coal dust is mostly carbon). 

ISO/IEC 27002:2005 only mentions 'dust' once.  Section 9.2.1 offers a not-very-helpful sugestion to 'consider controls to protect equipment', saying 'Controls should be adopted to minimize the risk of potential physical threats, e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation, and vandalism'.  It doesn't actually say what those controls might be.

Regular preventive maintenance and cleaning of IT equipment is important, particularly where the risks are significant (e.g. business-critical systems in dusty places), along with additional controls such as dust filters, stocks of spare parts and our old friend, regular offsite backups and business continuity plans.

Hopefully the updated ISO/IEC 27002 will be more explicit on this kind of issue.  I included the following control in a proposed rewrite of the physical security section: "cleaning and other measures to reduce the build up of dust, waste, stores etc. that may occlude air filters, cause electrical short-circuits, reduce the reliability of electronic equipment and may cause safety issues".  Who knows whether my suggestion will be accepted and or what the final version will look like but I hope it will end up being a tad less vague than the current 'controls should be adopted'!