Elections ACT
Upgrade of eVACS® for the 2020
ACT Legislative Assembly Election
HAZOPS Analysis
Document Status: Final
Version 1.0
January 2020
Commercial-in-Confidence
Software Improvements Pty Ltd © 2019
Copyright Notice
Copyright Software Improvements Pty Ltd
This document has been produced by Software Improvements Pty Ltd on behalf of the ACT Electoral Commission (Elections ACT).
This document is the property of Elections ACT who shall retain its copyright jointly with Software
Improvements Pty Ltd. It may not be reproduced or recorded in whole or part in any form or media
without the explicit written approval of Elections ACT.
Disclaimer
In compiling this HAZOPS Analysis, Software Improvements Pty Ltd has relied upon the accuracy and
completeness of information provided by Elections ACT.
eVACS®
eVACS® is a registered Trade Mark of Software Improvements Pty Ltd.
Where used in this HAZOPS Analysis, eVACS has the same meaning as eVACS®.
Document Control Information
The controlled version of this document is in electronic form.
All hardcopy versions are uncontrolled.
Modifications

Date of this Revision | Version | Comment | Author | Reviewer | Release
2019-10-09 | 0.1 | Initial Draft | CJB | CVB |
2019-09-16 | 0.2 | Post review of structure and inclusion of HAZOPS table | CJB | RB, CVB |
2019-10-28 | 0.3 | Revision based on reviewers' comments | CJB | CVB |
2019-12-28 | 0.4 | Revision based on comments from EACT (note: file was labelled v0.5) | CJB | CVB | 2020-01-03
2020-01-14 | 1.0 | Inclusion of EACT edits and revision after meeting with EACT | CJB | | 2020-01-21
Distribution

Name and Appointment | Document Name | Date of Issue | Version
Jiv Sekon, Project Manager, EACT; Rohan Spence, DEC, EACT | HAZOPS Analysis | 2019-10-31 | 0.3
Rohan Spence, DEC, EACT; Jiv Sekon, Project Manager, EACT | HAZOPS Analysis | 2020-01-03 | 0.4
Rohan Spence, DEC, EACT; Jiv Sekon, Project Manager, EACT | HAZOPS Analysis | 2020-01-21 | 1.0
Contents

1 COPYRIGHT NOTICE ..... 2
  1.1 Disclaimer ..... 2
  1.2 eVACS® ..... 2
2 DOCUMENT CONTROL INFORMATION ..... 3
  2.1 Modifications ..... 3
  2.2 Distribution ..... 3
CONTENTS ..... 4
1. INTRODUCTION ..... 6
  1.1 Document purpose ..... 6
  1.2 Defining the HAZOPS analysis ..... 6
  1.3 Reference documents ..... 7
  1.4 Acronyms ..... 8
  1.5 Definitions ..... 9
2. UNDERSTANDING EVACS® ..... 10
  2.1 Election principles ..... 10
  2.2 eVACS® operating environments ..... 11
    2.2.1 Election server environment ..... 11
    2.2.2 Polling place environment ..... 11
    2.2.3 Telephone voting system environment ..... 13
    2.2.4 Public environment ..... 13
  2.3 A model/design of the eVACS® software system ..... 14
  2.4 eVACS® and security ..... 16
    2.4.1 Software related security ..... 17
    2.4.2 Vote protection ..... 18
    2.4.3 Hardware protection ..... 19
    2.4.4 Environment controls ..... 20
    2.4.5 Access controls ..... 20
3. ACCEPTABILITY AND TOLERABILITY OF HAZARDS ..... 21
4. EVACS® UPGRADED – POSSIBLE DEVIATIONS ..... 23
5. CONCLUSIONS ..... 25
APPENDIX 1 – APPLICATION WITHIN EVACS® OF THE SIX ELECTION PRINCIPLES ..... 27
APPENDIX 2 – EXTRACT FROM IEC 61508 ..... 29
  A.2.1 Categories of likelihood of occurrence ..... 29
  A.2.2 Consequence categories ..... 29
  A.2.3 Risk matrix ..... 30
APPENDIX 3 – HAZOPS ..... 31
1. Introduction
1.1 Document purpose
One of the Contract requirements for the upgrade of eVACS® [2] is to create a HAZOPS document.
The rationale behind requiring a Hazard and Operability Study (HAZOPS) is that in order to minimise
the potential for fraud and vote manipulation it is important to:
1) identify potential hazards and risk exposure (probability and consequence of occurring),
2) assess the consequences and probability of those identified hazards occurring, and
subsequently the risk exposure, and
3) devise means to reduce the consequences or probability of occurrence down to an
acceptable level (R4 in [1] and [2]; see footnote 1).
In this context both real and perceived electoral integrity issues need to be considered in order to
identify safeguards to be put in place so as to minimise the risk exposure [1].
Elections ACT identified the document as being "used when communicating the effective mitigation
practices in place when faced with outside queries over the system's integrity" (R4 in [1]).
1.2 Defining the HAZOPS analysis
HAZOP usually refers to a Hazard and Operability study (initially HazOPS but now generally referred
to as HAZOPS), being a structured and systematic technique for system examination and risk
management. Initially developed in the 1960s to analyse major chemical process systems, the
approach has since been extended to other industrial operations, other types of process systems, and
other complex systems such as software development and operation.
A HAZOP study is therefore being used to expose potential hazards/threats in regard to the eVACS®
election system, and to identify ways to mitigate the risk of harm when such a system is exposed to
such hazards or threats. In the elections context, the system for analysis therefore includes not just
the development of the eVACS® software but equally importantly the environments in which eVACS®
operates (section 2.2).
A HAZOP study is typically conducted by:
1) systematically progressing through a design (or model) of a system,
2) evaluating each component - corresponding to an attribute - of the design, and
3) applying a set of relevant guidewords to each attribute,
in order to identify a deviation from what might be assumed or expected.
Each potential hazard/threat is exemplified in terms of a deviation or valid attribute-guideword
combination.

Footnote 1: R4 is a reference to Requirement 4 in the cited documents.
The cause of each deviation is recorded (if known) together with any of one or more consequences
surrounding the deviation.
If a safeguard exists to counteract the potential hazard/threat (deviation), then that is also recorded.
Recommendations to prevent the cause or diminish the consequence(s) of a potential hazard typically
are to describe new/extra safeguards to be installed/implemented.
Finally, the severity of the consequence is assessed in terms of Minor, Moderate, Critical or
Catastrophic.
A HAZOPS is presented in tabular form containing six columns defined as follows:

Column | Column Label | Description
1 | Item # | A unique identifier assigned to each row in the table representing a deviation
2 | Deviation (hazard/threat) | Anything credible that might cause unexpected/inappropriate operation of the system
3 | Cause | One or more events that might have caused a deviation
4 | Consequence | Outcome of a deviation becoming a harmful incident
5 | Safeguards | Any existing equipment or processes that counteract the consequence or cancel out the causes
6 | Recommendations | Identified as having potential to prevent the cause or diminish the consequence
The detailed HAZOPS for eVACS® is provided at Appendix 3 and builds on an earlier HAZOP study
[6] and the description of the security features of eVACS® [5].
In election systems the main hazards/threats surround activities that have the potential to expose how
one or more electors have voted, and/or the potential to corrupt votes. These potential
hazards/threats are not unique to electronic election systems; indeed, Elections ACT has in place
various processes/procedures (safeguards) associated with paper-based voting to reduce the risk of
such hazards/threats causing 'harm' to individual electors and the community as a whole.
1.3 Reference documents
References, where cited in this document, are referenced by number; e.g. a reference to the HAZOP
Study from March 2019 is cited as [6].
1. Business Requirements Specification ICT Business System Upgrade - eVACS®, version 1.0;
2. Contract – Electronic Voting and Counting System (eVACS®) Enhancements, Services and
Support: ACTGS reference 636238 Final Version 23 July 2019, including the Statement of
Requirements at Schedule 2 being a modified version of the Business Requirements Specification
[1];
3. Software Improvements Pty Ltd, eVACS® Operational Concept Description, 2019;
4. Software Improvements Pty Ltd, eVACS® Systems Specification Parts 1 and 2, 2019;
5. Software Improvements Pty Ltd, Security and eVACS®, May 2019;
6. Software Improvements Pty Ltd, HazOP Study for ACT Election System, Final, 15 March 2019;
7. Boughton, CJ (2006), Maintaining Democratic Values in e-Voting with eVACS®, Proceedings of
the 2nd International Workshop on Electronic Voting, Bregenz, Austria;
8. IEC 61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
Systems.
1.4 Acronyms
ACT: Australian Capital Territory
BVI: Blind or Vision Impaired
CJB: Carol Boughton
CVB: Clive Boughton
EACT: Elections ACT (ACT Electoral Commission)
EMS: Election Management System
eVACS® / eVACS / EVACS: electronic Voting and Counting System
HAZOPS: Hazard and Operability Study
HTTPS: HyperText Transfer Protocol Secure
IEC: International Electrotechnical Commission
IVR: Interactive Voice Response
LAN: Local Area Network
PIN: Personal Identification Number
RB: Russell Baird
UPS: Uninterrupted Power Supply
USB-FD: USB Flash Drive cleaned and secure
1.5 Definitions
e-voting: electronic voting
e-voting card: A card with a QR code used by voters to start and end their electronic voting session
Master Admin barcode: A location specific card with a QR code used by an official to authorise administrative activities
QR code: Two dimensional barcode
Voting Token: A randomly generated 7 digit numeric code issued to registered telephone voters
2. Understanding eVACS®
2.1 Election principles
There are six principles of democratic elections [7]:
1) The doorkeeper principle
Each person desirous of voting must be personally and positively identified as an eligible
voter and permitted to complete no more than the correct number of ballot papers.
2) The secrecy principle
Admitted voters must be permitted to vote in secret.
3) The verification, tally and audit principle
There must be some mechanism to ensure that valid votes, and only valid votes, are
received and counted. This mechanism must be sufficiently open and transparent to allow
scrutiny of the votes.
4) Equality (in political participation)
• Racial equality
• Multi-lingual access
• Disability access
• Inter-jurisdictional access (no differential treatment to voters based on where they
reside)
5) Security
The resistance of votes and vote totals to fraud and other forms of manipulation.
6) Transparency
The capacity to produce auditable results in which both candidates and voters can justifiably
have confidence.
These six principles are not only reflected in the design of eVACS®, but they also provide a guide as
to how to consider the deviations referred to in section 1.2 in the context of elections by asking
questions of the form listed in Table 1.
Table 1 – Linking election principles and HAZOP deviations

Principle | Question
Doorkeeper | How could a person impersonate someone else on the electoral roll? How could a person receive, or access, more ballot papers than they are entitled to?
Secrecy | How could the secrecy arrangements be violated?
Verification, tally & audit | Could the mechanisms in place be modified without detection?
Equality | By introducing special arrangements to ensure equality, can the processes to support other principles be weakened?
Security | How could the security procedures be breached?
Transparency | Are there ways for nefarious activities to be undertaken without an observable impact on the transparency procedures in place?
A high level description of the application within eVACS® of the six election principles is provided at
Appendix 1.
2.2 eVACS® operating environments
In the elections context, the system for HAZOP analysis includes not just the development of the
eVACS® software but equally importantly the environments in which eVACS® operates (section 1.2).
There are three different physical environments in which different modules of eVACS® operate (Figure
1), and a fourth environment that impacts on the operations of eVACS®:
1. an access controlled location where the election server is located and scanning of ballot
papers is undertaken,
2. multiple polling places where electronic voting takes place,
3. a secure location where the telephone voting system is located, and
4. the public environment through which votes are transported from voting servers to the election
server location, or the locations where telephone voting takes place.
In this section the hazards of each environment are considered, whereas hazards with the actual
operation of eVACS® and how they are being addressed, including security, are presented in sections
2.3 and 2.4.
2.2.1 Election server environment
In order to ensure only authorised access to the Election server, the server is located in an access
controlled environment. As well, access to the server is controlled (with two factor authentication,
being password and Master Admin barcode) and logged.
Hazards associated with the election server relate primarily to:
• destruction of the server,
• introduction of nefarious code,
• uploading incorrect election information,
• misspelling and/or mispronouncing party and candidate names,
• entered passwords (e.g. end of day password) not protected appropriately, and
• having the network for creating voting servers installed appropriately to support installation of
voting server software.
The setup of voting servers requires a local area network connected to the election server, but only
for the time required to complete the installation of a server for each polling place (represented by the
Temporary LAN in Figure 1 with up to n servers as part of the temporary network).
Although data entry also requires a network connected to the election server, this is less of an issue
as data entry, if used, occurs after polling closes and any problems with the network can be resolved
without the same critical time pressures.
2.2.2 Polling place environment
Ensuring that only those enrolled to vote are able to vote, and only in elections to which they are
entitled to vote, is the responsibility of polling officials either at a polling place or when a person is
seeking to register to vote by telephone (section 2.2.3).
Figure 1 – eVACS physical operating environments
When voting at polling places a polling official issues the elector with an e-voting card that contains a
barcode identifying the electorate in which the person is enrolled to vote and the specific polling place
for which the barcode can be used. The e-voting card when scanned determines the electorate and
hence the correct ballot to be displayed, and associated audio to be played if the elector is using
headphones.
At each polling place supporting electronic voting, multiple voting clients are connected via a LAN to
the polling place server, with the latter located in a secure cabinet. Voting clients have minimal
software installed from the voting server, basically supporting the reading of e-voting cards, use of a
keypad where provided, and communication with the voting server. All actions on the voting client and
voting server are logged.
Risks associated with the setup for voting at polling places are addressed in section 2.4.4.
All of the polling place servers (referred to in section 2.2.1) are identical when set up and can be
delivered to any electronic polling place. Therefore, before voting can commence at a polling place,
the polling place at which the server is located must become known to the server in order for the
issued e-voting cards to be accepted by the server. This requires an official to select from a list of
names initially displayed on the server and then to scan the Master Admin barcode for the polling
place. There must be a match between the name selected and the polling place name identified by
the Master Admin barcode.
There is the potential for an incorrect selection from the list of polling place names and/or for the
wrong Master Admin barcode to be delivered to a particular polling place. Although this has no impact
on vote data, the outcome is a potential delay in the commencement of electronic voting at the polling
place.
2.2.3 Telephone voting system environment
The telephone voting system (IVR servers and telephone voting server) is located within a Security
Operations Centre of a Government Community Infrastructure providing secure cloud services.
Access to the Centre is controlled and logged. Access to the telephone voting server is also logged
and, for anything other than starting and stopping voting services, requires use of a Master Admin
barcode or password.
When registering to vote by telephone, the elector, once established as enrolled in the ACT, provides a
Personal Identification Number (PIN) and subsequently receives a Voting Token linked to their PIN
and based on the electorate in which they are enrolled to vote. When voting by telephone, the elector
first enters their PIN and then their Voting Token; if the pair matches a pair in the database, the
electorate information in the Voting Token is used to ensure the audio for the ballot for that electorate
is transferred to the IVR servers in response to key presses on the voter's telephone.
In the case of the telephone voting system, functions equivalent to those of the voting clients at polling
places are performed as part of the IVR functionality within the telephone voting system.
In order for the telephone voting system to operate, the PIN/Voting Token pairs must be available in
the Telephone Voting Server database. As proposed by Elections ACT, registering for telephone
voting can only occur during hours when normal voting is available, and uploading of PIN/Voting
Token pairs is expected to occur on multiple occasions during each day in which registration is to be
made available. Delays in uploading PIN/Voting Token pairs beyond voter expectations could impact
negatively on the outcomes of the initial trial of telephone voting.
2.2.4 Public environment
At the close of polling on each pre-polling day and election day, cumulative votes are downloaded
from each voting server (at each polling place and for telephone voting) and physically transported to
the location of the election server.
There are two obvious concerns associated with such transportation:
1) safety of individuals involved in such transportation, and
2) security of vote data.
Specific hazards derived from the first concern relate to the means of transport utilised, currently
motor vehicles for travelling from polling places and most likely on foot from the telephone voting
location and electronic voting centres close to Elections HQ. In the ACT the risk of involvement in a
traffic accident or the possibility of being harmed whilst a pedestrian are both very low.
Security of the vote data is addressed in section 2.4.2, but from a 'harm' perspective having the data
stolen is not really of consequence as the vote data can easily be downloaded again and, importantly,
the data cannot be read from the transportation media (as data is encrypted), nor modified without
detection should an attempt be made to upload the votes to the election server.
The second type of public environment covers those locations where telephone voting takes place.
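The transport property claimed above, that vote data carried on removable media cannot be modified without the election server detecting it, is shown below as an added example. This is illustration code written for this analysis, not eVACS code: the file layout (a JSON body followed by an HMAC-SHA256 tag), the function names, the constructed sample batch and the key handling are all assumptions. Binding the polling place and day into the authenticated body also stops a batch from one polling place or day being passed off as another.

```python
# Added illustration (not eVACS code) of tamper detection for transported vote data
# (section 2.2.4).  The file layout, key handling and names are assumptions.
import hashlib
import hmac
import json


def seal_batch(key, polling_place, day, votes):
    """Bytes written to the transport media: a compact JSON body plus a MAC over it.

    polling_place and day are inside the authenticated body, so the election server
    can check that the batch really is the one it expects from this source.
    """
    body = json.dumps(
        {"polling_place": polling_place, "day": day, "votes": votes},
        sort_keys=True, separators=(",", ":"),   # one line, no newline inside the body
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_batch(key, blob, expected_polling_place, expected_day):
    """Election-server side: verify the MAC before anything in the body is used."""
    body, sep, tag = blob.rpartition(b"\n")
    if not sep:
        raise ValueError("batch rejected: malformed")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        raise ValueError("batch rejected: integrity check failed")
    batch = json.loads(body)
    if batch["polling_place"] != expected_polling_place or batch["day"] != expected_day:
        raise ValueError("batch rejected: not the expected polling place/day")
    return batch["votes"]


def upload_accepted(key, blob, polling_place, day):
    """True if the election server would accept the batch, False if it is rejected."""
    try:
        open_batch(key, blob, polling_place, day)
        return True
    except ValueError:
        return False


def demo(key=b"constructed-demo-key-do-not-reuse"):
    """Constructed sample: a genuine batch, a tampered copy, and mismatched metadata."""
    votes = [{"electorate": "Kurrajong", "prefs": [3, 1, 2]},
             {"electorate": "Kurrajong", "prefs": [1, 2]}]
    sealed = seal_batch(key, "Civic", "2020-10-17", votes)
    # Change one preference list on the way to the election server.
    tampered = sealed.replace(b'"prefs":[3,1,2]', b'"prefs":[1,3,2]', 1)
    return {
        "genuine_accepted": upload_accepted(key, sealed, "Civic", "2020-10-17"),
        "tampered_accepted": upload_accepted(key, tampered, "Civic", "2020-10-17"),
        "wrong_place_accepted": upload_accepted(key, sealed, "Gungahlin", "2020-10-17"),
        "wrong_key_accepted": upload_accepted(b"other-key", sealed, "Civic", "2020-10-17"),
        "recovered": open_batch(key, sealed, "Civic", "2020-10-17"),
    }
```

The MAC gives the "not modified without detection" property only; the "cannot be read" property the document also claims needs encryption, and in practice an authenticated cipher such as AES-GCM would provide both at once. The example uses HMAC-SHA256 because the Python standard library ships no block cipher. Whatever construction is used, the key must be held by the voting servers and the election server and must never travel on the same media as the batch.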
2.3 A model/design of the eVACS® software system
As mentioned in section 1.2, in order to undertake a HAZOPS effectively it is necessary to have a
model or design of the system under study. It is not necessary that the model/design be detailed, but
it does need to at least represent essential characteristics of the system. eVACS® is a critical
information system for Elections ACT, and from a software perspective an entity-relationship model is
appropriate.
Figure 2 depicts the major data entities (Vote_Entity, Barcode_Entity (see footnote 2), and
Elector_Entity) and the relationships that pertain to electors and their votes within eVACS®. In this
case there is only one relationship: R1, showing that one Barcode_Entity is related either to no vote
or to just one Vote_Entity, expressed as 0..1 in Figure 2. Initially barcodes are listed in the database
without any relationships to anything else, albeit that the barcode contains an electorate and polling
place identifier. The relationship R1 is formed when a barcode is scanned and a ballot for the
particular electorate is identified/displayed. Once the vote is committed (with or without any
preferences) the relationship R1 is severed and the barcode is marked as used and thus cannot be
used again to form another R1 relationship, hence the description 0..1.
As per Figure 1, each polling place at which electronic voting is available contains a polling place
server to which many voting clients are connected. Each polling official at each polling place has
access to an electronic copy of the complete electoral roll for the ACT (completely separate from
eVACS®). As an elector enters a polling place, she/he is guided to an official who obtains the
elector's name and address details and then marks them on the roll as 'voted' before issuing the
elector with a barcode, now an e-voting card (containing a QR barcode to vote electronically), or a
paper ballot (to fill out with a pencil). Barcodes are issued in random order and are not related to the
elector, except that the barcode is selected to enable electronic voting in the electorate in which the
voter is enrolled.
Apart from the voter, the only person who potentially knows the details of the barcode issued to them
is the polling official who has just marked off their name on the electoral roll. Hence, the polling official
has access to two pieces of the information necessary to link a vote to a voter. In order to actually link
the barcode with a vote, the official has to gain access to the votes database on the voting server
while a vote is in progress. The following security features of eVACS® exclude the possibility of such
access ever being attained: limited menu functions available during voting, unused ports are
inoperative both via programming and physically, and the server is located in a secure box.
The important thing to note in Figure 2 is that there is no intended relationship between the
Elector_Entity and the Vote_Entity, which is as it should be. Essentially this means that elector
privacy should not be at risk.

Footnote 2: The relationship R1 also applies for telephone voting, in which Voting_Token_Entity can
be substituted for Barcode_Entity. Relationships R2 to R4 do not apply to telephone voting.
Figure 2 – The main data entities and relationships and their respective locations within eVACS®
However, undertaking a HAZOPS on the model/design in Figure 2 suggests that there could be
unintended relationships between the Elector_Entity and Vote_Entity, as in Figure 3.
If a Timestamp were attached to a committed vote as well as to the change of an elector's
Voting_Status from 'Not voted' to 'Voted' on the electoral roll, an unintentional relationship between an
elector and their vote could become possible. However, eVACS® does not store a Timestamp with a
vote; in addition, when a vote is committed to store it is encrypted and assigned a random number,
and votes are then stored in order of the random numbers, ensuring there can be no relationship
between time of voting and the sequential order of votes in the votes database.
As part of automatic logging of events, a Timestamped entry is still made to the audit log when a vote
is committed, but there is no mechanism by which an entry in the audit log can be linked with a
particular entry in the list of randomly ordered votes.
A relationship (R2) between an elector and their vote may exist more deliberately, if an elector
attempts to form a unique Preference_List that is able to be identified in the published data. This
circumstance is addressed in Appendix 3 at ITEM# 1.
Additionally, an unintentional relationship (R3) between an elector and their vote may be identified
when an elector is alone in a polling place and voting electronically at the very beginning or end of an
election. However, the random ordering of votes within eVACS® ensures this relationship cannot be
established and the elector's vote cannot be identified in the published data. This circumstance is the
topic of ITEM# 2 in Appendix 3.
Finally, an accidental relationship (R4) may exist when very few electors (in total) vote at a polling
place. This could occur when voters go to a polling place with electronic voting, but the polling place
is remote from the voters' electorates. This circumstance is described at ITEM# 3 in Appendix 3.
Figure 3 – Some possible relationships that may be formed between an elector and their vote
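The design properties argued in section 2.3 (a barcode forms at most one R1 relationship and is marked used on commit; a polling place server accepts only cards issued for the polling place it was bound to with the Master Admin barcode; a committed vote is stored under a random number with no timestamp and no card identifier; the audit log is timestamped but carries nothing that points at a vote record) are collected below in a toy model, added here as an example and not taken from eVACS. Every name (VotingCard, PollingPlaceServer, bind, start_session, commit_vote), the card payload fields, the 63-bit random number and the sample cards and polling places are assumptions made for the illustration; the real system also encrypts the stored record, which is left out to keep the example standard-library only.

```python
# Added illustration (not eVACS code) of relationship R1, single-use cards,
# polling place binding and random-number vote ordering from sections 2.2.2 and 2.3.
# All names, payload fields and sample data are assumptions for this example.
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class VotingCard:
    """Constructed stand-in for the contents of an e-voting card's QR code."""
    card_id: str          # assumed: opaque identifier carried by the card
    electorate: str       # electorate whose ballot is to be displayed
    polling_place: str    # polling place at which the card may be used


@dataclass(frozen=True)
class MasterAdminBarcode:
    polling_place: str    # polling place this Master Admin barcode identifies


class PollingPlaceServer:
    def __init__(self, issued_cards):
        self.polling_place = None
        self.cards = {c.card_id: c for c in issued_cards}
        self.used = set()
        self.in_progress = {}   # R1: card_id -> electorate, at most one per card
        self.votes = {}         # random number -> (electorate, preferences)
        self.audit_log = []     # (timestamp, event): no card or vote identifiers

    def bind(self, selected_name, admin_barcode):
        """Section 2.2.2: the selected name must match the Master Admin barcode."""
        if selected_name != admin_barcode.polling_place:
            raise ValueError("selected polling place does not match Master Admin barcode")
        self.polling_place = selected_name
        self._log("polling place bound")

    def start_session(self, card_id):
        """Scan a card: accept it only for this polling place and only once (forms R1)."""
        card = self.cards.get(card_id)
        if self.polling_place is None or card is None or card.polling_place != self.polling_place:
            raise PermissionError("card not valid at this polling place")
        if card_id in self.used or card_id in self.in_progress:
            raise PermissionError("card already used")
        self.in_progress[card_id] = card.electorate
        self._log("session started")
        return card.electorate

    def commit_vote(self, card_id, preferences):
        """Commit: sever R1, mark the card used, store under a fresh random number."""
        electorate = self.in_progress.pop(card_id)   # KeyError if no session is open
        self.used.add(card_id)
        number = secrets.randbelow(1 << 63)
        while number in self.votes:                   # collision is negligible but cheap to exclude
            number = secrets.randbelow(1 << 63)
        # The stored record carries neither the card id nor a timestamp.
        self.votes[number] = (electorate, tuple(preferences))
        self._log("vote committed")
        return number

    def stored_votes(self):
        """Votes as they sit in the database: ordered by random number, not by time of commit."""
        return [self.votes[n] for n in sorted(self.votes)]

    def _log(self, event):
        self.audit_log.append((time.time(), event))


def scenario():
    """Constructed sample run returning the outcomes a reviewer would want to check."""
    cards = [VotingCard("A1", "Kurrajong", "Civic"),
             VotingCard("A2", "Brindabella", "Civic"),
             VotingCard("A3", "Kurrajong", "Civic"),
             VotingCard("B1", "Yerrabi", "Gungahlin")]   # issued for a different polling place
    server = PollingPlaceServer(cards)
    try:
        server.bind("Civic", MasterAdminBarcode("Gungahlin"))   # wrong barcode delivered
        bind_mismatch_rejected = False
    except ValueError:
        bind_mismatch_rejected = True
    server.bind("Civic", MasterAdminBarcode("Civic"))

    for card_id, prefs in (("A1", [3, 1, 2]), ("A2", [1, 2]), ("A3", [2, 3, 1])):
        server.start_session(card_id)
        server.commit_vote(card_id, prefs)

    def rejected(card_id):
        try:
            server.start_session(card_id)
            return False
        except PermissionError:
            return True

    return {
        "bind_mismatch_rejected": bind_mismatch_rejected,
        "reuse_rejected": rejected("A1"),
        "wrong_place_rejected": rejected("B1"),
        "stored": server.stored_votes(),
        "audit_events": [event for _, event in server.audit_log],
    }
```

Run scenario() a few times: the three records come back in a different order each time while the set of records is fixed, which is the point of ordering by random number. The audit log records that three votes were committed and when, but nothing in it identifies which stored record each commit produced.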
2.4 eVACS® and security
The electronic voting system implemented by Elections ACT comprises more than eVACS® software.
The software operates on hardware, in various environments (section 2.2) and involves different
authorised users. As a consequence, there are multiple avenues that could be potential threats to
maintaining security of the end-to-end electronic voting process.
Looking at security issues is another way of examining threats in the context of a HAZOPS since:
• ‘security’ is the state of being free from danger or threat, and
• ‘security risk’ is a person or situation which poses a possible threat to security
where:
• ‘hazard’ or ‘threat’ is something that could cause harm, and
• ‘risk’ is the potential impact (probability and consequence) of such harm
In the elections context the unacceptable outcome of a breach in security is a failure to meet one or
more of the election principles identified in section 2.1.
Security threats can be grouped as follows:
• Software related
• Vote protection
• Protection of hardware
• Environment controls
• Access controls
Mitigation strategies are addressed in the following sections describing different aspects of the
eVACS® electronic voting system.
2.4.1 Software related security
2.4.1.1 Software development
Implementing sound software engineering practices is critical to ensuring delivered software is fit for
purpose. Practices adopted for eVACS® include:
• Accurate documentation with traceable requirements, which have been elicited and agreed
with Elections ACT
• Repository with version control (GIT)
• A comprehensive (executable) model of the system to capture and verify that requirements
are dealt with appropriately
• Well-documented code (ideally code is auto-generated from the models, but in any case is
closely associated with model elements)
• Reviews and extensive testing of model and code
• Repository of code issues identified and how addressed (Bugzilla), together with change
control management
Threats centre on failure with these practices, either intentionally or unintentionally, such that poor or
malicious code is included in the system.
Mitigation is dependent on:
• each member of the eVACS® team abiding by the practices
• reuse of code that has been shown to do what it is intended to do
• regular review of the model/code, and
• the final audit (see section 2.4.1.2).
In addition, team members have extensive experience either with electronic voting systems or new
elements (e.g. IVR server development and deployment) over many years and are long-time
employees of their respective company. Given the quality of the individual team members and the
engineering practices in place, it is difficult to see any intentional or unintentional injurious code
making it into the final delivered code.
2.4.1.2 Software in operation
A key security feature is that the eVACS® software (with supporting documentation and model) is
independently audited and locked down prior to use in an election, to ensure that the software only
does what it is intended to do, and votes cannot be added, deleted or amended, and no changes can
be made to the system when in operation.
The eVACS® system is a closed system in which the software to set up an election first creates an
Election server which is then used to install software to create voting servers (connected by a LAN to
the Election server) which then have the functionality to install software to create voting clients
(connected via a LAN to the voting server at a polling place). Before use in an election, the eVACS®
setup election software is independently audited, along with the Data Entry Client software which is
the only other component of eVACS® not contained within the setup election software.
Setting up for an election is two-factor authentication access controlled and is undertaken by the
Electoral Commissioner or Deputy Electoral Commissioner who hold security clearances.
When any of the eVACS® software is loaded onto hardware, any software of any nature existing on
that hardware is removed before the relevant eVACS® software is loaded. After loading, the BIOS is
used to set the Boot sequence to ‘Boot from Hardware’ so that any attempt to load other/nefarious
software via USB ports is thwarted. Access to the BIOS is password controlled.
The operating system used is a cut down version of Linux, only containing the functionality necessary
to support eVACS® operations. Providing limited functionality mitigates against attempts to modify the
software whilst in operation.
Decommissioning unused ports via the operating system further mitigates attempts to interfere with
the operation of the system. Also, all hardware has its boot sequence set to boot only from hard
disk so that an external source will be ignored even if access via a port were achieved.
The voting client and data entry client are both basically dumb terminals, only requiring sufficient
software to enable communication with the relevant server, and do not contain any specific election
information, and importantly no vote data.
Once the election information for a particular election is available and input to the Election Server, the
Voting Server application together with its operating system can be installed on hardware connected
via an isolated LAN to the Election Server.
Similarly, once the Voting Server is located at a polling place, the Voting Server is able to install the
voting client application and operating system on hardware connected to the Voting Server via an
isolated LAN.
This closed-system approach addresses potential risks of incorrect, interfered with or substituted
software being loaded onto voting server and voting client hardware, by personnel other than the
approved Elections ACT officers (EC or DEC) that are provided with access for the purpose of
establishing the election event via the Election Server set-up procedures.
2.4.2 Vote protection
Electronic votes have similar safeguards to those in place for paper ballots as well as additional
safeguards as follows:
i) votes are encrypted and stored in a physically secure ballot box (a database on the polling
place server on two separate disks)
ii) votes cannot be counted until after polling closes (system is configured to prohibit access
to election results until the ‘polls close’ date and time have passed, the option is not made
available as a menu item beforehand and access once available is password controlled)
iii) the results of a first preference count, for each electorate, are printed at the polling place,
minimising the potential for transposition of results.
iv) the number of e-voting cards (see section 2.4.5 on authorisation) issued are compared
with the number of votes in the first preference count and a printed report is available to
identify the number of times an e-voting card was scanned to commence a voting session
but was not scanned a second time to conclude the voting session
v) at the end of each polling day (pre-poll and election day) votes are exported to media
(clean USB-FD). To ensure data is not tampered with during transfer a SHA2 hash code
is generated, printed as a QR code and transported, with appropriate security measures,
to the security controlled central scrutiny location, with the two copies of vote data.
vi) the hash codes provided at v) are scanned at the Election Server and compared with a
hash code calculated by the server for the data received before votes are able to be
uploaded.
Information transmitted between the voting server and voting clients uses HTTPS (TLS1.2). Further,
the vote preferences held on the server are compared with the touchscreen presses or key strokes
that generated those preferences to ensure the voter’s actual preferences are what are stored in the
database as the elector’s vote.
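The export-time hash and the upload-time check described at v) and vi) above, written out as an added illustration. This is not code from the report or from the eVACS® software: the export format, the file labels and the choice of SHA-256 as the SHA2 variant are assumptions made here, and the sample export is constructed.

```python
import hashlib
import hmac

# Constructed sample standing in for the vote data exported from a polling
# place server at the end of a polling day (not real eVACS output).
SAMPLE_EXPORT = b"\n".join([
    b"electorate=Constructed-Electorate",
    b"vote_id=000001;prefs=3,1,2",
    b"vote_id=000002;prefs=1,2",
    b"vote_id=000003;prefs=2,3,1,4",
]) + b"\n"


def export_digest(vote_data: bytes) -> str:
    """Hash computed at the polling place when the votes are exported.

    SHA-256 is assumed as the SHA2 variant. The hex digest is the value that
    would be printed as a QR code and transported separately from the media.
    """
    return hashlib.sha256(vote_data).hexdigest()


def verify_copy(received: bytes, scanned_digest: str) -> bool:
    """Recompute the hash over a received copy and compare it with the value
    scanned from the QR code. compare_digest keeps the comparison
    constant-time; the scanned value is normalised to lower-case hex."""
    actual = export_digest(received)
    return hmac.compare_digest(actual, scanned_digest.strip().lower())


def check_before_upload(copies: dict, scanned_digest: str) -> dict:
    """Verify every received copy (the report mentions two copies of the vote
    data) against the one scanned hash. Returns {label: matched}."""
    return {label: verify_copy(data, scanned_digest) for label, data in copies.items()}


def upload_allowed(copies: dict, scanned_digest: str) -> bool:
    """Votes may only be uploaded when every copy matches the scanned hash."""
    return all(check_before_upload(copies, scanned_digest).values())


if __name__ == "__main__":
    qr_payload = export_digest(SAMPLE_EXPORT)  # generated at the polling place
    intact = {"usb_copy_1": SAMPLE_EXPORT, "usb_copy_2": SAMPLE_EXPORT}
    print("intact copies:", check_before_upload(intact, qr_payload))

    # One altered byte in one copy (constructed tampering) blocks the upload.
    altered = SAMPLE_EXPORT.replace(b"prefs=1,2\n", b"prefs=2,1\n")
    mixed = {"usb_copy_1": SAMPLE_EXPORT, "usb_copy_2": altered}
    print("upload allowed with an altered copy:", upload_allowed(mixed, qr_payload))
```

The point of carrying the hash on a separate channel (the printed QR code) is that an alteration of the media in transit cannot also alter the reference value; the check at the Election Server therefore only proves anything if the QR code travels under its own security measures, as the report requires.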
2.4.3 Hardware protection
The following hardware is expected to be used with eVACS® in 2020:
Election Server - is located in multiaccess-controlled premises, and has two-factor access available
only to the Electoral Commissioner or Deputy Electoral Commissioner.
Polling Place Server – one at each polling place where electronic voting is available. The Polling Place
Server is located out of sight of electors, placed within a locked server cabinet, in locations with limited
access after-hours. Access to vote data is date/time and password-controlled. Unused ports are
decommissioned both through software and physically. The server is also connected to a UPS.
Voting Clients – are connected via a LAN to the Polling Place server and are placed in separate voting
booths. Ethernet and power supply cables are located behind the voting booths out of sight of the
public. The use of All-In-One touch screen computers in eVACS® allows for the computer back to be
hidden with the screen placed face-up on the voting booth shelf. A fixed barcode scanner is provided
for the voter to scan their e-voting card. No vote information is stored on the voting client so that no
additional physical protection is provided; however, unused ports are decommissioned both via the
operating system and physically.
A separate voting client to support B&VI voters is available, with the addition of a keypad for voting.
Telephone voting server and IVR server – are located in a Security Operations Centre of a
Government Community Infrastructure providing secure cloud services. Access to the Centre is
controlled and logged. Telephone voting server is also password and Master Admin QR code
controlled.
Data Entry Clients – are connected via a LAN to the Election Server and are therefore located in
secure Elections ACT controlled premises. Access is password-controlled.
Data Entry Server – is an application on the Election Server and does not have separate hardware.
Activation is password-controlled via a Data Entry Client.
Threats to eVACS® operations via the hardware arise from:
• Hardware failure, such as failure of scanner, keyboard/keypad, hard disk and touch screen.
• Power supply interrupted, either because power cable is disconnected or from electricity
supply interruption from an external cause.
Apart from a disk failure, none of these hardware related threats impact on the election’s integrity and
will therefore not be considered further, noting that Elections ACT already has in place processes to
deal with such threats e.g. polling place servers are maintained on a UPS.
Disk failure has the potential to lose votes but this threat is mitigated by the inclusion of two hard disks
in the voting servers. However, replacement of a failed disk and/or attempting to read votes off a
failed hard disk may be perceived as an opportunity to tamper with votes unless handled
transparently.
2.4.4 Environment controls
As indicated in section 2.2 the Election Server and Telephone Voting Server are set up in access-
controlled environments and are thereby physically protected.
At polling places, there are legislative controls that govern what can and cannot happen at the polling
place when voting is occurring. However, there is still the potential for an individual to be
unreasonable in their behaviour either during voting or when the polling centre is closed. Mitigation
measures implemented include:
• having the polling place server hidden from public view and physically secure.
• having the voting clients positioned in the voting booths so that only the screen and scanner,
and keypad if connected, are visible to the public
• not having any important information on the voting clients, so that if one is damaged in any
way no information can be lost
• securing unused barcodes in a similar manner to unused ballot papers
• restrictions on what electors and others can do in a polling place, e.g. photography is not
permitted without authorisation
• polling place out-of-hours protections
To mitigate against a natural disaster or failed out-of-hours protection, on a daily basis after polling
closes cumulative votes are exported at each electronic polling place and transported to central
scrutiny, as per 2.4.2 (v).
2.4.5 Access controls
Access controls are not the same across all eVACS® modules:
• For the Election server two factor access authentication is provided, where both a password
and scanning of a Master Admin QR code are required.
• The Polling Place server menu is very limited and hence not password controlled, except for
accessing first preference counts which are password accessible and only after polling closes
on election day. Voting operations are barcode controlled.
• Voting clients are only accessible with an authorised barcode.
• Telephone voting is only accessible via a PIN and Voting Token. The Telephone Voting
server menu is very limited and requires authorised barcode and/or password to upload
PIN/Voting Token pairs and access first preference counts.
• Data Entry is only accessible via individual-assigned passwords
Where access is provided, the only possible actions are those available from the menu displayed. In
addition, certain menu items are not available until after polling closes. Further, all passwords must
meet ACT Government and ASD password security requirements, meaning that no password will be
accepted by eVACS® unless it complies with these standards.
After selecting a preferred language, for an elector using a barcode to access the voting client, the
only actions possible are to select candidates in order of preference, modify selections, and confirm
preferences.
In the case of telephone voting, access to voting is dependent on a voter registering to vote by
telephone, providing a PIN of their choosing, receiving a Voting Token for the electorate in which they
are enrolled to vote, and then entering their PIN and Voting Token. Following access, the voter can
only select candidates in order of preference, modify selections, choose to listen to what each key
does and confirm preferences, as is the case with voting electronically at a polling place.
3. Acceptability and Tolerability of Hazards
How well the ACT public is likely to accept or tolerate risks associated with electronic voting as offered
via eVACS® is difficult to estimate, as there have been few instances of reported concerns from ACT
electors. Those concerns that have been raised have, in the main, arisen from researchers and the
issues raised have had no real impact on the outcome of elections.
At one extreme, an Australian electoral population would almost certainly not tolerate a gross election
failure where it is known that votes have been corrupted in some way.
At the other extreme, in the ACT there has been no public protestation against the use of electronic
voting, suggesting that the ACT community assumes a low probability of their vote being exposed or
corrupted, especially as eVACS® has removed the human element in handling and counting votes via
the Hare Clark system, and consequently improved the accuracy of the count. Incidents have
occurred surrounding polling place server disk failures, but the RAID configuration (with dual disks)
has enabled complete recovery of votes stored on those servers.
In other arenas risks from hazards are measured in terms of the probability of death, but this doesn’t
apply within the elections context. Nevertheless, the community is not likely to tolerate their votes
being exposed/corrupted to any less degree than (say) losing their lives on the road or perhaps in an
aircraft accident. Studies in other domains (such as medicine) have revealed similar levels of
tolerance to death in regard to surviving surgery or taking prescribed medicinal drugs.
Frequency is only one element of acceptance/tolerance. Any one incident where there are multiple
deaths leads to significantly greater community concern than several independent incidents where one
person dies.
Relating acceptability/tolerance in terms of frequency and/or multiplicity of some drastic outcome
enables the establishment of protective barriers in order to ensure that otherwise
hazardous/dangerous systems are adequately safe. The same mentality, of reducing (at least) known
hazards to acceptable levels, applies to election systems as it does to transport and medical systems.
Identifying and reducing known hazards to acceptable levels, that would otherwise lead to easily
corruptible and untrusted electoral systems, is an essential starting point to obtaining elector
confidence and trust in the system.
It is very important to Elections ACT that the community be able to trust the election system that is
used to help determine who governs. Nonetheless, Elections ACT officials know only too well that any
election system has its hazards, and ensuring those hazards are reduced to acceptable levels of
occurrence is important - especially when they also know that no system is going to be absolutely risk
free.
Based on the quoted levels of tolerance (in terms of fatalities) within different transport and medical
arenas, it is possible that the ACT community would tolerate, for example, 1 elector in 100,000 having
their vote made public - but only if the cause for the exposure is adequately explained and not likely to
have applied to electors more generally. However, it is doubtful that the community would tolerate,
for example, 10 such incidents in the same election. Obviously, Elections ACT and the vendors of its
election system aim for zero incidents of exposure, as well as zero incidents of vote corruption and
counting errors.
IEC 61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
Systems provides a generic description of hazards and risks in the electronic safety domain [8].
These descriptions (Appendix 2) have been modified for the elections domain (Table 2 and section
A.2.2) and are referred to in the HAZOPS descriptions in Appendix 3.
The category definitions developed for the elections domain (Table 2 and section A.2.2) are based on
‘Votes corrupted, lost or publicly identified’ (as opposed to deaths and injuries). Reputational damage
in the category definitions refers to Elections ACT experiencing any of negative publicity, public
perception or uncontrollable events that affects the ability of the Commission to fulfil its charter.
Table 2 – Consequence categories for the Elections Domain

Category – Definition (Elections Domain)
Catastrophic – Election results so impacted that the Court of Disputed Elections requires the election
to be re-held and/or irreparable reputational damage.
Critical – Significant election concerns however the Court of Disputed Elections does not rule for an
election re-run and/or major reputational damage.
Moderate – Vote preferences of a small number of people are impacted. Moderate reputational
damage. Election result not contested in the courts.
Minor – Issues with votes of one or a few people are raised but they have no possible impact on
election results. Minor to no reputational damage.
4. eVACS® – possible deviations
As identified in section 1.2 the purpose of the HAZOP study is to identify a deviation from what might
be assumed or expected, and/or design intent. Based on the descriptions in sections 2 and 3,
deviations expressed in terms of guidewords and attributes have been identified and are listed in
Table 3. These deviations are the numbered items that form the basis of the HAZOPS report provided
as Appendix 3.
Table 3 – Guidelines and their application to eVACS® attributes

Guideword            Attribute                              Item # in Appendix 3
Accessible           Password                               30
Extra/unintentional  Relationship                           1, 2 and 3
Inaccessible         Password                               14
Inaccurate           Counting                               4
Incorrect            Electorate - e-voting card             5
Incorrect            Electorate - Voting Token              7
Incorrect            Password                               13
Incorrect            Information                            15
Incorrect            Location – Master Admin QR code        16
Incorrect            PIN/Voting Token link                  8
Insecure             Hardware                               17
Insecure             Network communication                  19
Insecure             Vote transportation                    27
Invalid              e-voting card                          6
Invalid              Voting Token/Pair                      9
Invalid              PIN                                    12
Less                 Votes – electronic at polling place    20
Less                 Votes - telephone                      23
Modified             Votes – electronic at polling place    22
Modified             Votes - telephone                      25
More                 Votes – electronic at polling place    21
More                 Votes - telephone                      24
Nonanonymous         Vote                                   26
Untimely             Upload - PIN/Voting Token pairs        10
Untimely             Recovery - after failed hardware       18
Substitution         Software                               29
Unsafe               Transportation                         28
Unsuccessful         Upload - PIN/Voting Token pairs        11
5. Summary and Conclusions
The 30 hazard items identified are categorised in terms of consequences (defined in Table 2), and
listed in Appendix 3. For 18 of the 30 hazards multiple consequence categories are assigned,
reflecting the variability in the extent of the incident that could occur. To ensure consideration of worst
case safeguards, each of these hazards has been assigned to the severest consequence category
identified for the hazard, as follows:
Category        Number of Items
Catastrophic    12
Critical        1
Moderate        6
Minor           11
The twelve items that could result in catastrophic outcomes if they occurred reflect the importance of:
• the appropriateness and security of passwords (Items 13 and 30),
• ensuring votes and their preferences are always secure (Items 21 to 25),
• ensuring the accuracy of the election information input to eVACS® (Item 15)
• demonstrating and ensuring the reliability and accuracy of the new counting program (Item 4)
• the security of the voting system (hardware and network) at polling places (Items 17 and 19),
and
• the security of the eVACS® audited software, to ensure substitution is not possible (Item 29).
Item 15 is the deviation described by the guideword ‘incorrect’ and the attribute ‘information’, where
information refers to all the data uploaded to eVACS® in either Phase 1 or Phase 2. In this case the
consequences have been categorised across the full range from Minor to Catastrophic, where Minor
applies to the situation where an error in the information is detected before voting commences and
can be corrected, although there could be a delay to the start of electronic voting depending on the
extent of the error(s). If the error is in ballot information used by electronic voting and paper ballots,
recovery is more complicated, but if none or only a few votes are impacted the categorisation could
still be Minor or more likely Moderate. However, depending on the extent of the error(s), and when
they are discovered, the election results could be brought into question and a re-run of the election
ordered (Catastrophic).
Items 17 and 19 are deviations described by the guideword ‘insecure’ and the attributes ‘hardware’
(Item 17) and ‘network communication’ (Item 19). Security of the voting server and the network at
polling places is critical to ensuring that electronic voting at polling places can be relied upon to record
accurately all, and only all, the votes of voters who are issued with and use an e-voting card to vote.
Apart from Item 15 (information accuracy) and Item 4 (reliable counting program) the catastrophic
items all depend on security-related safeguards failing to prevent the hazard from becoming an
incident.
The one deviation assigned to Critical refers to voting with an invalid PIN/Voting Token pair (Item 9).
To avoid such an outcome, the processes for uploading PIN/Voting Token pairs to the telephone
voting server must be secure at all times, and the management of Voting Tokens within the EMS must
also be secure at all times.
The 17 Items given as Minor or Moderate are categorised Minor (11 of the 17) if only one or very few
votes are impacted.
The six deviations categorised as Moderate are far less uniform:
• two relate to privacy (1 and 26),
• one relates to software failure (6),
• one could either be software failure or voter intent (20), and
• two relate to security of votes and safety of the carrier when votes are being transported from
polling places to central scrutiny (27 and 28).
Of the potential hazards surrounding privacy (Items 1 to 3 previously identified in [6] and Item 26), the
hazards identified in Items 2 and 3 are adequately mitigated by ensuring that no timestamp data is
related to the vote. Item 1 refers to the casting of a vote with an identifiable set of unique preferences.
No safeguards can be put in place to avoid this deviation; however, the difficulty inherent in trying to
identify a unique set of preferences is illustrated by the fact that eight per cent of all voters submit a
vote with a preference for all candidates on the ballot. Item 26 is dependent on a link being
established between a voter and their vote external to eVACS®. For example, the issuing officer at a
polling place knows the voter’s name and has the opportunity to learn the details printed on the
e-voting card issued to the voter (although accurately noting them would not be a simple task). Only
while the voter is voting is the e-voting card linked in any way to the voter’s intentions. The issuing
officer, or a colleague working with them, would have to gain access to not just the voting server but to
the temporary stores (for key presses/keystrokes and preferences) that are linked to the barcode only
while voting is in progress. Should this ever be feasible, the frequency of being able to connect voter
name with barcode and then access the server without detection is such that the voters likely to be
impacted is at most a few.
With the exception of Item 1, all deviations have existing safeguards identified, or in the case of new
functionality, such as telephone voting, safeguards are proposed that reflect or extend existing
safeguards for similar deviations.
The importance of having code reviews, thorough testing and auditing, and having checking
processes in place is reinforced by the HAZOPS report.
Appendix 1 – Application within eVACS® of the six election principles
Principle: Doorkeeper Master
How principle is met: Electors are checked against the electoral roll by officials and either:
• Issued with an e-voting card for the electorate in which they are enrolled, or
• Issued with a voting token for the electorate in which they are enrolled
The e-voting card or voting token provided contains the electorate identifier to ensure only the
required ballot is issued.

Principle: Secrecy
How principle is met: At polling places voting occurs in separate voting booths where the voting screen
is placed face-up on the shelf in the voting booth so that only the voter can see the screen.
For blind or vision impaired (BVI) voters, where the voting screen is orientated in an upright position,
the voting booth is orientated in a manner to ensure that traffic cannot walk directly behind an elector
casting their vote. Representatives of the BVI community are invited to review the placement of these
booths to ensure continued secrecy.
For telephone voting, secrecy is maintained by the voter only using key presses to record their vote
details. There is no voice communication required in response to the audio
instructions/announcements.
E-voting cards and voting tokens are randomly assigned to voters so that there is no link to voter
identification.

Principle: Verification, tally and audit
How principle is met: For electronic votes (telephone or at polling places) access is controlled via
authentication of an e-voting card or voting token (the latter used with a PIN) and once a vote is
committed the card or token cannot be authorised for use again.
The authentication of scanned paper ballots is managed external to eVACS®.
Tallying votes within eVACS® involves no manual intervention and is based on software procedures
independently audited to show that the counting process does not add, delete or amend votes.
A new report records all vote preferences through the count so that any individual vote can be tracked
through the count process.

Principle: Equality
How principle is met:
i) All electors in a particular electorate receive the same ballot paper contents, albeit the candidates
within parties are rotated according to Robson Rotation
ii) Multi-lingual access is provided via text for those voting electronically at polling places
iii) Disability access to eVACS® is provided by a separate booth suitable for wheelchair access, and
voting instructions in English are provided via audio at i) polling places and ii) via telephone voting
iv) In the ACT an elector can vote from any polling place

Principle: Security
How principle is met: Multi-level security is in place addressing:
1) Software security
2) Vote protection
3) Hardware protection
4) Environment controls, and
5) Access controls

Principle: Transparency
How principle is met: Provided via:
i) Independent audit of both software and documentation describing the system
ii) Publication of source code
iii) Scrutiny of scanning of ballot papers (or data entry if used)
Appendix 2 – Extract from IEC 61508³
A.2.1 Categories of likelihood of occurrence

Category      Definition                           Range (failures per year)
Frequent      Many times in system lifetime        > 10⁻³
Probable      Several times in system lifetime     10⁻³ to 10⁻⁴
Occasional    Once in system lifetime              10⁻⁴ to 10⁻⁵
Remote        Unlikely in system lifetime          10⁻⁵ to 10⁻⁶
Improbable    Very unlikely to occur               10⁻⁶ to 10⁻⁷
Incredible    Cannot believe that it could occur   < 10⁻⁷
A.2.2 Consequence categories
In the Elections Domain, the consequence category definitions are based on ‘Votes corrupted, lost or
publicly identified’. Each row below pairs an Electronic Safety Domain category with its Elections
Domain equivalent.

Electronic Safety Domain: Catastrophic – Multiple loss of life
Elections Domain: Catastrophic – Election results so impacted that the Court of Disputed Elections
requires the election to be re-held and/or irreparable reputational damage.

Electronic Safety Domain: Critical – Loss of a single life
Elections Domain: Critical – Significant election concerns however the Court of Disputed Elections
does not rule for an election re-run and/or major reputational damage.

Electronic Safety Domain: Marginal – Major injuries to one or more persons
Elections Domain: Moderate – Vote preferences of a small number of people are impacted. Moderate
reputational damage. Election result not contested in the courts.

Electronic Safety Domain: Negligible – Minor injuries at worst
Elections Domain: Minor – Issues with votes of one or a few people are raised but they have no
possible impact on election results. Minor to no reputational damage.
³ Source: https://en.wikipedia.org/wiki/IEC_61508
A.2.3 Risk matrix
The likelihood and consequence categories are typically combined into a risk class matrix.

                        Consequence
Likelihood     Catastrophic   Critical   Marginal   Negligible
Frequent       I              I          I          II
Probable       I              I          II         III
Occasional     I              II         III        III
Remote         II             III        III        IV
Improbable     III            III        IV         IV
Incredible     IV             IV         IV         IV

Where:
Class I – Unacceptable in any circumstance
Class II – Undesirable: tolerable only if risk reduction is impracticable or if the costs are grossly
disproportionate to the improvement gained
Class III – Tolerable if the cost of risk reduction would exceed the improvement
Class IV – Acceptable as it stands, though it may need to be monitored
Appendix 3 – HAZOPS
The following table is the report of HAZOPS into the eVACS® election system. Each of the listed
Items reflects a deviation identified in terms of a guideword and attribute.
There are two deviations which have multiple listings: Less/Votes, More/Votes and Modified/Votes, for
each of electronic votes at polling places and telephone votes. The explanation provided under
meaning for each Item indicates which type of vote is being addressed at the particular Item. Although
scanned votes are uploaded to eVACS® for counting, hazards associated with the scanning process
are considered to be outside the purview of this report.
Items 1 to 3, identified in the earlier HazOP Study [6], have been reviewed and additional information
included. These three items relate to specific ways in which the anonymity of a voter’s vote could be
broken. A more generic view of the possibility of a vote no longer being anonymous is provided at
Item 27.
The key people who undertook the HAZOPS are: Dr Clive Boughton, Dr Carol Boughton and Rohan
Spence.
HAZARD/THREAT (DEVIATION)
CAUSE
CONSEQUENCE
EXISTING SAFEGUARDS
RECOMMENDATIONS
ITEM #
OF HAZARD/THREAT
IF HAZARD/THREAT CAUSES HARM
AGAINST HAZARD/THREAT CAUSING HARM
TO INCREASE SAFEGUARDS
GUIDE WORD
ATTRIBUTE
ITEM 1
GUIDE WORD: Extra/Unnecessary; ATTRIBUTE: Relationship
MEANING: Relationship (R2) (see diagram Figure 3) may exist between an elector and a vote when an elector creates a unique Preference_List.
CAUSE: An elector may, of his/her own volition or by coercion, enter a vote that possesses a unique combination of preferences able to be identified when examining the published data.
CONSEQUENCE:
1. An elector and his/her vote may no longer be secret/private. If done for self-reasons, there is no damaging consequence.
2. An elector may be at risk of coercion. If coerced, then the consequences may be damaging for the individual.
3. The security of the election system may be of concern to some voters if a belief develops that individuals' votes can be identified.
[Such consequences are classified as MINOR or MODERATE because if they were to occur they would likely affect a single or a very limited number of electors.]
EXISTING SAFEGUARDS: There are no appropriate means to prevent an elector from entering potentially unique combinations of preferences. Within the Polling Place Server, votes are assigned a random number, and votes are then stored in order of the random numbers. As votes are added to the database the order of storing bears no relationship to the order in which votes were committed. It is therefore not possible for a uniquely preferenced vote to be used to triangulate with another vote in order to find out how a specific elector voted.
COMMENT: To ensure uniqueness the voter must attempt to identify a sequence of preferences that no other voter is likely to use. Identifying candidates who are likely to receive a very small number of preferences will increase the probability of creating a unique preference list. Selecting for the first preference a candidate who is likely to receive hundreds or thousands of first preference votes reduces the probability that the vote will be unique.
The question then arises why a candidate, a candidate's agent or someone with a vested interest in a candidate who is unlikely to receive a high number of votes would coerce an elector into voting a certain way and require proof through a unique set of preferences. In small numbers this is unlikely to have an effect on the end result, and in large numbers it becomes increasingly difficult to ensure a unique set of preferences each time. By producing a unique set of preferences the voter casting that vote is highly likely to be 'burning' their own vote for the sake of attempting to identify someone else's.
ADDITIONAL SAFEGUARDS: No additional safeguards required.
ITEM 2
GUIDE WORD: Extra/Unnecessary; ATTRIBUTE: Relationship
MEANING: Relationship (R3) (see diagram Figure 3) should never exist between an elector and a vote, but linking an elector to their vote may be possible.
CAUSE: When only a small number of electors are in a polling place at the same time (generally this would have to be at the very start or very end of voting in order to provide an accurate Batch_ID + PIndex marker), the order in which those electors vote may (through observation) be able to be aligned with the order in which their votes are saved and published, thereby linking an elector to their vote.
CONSEQUENCE:
1. An elector and his/her vote may no longer be secret/private.
2. An elector may be at risk of coercion. If coerced, then the consequences may be damaging for the individual.
3. The security of the election system may be of concern to some voters if a belief develops that individuals' votes can be identified.
4. The reputation of the EACT and relevant suppliers of electronic voting solutions will be at stake.
[Such consequences are classified as MINOR because if they were to occur they would likely affect a single or a very limited number of electors.]
EXISTING SAFEGUARDS:
1. By law, no surveillance equipment is permitted within a polling place during an ACT Legislative Assembly Election.
2. No cameras (of any kind) are allowed to be used within a polling place, unless approved by the Electoral Commissioner, and then with strict requirements not to photograph/film voting screens while voting is in progress.
3. Voters are directed to polling place exits if they are observed to be loitering.
4. No information concerning timing is recorded with a vote, and votes are randomly ordered.
COMMENT: This hazard is considered as adequately mitigated, as PIndex numbers are not assigned in sequence order of votes committed.
ADDITIONAL SAFEGUARDS: No additional safeguards required.
ITEM 3
GUIDE WORD: Extra/Unnecessary; ATTRIBUTE: Relationship
MEANING: Relationship (R4) (see diagram Figure 3) should never exist between an elector and a vote, but linking an elector to their vote may be possible.
CAUSE: When only a small number of electors (in total) vote at a polling place, the order in which those electors vote may (through observation) be able to be aligned with the order in which their votes are saved and published, thereby linking an elector to their vote.
CONSEQUENCE:
1. An elector and his/her vote may no longer be secret/private.
2. An elector may be at risk of coercion. If coerced, then the consequences may be damaging for the individual.
3. The security of the election system may be of concern to some voters if a belief develops that individuals' votes can be identified.
4. The reputation of EACT and relevant suppliers of electronic voting solutions will be at stake.
[Such consequences are classified as MINOR because if they were to occur they would likely affect a single or a very limited number of electors.]
EXISTING SAFEGUARDS:
1. By law, no surveillance equipment is permitted within a polling place during an ACT Legislative Assembly Election.
2. No cameras (of any kind) are allowed to be used within a polling place, unless approved by the Electoral Commissioner, and then with strict requirements not to photograph/film voting screens while voting is in progress.
3. Voters are directed to polling place exits if they are observed to be loitering.
4. No information concerning timing is recorded with a vote, and votes are randomly ordered.
5. When there are small numbers of votes (less than 20) collected for a particular electorate and polling place, these votes are amalgamated with other votes from similar scenarios and counted and published so as to remove the risk of an elector's vote being revealed.
6. Roll mark-off timestamp data is not made public.
COMMENT: This hazard is considered as adequately mitigated, as PIndex numbers are not assigned in sequence order of votes committed and preference data is published in no logical order.
ADDITIONAL SAFEGUARDS: No additional safeguards required.
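The random-ordering safeguard of Items 1 to 3, the small-batch amalgamation of Item 3 (safeguard 5) and a uniqueness check for the Item 1 hazard, as an added illustrative example. This is not eVACS code: the record fields (cast_seq, prefs), the "POOLED" batch label and the use of a 64-bit random sort key are assumptions; the threshold of 20 is taken from the text.

```python
"""Added example, not eVACS code: random storage order (PIndex carries no
information about cast order), amalgamation of polling-place batches of
fewer than 20 votes, and a uniqueness check over published preference
lists.  Field names and the pooled-batch label are assumptions."""
import secrets
from collections import Counter, defaultdict

SMALL_BATCH_THRESHOLD = 20  # Item 3, safeguard 5: fewer than 20 votes are amalgamated


def store_votes(votes_in_cast_order):
    """Return the votes as they would be stored/published: each vote is given
    a random sort key from a CSPRNG and the batch is ordered by that key, so
    the stored position (pindex) bears no relationship to the order in which
    votes were committed.  The cast sequence is never persisted."""
    keyed = [(secrets.randbits(64), dict(v)) for v in votes_in_cast_order]
    keyed.sort(key=lambda kv: kv[0])          # sort on the random key only
    stored = []
    for pindex, (_, vote) in enumerate(keyed, start=1):
        vote.pop("cast_seq", None)            # drop any trace of cast order
        stored.append({"pindex": pindex, **vote})
    return stored


def amalgamate_small_batches(stored_by_place):
    """stored_by_place: {(electorate, polling_place): [stored votes]}.
    Batches with fewer than SMALL_BATCH_THRESHOLD votes for an electorate are
    merged into one pooled batch for that electorate and re-randomised, so no
    small polling place is published on its own."""
    published = {}
    pooled = defaultdict(list)
    for (electorate, place), votes in stored_by_place.items():
        if len(votes) < SMALL_BATCH_THRESHOLD:
            pooled[electorate].extend(votes)
        else:
            published[(electorate, place)] = votes
    for electorate, votes in pooled.items():
        stripped = [{k: v for k, v in vote.items() if k != "pindex"} for vote in votes]
        published[(electorate, "POOLED")] = store_votes(stripped)
    return published


def unique_preference_lists(votes):
    """Item 1: a preference list that appears exactly once in the published
    data is one a coerced elector could be told to cast as a receipt.  Returns
    those lists so the publisher can gauge the exposure."""
    counts = Counter(tuple(v["prefs"]) for v in votes)
    return [prefs for prefs, n in counts.items() if n == 1]


def demo():
    """Constructed sample data (not real election data): one polling place
    with 25 votes and two with 5 and 3 votes in the same electorate."""
    big = [{"cast_seq": i, "prefs": ["A", "B"] if i % 2 else ["B", "A"]} for i in range(25)]
    small1 = [{"cast_seq": i, "prefs": ["A", "C"]} for i in range(5)]
    small2 = [{"cast_seq": i, "prefs": ["C", "A", "B"]} for i in range(3)]
    stored = {
        ("Kurrajong", "PP1"): store_votes(big),
        ("Kurrajong", "PP2"): store_votes(small1),
        ("Kurrajong", "PP3"): store_votes(small2),
    }
    published = amalgamate_small_batches(stored)
    return {
        "keys": sorted(published),
        "pooled_size": len(published[("Kurrajong", "POOLED")]),
        "cast_seq_leaked": any("cast_seq" in v for vs in published.values() for v in vs),
        "unique": unique_preference_lists(published[("Kurrajong", "PP1")] + [{"prefs": ["Z"]}]),
    }
```

Running `demo()` shows the two small batches merged into one pooled batch of 8, no cast sequence surviving into the published records, and the single odd preference list flagged as unique.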
ITEM 4
GUIDE WORD: Inaccurate; ATTRIBUTE: Counting
MEANING: The stored procedures reflecting the Hare-Clark counting requirements as implemented are found to have an error when used in an election.
CAUSE: The Hare-Clark counting algorithm previously used in eVACS® is replaced with a counting method based on stored procedures (held within the votes database) that were developed for use in Hare-Clark elections undertaken via netVote plus. The stored procedures are yet to be used in a large-scale election.
CONSEQUENCE:
1. An incorrect election outcome could result, with the wrong candidates being elected.
2. The ACT Government might be able to be sued.
3. The election result may be disputed in the Court of Disputed Elections.
4. The reputation of EACT and relevant suppliers of electronic voting solutions will be at stake.
[Such consequences are classified as CRITICAL to CATASTROPHIC depending on the outcome of Court deliberations.]
EXISTING SAFEGUARDS: Extensive testing is undertaken of the eVACS system before use in any election, comparing the results of known counts with the same data counted in eVACS. Counting is undertaken independently by both the vendor and EACT using test samples of votes reflecting normal and unusual collections of vote preferences. Stored procedures are wrapped in SPARK Ada code to maximise integrity.
COMMENT: Full scale tests using all votes from previous elections should be undertaken. Such testing needs to be undertaken well in advance of when the system is to be audited for use in the 2020 election.
ADDITIONAL SAFEGUARDS:
1. Have the existing Hare-Clark algorithm written in C as a backup.
2. Have the Hare-Clark algorithm written in Ada, since it would not suffer from the same memory management issues as C and enables more reliable programming constructs for checking correctness, unlike C or the stored procedures.
3. All tests to be run with both versions (C and stored procedures) of the counting program.
ITEM 5
GUIDE WORD: Incorrect; ATTRIBUTE: e-voting card
MEANING: An elector votes in an electorate that is not the electorate in which they are enrolled.
CAUSE: The e-voting card issued to the voter contains information to determine which ballot is to be displayed to the voter. If an e-voting card is issued for the wrong electorate, and the voter is unaware of their correct electorate and its candidates, then the voter could vote with the wrong ballot.
CONSEQUENCE:
1. A vote is recorded for a different electorate.
2. The number of people marked as voted will differ from the number of votes recorded for the enrolled electorate as well as the electorate for which the vote is recorded.
[Such consequences are classified as MINOR.]
EXISTING SAFEGUARDS: Electorate based materials have the electorate name printed on them and are all colour coded to mitigate the risk of an incorrect ballot paper or barcode being issued to an elector. LAPPERDS screens are also colour coded, and LAPPERDS alerts the issuing officer when an elector is voting from outside of their 'home' electorate. Issuing officers are instructed to say "Here is your [electorate name] ballot paper/barcode" when handing it to the elector.
COMMENT: This hazard is considered as adequately mitigated.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 6
GUIDE WORD: Invalid; ATTRIBUTE: e-voting card
MEANING: A voter is able to vote with an e-voting card that is one of:
• not from the polling place where voting
• for a different election
• not in the appropriate format
CAUSE: An unauthorised e-voting card is produced that eVACS cannot detect as invalid.
CONSEQUENCE:
1. If accepted by the system an extra or fraudulent vote would be recorded.
[Such consequences are classified as MINOR or MODERATE depending on the number of additional votes recorded.]
EXISTING SAFEGUARDS: The e-voting card has a barcode with a checksum, which contains information on the date and name of the election for which it is valid, together with the electorate and polling place identifiers. The validity of the checksum is determined first, to establish whether the e-voting card is from the polling place where it is being checked and for the current election. The introduction of QR codes reduces the possibility of unauthorised cards being produced.
COMMENT: Whether or not a barcode has been used is separate from whether it is valid or invalid. This hazard is considered as adequately mitigated.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
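The card check described at Item 6, as an added example that is not eVACS code. The text says only that the barcode carries a checksum over the election name and date, the electorate and the polling place identifiers; the field layout, the per-card serial and the use of a secret-keyed HMAC (truncated to 16 hex characters) in place of a plain checksum are assumptions made here, because a check value that anyone can recompute from the layout would not stop an unauthorised card from being produced. The check value is verified first, then the election and polling place, and "used" is tracked separately from "valid", as the comment notes.

```python
"""Added example, not eVACS code: e-voting card encoding and validation.
Layout  election|date|electorate|polling_place|serial|check  and the keyed
HMAC check value are assumptions; the text only specifies a checksum over
the election, electorate and polling place fields."""
import hmac
import hashlib

FIELD_SEP = "|"
CHECK_LEN = 16  # hex characters of the truncated HMAC kept on the card (assumption)


def _check_value(key, body):
    """Keyed check value over the card body; only the issuer holds the key."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:CHECK_LEN]


def make_card(key, election, date, electorate, polling_place, serial):
    """Produce the barcode/QR payload for one e-voting card."""
    body = FIELD_SEP.join([election, date, electorate, polling_place, str(serial)])
    return body + FIELD_SEP + _check_value(key, body)


def validate_card(key, card, this_election, this_date, this_polling_place, used_serials):
    """Return (ok, reason_or_electorate).  Order of checks follows Item 6:
    format, then the check value, then election and polling place.  Whether
    the card has already been used is a separate question from validity and
    is answered last."""
    parts = card.split(FIELD_SEP)
    if len(parts) != 6:
        return False, "bad format"
    election, date, electorate, polling_place, serial, check = parts
    body = FIELD_SEP.join(parts[:5])
    # constant-time comparison so a forger learns nothing from timing
    if not hmac.compare_digest(check, _check_value(key, body)):
        return False, "bad check value"
    if (election, date) != (this_election, this_date):
        return False, "wrong election"
    if polling_place != this_polling_place:
        return False, "wrong polling place"
    if serial in used_serials:
        return False, "already used"
    return True, electorate
```

A card whose electorate field is altered after issue fails at the check-value stage before the election or polling place is even looked at; a genuine card presented at the wrong polling place passes the check value and is rejected on location.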
ITEM 7
GUIDE WORD: Incorrect; ATTRIBUTE: Voting token
MEANING: A 'registered telephone voter' is issued with a voting token not for the electorate in which the elector is registered to vote.
CAUSE: The voting token issued to the voter contains information to determine which ballot and audio is to be played to the voter. If a voting token is issued for the wrong electorate, and the voter is unaware of their correct electorate, then the voter could vote in the incorrect electorate.
CONSEQUENCE:
1. A vote is recorded for a different electorate.
2. The number of people marked as voted will differ from the number of votes recorded for the enrolled electorate as well as the electorate for which the vote is recorded.
[Such consequences are classified as MINOR.]
EXISTING SAFEGUARDS: The process for issuing voting tokens to registered telephone voters is yet to be detailed but is likely to be automated within the Election Management System (EMS). The voting tokens will be generated by the Election Server and passed electronically to the EMS, which will randomly assign a voting token to the PIN for each registered voter based on the electorate in which the voter is enrolled. An email with the voting token is then to be sent to the registered telephone voter.
COMMENT: A manual process for random assignment of a Voting Token to a particular PIN would give the assignor access to the PIN/Voting Token pair to be used for telephone voting. This would give the assignor the opportunity to vote in place of the registered voter.
ADDITIONAL SAFEGUARDS: Enforce automating the provision of electorate based voting tokens to electors through the EMS.
ITEM 8
GUIDE WORD: Incorrect; ATTRIBUTE: PIN/voting token pair
MEANING: A voter is not able to vote with a PIN/Voting Token pair issued by the EACT.
CAUSE: A telephone voter receives a voting token not linked to their registered PIN.
CONSEQUENCE:
1. The voter will be unable to vote by telephone.
[Such consequences are classified as MINOR.]
EXISTING SAFEGUARDS: Checking of the PIN/Voting Token pair is a two stage process. First the PIN is checked against the registered PINs held in the telephone voting server. If after three attempts a matching PIN cannot be found, the caller is advised to go to a polling place. If a PIN match is found, then the Voting Token is entered and checked as having been assigned to that particular PIN. After three failed attempts to match the PIN and Voting Token, the caller is advised to go to a polling place.
COMMENT: This scenario does not directly disenfranchise an elector; other methods of voting are available to the elector. This hazard is considered as adequately mitigated.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 9
GUIDE WORD: Invalid; ATTRIBUTE: PIN/voting token pair
MEANING: A voter is able to vote with a PIN/Voting Token pair not issued by EACT, i.e. an unauthorised pair. There are two possibilities: i) an unauthorised USB-FD with additional PIN/Voting Token data was substituted, or ii) the data in the EMS system was tampered with.
Note: for a voter to vote by telephone, the entered PIN/Voting Token pair must be found to exist in the telephone voting server database.
CAUSE: An invalid PIN/Voting Token pair is not detected by eVACS, because 'unauthorised' information has been uploaded to the Telephone Voting server.
CONSEQUENCE:
1. If accepted by the system an unjustifiable vote would be recorded.
[Such consequences are classified as MODERATE or CRITICAL depending on the number of additional votes recorded.]
EXISTING SAFEGUARDS: To ensure data cannot be added during transmission of the PIN/Voting Token pairs to the Telephone Voting server, the data is encrypted and then exported to clean, and preferably write-once, media. To upload PIN/token data both a password and the Master Admin barcode (QR code) are required. To ensure unauthorised data cannot be exported for transfer to the Telephone Voting server, the PIN/Voting Token pairs must be stored in the EMS such that any unauthorised additions can be detected.
EACT has processes in place to ensure that electors can only vote once (additional votes must be declaration votes, which can be rejected before being counted). If a fraudulent PIN/Token arrangement is established against an elector's name and used to vote, additional votes under that elector's name are not possible. En masse activity such as this will likely be detected.
To address the possibility of PIN/Voting Token pairs not being linked to voters, the number registered for telephone voting is to be checked against the corresponding number of PIN/Voting Token pairs exported.
COMMENT: The PIN and Voting Token are to be of different lengths, say 5 and 7 digits respectively. For each digit there are 10 possibilities (0 to 9), so if there were 1000 (10^3) PIN/Voting Token pairs registered, the likelihood of a guessed combination being a registered one is 10^3 / 10^(5+7) = 10^-9. It is most unlikely that a particular PIN/Voting Token pair could be guessed.
However, the probability that an arbitrarily chosen pair is not an EACT-issued pair is (1 - 10^-9), which is almost one. Hence, if non-EACT pairs can be produced there is a large number of invalid pairs that could be uploaded, which equates to a CRITICAL outcome if the hazard eventuates.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
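A model of the two-stage PIN / Voting Token check of Item 8 together with the guessing arithmetic and the registration-versus-export count check of Item 9, as an added example that is not eVACS code. The three attempts per stage and the 5- and 7-digit lengths come from the text; the dictionary layout, the `TelephoneVotingCheck` class and the pair generator are assumptions.

```python
"""Added example, not eVACS code: the two-stage PIN/Voting Token check with
three attempts per stage (Item 8), the keyspace arithmetic and the
registered-versus-exported count check (Item 9).  Data layout is assumed."""
import secrets

MAX_ATTEMPTS = 3   # per stage, from Item 8
PIN_DIGITS = 5     # lengths suggested in the Item 9 comment
TOKEN_DIGITS = 7


class TelephoneVotingCheck:
    """registered: {pin: token}, the data uploaded to the telephone voting server."""

    def __init__(self, registered):
        self.registered = dict(registered)

    def run_call(self, pin_attempts, token_attempts):
        """Simulate one call.  Stage 1 accepts the first of up to MAX_ATTEMPTS
        PINs that is registered; stage 2 then accepts up to MAX_ATTEMPTS
        tokens against that PIN.  Returns (outcome, matched_pin) where outcome
        is 'proceed' or the advice given to the caller."""
        pin = next((p for p in pin_attempts[:MAX_ATTEMPTS] if p in self.registered), None)
        if pin is None:
            return "go to a polling place", None
        for token in token_attempts[:MAX_ATTEMPTS]:
            if secrets.compare_digest(token, self.registered[pin]):
                return "proceed", pin
        return "go to a polling place", pin


def guess_probability(n_registered, pin_digits=PIN_DIGITS, token_digits=TOKEN_DIGITS):
    """Item 9: probability that one arbitrary PIN/token pair is a registered
    one, i.e. registered pairs over the whole decimal keyspace."""
    return n_registered / 10 ** (pin_digits + token_digits)


def export_count_check(registered_voters, exported_pairs):
    """Item 9 safeguard: the number of electors registered for telephone voting
    must equal the number of PIN/token pairs exported to the voting server."""
    return len(registered_voters) == len(exported_pairs)


def generate_pair(existing_pins):
    """Issue a fresh zero-padded PIN/token pair from a CSPRNG, avoiding PIN reuse."""
    while True:
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        if pin not in existing_pins:
            break
    token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
    return pin, token
```

With 1000 registered pairs `guess_probability(1000)` gives 10^-9, the figure in the comment above; the count check is the cheap control that catches an export carrying more pairs than there are registered voters.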
ITEM 10
GUIDE WORD: Untimely; ATTRIBUTE: PIN/Voting Token
MEANING: A voter is unable to vote by telephone in the expected timeframe.
CAUSE: PIN/Voting Token pairs are not uploaded to the telephone voting server in the time frame advised to those registering.
CONSEQUENCE:
1. Voters become frustrated and complain to the media.
[Such consequences are classified as MINOR in terms of impact on votes, but could become very disruptive to other EACT election activities.]
EXISTING SAFEGUARDS: Ensure accurate and consistent information regarding when uploads will occur is provided to registered voters:
1) when registering;
2) when they receive their voting token in an email;
3) via the EACT website.
COMMENT: If unplanned delays occur, a second email should be sent to registered voters advising of the delay. A defined schedule should be set. However, if registrations are few, a decision to immediately transfer the pair could be made.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 11
GUIDE WORD: Unsuccessful; ATTRIBUTE: PIN/Voting Token
MEANING: A registered telephone voter is unsuccessful in voting by telephone.
CAUSE: The PIN/Voting Token pair is not uploaded to the telephone voting server, or the email with the Voting Token is not received.
CONSEQUENCE:
1. Voters become frustrated and complain to the media.
[Such consequences are classified as MINOR in terms of impact on votes, but could become very disruptive to other EACT election activities.]
EXISTING SAFEGUARDS: Information on the telephone registration process is to describe what voters should do when the expected process fails, e.g. the email with the Voting Token is not received. Extensive testing is undertaken of the eVACS system before use in any election. This scenario does not directly disenfranchise an elector; other methods of voting are available to the elector.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 12
GUIDE WORD: Invalid; ATTRIBUTE: PIN
MEANING: A voter is unable to vote by telephone despite entering a PIN.
CAUSE: The voter consistently mis-enters their registered PIN.
CONSEQUENCE:
1. The voter becomes frustrated and complains to the media.
[Such consequences are classified as MINOR since no vote is impacted.]
EXISTING SAFEGUARDS: The PIN is checked against the registered PINs held in the telephone voting server, and if after three attempts a matching PIN is not entered, the caller is advised to either hang up and call again once the correct PIN is identified, or go to a polling place and vote in person.
COMMENT: The registered telephone voter has the opportunity to further check/find their PIN and ring in again.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 13
GUIDE WORD: Incorrect; ATTRIBUTE: Password
MEANING: The system accepts an incorrect password.
CAUSE: eVACS has failed to apply the rules governing the use of passwords, or has incorrectly matched an entered password with an approved/stored password.
CONSEQUENCE:
1. An unauthorised person gains access to eVACS® features that should not be accessible to them.
2. An incorrect election outcome could result.
3. The election result may be disputed in the Court of Disputed Elections.
4. The reputation of EACT and relevant suppliers of electronic voting solutions will be at stake.
[Such consequences are classified as CRITICAL or CATASTROPHIC depending on the number of votes impacted.]
EXISTING SAFEGUARDS: Extensive testing is undertaken of the eVACS system before use in any election. The password policy complies with ASD requirements. Polling place servers are housed in a locked cabinet; the election server and telephone voting server are located in access controlled premises. Access to the election server requires both a password and a Master Admin barcode (QR code).
COMMENT: ACT Government and ASD requirements for passwords include length and a combination of alphanumeric characters and symbols to maximise the security of passwords.
ADDITIONAL SAFEGUARDS: Where eVACS® passwords are not being used in a secure environment, e.g. at polling places, entering the password could also require use of the Master Admin barcode. Independent security testing.
ITEM 14
GUIDE WORD: Inaccessible; ATTRIBUTE: Passwords
MEANING: Passwords are inaccessible when required.
CAUSE: Poor management of passwords.
CONSEQUENCE:
1. Inability to enter the access password to the election server inhibits undertaking any of the functions on the election server, disrupting the election. The disruption caused depends on the status of the election and on how frequently backups of the election server have been made.
2. If a polling place password (e.g. the end of election password) is not known and voting has not commenced, the password cannot be recovered and the setup process needs to be undertaken again; any backup containing these passwords cannot be used.
3. If the polling place password cannot be entered at close of polling, then the first preference count cannot be undertaken. However, this does not impact on the votes data in the database.
[Such consequences are classified as MINOR since they do not impact on election results.]
EXISTING SAFEGUARDS: Passwords are stored in the EACT safe to protect against being misplaced. Access to the safe is restricted to the Electoral Commissioner and Deputy Electoral Commissioner. Access to the election server requires both a password and a Master Admin barcode.
If the correct password cannot be entered on the election server, the election could be set up again and data restored from the most recent backup. The password for end of election access is not provided to polling place officials until after the close of polling. Regular backup is recommended in the Election Server User Manual, with particular emphasis on backing up after 'generate barcodes' (now also voting tokens) and after loading Phase 2 data.
COMMENT: Ensuring safe and secure storage of the passwords external to eVACS® is essential to avoid unnecessary stress, risk and time delays.
ADDITIONAL SAFEGUARDS: In order to avoid having to set up a completely new election, it would be advisable to leave setting up the passwords associated with voting servers until just before selection of the function to create the voting server installation.
ITEM 15
GUIDE WORD: Incorrect; ATTRIBUTE: Information
MEANING: The election event is commenced with inaccurate data installed.
CAUSE: Incorrect information is loaded as part of setup Phase 1 and/or setup Phase 2. Incorrect information could include:
a) ballot data;
b) name/date of election;
c) insufficient barcodes and/or voting tokens generated.
CONSEQUENCE:
1. If insufficient barcodes and/or voting tokens are generated, fewer electronic votes are taken than anticipated.
2. If an error in a single electorate ballot is not detected until voting commences, then voters for that electorate would all have to vote with paper ballots.
3. If the ballot for more than one electorate has an error, then electronic voting may not be able to proceed.
4. Depending on the extent and timing of detection of the error(s), the election result may be disputed in the courts.
5. Voters may not be able to vote in accordance with their preferences until the issue is discovered (at which point electronic voting for that electorate would be stopped).
[Such consequences are classified as MINOR if detected before voting commences, CRITICAL if eVACS® cannot be used at all, or potentially CATASTROPHIC if the Court of Disputed Elections requires the election to be re-run.]
EXISTING SAFEGUARDS: EACT currently maintains strict checks of all information before including it as Phase 1 or Phase 2 input. Polling place and ballot information is extracted from another system for which the EACT has processes to check the information entered. Ballots for each electorate are previewed on the election server before the voting server installation is created. The same barcodes cannot be regenerated; selecting 'generate barcodes' when barcodes already exist creates a new set of barcodes that replaces the existing set in the database. Phase 1 and Phase 2 can be rerun; information uploaded previously is automatically deleted.
COMMENT: Election information refers to all information uploaded to eVACS®, including the number of barcodes and voting tokens to be generated.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 16
GUIDE WORD: Incorrect; ATTRIBUTE: Location
MEANING: The voting server at a polling place is set up for the wrong polling place.
CAUSE: The Master Admin QR code for a particular polling place is delivered to the wrong polling place.
CONSEQUENCE:
1. Barcodes will not be for the polling place of the server and all barcodes will be identified as invalid (this assumes the barcodes were delivered to the correct polling place).
2. At least one other polling place will also have the wrong Master Admin barcode.
3. This should be detected no later than the start of pre-polling. Electronic voting will not be available until the correct Master Admin QR code is delivered and the location of the server(s) is correctly set up.
[Such consequences are classified as MINOR as no votes will be impacted.]
EXISTING SAFEGUARDS: Ballot papers are always available at all polling locations so that voting is not interrupted.
ADDITIONAL SAFEGUARDS: Master Admin barcodes to have the name of the polling place printed on the card together with the name and date of the election. The official in charge of the polling place to have instructions to check that the paperwork, e-voting cards and Master Admin card are all for the same polling place.
ITEM 17
GUIDE WORD: Insecure; ATTRIBUTE: Hardware
MEANING: The location of system hardware is such that the hardware is exposed to interference.
CAUSE: Inadequate protection of hardware. The boot sequence on a voting server or voting client is not changed (via BIOS) to boot from the hard drive after the software has been loaded from the network.
CONSEQUENCE:
1. Hardware is damaged so that voting is not possible:
a. If a voting client is damaged or accessed, this will cause disruption while it is being replaced or taken out of service.
b. If a voting server is damaged or accessed, this could result in loss or addition of votes recorded since the last backup.
c. If the election server is damaged or accessed, this could result in the votes database being compromised.
2. Uncertified malicious software is installed, which could impact on the integrity of the system and potentially on vote preferences.
[Such consequences are classified as MINOR if related to a voting client, MODERATE if eVACS® is unavailable for a period of time, or CRITICAL to CATASTROPHIC if the impact on a server results in a disputed election having to be re-run.]
EXISTING SAFEGUARDS: Voting clients are basically dumb terminals and do not store any vote information. All unused ports are to be disconnected via the operating system and physically. The only visible part of the voting client is the screen for voting. The voting server is located in a locked cabinet out of sight of people entering the polling place. The network connecting client to server is also placed out of sight.
Dual storage of votes increases the possibility that votes may be recoverable. (Strict processes and procedures are in place if a corrupted or damaged hard drive needs to be accessed to recover votes.) Daily cumulative backups of votes at the close of polling are taken off site. If the election server is compromised then the server can be set up again and all votes, from voting servers and scanning, reloaded. Votes from voting servers are available from existing backups or can be exported again.
After hours security processes are employed. Access to the BIOS is password controlled.
ADDITIONAL SAFEGUARDS: Physical locking of unused ports on voting clients and voting servers.
ITEM 18
GUIDE WORD: Untimely; ATTRIBUTE: Recovery
MEANING: Electronic voting (at polling places or telephone voting) is stopped for an unacceptable time period after experiencing a failure.
CAUSE: Inadequate recovery arrangements.
CONSEQUENCE:
1. Reputational damage to EACT if voters complain to the media.
[Such consequences are classified as MINOR as no votes will be impacted.]
EXISTING SAFEGUARDS: A replacement voting client can be easily swapped with a failed voting client in a known time frame without disruption to voting. A spare polling place server is always configured. Telephone voting audio switches to a message akin to 'voting is currently unavailable, please try again later'. Ballot papers are always available for voting to continue within the polling place.
Note: recovery of a voting server is dependent upon the specific failure.
COMMENT: Need to keep voters advised of the circumstances and offer voting with a paper ballot.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 19
GUIDE WORD: Insecure; ATTRIBUTE: Network
MEANING: The network connecting voting clients to the voting server at a polling place becomes, or is, insecure.
CAUSE: Surreptitious access to the communication network.
CONSEQUENCE:
1. Votes might be added, lost or modified, and/or recorded elsewhere, resulting in a disputed election and a possible requirement to re-run the election.
2. The order of candidates could be modified.
3. Voting client functions could be manipulated.
4. Attempt to disrupt the election and the reputation of EACT and the electronic voting vendor.
[Such consequences are classified as MODERATE if affecting only one voting client, but could escalate to CRITICAL or CATASTROPHIC depending on the extent of the interference and whether it is revealed. Any impact on votes may not be determinable.]
EXISTING SAFEGUARDS: Use of HTTPS for communications across the network protects those communications from being read or altered in transit (this relies on the voting client verifying the voting server's certificate, and it does not protect an endpoint that is itself compromised). The layout of the network is such that it is not visible and any access can be observed by officials. Establishment of a LAN, and therefore no connection to the internet, effectively limits the opportunity for and surface of a possible cyber-attack.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
ITEM 20
GUIDE WORD: Less; ATTRIBUTE: Votes
MEANING: The number of electronic votes at a polling place is less than the number of e-voting cards issued.
CAUSE: Votes have not been recorded by the voting server due to:
1. the voter has deliberately not completed their vote;
2. the voter has unintentionally not scanned their e-voting card a second time to commit their vote;
3. the voting server has failed to record a committed vote.
CONSEQUENCE:
1. Some intended votes will be lost.
2. Inaccuracy in the number of recorded votes.
[Such consequences are classified as MINOR if due to user error, or MODERATE depending on the number of votes not recorded through system error (as this would be picked up at the end of each day).]
EXISTING SAFEGUARDS: eVACS® includes a final screen that assists in identifying possible unintentional vote completion issues. LAPPERDS automates a daily reconciliation of barcodes issued against votes in the server, highlighting if the server is not recording votes in large numbers (system error). Code reviews, thorough testing and independent audit are used to ensure the voting software does commit votes and does not add, delete or modify votes.
COMMENT: eVACS provides a report on the number of occasions a voter did not swipe their e-voting card a second time.
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 21: Guide word "More", Attribute "Votes"
Hazard/Threat (Deviation): Votes have been recorded by the voting server either through cyber-attack or electronic insider actions. Meaning: the number of electronic votes at a polling place is more than the number of e-voting cards issued.
Consequence if Hazard/Threat Causes Harm:
1. Indicates that the voting system has been maliciously compromised.
2. Potential disputed election and a potential re-run.
3. Major reputational damage.
[Such consequences are classified as CRITICAL or CATASTROPHIC depending on number of additional votes recorded]
Existing Safeguards against Hazard/Threat Causing Harm:
EACT processes check total e-voting cards and number issued on a daily basis against number of votes in ballot box, so that any discrepancy can be identified as soon as possible.
Physical and software protections to limit opportunity for maliciously altering the voting servers.
Establishment of a LAN, and therefore no connection to the internet, effectively limits opportunity and surface of possible cyber-attack.
Use of https for communications between voting server and voting client limits ability to interfere with transmissions.
Voting terminals monitored at all times during polling by e-voting officers to limit opportunity for an insider to add multiple votes. Polling procedures ensure that either the OIC or 2IC must be present within the polling place at all times (i.e. no official is in the polling place alone at any time).
Recommendations to Increase Safeguards:
COMMENT: With the security protections in place, the most likely way in which this could happen is by a polling place official.
ADDITIONAL SAFEGUARDS: At the end of the election, compare the number of e-voting cards issued at a polling place with the number of votes taken plus the number of votes initiated but not completed at that polling place. This could be done on an electorate basis as well as all votes.
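The reconciliation that Items 20 and 21 rely on (cards issued against votes committed plus votes initiated but not completed, per polling place and per electorate), written out as an added example; this is not eVACS or LAPPERDS code, and the electorate labels, polling place names and counts are constructed.

```python
"""Reconciling e-voting cards issued against votes recorded, per polling place and electorate."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class PollingPlaceCount:
    electorate: str        # constructed label, not a real ACT electorate
    polling_place: str     # constructed label
    cards_issued: int      # e-voting cards handed out by polling officials
    votes_committed: int   # votes stored by the polling place voting server
    votes_incomplete: int  # card scanned once, vote never committed (the eVACS report count)


def deviation(cards_issued: int, votes_committed: int, votes_incomplete: int) -> Tuple[str, int]:
    """Classify a count against the study's guide words.

    "Less": cards issued that no vote, complete or incomplete, accounts for (Item 20).
    "More": more votes than cards, which the study treats as a sign of compromise (Item 21).
    """
    accounted = votes_committed + votes_incomplete
    if accounted < cards_issued:
        return "Less", cards_issued - accounted
    if accounted > cards_issued:
        return "More", accounted - cards_issued
    return "OK", 0


def reconcile(counts: Iterable[PollingPlaceCount]) -> Dict[str, Tuple[str, int]]:
    """Return a finding per polling place and, keyed 'electorate:<name>', per electorate."""
    findings: Dict[str, Tuple[str, int]] = {}
    totals = defaultdict(lambda: [0, 0, 0])
    for c in counts:
        findings[c.polling_place] = deviation(c.cards_issued, c.votes_committed, c.votes_incomplete)
        t = totals[c.electorate]
        t[0] += c.cards_issued
        t[1] += c.votes_committed
        t[2] += c.votes_incomplete
    for electorate, (issued, committed, incomplete) in totals.items():
        findings["electorate:" + electorate] = deviation(issued, committed, incomplete)
    return findings


# Constructed sample counts, not real election data.
SAMPLE_COUNTS = [
    PollingPlaceCount("E1", "PP-A", 120, 118, 2),  # reconciles exactly
    PollingPlaceCount("E1", "PP-B", 80, 83, 0),    # More: three votes with no card behind them
    PollingPlaceCount("E2", "PP-C", 60, 55, 1),    # Less: four cards with no vote at all
]

if __name__ == "__main__":
    for key, (guide_word, diff) in reconcile(SAMPLE_COUNTS).items():
        print(f"{key}: {guide_word} ({diff})")
```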
Item 22: Guide word "Modified", Attribute "Votes"
Hazard/Threat (Deviation): Preferences potentially modified by unauthorised access to:
1) polling place network, either directly or indirectly
2) voting server database
3) votes while being transported
4) election server database
5) system, enabling modification of the software
Meaning: electronic vote preferences at a polling place are not the same as those chosen by the voter.
Consequence if Hazard/Threat Causes Harm:
1. eVACS has been compromised.
2. Potential disputed election and a potential re-run.
3. If occurs after vote(s) have been stored, then malicious interference is likely the cause.
4. Major reputational damage.
[Such consequences are classified as MODERATE during voting, otherwise CRITICAL or CATASTROPHIC depending on the extent of interference and if revealed. Any impact on votes may not be determinable]
Existing Safeguards against Hazard/Threat Causing Harm:
Checking of vote preferences being recorded against screen presses or key strokes to ensure vote is being recorded according to voter selections. If mismatch, error is raised and voting client has to be restarted. No vote is recorded and e-voting card is not marked as used.
Code reviews, thorough testing, independent audit, and open source policy are used to ensure the voting software does commit votes and does not add, delete or modify votes, and accurately decrypts for counting the encrypted votes.
Physical and software protections to limit opportunity for maliciously altering the voting servers.
Establishment of a LAN, and therefore no connection to the internet, effectively limits opportunity and surface of possible cyber-attack.
Use of https for communications between voting server and voting client limits ability to interfere with transmissions.
Access controls are in place for servers and when votes are being transported.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 23: Guide word "Less", Attribute "Votes"
Hazard/Threat (Deviation): Telephone voting server has been compromised. Meaning: the number of telephone votes is less than the number of PIN/Voting tokens marked as used.
Consequence if Hazard/Threat Causes Harm:
1. Incorrect or inaccurate recording of votes.
2. Potential disputed election and a potential re-run.
3. Major reputational damage.
[Such consequences are classified as MINOR if difference is small, but CRITICAL or CATASTROPHIC depending on number of additional votes not recorded]
Existing Safeguards against Hazard/Threat Causing Harm:
PIN/Voting Token pair is not marked as used until PIN is re-entered at end of voting session.
Code reviews, thorough testing, independent audit and open source code policy are used to ensure the voting software does commit votes and does not add, delete or modify votes.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 24: Guide word "More", Attribute "Votes"
Hazard/Threat (Deviation): Telephone voting server has been compromised. Unauthorised PIN/Voting Token pairs have been uploaded to the telephone voting server. Meaning: the number of telephone votes is more than the number of PIN/Voting tokens registered/issued.
Consequence if Hazard/Threat Causes Harm:
1. Potential incorrect or inaccurate recording of votes.
2. Potential disputed election and a potential re-run.
3. Major reputational damage.
[Such consequences are classified as MINOR if difference is small, but CRITICAL or CATASTROPHIC depending on number of additional votes recorded]
Existing Safeguards against Hazard/Threat Causing Harm:
Physical and software protections to limit opportunity for maliciously altering the telephone voting server.
Software protections to limit opportunity to maliciously alter the functions within EMS generating the emails and PIN/Voting Token files for upload to the telephone voting server.
Protection of PIN/Voting Token pairs when being transported to telephone voting server.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: To address possibility of PIN/Voting Token pairs not being linked to voters, the number registered for telephone voting be checked against the corresponding number of PIN/Voting Token pairs exported.
Item 25: Guide word "Modified", Attribute "Votes"
Hazard/Threat (Deviation): Telephone voting server has been compromised. The system has code within the software that is not recording votes correctly (maliciously or inadvertently). Meaning: the preferences of telephone votes are modified.
Consequence if Hazard/Threat Causes Harm:
1. Potential disputed election and a potential re-run.
2. Major reputational damage.
[Such consequences are classified as CRITICAL or CATASTROPHIC depending on number of votes impacted]
Existing Safeguards against Hazard/Threat Causing Harm:
Checking of vote preferences against run through of key presses to ensure vote is being recorded according to voter selections.
Code reviews, thorough testing, independent audit and open source code policy are used to ensure the voting software commits votes as intended.
Physical and software protections to limit opportunity for maliciously altering the voting servers.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 26: Guide word "Nonanonymous", Attribute "Votes"
Hazard/Threat (Deviation): A means to link a voter with their vote is put into place, either accidentally or intentionally. Meaning: information about voters and their votes becomes publicly available.
Consequence if Hazard/Threat Causes Harm:
1. People have been tracked when voting and their vote preferences identified.
2. Although this does not directly impact on the election results, such an event would damage the reputation of EACT and the vendor of eVACS®.
3. Individuals might also claim that the published vote information is not how they voted, either because they don't remember accurately, or they simply wish to discredit the use of the system.
[Such consequences are classified as MODERATE]
Existing Safeguards against Hazard/Threat Causing Harm:
For electronic and telephone voting there is no information within eVACS that links a voter to their vote.
For electronic voting, the e-voting card required to vote at a polling place and the voting token for telephone voting are issued to an elector on a random basis.
See also Items 2 and 3.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 27: Guide word "Insecure", Attribute "Transportation"
Hazard/Threat (Deviation): Media used for transportation of votes from polling place servers and the telephone voting server to Election HQ is insecure. Information on media is insecure. Meaning: votes are lost or modified during transportation.
Consequence if Hazard/Threat Causes Harm:
1. If accepted by the system incorrect votes would be recorded.
2. Possible reputational damage if storage medium was lost.
[Such consequences are classified as MINOR or MODERATE depending on number of votes impacted]
Existing Safeguards against Hazard/Threat Causing Harm:
Votes being transported are a cumulative backup and can easily be downloaded again from the voting server, with different checksums and their QR codes.
The votes on the media can only be decrypted by the election server, therefore the details of the votes cannot be deciphered or published.
There is no information on the media to indicate the voters who cast the votes.
If media is handed in with the QR codes for the checksums, the election server is able to determine if the files have been modified.
If the media is handed in without the QR codes for the checksums, the data could not be uploaded into the election server (the checksum entry is mandated) and a replacement backup would be sought.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 28: Guide word "Unsafe", Attribute "Transportation"
Hazard/Threat (Deviation): People intent on disrupting the election could accost those transporting the votes. Driving or walking in the public environment. Meaning: people involved in transporting votes (downloaded from polling place servers and the telephone voting server) to Election HQ are exposed to risks on the road and/or risks as a pedestrian.
Consequence if Hazard/Threat Causes Harm:
1. Media with the daily cumulative votes are stolen, misplaced or destroyed leading to possible reputational damage of EACT.
[Such consequences are classified as MINOR or MODERATE depending on harm to the individual]
Existing Safeguards against Hazard/Threat Causing Harm:
Votes being transported are a cumulative backup and can easily be downloaded again from the voting server, with different checksums and their QR codes.
The votes on the media can only be decrypted by the election server, therefore the details of the votes cannot be deciphered or published.
There is no information on the media to indicate the voters who cast the votes.
If media is handed in with the QR codes for the checksums, the election server is able to determine if the files have been modified or already uploaded.
If the media is handed in without the QR codes for the checksums, the data could not be uploaded into the election server (the checksum entry is mandated) and a replacement backup would be sought.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
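The election-server intake decision described in Items 27 and 28 (checksum entry mandated, modified files refused, already-uploaded backups not loaded twice), as an added example that is not eVACS code. It assumes SHA-256 as the checksum, a hex string as the value decoded from the QR code, and a set of seen checksums as the "already uploaded" bookkeeping; the backup bytes are constructed.

```python
"""Election-server side acceptance check for a vote backup handed in on removable media."""
import hashlib
from typing import List, Optional


class BackupIntake:
    """Applies the checks the study describes: checksum mandatory, modified files
    refused, already-uploaded backups not loaded twice."""

    def __init__(self) -> None:
        self.uploaded = set()  # checksums of backups already loaded (assumed bookkeeping)

    @staticmethod
    def checksum(data: bytes) -> str:
        # Assumption: a SHA-256 hex digest is what the polling place prints as the QR code.
        return hashlib.sha256(data).hexdigest()

    def accept(self, backup: bytes, qr_checksum: Optional[str]) -> str:
        # The checksum entry is mandated: with no QR code value, nothing is uploaded and a
        # replacement backup is requested from the polling place server.
        if not qr_checksum:
            return "rejected: no checksum supplied, request replacement backup"
        actual = self.checksum(backup)
        if actual != qr_checksum.strip().lower():
            return "rejected: file modified in transit, request replacement backup"
        if actual in self.uploaded:
            return "ignored: backup already uploaded"
        self.uploaded.add(actual)
        return "accepted"


# Constructed sample. The backup is opaque ciphertext to this check; only the election
# server's decryption step (not modelled here) can read the votes inside it.
SAMPLE_BACKUP = b"constructed-encrypted-vote-backup-day1"
SAMPLE_QR = BackupIntake.checksum(SAMPLE_BACKUP)  # value the QR code would decode to
TAMPERED_BACKUP = SAMPLE_BACKUP + b"\x00"           # one byte changed in transit


def demo() -> List[str]:
    """Run the four cases the study mentions, in order, and return each outcome."""
    intake = BackupIntake()
    return [
        intake.accept(SAMPLE_BACKUP, None),           # no QR code handed in
        intake.accept(TAMPERED_BACKUP, SAMPLE_QR),    # media contents modified
        intake.accept(SAMPLE_BACKUP, SAMPLE_QR),      # genuine backup, first upload
        intake.accept(SAMPLE_BACKUP, SAMPLE_QR),      # same media handed in twice
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```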
Item 29: Guide word "Substitution", Attribute "Software"
Hazard/Threat (Deviation): Unauthorised access to eVACS software is attained. Unaudited previous version of software is installed intentionally or inadvertently for official election event creation. Meaning: some or all of the eVACS software used in an election has been replaced with unaudited software.
Consequence if Hazard/Threat Causes Harm:
1. eVACS does not operate as it should.
2. Election results may not reflect the voters' preferences.
3. Reputational damage to EACT and electronic voting vendors.
4. Potential withdrawal of Legislative Assembly support for electronic voting.
5. Potential disputed election and a potential re-run.
[Such consequences are classified as CATASTROPHIC]
Existing Safeguards against Hazard/Threat Causing Harm:
Once the eVACS software has been audited the vendor does not have access to the software and therefore cannot change any of the software comprising eVACS.
Returned code from independent auditor is physically certified.
The returned audited software is kept in the EACT safe. Access to the safe is restricted to the Electoral Commissioner and Deputy Electoral Commissioner.
The Deputy Electoral Commissioner is the officer responsible for creating the official election event.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
Item 30: Guide word "Accessible", Attribute "Passwords"
Hazard/Threat (Deviation): Passwords are inadequately protected. Meaning: unauthorised use of passwords.
Consequence if Hazard/Threat Causes Harm:
1. Unauthorised access to eVACS is obtained.
2. Could enable election server functions to be accessed and even election setup changed with incorrect information.
3. Reputational damage to EACT and electronic voting vendors.
4. Potential withdrawal of Legislative Assembly support for electronic voting.
5. Potential disputed election and a potential re-run.
6. Access to first preference count results at polling places could be prematurely provided to individuals, parties or the public.
[Such consequences are classified as MINOR for early release of preference count to CATASTROPHIC if all setup election information is modified]
Existing Safeguards against Hazard/Threat Causing Harm:
Election server passwords are stored in the EACT safe. Access to the safe is restricted to the Electoral Commissioner and Deputy Electoral Commissioner.
End of election passwords are only provided to polling place OICs after the close of polls and are kept secure prior to this date (as above).
Access to polling place server passwords does not provide access that can allow altering or viewing of votes.
Recommendations to Increase Safeguards:
COMMENT: (none)
ADDITIONAL SAFEGUARDS: No additional safeguards are required.
– END OF DOCUMENT –