Navigant Research Blog

High Stakes Blockchain Applications Are a New Frontier for Cybersecurity

— November 30, 2017

Blockchain-Based Systems Are Only as Strong as Their Weakest Link

On November 16, the US Patent and Trademark Office released a patent filed by Nasdaq that describes a blockchain-based architecture for tracking the ownership and transfer of stock market assets.

Nasdaq is part of a wave of big name organizations globally—including banks, utilities, and the Pentagon—that have announced plans to experiment with blockchain to determine whether it can help their organizations run more smoothly, efficiently, and securely.

As the hype train charges onward and expectations skyrocket, there is a real risk that in the rush to generate solutions to increasingly complex high stakes problems, adopters will forget that simply adding blockchain doesn’t make a system bulletproof. Before integrating blockchain into keystone systems like stock exchanges or electricity grid operations, it’s important to understand where blockchain brings security to a system, where it doesn’t, and how it interacts with other pieces of the puzzle.

Blockchains Are Built on Security and Cryptography Principles

Blockchain architectures are considered a robust and highly secure means of storing information for several reasons:

  • The blockchain is stored across a decentralized, distributed network of many computers, creating a redundant record with no single point of failure.
  • Network nodes use a resource-intensive cryptographic process (proof-of-work, in Bitcoin's case) to reach consensus on the chronology and validity of transactions; rewriting history would mean redoing that work faster than the rest of the network.
  • Each block commits to the hash of the block before it, so the full record stored on the blockchain can be audited by any node in the network, and an altered block breaks every link after it.

In combination, these properties make the blockchain ledger itself resilient to attack. Indeed, despite a soaring valuation that puts roughly $140 billion within reach of attackers, the Bitcoin protocol itself has never been broken.
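To make the three properties above concrete, here is a toy hash-chained ledger with proof-of-work and a full-chain audit. This is an added example, not Nasdaq's, Bitcoin's or any project's code; the difficulty target, block layout and transaction format are assumptions for illustration only. It shows what "auditable by any node" means in practice: a node that re-verifies the chain detects a rewritten transfer even though the attacker controls the copy it is looking at.

```python
"""Toy hash-chained ledger with proof-of-work and chain verification.

Added example (not Navigant's, Bitcoin's or any project's code). The difficulty,
block layout and transaction format are assumptions for illustration, not any
real protocol's wire format.
"""
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY = 3  # assumed: leading hex zeros required in a valid block hash


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list  # constructed sample data: {"from", "to", "amount"} dicts
    nonce: int = 0

    def hash(self) -> str:
        # Canonical serialisation so every node hashes identical bytes.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


def mine(block: Block) -> Block:
    """Resource-intensive step: search for a nonce that meets the difficulty target."""
    while not block.hash().startswith("0" * DIFFICULTY):
        block.nonce += 1
    return block


def build_chain(batches) -> list:
    """Create a chain from a list of transaction batches, genesis block first."""
    chain = [mine(Block(0, "0" * 64, []))]
    for txs in batches:
        chain.append(mine(Block(len(chain), chain[-1].hash(), txs)))
    return chain


def verify_chain(chain) -> bool:
    """Any node can audit the full record: check proof-of-work and linkage."""
    for i, block in enumerate(chain):
        if block.index != i:
            return False  # ordering tampered with
        if not block.hash().startswith("0" * DIFFICULTY):
            return False  # proof-of-work missing, or invalidated by an edit
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False  # link broken: an earlier block was altered
    return True


def tamper_and_check() -> bool:
    """Rewrite a recorded transfer, then re-audit: the chain no longer validates."""
    chain = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],      # constructed sample
        [{"from": "bob", "to": "carol", "amount": 2}],      # constructed sample
    ])
    assert verify_chain(chain)
    chain[1].transactions[0]["amount"] = 500  # attacker rewrites history
    # Either block 1 loses its proof-of-work or block 2's prev_hash no longer
    # matches; in both cases the audit fails.
    return verify_chain(chain)


if __name__ == "__main__":
    print("tampered chain verifies:", tamper_and_check())
```

Note what this audit does not cover, which is the point of the next section: a transfer signed with a stolen key, or one produced by a buggy contract, is a perfectly valid block and is recorded just as permanently as an honest one.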

Determined Hackers Will Work Around Unbreakable Cryptography

Rather than attacking the blockchain itself, hackers have repeatedly exploited weaknesses in the hardware and software components around it: the personal computers and devices that make up the nodes of the network, the wallets and accounts that hold keys, and the software applications that enable autonomous transfers and digital contracts. It's the cryptographic analog of identity theft: a thief doesn't need to smash their way into a bank vault if they can clone your credit card.

White hat hackers used exactly this principle to gain irreversible control of users' Bitcoin wallets by exploiting a hole in cellular text messaging protocols to intercept SMS-based account recovery codes. A hacker famously exploited errors in an Ethereum smart contract to steal $31 million from early backers of a startup. The blockchain preserves an immutable, open record of the thefts for all to see, but the same immutability makes them irreversible.

Planning Ahead

The electricity system is a frequent target of cyber attacks backed by powerful antagonists. No blockchain architecture has yet been subjected to a stress test of the magnitude we might expect if it were supporting, say, the automated demand response capabilities of a microgrid in an urban financial district. Potential applications in these systems are among the most transformative opportunities for blockchain, but they will also be among the most prone to cyber attack and the hardest to field test at scale.

Until a set of comprehensive security standards for blockchain-based systems is developed, Nasdaq and any organization seeking to adopt blockchain-based solutions must recognize that blockchain does not inherently provide end-to-end security. For blockchain to be part of the solution requires thoughtful implementation and proactive design that maximizes security at the endpoints: the nodes, keys, and applications at either end of the chain. Every link of the system must be evaluated for security and potential vulnerabilities, and adopters should be especially cautious about entrusting critical systems to the technology.

 

Congress Steps into the IoT Security Fray

— December 15, 2016

Congress stepped into the fray surrounding Internet of Things (IoT) device security (or the lack thereof) recently when it held a hearing on how to combat distributed denial-of-service (DDoS) attacks, which hijack large numbers of connected devices and use them to flood web services with traffic. The most glaring example of such an attack came on October 21. An IoT botnet called Mirai was directed at DNS provider Dyn; with Dyn's name servers overwhelmed, numerous well-known sites that depend on them, including Amazon, Netflix, and Reddit, became unreachable for much of the day.

Members of the House Energy and Commerce Committee heard testimony from experts like Bruce Schneier, a renowned cybersecurity expert, who said during the hearing he thinks a new federal agency may be necessary to regulate IoT, despite what may be the incoming administration’s reluctance toward more government oversight. “I don’t see the choice as being between government involvement and no government involvement, but between smart government involvement and stupid government involvement. I would rather think about it now,” Schneier said.

Slow Down, Offer Support

Another participant in the process, Craig Spiezle, executive director and president of the Online Trust Alliance (OTA), attended the hearing and submitted a written statement to the committee. Spiezle sees two main issues that need resolving. First, IoT manufacturers should embrace basic cybersecurity principles when designing new products and avoid the tendency to rush products to market out of expediency while sacrificing security. Second, IoT vendors need to provide adequate ongoing support for their products throughout their lifecycles and not leave security updates out of the equation. His organization is also recommending that retailers pull IoT products off shelves if those products do not meet certain minimum security standards.

Nothing was resolved during the hearing, though new legislation or rules are likely to be promulgated at some point, given the potential harm from these kinds of attacks. Meantime, there are other governmental and industry efforts to thwart attacks that exploit IoT technologies. For instance, the National Institute of Standards and Technology (NIST) has created a framework that outlines IoT security standards. Also, the Z-Wave Alliance recently announced new security requirements for all of its certified IoT devices. Lastly, computer scientists are working on formal verification, a technique for mathematically proving that software behaves exactly as its specification says; it cannot make a device hack-proof, since the specification itself can be wrong, but it can rule out entire classes of implementation bugs and could one day be used to harden IoT devices and systems.

There are real efforts underway to fight back against IoT attacks. Nonetheless, the vulnerabilities of a connected society are not going away soon, and efforts to stay ahead of nefarious actors have to be ongoing. What seems clear is that business as usual in this regard is no longer acceptable, as Spiezle and others argue, and fundamental changes are required in how IoT products are developed, sold, and supported. I could not agree more.

 
