What are the best ways to make enterprise blockchain platforms more secure? Test them, analyze them, and get the bugs out before exposing them to the world.
The original version of this post was published in Forbes.
All aboard the blockchain train. Just proceed with caution—it’s not yet as safe and secure as it needs to be.
No, we’re not talking cryptocurrency here. This isn’t about Bitcoin, Ethereum or any of the other 1,500 or so versions of digital currency. This is about enterprise blockchain—using the distributed ledger technology for just about anything involving transactions, storing records and tracking the flow of goods and information. Which are, of course, among the major things any business does.
And which is probably why most enterprises are indeed getting aboard the train. According to Deloitte’s 2018 global blockchain survey, 95% of companies across multiple industries planned to invest in blockchain during 2019—39% said $5 million or more and another 26% said at least $1 million. IDC estimates that investment in enterprise blockchain platforms in 2019 will be nearly $3 billion.
The government is taking notice as well. The federal Department of Energy (DoE) is putting a $200,000 grant into a trial of the technology to see if it can help protect the national power grid.
Overall, that’s good, according to Stark Riedesel, associate principal at Synopsys. While cryptocurrencies have been demonstrably shown to be a risky playground, Riedesel said when it comes to enterprise uses, “the risk is to the 5% of companies not investigating blockchain in their industries.”
“Not to say blockchain is a silver bullet—it’s not,” he said, “but understanding its strengths and weaknesses prevents you from being blindsided by the ‘disruptors.’ At a minimum, companies should be identifying areas that blockchain may have an impact on their bottom line and keeping an ear to the ground for potential new applications.”
The attraction of blockchain technology makes sense, given how well it protects the integrity of data. Each block carries the hash of the block before it, and the ledger is replicated across many independent nodes, so an attacker cannot quietly rewrite a record on a single server: the edited copy stops matching the other replicas. As its advocates have said many times, an attacker would have to compromise not one system but a large share of the "nodes" that process and validate the data, and on a public network there may be thousands of them.
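As an added illustration of why that tamper resistance holds, and where it stops holding, here is a toy hash-chained ledger in Python. It is example code written for this page, not code from the article, from Synopsys or from any real blockchain platform; the shipment records are constructed, and the "most common tip hash wins" vote is a stand-in for a real consensus protocol. It shows three things: an in-place edit on one replica breaks the chain's own hash links; an attacker who controls a replica can rebuild every later block so that replica verifies cleanly on its own; and what catches that is comparison with the other nodes, which only works while the attacker controls a minority of them.

```python
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    data: dict

    def digest(self) -> str:
        # Canonical JSON so every node computes the same hash for the same content.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "data": self.data},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


# Constructed sample records for a hypothetical shipment ledger (not real data).
SAMPLE_RECORDS = [
    {"shipment": "SH-1001", "from": "vendor", "to": "customer", "amount": 5000},
    {"shipment": "SH-1002", "from": "vendor", "to": "customer", "amount": 7200},
    {"shipment": "SH-1003", "from": "customer", "to": "vendor", "amount": 1200},
]


def build_chain(records: List[dict]) -> List[Block]:
    """Genesis block plus one block per record, each linked by the previous block's hash."""
    chain = [Block(0, "0" * 64, {"genesis": True})]
    for rec in records:
        chain.append(Block(len(chain), chain[-1].digest(), rec))
    return chain


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Return the index of the first block whose back-link is broken, or None if intact."""
    for i in range(1, len(chain)):
        if chain[i].prev_hash != chain[i - 1].digest():
            return i
    return None


def tamper(chain: List[Block], index: int, new_data: dict) -> List[Block]:
    """Edit one block in place on a replica; later blocks still point at the old hash."""
    copy = list(chain)
    old = copy[index]
    copy[index] = Block(old.index, old.prev_hash, new_data)
    return copy


def rewrite(chain: List[Block], index: int, new_data: dict) -> List[Block]:
    """Edit one block and rebuild every later block, so the replica passes its own check."""
    if index < 1:
        raise ValueError("the genesis block is not rewritten in this example")
    copy = chain[:index]
    copy.append(Block(index, copy[-1].digest(), new_data))
    for old in chain[index + 1:]:
        copy.append(Block(old.index, copy[-1].digest(), old.data))
    return copy


def majority_tip(replicas: Dict[str, List[Block]]) -> Tuple[str, List[str]]:
    """Toy agreement check: the tip hash held by most nodes wins; the rest are outvoted."""
    tips = {name: chain[-1].digest() for name, chain in replicas.items()}
    winner = Counter(tips.values()).most_common(1)[0][0]
    dissenters = sorted(name for name, tip in tips.items() if tip != winner)
    return winner, dissenters


if __name__ == "__main__":
    honest = build_chain(SAMPLE_RECORDS)
    forged = rewrite(honest, 2, {**SAMPLE_RECORDS[1], "amount": 1})
    print("honest chain intact:", verify_chain(honest) is None)
    print("in-place edit breaks link at block:", verify_chain(tamper(honest, 2, {"amount": 1})))
    print("rewritten replica self-verifies:", verify_chain(forged) is None)
    one_bad = {"node1": honest, "node2": honest, "node3": forged, "node4": honest, "node5": honest}
    print("one compromised node, outvoted:", majority_tip(one_bad)[1])
    three_bad = {"node1": honest, "node2": forged, "node3": forged, "node4": forged, "node5": honest}
    print("attacker holds 3 of 5 nodes, honest nodes outvoted:", majority_tip(three_bad)[1])
```

The last case is the one that matters for a small permissioned network: with five nodes, three of them run by one careless partner, the "forged" history is the majority history, and no amount of hash checking on the honest nodes changes that.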
Unfortunately, that doesn't mean the systems built around blockchains can't be hacked, as has been apparent for a long time in the world of cryptocurrency. The now-defunct Japan-based Mt. Gox, then the biggest bitcoin exchange in the world, went under in 2014 after an attack drained it of about $400 million.
And while that remains the biggest theft, they keep happening. Just this past May, hackers were able to steal about $40 million from the popular exchange Binance.
That doesn’t mean basic blockchain technology is insecure—its fundamentals are sound, and its cryptography is rigorous. But much of the technology surrounding it involves software code. And code can be hacked.
Travis Biehn, technical strategist at Synopsys, notes that “when proponents say ‘blockchain is ultra-secure’ they mean the protocols, the platform, the algorithms—those are all secure.”
“Whether an organization’s peripheral infrastructure is secure is another question altogether,” he said.
Beyond that, the “private, permissioned” blockchains used by enterprises are a somewhat different animal from the public blockchains used by cryptocurrency exchanges. You might think that “private” means more secure than “public.” But you would be wrong, at least so far.
Riedesel said that while enterprise blockchains deliver much better performance than the public networks (some of which take minutes to confirm a transaction, while the major enterprise platforms handle hundreds per second), they were not designed to be as secure as the public ones.
“Public networks are operated entirely by antagonists, so they were built to withstand attacks by design—there is no single point of authority and everyone can see and do anything,” he said. “Private networks can make assumptions about their participants—how many, who they are and what they are allowed to do.”
But that doesn’t make enterprise blockchains digital islands. They are used to link together companies that have different incentives, such as a vendor who wants to charge more, while a customer wants to pay less. Different companies also have different security budgets. “Banks have lots of money for security, but their partners may be on much smaller budgets with higher risk tolerance,” Riedesel said.
And so far, there are plenty of holes in blockchain peripherals. The Synopsys Cybersecurity Research Center (CyRC) demonstrated as much when it anonymously coordinated the Chain Heist blockchain capture-the-flag (CTF) challenge in August at the 2019 DEF CON conference.
In a blog post about the event, Riedesel noted that the contest, which offered about $2,500 in awards, presented 23 challenges based on real-world vulnerabilities in both public and enterprise blockchain applications. The participants “claimed 22 of the 23 Chain Heist bounties,” he wrote.
A year earlier, at the 2018 DEF CON, Riedesel and Synopsys colleague Parsia Hakimian, a senior security consultant, demonstrated an open source tool they had helped create called Tineola, designed to attack Hyperledger Fabric, the most popular enterprise blockchain platform.
“Tineola” is the scientific name of a species of moth that eats clothes, as in fabric—get it? “It’s happily munching away on your blockchain fabric,” Biehn said.
In their demo, they showed how vulnerabilities in an insurance application could be used to commit insurance fraud.
“It’s important to note that part of this [responsibility for security] is on the developers using the platform—using it correctly,” Biehn said, “and the other part is on the platform authors to make it defensively designed and easy to write secure code.”
So the advice to organizations is to proceed, but proceed with caution. “Going to production with the PoCs [proof of concepts] we’ve seen today may be too risky,” Riedesel said. “Security teams haven’t been properly trained on these new tech platforms, and blockchain vendors are overpromising the security benefits.”
Biehn agrees. “A cautious approach here is good,” he said. “Security teams and operations teams need time to gain experience operating the components that make up a blockchain-driven enterprise system.”
And—good news—that is what appears to be happening with a majority of them. “We’ve spoken to a lot of these companies, and there’s a high rate of experimentation—many systems are run in parallel with the systems they’re replacing, or they don’t really run in a decentralized environment,” Biehn said.
That is reflected in a Gartner report from March 2018, which found 396 blockchain engagements in 2018—more than three times the 115 in 2017. But most were a long way from up and running. Just 14 were in production with limited functionality, and 17 were in the implementation phase.
All of which leads to the obvious question: What are the best ways to make enterprise blockchain platforms more secure?
And much of the answer comes down to what needs to be done with anything that involves software: Test it, analyze it and get the bugs out of it before exposing it to a world full of attackers hoping to exploit it.
Biehn's prescription is short but labor-intensive:
“We know that developers who know how to write safe code, and have a reason to write safe code, write safe code,” he said. “In this type of environment, it’s probably a good idea to bring your development A team, versus the cheapest vendor you could find.”
Riedesel adds that it will also take cooperation. “The security community and the companies implementing blockchain-enabled apps need to work together to create new security models to capture the actual security properties of these systems and ensure that the data is being protected as it needs to be,” he said.
“It’s really exciting because there’s an opportunity for us as security experts to be on the ground floor of a new technology and help shape the industry. I just hope they listen.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.