Blockchain is a rapidly-evolving technology with a great deal of interest and investment. Decentralized Finance (DeFi), in particular, has a great deal of money invested in it as well as a growing number of high-profile and expensive hacks. Beyond DeFi, many companies, both large and small, are investing heavily in blockchain technology.
As blockchain increasingly underpins major systems, securing this technology becomes increasingly vital. Financial systems built on the blockchain can suffer significant losses due to blockchain hacks. The use of blockchain for supply chain tracking and audit logging relies on the blockchain being immutable.
However, the widespread adoption of blockchain technology is relatively recent, and security has not always kept up with the technology. In many cases, traditional IT security best practices do not work for the blockchain, leaving the potential for security gaps and additional breaches.
This article is the first in a four-part series exploring how blockchain security differs from IT security or “traditional” cybersecurity. In this article, we explore the differences for node operators, followed by smart contract developers and the blockchain’s users.
The Transition from IT to Blockchain Security
Blockchains such as Bitcoin, Ethereum, and others are built on top of traditional IT systems. A blockchain node is a computer that processes transactions, builds and validates blocks, and stores a copy of the blockchain in memory. The blockchain’s peer-to-peer network operates on top of a corporate network or the public Internet.
Since blockchain technology runs on top of traditional IT systems, many traditional IT security risks and best practices apply. Some of the overlaps between IT and blockchain security include the following:
- Node Security: The blockchain runs on nodes, which are traditional computers. Malware, data exfiltration, Denial of Service (DoS) attacks, and other threats to traditional IT computer systems also apply to blockchain nodes.
- Network Security: The blockchain’s peer-to-peer network runs over traditional IT networks. Distributed DoS (DDoS) attacks against blockchain nodes, border gateway protocol (BGP) hijacking, and other network-level threats can impact the performance and security of a blockchain-based system.
- Application Security: Blockchain systems are implemented as software that runs on a distributed network of blockchain nodes. This blockchain software may contain exploitable vulnerabilities or be vulnerable to DoS attacks that restrict access to CPU, memory, or network connections.
- Web Security: Many DeFi projects have their backends hosted as smart contracts on the blockchain but interact with users via traditional websites. Cross-site scripting (XSS), injection, and other web security threats are common attack vectors for these Web2 frontends.
Blockchain’s reliance on traditional IT systems means that many IT security threats and best practices still apply. If the computers, networks, and websites that make blockchain-based projects operate are attacked, this impacts the security of the blockchain as well.
However, the blockchain infrastructure stack does not end at the application level. Blockchain software creates a new ecosystem on top of IT nodes and networks that includes:
- Consensus algorithms
- Smart contract platforms
- Layer 2 protocols
- Cross-chain bridges
Traditional IT security controls and best practices only go so far toward securing blockchain platforms. Blockchain accounts, smart contracts, and applications (DeFi, NFTs, etc.) need security controls and best practices designed for them as well.
Blockchain Security vs. IT Security
Blockchain ecosystems and traditional IT environments are very different. As a result, many of the security challenges and best practices differ significantly between the two. Here are some of the main ways in which blockchain and IT security diverge for node operators.
Historically, IT security has primarily been focused on perimeter security. Based on the assumption that most threats originate from outside of the network, organizations deploy security solutions such as firewalls, intrusion prevention systems (IPS), and other tools at the boundary of the corporate network. By blocking potential threats at the network perimeter, they reduce the probability and costs of a security incident.
While the perimeter is dissolving in corporate IT with the growth of the cloud, it never existed in blockchain technology in the first place. Most blockchains are public blockchains that anyone can join and participate in. Transaction processing and storage are distributed, and anyone can operate a blockchain node. As a result, many of the traditional IT security solutions and controls used to protect the corporate network perimeter do not apply in the blockchain space.
Vulnerability and Patch Management
All software can have bugs, and some of these bugs are exploitable vulnerabilities. The blockchain implements multiple different layers of software (the blockchain software, smart contracts, cross-chain bridges, etc.), creating multiple opportunities for vulnerabilities.
In traditional IT, vulnerability management processes are often centralized and well-defined. After a vulnerability has been reported to a software manufacturer, the company develops and releases a patch for the issue. While some patches may be applied manually, other updates are automatically pushed to the manufacturer’s software.
In the blockchain space, node operators can run any software that does its job and complies with the current version of the blockchain protocol. As a result, blockchain networks can be composed of multiple blockchain software with operators running varying versions of each.
The heterogeneity and decentralization of blockchain networks make vulnerability and patch management more complex than for traditional IT systems. The responsibility lies with node operators to identify if a patch is needed and available, and no central authority has the ability to compel operators to patch their systems. As a result, unless an update includes a hard fork that breaks backward compatibility, nodes may continue to run versions of the blockchain software that place themselves and the health of the blockchain network at risk.
Identity and access management (IAM) is a complex process in traditional IT systems. Some of the main challenges of IAM in traditional IT include the following:
- Verifying User Identities: User authentication is essential to effective access control. Many organizations are turning to multi-factor authentication (MFA) and password authentication to ensure that users are who they claim to be.
- Managing Access: After the identity of an employee, customer, or other user is validated, they are granted limited access based on their role. Implementing effective access management is the goal of the zero-trust security movement.
- Digital Signature Validation: Digital signatures are commonly used to validate the integrity and authenticity of data and to authenticate users. Companies commonly implement public key infrastructure (PKI) to create, distribute, and validate digital certificates to support the use of digital signatures.
In the blockchain space, identity and access management operates very differently from traditional IT. Some of the main differences include the following:
- User Identity Verification: Most public blockchains are designed to provide anonymity to users. Instead, identity management is based on blockchain accounts. If someone has access to the private key associated with a blockchain account, they can generate digital signatures and transactions on its behalf.
- Access Management: Most public blockchains are permissionless, allowing anyone to participate in the blockchain, creating transactions and operating nodes. Access management is primarily performed at the smart contract level with these applications limiting access to privileged functionality. Private blockchains may be either permissionless or permissioned, allowing an organization to implement traditional security controls.
- Digital Signature Management: In traditional IT, validating the authenticity of a public key is one of the largest challenges of digital signature management and PKI. On the blockchain, blockchain addresses are derived from public keys, making it easy to determine if a digital signature is valid for a particular blockchain account.
Traditional IAM solutions may be necessary for managing the nodes that host a private blockchain. However, for most public blockchains, identity is managed at the blockchain account level, and access controls must be implemented in the blockchain software or smart contract code itself.
Data security is a primary concern for traditional IT security. Companies have a responsibility to protect sensitive customer data from unauthorized access and exposure, especially if it is protected by data privacy laws. Additionally, companies have intellectual property and other internal data that must be kept secret to protect competitive advantage.
On most blockchains, all data is public. Transactions added to the distributed ledger are broadcast to all blockchain nodes, making it impossible to delete or redact data after the fact. The contents of the blockchain’s distributed ledger are publicly visible and searchable on multiple block explorers.
Data security on the blockchain boils down to not posting sensitive data on the blockchain. Unless an organization is using a private, permissioned blockchain, anything added to the digital ledger should be considered publicly visible. Data classification and security controls must be performed before data is included in a transaction and posted to the ledger.
Monitoring and Visibility
Security visibility and monitoring are essential to an effective threat management program. Security personnel can’t manage or respond to vulnerabilities and threats that they do not use exist.
In traditional IT environments, security personnel often struggle to maintain effective visibility. They are responsible for monitoring and managing numerous, diverse environments and security solutions that are often not designed to work together. Security information and event management (SIEM) solutions can help with this, but they can be difficult to configure and manage.
Visibility is one of the few areas where blockchain environments may be easier to manage than traditional IT ones. On the blockchain, everything is publicly visible, and transactions stored on the ledger — which constitutes the audit log of all actions performed on the blockchain — are often searchable on block explorers. Blockchain data can also be integrated into SIEM solutions to converge visibility across traditional IT and blockchain environments.
However, blockchain nodes also often send out less telemetry than traditional IT solutions. As a result, the data that is available to a node operator may be insufficient to diagnose an issue or determine if an attack has taken place.
Designing Security for Blockchain Solutions
Blockchain environments differ significantly from traditional IT systems. While they are dependent on the functionality of computers and networks, they built a complex ecosystem on top of them.
Within these blockchain environments, traditional IT security tools and best practices do not always apply. This article focused on how the security of blockchain systems differs from that of traditional IT systems. Keep an eye out for the other two articles in this series, which will explore the security differences for smart contract developers and blockchain users.
For over 30 years, Marin Ivezic has been protecting financial services and critical infrastructure against cyber, financial crime, and regulatory risks. He previously held multiple interim CISO, CRO and technology leadership roles in Global 2000 companies. Since 2013 he has been advising institutions and regulators around the world on safe, secure and compliant adoption of crypto assets and other decentralized technologies.