Can Blockchain Security Safeguard IoT? Not So Fast, Say Some Cyber Experts

Can Blockchain Security Safeguard IoT? Maybe, Maybe Not

Several trade press articles suggest blockchain security can protect IoT deployments from cyberthreats. Not all cybersecurity professionals, however, are convinced.

Written by Brian Buntz
17th September 2018

According to a well-known cyber slogan, complexity is the enemy of security. So why is it that a good number of blockchain enthusiasts hail distributed ledger technology as a sort of panacea for IoT security? One of the prime reasons IoT security is challenging is its complexity and ever-growing scale. Meanwhile, blockchain, thanks to its distributed architecture, is inherently more involved than a traditional database. “Blockchain is still a new technology. It’s experimental. At this stage, if you are using it for IoT security, you are adding more complexity and probably making your deployment less secure,” said Cesar Cerrudo, chief technology officer of IOActive Labs.

While opinions vary regarding the potential of blockchain security, RSA’s Chief Technology Officer Zulfikar Ramzan also has a skeptical take: “People’s optimism around blockchain is often inversely proportional to their understanding of how it actually works,” he said. “People who understand the details, see the limitations.” Ramzan also added that it is difficult to evaluate a new technology early in the adoption cycle, observing that the those who helped develop public key infrastructure in the 1970s could have scarcely imagined its role in helping create e-commerce decades later.

Frank Hißen, the owner of an independent IT security software development and consulting business in Germany, has a similar opinion. Blockchain is “a good technology,” but it’s not a “holy grail,” Hißen said. “Moreover, its implementation has drawbacks,” which limits its potential applications for cybersecurity.

[IoT Blockchain Summit is the event that’s exploring the intersection of blockchain and IoT across industry and enterprise. Get your ticket now.]

According to Peter Tran, vice president and head of global cyber defense for Worldpay, those evaluating blockchain for IoT deployments should avoid binary conclusions when it comes to evaluating its benefits. “It’s not a matter of whether it’s a perfect fit for cybersecurity, but whether it is more of a complementary asset,” Tran said. “The ability for blockchain to orchestrate across billions of data transactions/inputs with checks and balances shouldn’t be dismissed so easily for IoT infrastructures.”

To date, some of the most mature blockchain applications are also the closest to its original purpose: removing intermediaries when transacting digital assets. A significant effort, however, is underway to extend blockchain to the physical world through asset tokenization, but at present, mature blockchain use cases involving the physical realm are far and few between.

Because blockchain uses public key cryptography — also known as asymmetric cryptography — key management becomes an important theme. Because each endpoint requires a private key, it requires a secure strategy for keeping those keys safe from prying eyes. In this way, blockchain security applied to the Internet of Things could look similar to IoT deployments using public key cryptography. “You’ll have to put a key on each device and will have to manage them in some way in order to be able to use blockchain in IoT,” Cerrudo said. One of the most secure strategies for managing private keys is the use of hardware security modules for each endpoint. This strategy can be expensive and would require ongoing key management, as it does for IoT projects using PKI encryption.

One of blockchain’s chief selling points is the immutability of its data (although Accenture has patented an editable version of the technology). This characteristic will likely sway some companies with IoT deployments to consider using blockchain to store a trail of transactional data. “For some companies, that could be a good solution,” Cerrudo said, “but then for others, they could store that data on a database.” It is relatively simple to find database experts who can meet a given organization’s needs, but “few people know how to set up a blockchain deployment.”

The difficulties of deploying blockchain for an IoT application are compounded in an existing environment that wasn’t initially designed for the technology. “You would modify firmware and applications on top of key management,” Cerrudo said. “I see a very difficult challenge in trying to integrate blockchain with older technology.”

While the full potential of blockchain may not be apparent in this early stage of adoption, organizations grappling with the intricacies of an IoT deployment should be aware of the potential added difficulty and cost of adding blockchain into the mix. It’s understandable that organizations would want to provide “a secure solution to solve a new [cybersecurity] problem,” Cerrudo said. But there are few experts in both blockchain and cybersecurity to help deploy the technologies in tandem — especially when it involves retrofitting. “If you’re going to develop something from scratch, then you might consider blockchain for some specific solutions,” Cerrudo said. “But if you have already invested in technology and have decided: “OK, let’s put blockchain on it, I don’t think it will be easy and you’ll probably be wasting your time.”