
White Paper

Inclusive Deployment of
Blockchain for Supply Chains
Part 5 – A Framework for
Blockchain Cybersecurity
Prepared in collaboration with Hitachi
December 2019
World Economic Forum
91-93 route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: +41 (0)22 869 1212
Fax: +41 (0)22 786 2744
Email: [email protected]
www.weforum.org
© 2019 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

This white paper has been published by the World Economic Forum as a contribution to a project, insight area or interaction. The findings, interpretations and conclusions expressed herein are a result of a collaborative process facilitated and endorsed by the World Economic Forum, but whose results do not necessarily represent the views of the World Economic Forum, nor the entirety of its Members, Partners or other stakeholders.
Contents

Preface 5
Introduction 6
1. Is cybersecurity necessary for blockchain? 7
2. Key cybersecurity concepts of relevance in blockchain 8
3. Key blockchain concepts of relevance for cybersecurity 10
4. Blockchain secure deployment 10-step process 12
Conclusion 15
Appendix 1: Blockchain security risk management 16
Appendix 2: Key blockchain security risks 19
Glossary 22
Contributors 23
Endnotes 24
Inclusive Deployment of Blockchain for Supply Chains: Part 5 – A Framework for Blockchain Cybersecurity 3
Preface

Many organizations and supply chain solutions are exploring blockchain and distributed ledger technology (DLT) to drive cost efficiency, better product offerings and new market creation. The extent to which this new technology realizes its potential for organizations greatly depends on how well supply chain actors steward its deployment and development. Due consideration should be given to the critical success factors of deployment.

Security is an enabler, not a disabler. It is one of the foundations of digital trust and leads to sustainability by increasing immunity to cyberattacks. Securing an organization’s blockchain solution is also critical to ensure that the benefits of blockchain technology remain inclusive.

Continuing the series, this white paper looks at one of the critical success factors of deployment – blockchain cybersecurity. The paper explores the considerations, proposed principles and recommendations for supply chain organizations and governments in managing the growing complexity of the security of blockchain solutions in support of global trade. It starts from the premise that an organization has already assessed whether there is a real business need to use blockchain.

This is the fifth white paper in a series and part of a broader project focused on the co-creation of a toolkit to shape the deployment of distributed ledger technology in supply chains towards interoperability, integrity and inclusivity. This paper aims to articulate, in simple terms, important blockchain and distributed ledger technology concepts as they relate to cybersecurity considerations.

Adrien Ogée, Lead, Technology and Innovation, World Economic Forum (Centre for Cybersecurity), Switzerland

Nadia Hewett, Project Lead, Blockchain and DLT, World Economic Forum (Centre for the Fourth Industrial Revolution), USA
Introduction

Digital trust is a prerequisite for blockchain technology to embrace its potential as a foundation of future international supply chain systems.

Trust is derived from clear expectations. As such, digital trust stems from predictability – the knowledge that the technologies we use will work as they should.

Predictability, in turn, is enforced by security.

Unfortunately, the hype around blockchain¹ has led to exaggerated security expectations that have affected trust in the technology. Many have believed its cryptographic foundation to be the ultimate answer to security. As a result, they have failed to implement the security controls required for trust in a blockchain to emerge. Conversely, security violations and volatility in crypto markets (e.g. hacking of crypto wallets and volatile coin prices) have adversely affected the brand of enterprise blockchains.

The reality is that, while blockchain technology does bring about a new security paradigm, it still needs to build upon traditional information security practices.

First, this paper investigates the security debate in blockchain technology and why both topics are so closely interlinked.

Second, it discusses the role of cybersecurity in supply chain applications of blockchain technology. It will answer important questions such as: “How can the main concepts of cybersecurity promote predictability in the use of blockchain technologies?”

Third, the paper looks at the blockchain technology stack to shed light on new components that require a new security paradigm.

The paper concludes by introducing a 10-step secure deployment guide, along with important security recommendations. These recommendations build upon a blockchain security risk management framework available in Appendices 1 and 2.

Blockchain is one type of distributed ledger technology. For simplicity, the terms are used interchangeably in this paper to cover all types of distributed ledgers. Furthermore, while the paper covers some distinctions between public and private chains, it focuses on more general considerations.

This paper does not examine the multitude of technical layers, complexities, hypotheticals and exceptions that exist within the blockchain space, especially as there can be vast differences between public and private chains, though the authors recognize their existence and importance.

While this paper can be read alone, basic blockchain concepts and blockchain features attractive for supply chain solutions are covered in the first World Economic Forum white paper in this series – for further reference see Inclusive Deployment of Blockchain for Supply Chains: Part 1 – Introduction, March 2019.²
1. Is cybersecurity necessary for blockchain?

The debate about blockchain security is polarized. At one end of the spectrum, blockchain technology is perceived to be inherently insecure and unfit for most use cases requiring privacy protections. At the other end, it is viewed as a cryptography-native and hence “unhackable” technology.

The truth lies somewhere in the middle.

There are grounds for the polarization of the blockchain security debate. Indeed, there have been documented security issues with various blockchain use cases, most notably cryptocurrencies and digital exchanges where anyone can trade fiat currencies, bitcoin and other alternative currencies.

Breaches have had an adverse impact on blockchain technology in general – whether for cryptocurrency or enterprise-related use cases.³

However, none of these attacks has targeted the fundamentals of blockchain technology. Rather, they have focused on its surroundings: software wallets used to hold digital currencies, the code of smart contracts and the websites of digital exchanges.

CoinDash, an Israeli cryptocurrency portfolio management company, offers a telling example. In order to grow, the company sought to raise capital in 2017 through an initial coin offering (ICO) – the unregulated crypto equivalent of an initial public offering. On the day of the ICO, a hacker edited the company’s website with a subtle change: he replaced the company’s crypto wallet address, where the funds were supposed to be collected, with that of his own wallet. While there was no compromise of the blockchain technology itself, a simple website vulnerability was exploited to steal $7 million.⁴

Traditional information technology principles apply – the TradeLens example

Following the logic that blockchain builds upon traditional information technology, TradeLens, the industry platform developed by Maersk and IBM, obtained the information security certification of the ISO/IEC 27000 series,⁵ a respected and comprehensive certification maintained by a joint technical committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

In summary, the belief that blockchain technology is inherently insecure does not represent the complete picture, as most of the reported security issues have had more to do with overlooked traditional information security challenges than with technological flaws unique to blockchain technologies.

On the opposite side, more than two-thirds of enterprises believe that blockchain technology offers inherent security guarantees.⁶ This line of thought is equally problematic, as it can lead to a lack of due diligence. Just looking at the list of blockchain-specific risks in Appendix 2 reveals the importance of due cybersecurity diligence.

Digital-asset exchange Quadriga, for example, was managing $137 million in crypto assets, but failed to implement business continuity principles. When the chief executive officer passed away suddenly, no one could retrieve these funds.⁷ What if the illusion of security led to poor business continuity practices in the shipment of military weapons or the traceability of precious stones?

This is not to say that a blockchain does not offer any security advantages. It does. But its cryptographic foundation is not a security panacea. While it has its advantages, security is always a matter of trade-offs – and blockchain technology must be evaluated as one tool within a broader digitization toolkit.

Blockchain technology needs good security

Blockchain technology, including solutions based on it, is not infallible. Like any other technology, it has pros and cons related to security and can be hacked if the proper measures are not in place. Therefore, it is important that organizations do not store sensitive information on a blockchain without adequate security controls.

Security issues affecting blockchain technology are traditional for the most part and constitute a small number among the thousands of cyberattacks around the world each day. Most news and media reporting on security-related topics with blockchain technology concerns the value of the assets at stake and the limited recourse in the event of loss.

As of now, blockchain technology is considered quite safe. That said, it has not yet stood the test of time. Many algorithms and technologies were deemed secure for decades until a vulnerability was discovered.

Blockchain supports digital transformation

A blockchain brings to the digital era activities that were, or still are, paper-based, and hence prone to counterfeiting. In short, blockchain technology enhances information security and helps information security frameworks cast a wider net.⁸ It can help to protect against information tampering such as altered invoices and false claims of arrival times in records. Supply chain disputes can cause large penalties for companies. For example, if a supply chain actor is responsible for the late delivery of a container and misses the terminal gate-in deadline, it pushes the arrival date back by a couple of weeks. That party can then be held liable for airfreight fees or other penalties. Using a blockchain as a single source of verifiable and secure information can help with dispute resolution in such cases where there is a need to know the real check-in time and which party is responsible for the delay.
2. Key cybersecurity concepts of relevance in blockchain

Figure 1: Trade-offs across various blockchain types

[Figure: blockchain types placed along two axes, permissioned vs. permissionless and private vs. public, with the trade-off at each corner: “More access control and confidentiality on data vs. single point of failure and less anonymity”; “More availability vs. increased attack surface”; “Increased user privacy vs. data more accessible and modifiable by malicious actors”.]

Cybersecurity is defined as the ability to protect or defend the use of cyberspace from cyberattacks.⁹ There are half a dozen cybersecurity concepts that are particularly relevant when deploying blockchain.

Concept 1: Confidentiality

What it is: a security goal that aims to ensure only those who are authorized to access a piece of information can access it.

Application to blockchain: Different implementations of a blockchain offer varying degrees of confidentiality, but the general rule is that a blockchain might offer only the same level of confidentiality as a traditional database.¹⁰ Public blockchains generally offer less confidentiality.

Concept 2: Integrity

What it is: a security goal that aims to ensure information is trustworthy and accurate.

Application to blockchain: DLTs are designed to guarantee integrity but depend on the quality of the data input: garbage in, garbage out. Take milestone updates provided by an ocean carrier to an importer while cargo is in transit: the accuracy of the estimated time of arrival (ETA) is not guaranteed because it is on a blockchain; integrity still depends on the input source, e.g. an IoT device tracking locations.

Concept 3: Availability

What it is: a security goal that aims to ensure data is available whenever needed.

Application to blockchain: While this pillar benefits from the native fault-tolerance features of blockchain due to its potentially distributed structure, real-time observation, critical for certain supply chain services, may be difficult to achieve for certain blockchain configurations.

Concept 4: The CIA triad

What it is: the combination of confidentiality, integrity and availability. Achieving all three security goals is challenging. This is not to say that information security cannot tackle the three goals, just that non-native goals will need to be retrofitted through security controls. More information about these three security objectives and their associated risks is available in Appendix 2.

Application to blockchain: In the example used above, to increase data integrity and availability of the ETA event, enabling more parties, such as the port, terminal and trucker, to access and verify the data will help. However, this approach may negatively affect data confidentiality as more parties have access to the data (see Figure 1).

Concept 5: Layered approach, so-called defence in depth

What it is: Inspired by the 17th-century French military architect Vauban, who developed a system of defences to improve the protection of fortified positions, this is the idea that security benefits from a layered approach. This allows for the detection of unauthorized access long before a system’s core is compromised. The results are security controls, e.g. measures taken in combination with each other to create a tight security net.

Application to blockchain: In the blockchain context, this translates into controls during multiple phases, from development to deployment and phase-out, and at multiple layers, from the node to the smart contract and access points.

Concept 6: Holistic security, design as a whole

What it is: Security controls need to be looked at from the perspective of the wider system, e.g. the military fortification as a whole, rather than each defensive wall or ditch.

Application to blockchain: The absence of technological convergence and standards makes blockchain system design difficult, and makes it more likely that developers will combine elements at the risk of their security features offsetting each other. Security governance then becomes more prominent: Who gets to decide what to do?

Concept 7: Security-by-design and by default

“Often, I am in situations where I need to educate the client on security, since they would not have brought it up. Interestingly enough, investors also often ask about our approach to security.”
– Hanns-Christian Hanebeck, founder and chief executive officer, Truckl.io

What it is: A natural extension of holistic security, security-by-design means that security has been embedded in the foundation of the system and is activated by default – rather than opted into by end users.

Application to blockchain: There are numerous implications for blockchain, from embedding update features or kill switches into smart contracts to ensuring that security is considered at the very beginning of the life cycle of a solution. For example, at an early stage of the deployment such as the proof-of-concept, some aspects of the incident response to a major risk can be tested. This will require implementing such security mechanisms as well as the necessary business operations.

Concept 8: Security as a process

What it is: Security is not a final destination but a process. It requires constant attention, as attackers continuously improve their skills, security researchers uncover new vulnerabilities, end users shift their habits and the technological spectrum grows.

Application to blockchain: While most vulnerabilities in such a nascent technology are yet to be found, the growth in popularity of DLTs will also be accompanied by a growing interest from hackers. Constant system monitoring and security risk management (see Appendix 1) will be vital to securing blockchains.

Concept 9: Security through transparency

What it is: For centuries, secrets were protected by obscuring them, which was called security through obscurity. The idea was that hiding the logic of a security system would prevent enemies from cracking it, e.g. encryption mechanisms to protect information such as industrial communications or copyright-protected media. Experts and users now understand more about the advantage of transparency and open source technologies.

Application to blockchain: Modern security advocates the idea that the more transparent a system – the more open the internal logic of how information is protected – the better. The cryptographic algorithms used in DLTs are open-source; the mechanisms are widely tested and used by many industries.

Concept 10: Simple security

What it is: By extension, complexity is the enemy of security.¹¹ Securing complex systems made of complex parts, hosted in complex environments, is more difficult.

The Verge cryptocurrency implemented a mixture of mining algorithms: this extra complexity made it more difficult to effect security measures and ultimately allowed attackers to play one mechanism against the other to perform a 51% attack.¹²

Application to blockchain: Managing complex blockchain solutions with multiple interacting components will be difficult for chief information security officers – particularly as supply chain management is already complicated. As a result, whatever solution is deployed should seek to simplify operations rather than add complexity. The integration with legacy systems is a complexity driver that will require particular care.
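The distinction drawn under Concepts 2 and 4 above, that a ledger can guarantee the integrity of what was recorded but not the accuracy of what was fed in, is easy to state and easy to misread. The following Python script is an added example, not code from the white paper or from any product it mentions: a minimal hash-chained ledger of container milestone events, with constructed sample records. It shows that an after-the-fact edit of a stored ETA is detected, that an edit which also recomputes the entry’s own hash is still detected one link later, and that a wrong ETA reported by a faulty source verifies perfectly because the chain has no way to know it is wrong. The container and terminal identifiers are made up for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Tuple

# Added example (not from the WEF paper): a hash-chained ledger of cargo
# milestone records. Every entry commits to its own content and to the hash
# of the entry before it, so a change anywhere breaks the chain from that
# point on. Sample data below is constructed for illustration.

GENESIS_HASH = "0" * 64


def _digest(previous_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + payload).encode()).hexdigest()


@dataclass
class Entry:
    record: dict          # the milestone exactly as the source submitted it
    previous_hash: str    # link to the preceding entry
    entry_hash: str       # digest of (previous_hash, record)


@dataclass
class MilestoneLedger:
    entries: List[Entry] = field(default_factory=list)

    def append(self, record: dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = Entry(record=dict(record), previous_hash=prev, entry_hash=_digest(prev, record))
        self.entries.append(entry)
        return entry

    def verify(self) -> List[int]:
        """Return the indices of entries whose content or linkage no longer matches."""
        bad: List[int] = []
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.previous_hash != prev or _digest(e.previous_hash, e.record) != e.entry_hash:
                bad.append(i)
            prev = e.entry_hash
        return bad


def build_sample_ledger() -> MilestoneLedger:
    """Three constructed milestones for one container: gate-out, an ETA update, gate-in."""
    ledger = MilestoneLedger()
    ledger.append({"container": "CONT-0001", "event": "gate-out",
                   "source": "terminal-A", "ts": "2019-10-01T08:00Z"})
    ledger.append({"container": "CONT-0001", "event": "eta-update",
                   "source": "vessel-gps", "eta": "2019-10-14"})
    ledger.append({"container": "CONT-0001", "event": "gate-in",
                   "source": "terminal-B", "ts": "2019-10-16T09:30Z"})
    return ledger


def detect_after_the_fact_edit() -> List[int]:
    """A party rewrites the stored ETA to shift liability for a missed gate-in.
    Only the edited entry fails: its stored hash no longer matches its content."""
    ledger = build_sample_ledger()
    ledger.entries[1].record["eta"] = "2019-10-16"
    return ledger.verify()


def detect_recomputed_hash() -> List[int]:
    """The same edit, but the editor also recomputes the entry's own hash.
    The entry now looks self-consistent, so the break shows up at the next link."""
    ledger = build_sample_ledger()
    e = ledger.entries[1]
    e.record["eta"] = "2019-10-16"
    e.entry_hash = _digest(e.previous_hash, e.record)
    return ledger.verify()


def garbage_in_verifies() -> Tuple[List[int], str]:
    """A clearly wrong ETA from a faulty device is recorded faithfully:
    the chain verifies, and the data is still wrong (garbage in, garbage out)."""
    ledger = MilestoneLedger()
    ledger.append({"container": "CONT-0002", "event": "eta-update",
                   "source": "vessel-gps", "eta": "1970-01-01"})
    return ledger.verify(), ledger.entries[0].record["eta"]


if __name__ == "__main__":
    print("intact ledger, bad entries:", build_sample_ledger().verify())
    print("edited record, bad entries:", detect_after_the_fact_edit())
    print("edited record + recomputed hash, bad entries:", detect_recomputed_hash())
    print("faulty sensor, bad entries and stored ETA:", garbage_in_verifies())
```

The last function is the point of Concept 2: the controls that make the ETA trustworthy (device attestation, plausibility checks on the input, a second independent source) sit in front of the ledger, not inside it. The second and third functions are why replicating the chain across several parties matters for Concept 4: an editor who controls only their own copy cannot recompute every later hash on everyone else’s copy as well.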

3. Key blockchain concepts of relevance for cybersecurity

This section analyses the important concepts that blockchain introduces from a security perspective.

Concept 1: Decentralization

What it is: The transfer of authority away from a central source of power.

Cybersecurity implications: Security governance has traditionally been a centralized process, so decision-making can be executed quickly in critical situations. Decentralized governance is a paradigm shift that organizations transitioning to blockchain will need to navigate.

The direct consequences of decentralization are a decreased control over systems and oversight, as well as increased difficulty ensuring physical security and shutting down a system if need be. For example, ensuring the security of the DLT nodes may prove difficult when organizations may not even know which nodes are part of the distributed infrastructure.

In addition to decreasing the control of an organization, decentralization increases the attack surface of ledgers – given that, in most blockchain types, all of the nodes hold the same version of the ledger.

Decentralized security is therefore not trivial, and this shared responsibility can sometimes lead to a lack of due diligence: When it’s everyone’s responsibility, it is no one’s.

Oracles, sources of data to be trusted

Oracles are entities outside of the blockchain feeding data to the system. They require a level of trust that is contradictory to the trustless and decentralized nature of blockchain-based protocols.¹³ For example, whose responsibility is it to secure a tracking device used on a container or a GPS used to feed information to track-and-trace?

Concept 2: Consensus

What it is: Consensus mechanisms ultimately allow records to be added to the ledger. There are multiple consensus mechanisms that try to solve complex trade-offs, mostly across scalability, collusion resistance, computational cost and real-timeliness (see Figure 2).

Cybersecurity implications: Vulnerabilities in these mechanisms are significant as they could compromise the integrity of the ledger – and, consequently, the trust in the system. And their complexity is a real concern. Different consensus mechanisms lead to different requirements and levels of security. Some blockchains use multiple mechanisms to reach consensus. Security requirements must also consider these in conjunction with each other, as weaknesses may be amplified in this context.

Weak consensus system design

The Verge hack¹⁴ did not exploit any vulnerability in any one of the consensus mechanisms that Verge was using, but rather a vulnerability in the system itself, which consisted of multiple consensus mechanisms added one after the other. Therefore, a lack of proper systems thinking was at the root of this case.

Figure 2: Examples of consensus mechanisms¹⁵

[Figure: a wheel of consensus algorithms: Proof-of-work (PoW), Proof-of-stake (PoS), Delegated PoS (DPoS), Leased PoS (LPoS), Proof of elapsed time (PoET), Practical Byzantine fault tolerance (PBFT), Simplified BFT (SBFT), Delegated BFT (DBFT), Proof-of-weight, Proof-of-capacity, Proof-of-burn (PoB), Proof-of-activity (PoA), Directed acyclic graphs (DAG).]

* PoS: Proof of stake – BFT: Byzantine fault tolerance

Source: developcoins.com
Concept 3: Smart contracts

What it is: A smart contract is a computerized protocol that automatically executes the terms of a contract upon a blockchain once predefined conditions are met.

Cybersecurity implications: A smart contract is a double-edged sword – the contents are visible to all members of the blockchain, meaning that hackers can freely search for vulnerabilities. At the same time, where relevant entities agree on a smart contract that is immutable and observable by the public, exploiting a vulnerability in a smart contract could be considered “fair use” in some cases.

Patching smart contracts is not as straightforward as patching a traditional piece of software, which is why secure coding and auditing are a must. However, the combined shortage of cybersecurity and blockchain talent makes securing smart contracts a real challenge.¹⁶

Concept 4: Endpoints and key management

What it is: Endpoints are the hardware and software elements used to access blockchains. While these are not entirely specific to a blockchain, the latter is the technology that is making their secure use mainstream.

Cybersecurity implications: Because blockchain technology employs cryptographic algorithms, blockchain users are generally required to create and manage cryptographic keys used to authenticate transactions and ensure a record is associated with a legitimate data-input agent. When a cryptographic key is compromised, a malicious record, e.g. the status of cargo and its expected arrival time, can be wrongly associated with a user. Alternatively, a stolen secret key could be used to manipulate data used to determine who is liable for penalties (e.g. who is at fault for the late delivery of a container to the port, thus missing the gate-in and incurring late-ship fees). Ultimately, all blockchains still use cryptographic keys, and so securing these keys is of paramount importance across blockchains.
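Concept 4 describes two failures: a record wrongly attributed to a party because a key was stolen, and data manipulated under that key. What a node can do about it is bound the damage in time. The following Python script is an added example, not code from the white paper or from any blockchain platform: a node-side check that a milestone record was produced by the party it claims to come from, against a registry of per-party keys with validity windows. Two simplifications are assumptions of the example, not properties of any real ledger: an HMAC under a per-party secret stands in for the digital signature a real DLT would verify, and the registry is an in-memory dictionary. Parties, key identifiers, secrets and timestamps are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Added example, not from the WEF paper. An HMAC under a per-party secret
# stands in for a real digital signature; the registry, parties, keys,
# records and timestamps are constructed for illustration.


@dataclass
class KeyRecord:
    party: str
    secret: bytes
    valid_from: int                   # epoch seconds
    revoked_at: Optional[int] = None  # set once the key is reported lost or stolen


class KeyRegistry:
    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}

    def enrol(self, key_id: str, party: str, secret: bytes, valid_from: int) -> None:
        self._keys[key_id] = KeyRecord(party, secret, valid_from)

    def revoke(self, key_id: str, at: int) -> None:
        self._keys[key_id].revoked_at = at

    def lookup(self, key_id: str) -> Optional[KeyRecord]:
        return self._keys.get(key_id)


def canonical(record: dict) -> bytes:
    # Sorted keys, no whitespace: submitter and verifier must hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag_record(record: dict, secret: bytes) -> str:
    return hmac.new(secret, canonical(record), hashlib.sha256).hexdigest()


def check_record(registry: KeyRegistry, record: dict, key_id: str,
                 tag: str, received_at: int) -> str:
    """Decide whether the node adds the record. received_at is the node's own clock,
    not a field the submitter controls, so a stolen key cannot back-date its way
    past a revocation. Returns 'accepted' or a reason for rejection."""
    key = registry.lookup(key_id)
    if key is None:
        return "rejected: unknown key"
    if key.party != record.get("submitted_by"):
        return "rejected: key does not belong to the claimed submitter"
    if not hmac.compare_digest(tag_record(record, key.secret), tag):
        return "rejected: authentication tag mismatch"
    if received_at < key.valid_from:
        return "rejected: key not yet valid"
    if key.revoked_at is not None and received_at >= key.revoked_at:
        return "rejected: key revoked at time of submission"
    return "accepted"


def run_scenarios() -> Dict[str, str]:
    reg = KeyRegistry()
    carrier_secret = b"constructed-carrier-secret"  # in practice held in an HSM or wallet
    reg.enrol("carrier-key-1", "ocean-carrier", carrier_secret, valid_from=1_569_888_000)
    results: Dict[str, str] = {}

    eta = {"submitted_by": "ocean-carrier", "container": "CONT-0001",
           "event": "eta-update", "eta": "2019-10-14"}
    results["legitimate"] = check_record(
        reg, eta, "carrier-key-1", tag_record(eta, carrier_secret), received_at=1_570_000_000)

    # Someone without the secret tries to attach a later ETA to the carrier.
    forged = dict(eta, eta="2019-10-20")
    results["forged_without_key"] = check_record(
        reg, forged, "carrier-key-1", tag_record(forged, b"wrong-secret"), received_at=1_570_000_100)

    # A valid carrier key used to speak for a different party is refused as well.
    mislabelled = dict(eta, submitted_by="terminal-operator")
    results["wrong_submitter"] = check_record(
        reg, mislabelled, "carrier-key-1", tag_record(mislabelled, carrier_secret), received_at=1_570_000_200)

    # The key is stolen and reported. Records arriving after the revocation time are
    # refused even though their tag is valid; records accepted earlier stay accepted.
    reg.revoke("carrier-key-1", at=1_570_100_000)
    stolen = dict(eta, eta="2019-10-20")
    results["after_revocation"] = check_record(
        reg, stolen, "carrier-key-1", tag_record(stolen, carrier_secret), received_at=1_570_200_000)
    results["before_revocation"] = check_record(
        reg, eta, "carrier-key-1", tag_record(eta, carrier_secret), received_at=1_570_000_000)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:<20} {outcome}")
```

The revocation check shows the residual problem the paper points at: anything the stolen key submitted between the theft and the report was accepted and is now on the ledger, so key compromise handling needs an investigation of that window as well as a revocation. Using the node’s receive time rather than a timestamp inside the record is what stops the holder of the stolen key from simply claiming an earlier submission time.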

4. Blockchain secure deployment 10-step process

When a sound business assessment has been made that blockchain technology is an appropriate tool to address a real business need, an organization must pay careful attention to critical success factors of deployment, including security considerations. This section provides a 10-step secure deployment guide to navigate users towards a successful security practice.

Step 1: Acquire blockchain expertise

The first and probably most important step before considering a blockchain deployment is to acquire blockchain security talent. Depending on the company’s resources, and the criticality and objectives of the blockchain use case, this can range from outsourcing to a trusted third party to hiring or training staff with the necessary skills to oversee a secure deployment.

Ensuring the security of a blockchain solution over time requires qualified employees. Beyond business criticality, the degree of internalization of this expertise will depend on the blockchain type. In the case of a consortium, for instance, it may be necessary to create a distributed security operations centre (SOC).

Given the recency of the technology’s development, only a limited number of third-party security services and training materials exist. The landscape includes consulting firms and boutique companies as well as a few certification programmes, e.g. the Blockchain Security Professional certification of the Blockchain Training Alliance.¹⁷

It is worth noting that it may prove easiest to hire cybersecurity experts and train them in blockchain technology rather than doing the opposite.

End goal: the creation of a security oversight team that will be in charge of driving the next steps. It is essential that this team has access to the highest security authority in the organization, be it the chief information security officer (CISO), the chief information officer (CIO) or even the board. If the blockchain is to be developed for a consortium, it is recommended that the security oversight team count on security staff from all organizations that are members of the consortium.

Step 2: Define security goals

A sound security culture within the organization, with a clear understanding of security goals, is a prerequisite for the secure deployment of a technology with so many grey zones. This evaluates the security posture and security goals of the entire organization, not just the blockchain use case.

A good starting place is the organization’s strategy, crisis management and business continuity policies. This step should answer some of the following questions:

– What are the major requirements of security from the CIA’s point of view, and how are they prioritized?
– Is it important to ensure full anonymity of the organization’s customers?
– How badly would the reputation of the organization be affected by an incident such as a system glitch or a data leak?

End goal: a document outlining important goals in simple language. These answers will inform the risk assessment outlined in Step 4.

Importance of security objectives – the Port of Valencia example

The Port of Valencia recently commissioned a blockchain solution to enable different entities working at the port to share data in a much more efficient way. Before developing a proof of concept, the leadership team defined the following high-level security objectives, among others:

– Data confidentiality is critical.
– The availability of the blockchain solution must be better than what we currently have.
– We must be able to identify all entities participating in the business network.
– The blockchain network must be compliant with the General Data Protection Regulation (GDPR).

Step 3: Choose the blockchain type

Depending on the business objectives and the security goals, choose which blockchain type would provide the best platform.

It is quite probable that the business rationale and functional specifications will inform this decision. While this is not security-by-design, it is the reality.

End goal: the creation of a document listing the security and business advantages and trade-offs of the various blockchain types considered.

Step 4: Perform a risk assessment

This step specifically concerns the blockchain use case to be developed. Please refer to Appendices 1 and 2 of this report, Blockchain risk management, and Key blockchain security risks, to perform the risk assessment. This step should conclude with a prioritized list of actions to manage the risks identified.
Threat and vulnerability assessment – Port of Valencia example

To better understand the risks of the blockchain solution it was considering deploying, the Port of Valencia had the opportunity to assess the security risks of a blockchain solution during its proof of concept.

Examples of the main potential vulnerabilities identified

– The case where an attacker rewrites the ledger by compromising a sufficient number of nodes. This will put the business network at serious risk.
– The administrator’s secret key becomes accessible to other parties, who can then impersonate the administrator and even change the smart contracts.
– Node administrators are able to access confidential data stored in the node.
– The administrator leaves the company.

Examples of the main potential threats

– A competitor in the business network with administration rights to the node could be accessing confidential data from other companies in the ledger.
– Someone with administration rights can access the data stored in an external database in the node.
– Hacktivists could be drawn to the network.

In order to avoid using a partial and incomplete risk profile in a production environment, it is good practice to undertake this risk assessment as part of a proof of concept.

End goal: a document listing all of the risks and the different management strategies chosen.

Step 5: Define security controls

Security controls may be able to reduce risks before these residual risks are transferred, avoided or accepted. Please refer to the mitigation strategies presented in Appendix 2 for ideas on defining these controls.

End goal: a document listing the security functional specifications of the blockchain and recommended security controls for the development team.

Step 6: Define security governance

The security oversight team, structured in Step 1, is there to oversee the deployment of the blockchain solution, but not its long-term operation. As a result, it is critical for a governance structure and for processes to be defined prior to development kick-off. Once development starts, even a test

The governance processes will largely depend on the risks to be monitored. The more risks there are to manage, the more thorough the governance process will need to be. The more security controls there are to implement and monitor, the more staff will be required. The more distributed the risks, the more coordination with solution developers, operators, executive system owners and ecosystem participants will be required.

End goal: revised business continuity and disaster recovery plans.

Step 7: Choose a secure vendor

Choose the right security products and services, then evaluate vendors.

There are several established enterprise solutions out there, all offering some level of security service. In addition, boutique companies and consulting outfits can help.

End goal: one or more contracts with security vendors.

Step 8: Develop securely

Ensure that the developing team follows secure development practices, also known as DevSecOps, and in particular a secure software development life cycle (S-SDLC) methodology.

Secure SDLC ensures that security assurance activities such as penetration-testing, smart code auditing or architecture analysis are embedded in the development of the blockchain solution.

End goal: well-documented source code and planned security activities.

Step 9: Monitor and audit security

As explained in the first section, security is a process. New vulnerabilities are found, attackers become more creative, and thus security needs to be monitored actively.

First, regular penetration-testing of the infrastructure and applications that interact with the solution is essential. Auditing of smart contracts is also required to ensure that no vulnerabilities exist in the smart contract code, or are introduced by the contract’s use. These penetration-testing and auditing processes should be ongoing and built into the blockchain solution’s operation out of the life cycle.
version of the use case can be a source of security threats.

Inclusive Deployment of Blockchain for Supply Chains: Part 5 – A Framework for Blockchain Cybersecurity 13
Second, as previously covered, the security of a blockchain to mitigate any damage in a timely fashion. After an
depends not only on the security of the blockchain itself but incident occurs, it is essential to undertake a post-mortem
also on that of the underlying infrastructure that hosts the assessment to improve the overall security posture of the
blockchain platform and solution components. As a result, it solution and limit the risk of the incident reoccurring. Indeed,
is highly recommended that you have a security operations while incidents can be sources of disruption, they are
centre (SOC) to monitor the blockchain solution along with also welcome opportunities to build the resilience of your
the rest of the organization’s assets. blockchain and organization.

There will be an increasing need for consortium blockchains We believe there is no need to have blockchain-specific
to explore distributed SOCs, which are at present at the incident response plans or business continuity plans.
forefront of cybersecurity. Blockchain is a technology like any other, and so it is
wiser to integrate blockchain-specific procedures into the
To verify its effectiveness, an independent audit, either organization’s existing security plans.
internal or external, is periodically conducted so that the
provisions of these vital steps are up to date and best fitted Finally, in the words of the German poet Heinrich Heine:
to the current system and environment. “Experience is a good school, but the fees are high.” It is
of the utmost importance to conduct an incident-response
End goal: active monitoring of the blockchain solution in exercise before such an event occurs.
the SOC.
Training staff to respond to such incidents and testing
Step 10: Respond to incidents distributed decision-making processes is critical to
managing real incidents and keeping blockchains secure.
Whenever security monitoring activities detect an incident,
you need to be able to respond to the incident and attempt End goal: timely mitigation of security incidents.
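The monitoring that Step 9 calls for and the incidents that Step 10 responds to come down to concrete detection rules in the SOC. The following is an added example in Python, not code from this paper and not the Port of Valencia’s tooling; it runs two rules over a constructed node audit log whose JSON-lines format (fields ts, identity, role, src_host, action) is an assumption. The rules pick up two of the vulnerabilities listed in the Port of Valencia box above: an administrator identity acting from two different hosts within an hour, which may mean the administrator’s key is in other hands, and an identity that is still active after its holder has left the company.

```python
"""Two SOC detection rules over a constructed blockchain node audit log.

Added example, not code from the WEF paper or the Port of Valencia. The log
format (one JSON object per line with ts, identity, role, src_host, action)
is an assumption, and every record below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
{"ts": "2019-11-07T09:00:00", "identity": "admin-port", "role": "admin", "src_host": "ops-ws-01", "action": "chaincode_upgrade"}
{"ts": "2019-11-07T09:04:00", "identity": "carrier-a", "role": "member", "src_host": "carrier-gw", "action": "submit_tx"}
{"ts": "2019-11-07T09:07:00", "identity": "admin-port", "role": "admin", "src_host": "203.0.113.9", "action": "chaincode_upgrade"}
{"ts": "2019-11-07T11:30:00", "identity": "admin-legacy", "role": "admin", "src_host": "ops-ws-02", "action": "read_private_data"}
{"ts": "2019-11-08T09:00:00", "identity": "admin-port", "role": "admin", "src_host": "ops-ws-01", "action": "submit_tx"}
"""

# Identities whose holders have left the organization (constructed list; in
# practice this comes from the HR / identity system, which is the control for
# "the administrator leaves the company").
OFFBOARDED = {"admin-legacy"}

# An admin identity seen from two different hosts inside this window is
# treated as a possibly shared or stolen key.
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(events, offboarded=OFFBOARDED, window=WINDOW):
    """Return (rule, identity, timestamp) alerts in log order."""
    alerts = []
    recent_hosts = defaultdict(list)  # identity -> [(ts, src_host)] inside the window
    for e in events:
        # Rule 1: an offboarded identity is still acting on the node.
        if e["identity"] in offboarded:
            alerts.append(("offboarded_identity_active", e["identity"], e["ts"].isoformat()))
        # Rule 2: one admin identity, two different hosts, inside the window.
        if e["role"] == "admin":
            window_hits = [(t, h) for t, h in recent_hosts[e["identity"]] if e["ts"] - t <= window]
            if window_hits and e["src_host"] not in {h for _, h in window_hits}:
                alerts.append(("admin_identity_multiple_hosts", e["identity"], e["ts"].isoformat()))
            window_hits.append((e["ts"], e["src_host"]))
            recent_hosts[e["identity"]] = window_hits
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, the second administrator action (same identity, a new host seven minutes later) and the action by the offboarded identity each raise one alert; the next-day action from the original host is outside the window and stays quiet. Both rules are cheap enough to run continuously in the SOC and feed the incident-response process of Step 10.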

Figure 3: Secure deployment 10-step process

01 Acquire blockchain expertise
02 Define security goals
03 Choose blockchain type
04 Perform a risk assessment
05 Define security controls
06 Design security governance
07 Choose security vendor
08 Develop securely
09 Monitor and audit security
10 Respond to incidents
Conclusion

Blockchain, perhaps more than any other technology, requires cybersecurity to protect the digital trust
on which it relies.

While traditional cybersecurity does apply to blockchain, the technology also introduces unique
features that require unique security measures. On top of that, blockchain is also a divergent
technology: it is a moving target that requires a continuous and agile security process, rooted in field-
tested security concepts.

In summary, this paper discusses these major topics and shares useful concepts:

– A blockchain is neither unhackable nor inherently insecure. There are industrial efforts towards
good security practices to counter risks that appeared in the past (see Section 1).

– There are security concepts and design approaches that are particularly relevant to blockchain, e.g.
defence in depth, holistic security and security as a process (see Section 2).

– There are also unique blockchain features that need to be accounted for in security design, e.g.
decentralization, consensus, smart contracts and endpoints (see Section 3).

– Based on traditional information security management, a 10-step process for secure deployment
guides users and other stakeholders towards a successful practice (see Section 4).

It is important to note that, while introducing security techniques is critical to increase immunity to
cyberattacks, it is not enough.

Blockchain solutions have been, and will be, attacked. Long-term sustainability will necessarily require an
ecosystem approach at the business layer. This is probably the biggest challenge that blockchain poses
to cybersecurity practitioners. Security has always been a centralized affair and breaking the discipline
open, from egosystems to ecosystems, will require a paradigm shift based on an inclusive approach.

If blockchain is the technology that can bring multiple stakeholders to the platforms of the future, it
requires a platform to discuss its own future today.

The World Economic Forum is such a platform, where an inclusive and multistakeholder approach can
emerge, where new forms of co-option can be defined, and where an open dialogue with regulators
and civil society can happen.

Appendix 1: Blockchain security risk management

Deploying a blockchain solution securely requires a sound risk-management process. The following paragraphs provide
guiding principles on how to approach this task.

What is a risk? A risk is defined as the probability that a threat uses a vulnerability resulting in a given impact.

Figure 4: Risk management process

1 Security objectives
2 Threat assessment
3 Vulnerability assessment
4 Probabilities and prioritization
5 Decisions and actions
OBSERVE (the figure shows the five steps as a cycle that feeds back into the security objectives)

Step 1: Security objectives

The first step is to determine the security objectives based on the blockchain use case objectives. Questions that should be
considered at this point might include:

– Should the blockchain offer more availability or confidentiality?
– Should anyone be able to mine on the chain or not?
– Should anonymity be guaranteed?
– To what extent would the blockchain use case depend on risks facing other upstream or downstream actors in the supply chain?

Such security objectives will inform much of the risk assessment and subsequent risk management decisions.

Step 2: Threat assessment

After this initial phase, a threat assessment is advised to determine what the system will need to be protected from, ranging
from human accidents to natural catastrophes and deliberate cyberattacks. A threat is generally broken down into two
components: capability and intent.

Depending on the sensitivity or the type of information stored on the blockchain – for instance, financial information –
threats may in turn include cyber criminals but not hacktivists or nation-state actors. All of these factors pose different
security challenges and require different controls.

During a threat assessment, it is important to consider the entire blockchain use-case environment. For example, a
particular user of the system, such as a city or an NGO, may be a prime target of certain threat actors. In the supply chain
context this is very important, given the potential diversity of users up- and downstream.

Differentiating between threats through capabilities and intent is a good way to measure the potential for disruption. For
instance, a government agency may have capabilities but no intent to attack a particular blockchain. Hacktivists, by
contrast, may be interested in harming the reputation of a particular organization, but lack the ability to overcome certain
security barriers.

Step 3: Vulnerability assessment

The next step is to assess potential vulnerabilities in the system, processes, organizational framework, etc. Questions that
should be considered at this point might include:

– What weaknesses am I introducing through storing my data in a public blockchain?
– How vulnerable would a custom-made hash algorithm be compared to an established industry standard?
– How difficult would it be to decentralize security governance?
– What are the weak points in my smart-contract auditing process?
– How exposed is my blockchain to physical attacks?

Finding vulnerabilities is difficult, and organizations at large should regularly perform penetration-testing, with total
knowledge of the blockchain construct (white-box penetration-testing), partial (grey box) and without any (black box).

Defining a process early on to secure smart contracts is critical, as blockchain security expertise is scarce and in demand. It
is also important to consider cost factors. An often overlooked vulnerability is not being able to cover the costs associated
with a particular mitigation strategy.

Step 4: Probabilities and prioritization

The next step of the risk assessment is to determine risk probabilities and impact.

Given the security objectives defined in the first step, which threats are likely to exploit significant vulnerabilities to cause
significant impact?

A single point of failure, such as a membership service provider whose only site is entirely burned down, could have a
significant impact on business process operations. As a result, this risk should be considered likely and impactful, and
hence mitigated accordingly.

This prioritization exercise needs to be presented in a simple format to help leadership identify high-probability, high-impact
risks that would indeed need to be mitigated.

Figure 5: Criticality estimates by likelihood and impact

                          Impact
Likelihood      Small      Medium     Large
High            Medium     High       Critical
Medium          Low        Medium     High
Low             Low        Low        Medium

Step 5: Decisions and actions

Once risks have been identified and prioritized, the last step of the risk-management process is to decide what to do
with each of them.

Ideally, the outcome of this process would be the absence of residual risks, but in practice this is hardly ever achieved.
Risks can either be mitigated, avoided, transferred or accepted.

Mitigating or reducing a risk consists of adopting various strategies to tackle either a particular threat – through deterrence, for instance – or a particular impact, through containment strategies.

Example: To mitigate the single-point-of-failure challenges posed by a membership services provider of a private chain, one could distribute it over multiple geographies and organizations.

_______________________________

Avoiding a risk consists of reworking the systems approach in order to eliminate a specific security challenge entirely. It generally involves trade-offs and accepting the removal of certain functionalities or users.

Example: If guaranteeing on-chain anonymity poses regulatory risks that would be impossible to mitigate and too costly to accept, it may be more logical to drop the feature of on-chain anonymity in favour of security.

_______________________________

Accepting a risk consists of acknowledging the existence of that risk and budgeting for it should it materialize.

Example: Should a private chain guarantee a maximum transaction confirmation time through a service-level agreement, it may be more cost-efficient to budget for the low probability that this performance objective may not be met, rather than invest time and money in developing an advanced load balancing or DDoS protection mechanism.

_______________________________

Transferring a risk consists of involving a third party, such as an insurance provider or an external provider. Due to the complexity of blockchain, using external expertise to develop a solution, and another entity to review and audit its results, is highly recommended.

Example: Given that the costs of a leak of personally identifying information can bankrupt a company, it may be worth investing in cyber-risk insurance coverage.

All of these steps enable those deploying a blockchain solution to involve leadership in prioritizing the right security
controls and then budget accordingly. Security is a process, but so is risk management. Revising risks that the
blockchain use case is facing needs to follow a continuous process.
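To make Appendix 1 Steps 1 to 5 and the Figure 5 matrix concrete, here is an added worked example in Python; it is not the paper’s own tooling. The risk names, threat actors, scores, costs, budget and the decision policy in decide() are all constructed assumptions. Likelihood follows the way Step 2 describes a threat: a deliberate actor needs both capability and intent, so the weaker of the two caps the likelihood (the government agency with capability but no intent ends up low), and the exposure found in Step 3 caps it again; the Figure 5 matrix then turns likelihood and impact into a criticality, and the security objectives chosen in Step 1 decide which risks are in scope at all.

```python
"""Risk register walking Appendix 1 Steps 1-5 on constructed blockchain risks.

Added example, not the paper's own tooling. Risk names, threat actors,
scores, costs, the budget and the decision policy in decide() are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
IMPACT_INDEX = {"Small": 0, "Medium": 1, "Large": 2}

# Figure 5 matrix: CRITICALITY[likelihood] gives the cells for (Small, Medium, Large) impact.
CRITICALITY = {
    "High":   ("Medium", "High",   "Critical"),
    "Medium": ("Low",    "Medium", "High"),
    "Low":    ("Low",    "Low",    "Medium"),
}


@dataclass
class Threat:                      # Step 2: a threat is capability plus intent
    actor: str
    capability: str                # Low / Medium / High
    intent: str = "High"           # Low / Medium / High; ignored when not deliberate
    deliberate: bool = True        # accidents and natural events have no intent


@dataclass
class Risk:
    name: str
    objective: str                 # security objective at stake (Step 1)
    threat: Threat
    vulnerability: str             # exposure the threat could use: Low / Medium / High (Step 3)
    impact: str                    # Small / Medium / Large (Step 4)
    mitigation_cost: int           # constructed cost units
    avoidable: bool = False        # True if the exposed feature could simply be dropped


def likelihood(risk):
    """Step 4: the weakest of capability, intent (if deliberate) and exposure caps likelihood."""
    levels = [RANK[risk.threat.capability], RANK[risk.vulnerability]]
    if risk.threat.deliberate:
        levels.append(RANK[risk.threat.intent])
    return LEVELS[min(levels)]


def criticality(risk):
    """Figure 5 lookup from likelihood and impact."""
    return CRITICALITY[likelihood(risk)][IMPACT_INDEX[risk.impact]]


def prioritize(risks, objectives):
    """Keep risks against the chosen objectives, most critical first (stable for ties)."""
    scored = [(criticality(r), r) for r in risks if r.objective in objectives]
    return sorted(scored, key=lambda cr: RANK[cr[0]], reverse=True)


def decide(crit, risk, budget):
    """Step 5 (assumed policy): mitigate what is critical and affordable, otherwise
    avoid if the feature can be dropped, otherwise transfer; accept the rest."""
    if crit in ("Critical", "High"):
        if risk.mitigation_cost <= budget:
            return "mitigate"
        return "avoid" if risk.avoidable else "transfer"
    if crit == "Medium":
        return "mitigate" if risk.mitigation_cost <= budget // 4 else "accept"
    return "accept"


def run_register(risks, objectives, budget):
    """Return (risk name, criticality, decision) rows in priority order."""
    return [(r.name, crit, decide(crit, r, budget)) for crit, r in prioritize(risks, objectives)]


# Constructed register for a private permissioned supply-chain ledger.
CONSTRUCTED_RISKS = [
    Risk("MSP hosted in a single datacentre lost to fire", "availability",
         Threat("datacentre fire", "High", deliberate=False), "High", "Large", 50),
    Risk("State actor rewrites the ledger", "integrity",
         Threat("state actor", "High", intent="Low"), "Medium", "Large", 80),
    Risk("Hacktivists deface the consortium portal", "availability",
         Threat("hacktivists", "Low", intent="High"), "Medium", "Medium", 10),
    Risk("Competitor node administrator reads other parties' data", "confidentiality",
         Threat("competitor node administrator", "High", intent="Medium"), "High", "Medium", 20),
    Risk("Transaction metadata inferred by chain analysis", "anonymity",
         Threat("chain analysts", "High", intent="High"), "High", "Medium", 40),
]
OBJECTIVES = {"availability", "confidentiality", "integrity"}  # Step 1 choice: anonymity not required here
BUDGET = 100

if __name__ == "__main__":
    for row in run_register(CONSTRUCTED_RISKS, OBJECTIVES, BUDGET):
        print(row)
```

The output is the simple format leadership needs: the single-site MSP comes out Critical and is mitigated, the state actor is rated Medium despite its capability because the intent is low, and the anonymity risk never reaches the table because anonymity was not chosen as an objective in Step 1. Re-running the register as threats, exposures and budgets change is the continuous process the paragraph above asks for.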

Appendix 2: Key blockchain security risks

Below is a list of the main blockchain security risks, scored per blockchain type. For each risk, the paper provides a series
of mitigation strategies should an organization not be in a position to accept, avoid or transfer the risk.

These risk evaluations (Critical, High, Medium or Low) are comparable only within each chart, although the authors have
tried to keep the levels consistent across topics. Such ratings cannot be universally valid, as each case is sensitive to
many factors such as use cases, system and platform configurations, design options, implementations, prioritized security
goals and relevant management and processes. The aim is therefore to give a top-level view of representative security
risks so that conversations with experts can be conducted quickly and easily.

Confidentiality: The risk that information is fraudulently accessed or inferred from the blockchain tends to be higher for public blockchains, which are more easily analysed. On the other hand, anonymity, a sub-property of confidentiality, may be more difficult to achieve in private or permissioned chains for which identity must be proven. For example, hacking a membership service provider could lead to a breach of confidentiality. It is therefore important to clarify what needs to be confidential: the identity of the parties or information about their transactions?

Mitigation strategies:

– Avoid storing sensitive or private data on a blockchain.
– Consider off-chain storage for sensitive or private data.
– Encrypt information stored on ledgers whenever possible.
– Use advanced cryptographic techniques, such as zero-knowledge proofs and homomorphic encryption.
– Consider that anonymity is superior in permissionless blockchains than it is in permissioned ones, while data confidentiality is superior in private as opposed to public blockchains.

Confidentiality risk by blockchain type:

                Public    Private
Permissioned    High      Medium
Permissionless  High      Medium

Endpoint and key management: Endpoint security, which is closely related to confidentiality, is a common concern over all types of blockchain solutions. A large part of endpoint security refers to protecting a user’s cryptographic keys to access the blockchain.

Permissioned chains warrant better know-your-customer (KYC) protocols and hence offer more opportunities to manage endpoint security.

In public chains, because information is available to anyone, particularly if unencrypted, it is easier for attackers to know which users and endpoints to target.

Mitigation strategies:

– Raise user awareness on security risks associated with storing keys improperly (on an email or webmail, on the cloud, without encryption etc.).
– Actively seek validation that users are aware of the risks they run based on the different options they use to access the chain and what they forfeit if their endpoint security is weak.
– Consider making security updates mandatory for users to be allowed to transact on-chain.

Endpoint and key management risk by blockchain type:

                Public    Private
Permissioned    High      Medium
Permissionless  Critical  High

Integrity: The risk that the ledger is fraudulently tampered with is relatively low, given that blockchains are, by design, meant to protect integrity. That said, integrity risks can be more prominent for smaller chains, given that the resources employed by the consensus mechanism are lower and can more easily be attacked. Private chains tend to be smaller.

A bigger risk from an integrity standpoint stems from the lack of access control, e.g. permissionless chains. There have been successful 51% attacks against small, permissionless chains such as Verge, Monacoin and others.

Bear in mind that, as with confidentiality and anonymity, the original integrity features of blockchain come at the expense of some privacy considerations such as the right to be forgotten.

Mitigation strategies:

– Consider using an existing, bigger chain, i.e. the one successfully gathering more mining nodes operated by a wider variety of node owners.
– Avoid storing personally identifiable information on blockchains.
– Embed security controls on to oracles that push data to your blockchain.

Integrity risk by blockchain type:

                Public    Private
Permissioned    Low       Low
Permissionless  Low       Medium

Consensus mechanism: Risks associated with consensus mechanisms are tightly related to the integrity property. Attacks against the consensus mechanism generally aim at validating fraudulent transactions or rewriting past transactions. As mentioned, smaller chains are more prone to fall victim to such attacks – particularly if they are permissionless. It is also important to consider the fact that combining multiple consensus mechanisms may introduce new system-level risks.

Mitigation strategies:

– Think carefully when considering custom consensus mechanisms.
– Existing consensus mechanisms have their pros and cons from a security standpoint – consider them in your risk assessment.
– If you do create your own blockchain, keep consensus mechanisms simple: it may be tempting, for instance, to use several of them, but this added complexity results in risks you may not be aware of.

Consensus mechanism risk by blockchain type:

                Public    Private
Permissioned    Low       Low
Permissionless  Medium    Medium

Availability: The risk is that participants cannot use the blockchain. Chain availability depends on the number of nodes available compared to the number of transactions to be recorded. Large chains, especially public chains, tend to offer better availability. However, this can come at the expense of real-timeliness, due to the volume of transactions.

On the other hand, private chains are generally smaller and hence more easily disrupted by traditional DDoS or eclipse attacks. Permissioned chains also introduce points of failure with access control mechanisms that can be targeted and indirectly affect the availability of the chain.

Mitigation strategies:

– Use traditional IT availability measures: load balancing, redundancy, anti-DDoS measures etc.
– Ensure gatekeeping redundancy in the case of a permissioned chain.

Availability risk by blockchain type:

                Public    Private
Permissioned    Low       Medium
Permissionless  Low       Low

Node security: Nodes bear the same risks as any connected processing unit that can fall victim to cyberattacks such as malware or DDoS. A single compromised node won’t lead to direct damage, but an incident may come from aggregated occurrences. Since a node is exposed, security is fundamental. As there are more interactions with externals in public or permissionless chains, they may incorporate higher risks in general.

Mitigation strategies:

– Use traditional IT security measures: anti-virus protection, regular patching, etc.

Node security risk by blockchain type:

                Public    Private
Permissioned    Medium    Low
Permissionless  Critical  High

Smart contract: When talking about typical use cases
in a supply chain such as the bill of lading or financial
instruments, automation with smart contracts is the
core of blockchain-based solutions. If such automation
incorporates a vulnerability, it may lead to disruption
of operations or immediate financial misoperation. In
public chains, smart contract code is visible to all and
hence much more accessible for hackers to browse for
vulnerabilities. In contrast, public chains also gather more
experts auditing the code and detecting failure. This is
exactly the same as has happened with the open-source
versus closed-source argument.

Permissionless chains also leave greater opportunities for
attackers to interact with the code, as KYC procedures in
permissioned chains reduce the likelihood of a validated
user attacking the smart contracts.

Mitigation strategies:

– Ensure developers apply secure coding practices.
– Ensure smart contract code is audited by a third party before
uploading it on a blockchain.
– Consider using multi-signature smart contract-based
ownership. Alternatively, consider vote-driven smart
contract-based ownership.
– Define processes for smart contracts to be able to be
phased out or to self-destruct in certain conditions.

Smart contract risk by blockchain type:

                Public    Private
Permissioned    Medium    Low
Permissionless  Critical  Medium
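Two of the mitigation strategies above, multi-signature ownership and a defined phase-out, are easiest to see as an authorization state machine. The following added example models that logic in Python; it is not the paper’s code and not a deployable contract (an on-chain version would be written in the platform’s contract language), and the owner names and actions are constructed. A privileged action needs approvals from a threshold of distinct owner keys, so a single leaked administrator key, the scenario from the Port of Valencia example, cannot change the contract on its own, and once the owners retire the contract it rejects all further actions.

```python
"""Model of multi-signature ownership and phase-out for privileged
smart-contract actions. Added example, not the paper's code and not a
deployable contract; owner names and actions are constructed."""


class AuthorizationError(Exception):
    """Raised when a caller is not allowed to act on the contract."""


class MultisigOwnedContract:
    def __init__(self, owners, threshold):
        if not 0 < threshold <= len(set(owners)):
            raise ValueError("threshold must be between 1 and the number of distinct owners")
        self.owners = set(owners)
        self.threshold = threshold          # approvals from distinct owners needed to execute
        self.proposals = {}                 # proposal id -> {"action": str, "approvals": set}
        self.executed = []                  # audit trail of executed actions
        self.retired = False                # phase-out flag: no further actions once set
        self._next_id = 0

    def propose(self, owner, action):
        """An owner proposes a privileged action; the proposal counts as their approval."""
        self._require_active()
        self._require_owner(owner)
        pid = self._next_id
        self._next_id += 1
        self.proposals[pid] = {"action": action, "approvals": {owner}}
        return pid

    def approve(self, owner, pid):
        """Record an approval; execute when the threshold of distinct owners is reached."""
        self._require_active()
        self._require_owner(owner)
        prop = self.proposals.get(pid)
        if prop is None:
            raise AuthorizationError("unknown or already executed proposal")
        prop["approvals"].add(owner)        # a set: re-approving with the same key adds nothing
        if len(prop["approvals"]) >= self.threshold:
            self._execute(pid)
            return True
        return False

    def _execute(self, pid):
        prop = self.proposals.pop(pid)
        if prop["action"] == "retire":      # the defined phase-out path
            self.retired = True
            self.proposals.clear()
        self.executed.append(prop["action"])

    def _require_owner(self, owner):
        if owner not in self.owners:
            raise AuthorizationError(f"{owner} is not an owner")

    def _require_active(self):
        if self.retired:
            raise AuthorizationError("contract has been phased out")


def demo():
    """Walk through the scenarios: lone key, outsider, threshold, phase-out."""
    c = MultisigOwnedContract(["alice", "bob", "carol"], threshold=2)
    pid = c.propose("alice", "upgrade_chaincode")
    single_key_executes = c.approve("alice", pid)     # same key twice: still 1 of 2
    try:
        c.approve("mallory", pid)                     # not an owner
        outsider_blocked = False
    except AuthorizationError:
        outsider_blocked = True
    threshold_executes = c.approve("bob", pid)        # second distinct owner: executes
    pid2 = c.propose("bob", "retire")
    c.approve("carol", pid2)                          # owners phase the contract out
    try:
        c.propose("alice", "upgrade_chaincode")
        retired_blocked = False
    except AuthorizationError:
        retired_blocked = True
    return {
        "single_key_executes": single_key_executes,
        "outsider_blocked": outsider_blocked,
        "threshold_executes": threshold_executes,
        "retired_blocked": retired_blocked,
        "executed": list(c.executed),
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the two controls testable before any chain is involved: the threshold is enforced on distinct keys rather than on the number of approval calls, and the retire action is itself subject to the same threshold, so neither a compromised key nor a departing administrator can act alone or shut the contract down alone.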

Glossary

51% attack: when one or more persons collectively control more than 50% of a network’s computing power and maliciously use their hashing power to reverse confirmed transactions, interfere with the process of recording new blocks, prevent new transactions from gaining consensus, allow double spending of the local currency, or take other actions to undermine the integrity of a blockchain.18

Anonymity: characteristic of information that does not permit a personally identifiable information principal to be identified directly or indirectly.19

Consensus (mechanism): a process (or a mechanism that implements) to achieve agreement by the majority of peers within a distributed network. Achieving consensus means the group of peers participating in a blockchain have evaluated and agreed on the state of the blockchain, most commonly when there is an addition to the blockchain.20

Cryptographic key: a sequence of symbols that controls the operation of a cryptographic transformation. A cryptographic transformation can include but is not limited to encipherment, decipherment, cryptographic check function computation, signature generation or signature verification.21

Denial of service (DoS): prevention of authorized access to a system resource or the delaying of system operations and functions, with resultant loss of availability to authorized users.22

Hacktivism(-vist): (a person involved in) computer hacking (as by infiltration and disruption of a network or website) done to further the goals of political or social activism.23

Know Your Customer (KYC): the requirement, pursuant to the Bank Secrecy Act (BSA), that financial institutions conduct due diligence on their customers prior to engaging in transactions with them. The goal is to avoid inadvertently engaging in criminal activity by furthering money laundering, terrorism finance, other criminal enterprises, or engaging in business with persons on the Office of Foreign Assets Control (OFAC) sanctions list.24

Membership service provider (MSP): a modular component that is used to manage identities on the blockchain network. An MSP is used to authenticate clients who want to join the blockchain network. A certificate authority is used in the MSP to provide identity verification and binding services.

Oracle: an interface with a data source external to a blockchain that provides input data (e.g. share price information) required for a determination of outcomes under a smart contract.25

Penetration-testing (pentesting): the process of probing and identifying security vulnerabilities and the extent to which they are used to a cracker’s advantage. Penetration-testing is a critical tool for assessing the security state of an organization’s IT systems, including computers, network components and applications. Hackers of the white-hat variety are often hired by companies to do penetration-testing. It is money well spent, computer security experts contend.26

Smart contract: Blockchains can be programmed to automate business processes (e.g. making payments) in different entities. A smart contract is a computerized transaction protocol that automatically executes the terms of a contract upon a blockchain once predefined conditions are met.

Vulnerability: a weakness of software, hardware or online service that can be exploited.27

Wallet: a non-physical storage device for cryptocurrency that a person downloads as a software file and that remains connected to the internet. A wallet can be downloaded and installed on a computer, run online via the cloud or run on a smart device via a mobile application.

Contributors

The World Economic Forum’s Centre for the Fourth Industrial Revolution “Redesigning Trust: Blockchain for Supply Chain”
project is a global, multi-industry, multistakeholder endeavour aimed at co-designing and co-creating frameworks to
encourage the inclusive and well-thought-through deployment of blockchain technology. The project engages stakeholders
across multiple industries and governments from around the world. This white paper is based on numerous discussions,
workshops and pieces of research – and the combined effort of all involved; the opinions expressed herein may not
necessarily correspond with those of each individual involved with the project.

Sincere thanks are extended to those who contributed their unique insights to this report. We are also very grateful for the
generous commitment and support of Hitachi and their fellow at the Centre dedicated to the project: Soichi Furuya (also a
lead author of the paper).

Lead authors

Adrien Ogée, Lead, Technology and Innovation, World Economic Forum (Centre for Cybersecurity), Switzerland
Soichi Furuya, Senior Researcher, Hitachi (and World Economic Forum Fellow), USA
Nadia Hewett, Project Lead Blockchain and DLT, World Economic Forum (Centre for the Fourth Industrial Revolution), USA

Contributors

Craig Chatfield, Blockchain Architect and Security Consulting Manager, Accenture, UK
Dominique Guinard, Co-Founder and Chief Technology Officer, EVRYTHNG, Switzerland
Francis Jee, Manager, Deloitte Consulting LLP (and World Economic Forum Fellow), USA
Hanns-Christian Hanebeck, Founder and Chief Executive Officer, Truckl.io, USA
Partha Das Chowdhury, Head, Blockchain CoE, VARA Technology, India
Ramón Gómez-Ferrer, Head of Strategy and Innovation, Valencia Port Authority, Spain
Sheila Warren, Head of Blockchain and DLT, World Economic Forum (Centre for the Fourth Industrial Revolution), USA
Sumedha Deshmukh, Project Specialist, World Economic Forum (Centre for the Fourth Industrial Revolution), USA

Commentator

Jaka Mele, Chief Digital Officer, CargoX, Slovenia

Endnotes

1. http://www3.weforum.org/docs/48423_Whether_Blockchain_WP.pdf
2. http://www3.weforum.org/docs/WEF_Introduction_to_Blockchain_for_Supply_Chains.pdf
3. https://fintechnews.sg/23594/blockchain/cryptocurrency-hack-binance/
4. https://fortune.com/2017/07/18/ethereum-coindash-ico-hack/
5. https://blog.tradelens.com/news/5-key-points-about-tradelens-platform-security/
6. https://deloitte.wsj.com/cio/2019/06/10/emerging-disruptors-lead-the-way-on-blockchain/
7. https://www.bbc.com/news/technology-47454528
8. https://www.forbes.com/sites/danielnewman/2017/10/24/blockchain-and-digital-transformation-go-hand-in-hand/#2721404646f7
9. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
10. https://hackernoon.com/databases-and-blockchains-the-difference-is-in-their-purpose-and-design-56ba6335778b
11. https://www.schneier.com/blog/archives/2013/01/complexity_and.html
12. https://blog.theabacus.io/the-verge-hack-explained-7942f63a3017
13. https://www.mycryptopedia.com/blockchain-oracles-explained/
14. https://mashable.com/2018/04/05/verge-crypto-hack/
15. https://www.developcoins.com/blockchain-consensus-algorithms
16. https://medium.com/solidified/the-biggest-smart-contract-hacks-in-history-or-how-to-endanger-up-to-us-2-2-billion-d5a72961d15d
17. https://blockchaintrainingalliance.com/products/cbsp
18. Latham and Watkins, The Book of Jargon: Cryptocurrency & Blockchain Technology, https://www.lw.com/bookofjargon-apps/boj-CryptocurrencyandBlockchain
19. ISO/IEC 29100:2011
20. Latham and Watkins, The Book of Jargon: Cryptocurrency & Blockchain Technology
21. ISO/IEC 19790:2012
22. ISO/IEC 27033-1:2015
23. Merriam-Webster, https://www.merriam-webster.com/
24. Latham and Watkins, The Book of Jargon: Cryptocurrency & Blockchain Technology
25. Ibid.
26. Lowery, J. Penetration Testing: The Third Party Hacker. [Online, February 2002.] SANS Institute website
27. ISO/IEC 29147:2014

(all links as of 7/11/19)
