With the rise of ransomware and other cyber hacks, how might blockchain technology be used to mitigate and manage threats to the IoT, asks Antony Savvas?
In recent months, the global WannaCry and NotPetya ransomware attacks have been in the headlines, as major global corporates and government organizations fell victim to malicious malware. Many commentators were quick to point out that old and inadequately protected operating systems like Microsoft Windows XP were still being used by many of the casualties, and that all companies should urgently upgrade their security systems against future ransomware and other attacks.
The use of blockchain technologies to tackle the growing ransomware threat did not feature widely in the protection strategies being suggested – but IT security experts have told Internet of Business that blockchain technologies should now be considered as means for protecting both data travelling between IoT end points and the data silos that underpin IoT implementations.
A broad use case
Blockchain is most typically associated with the exchange of cryptocurrencies such as bitcoin, but other uses, in other industries are emerging for the technology, which is used to create tamper-proof, cryptographically secure distributed ledgers of transactions.
That’s because it’s underlying concept is pretty broad, as 451 Research analyst Ian Hughes explains. “[It] seeks to ensure [that] any transaction between two parties is valid, with consensus from all other parties, and then, once made, the provenance of that transaction is maintained in a distributed fashion.”
So in IoT transactions, he adds, “this could be used to ensure a valid and trusted device with a known past is interacting on the network, versus a rogue intruder device.”
He says: “The history of transactions could also be used to spot anomalies in data patterns between devices using machine learning and AI techniques, which are starting to be used today in some network security tools. It is early days for blockchain concepts in this space, but it is certainly being explored.”
Improved security, increased resistance
At service assurance and data security firm NetScout, meanwhile, senior enterprise solutions manager Ron Lifton is optimistic about the blockchain opportunity in financial services and beyond. He cites figures that forecast that the use of blockchain in capital markets applications alone will be worth $400 million. More importantly, he cites others that estimate that one in five IoT deployments will utilize basic blockchain service in 2020.
Using blockchain for IoT transactions and data sharing could ease security concerns, remove single points of failure, streamline processes and cut costs, he claims. Although the ‘blocks’ in a blockchain may be publicly visible, their contents (detailing the time and date of the transaction, for example) are available only to organizations with the right encryption key.
“Because transactions must be authorized by multiple parties before acceptance, this technology creates a high degree of trust,” Lifton explains. “Additionally, you can only add transactions, not remove or alter them.” This ‘immutability’ is one of the aspects that makes blockchain attractive to organizations, he adds.
So, on an IoT network, blockchain might facilitate secure messaging between devices. Two parties can share data without ever compromising the privacy of its owner. Although blockchain won’t solve every security problem for IoT devices, such as the hijacking for use in DDoS [distributed denial of service] botnets, it helps protect data from attackers.
And as the number of IoT devices drastically multiplies, traditional server/client models for handling network traffic will prove too cumbersome and too unwieldy to be effective. “The simplicity of distributed blockchain transactions is their beauty,” says Lifton. “Supported by growth in edge computing devices and 5G networks, this simplicity will enable faster, more efficient communications between autonomous devices, all without passing them through single points of failure.”
These data security benefits are precisely why some major organizations have started the Blockchain IoT Protocol Initiative. Bosch, Cisco, Gemalto and Foxconn are among the big names behind the effort, and want to use blockchain as part of the IoT-based supply chain networks they are building.
They plan to use blockchain to assure transit and delivery of smart, connected devices and to meet after-sales requirements over vast global IoT networks. In many ways, these plans are a big jump forwards from the humble barcode – which is seen as the original digital product identifier, but which is not secure and which can be bypassed by the counterfeiting industry.
Being able to create a tamper-proof history of manufactured products, and record how they are moved and maintained across large supply chains is seen as critical, and blockchain is now seen as the key.
The recent NotPetya ransomware attack crippled shipping giant Maersk Line, with its container terminals forced to shut down. This attack highlighted underlying weaknesses in existing supply chain infrastructure and industrial internet-based IT as a whole.
Antony Abell, managing director of blockchain deployment firm TrustMe, says: “If Maersk had moved from their existing electronic data interchange (EDI) system to a blockchain-enabled platform, the ransomware attack on them would not have taken place.”
Abell says IoT industrial devices require secure communications for updating their firmware and the storage/retrieval/transmission of sensitive data. Blockchain can enable this and stop third-party code and third-party control or misdirection of content being added to IoT devices. An example of this, he continues, would be an IoT device accessing critical data in petrochemical industrial processes from a blockchain, and executing functionality from verified firmware and verified data stored on that blockchain.
“Without a blockchain system, the IoT device would require an enormous amount of layered security starting from internet access, protection from hacking of the firmware, protection from industrial espionage and other security systems,” Abell says. Blockchain enables the widespread, safe and cost-effective deployment of IoT process controllers across a multitude of industrial environments.
Overcoming potential barriers
So blockchain is clearly a good bet for securely supporting IoT, but like any new technologies, perceived obstacles have to be overcome.
Pascal Geenens, EMEA security evangelist at load balancing and security firm Radware, says: “Blockchain holds a lot of promise in many areas and might be instrumental for digital transformation in coming years. That said, it also comes with some technical hurdles. Many IoT devices are resource-constrained and as such do not provide adequate compute power to participate in blockchains directly. They need some sort of proxy or central service in order to make the technology available on the platform.”
Another issue, says Geenens, might arise from the decentralized consensus protocols involved (approving transactions, for example), or more specifically, the average time for ‘converging to consensus’ among participants in a blockchain. Using blockchain to protect communications might prove too slow for some real-time requirements for applications and services.
But, adds Geenens, “I know there are some studies on their way to address some of these limitations and I’m sure that if the technology proves to be an enabler for the security of IoT, the hurdles will be solved and overcome at some point.”
Guy Bunker, senior vice president of products at cyber security firm Clearswift, says: “Blockchain is useful in many scenarios and an understanding of where it is best used, rather than assuming it is useful for everything, is required.
“When using blockchain, consideration should also be given to future legislation such as GDPR, to ensure that the information which is protected and how it is protected can also support requirements such as ‘right to be forgotten’. Without these considerations, the solution may create more problems than it potentially solves.”
But despite some concerns, it is certainly clear that blockchain is showing wider technology potential, over and above securing transactions in the banking industry, at which it has been aimed up to now. This is particularly true if major players in different industries can settle on blockchain IoT standards and procedures.