Analysing blockchain security risks to your supply chain
28th January 2019
In the first article of our blockchain series, we explained how the use of blockchain technology had the potential to offer security benefits to its users. This is because blockchain technology can enable the secure transmission of information between users. It also provides visibility and traceability of data to users.
Given this, introducing blockchain technology into supply chain processes presents an attractive prospect, particularly from an ethical trading and verification/authenticity perspective.
Unlike traditional data exchange systems, which rely on extraneous security systems to protect data transfers, blockchain has its own in-built processes that enable security and authenticity.
- Data in blockchain uses encryption – so it is necessary to have the corresponding decryption “keys” to be able to read/use the data.
- Blockchain technology uses cryptographic hashing (a unique series of digits which act like a “signature”) when data is added or altered. This means that changes and/or additions can be tracked by the cryptographic hash, with duplicate or corrupt data being easily identifiable as a result.
- The process of introducing changes into the data stored within a blockchain based database requires a user to take a number of steps, making the data harder to tamper with. Practically this means that the only viable way of retrospectively altering data would be to have agreement from a majority of users prior to making changes to a “block” within the database.
- As there is no centralised server location for a blockchain based database, there is no single point of failure. This is because blockchain technology relies on the network of its users who connect via the internet rather than any one entity/server (i.e. it is “decentralised”). The data is distributed across the network so each user has the exact same data. This means that if any one user or part of the network is disrupted (e.g. because of a cyber-attack on systems), then there is likely to be minimal disruption because the data will still exist unaffected in the wider network for all other users.
- Blockchain technology enables and displays real-time updates for all users. This level of visibility provides an added layer of security, given that all users (subject to permissions) will have access to the same data and also to the changes/updates, which can be tracked and traced.
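The hashing, majority and replication points in the list above can be seen in a small hash-linked ledger. This is an added illustration, not code from the article or from any blockchain product; the record fields, party names and function names are constructed for the example.

```python
import hashlib
import json
from collections import Counter
GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, data):
    """SHA-256 over the block's position, its predecessor's hash and its payload."""
    payload = json.dumps([index, prev_hash, data], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    """Link each record to the one before it by embedding the previous hash."""
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        digest = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": dict(data), "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, else None."""
    prev = GENESIS
    for block in chain:
        expected = block_hash(block["index"], prev, block["data"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None

def divergent_replicas(replicas):
    """Name the replicas whose latest hash differs from the majority's."""
    heads = {name: chain[-1]["hash"] for name, chain in replicas.items()}
    majority_head = Counter(heads.values()).most_common(1)[0][0]
    return sorted(name for name, head in heads.items() if head != majority_head)

# Constructed sample records for one batch moving through a supply chain.
RECORDS = [
    {"batch": "B-100", "event": "harvested", "site": "Farm A"},
    {"batch": "B-100", "event": "shipped", "carrier": "Carrier X"},
    {"batch": "B-100", "event": "received", "site": "Warehouse Y"},
]

def demo():
    replicas = {n: build_chain(RECORDS) for n in ("supplier", "carrier", "retailer")}
    edited = build_chain(RECORDS)
    edited[1]["data"]["carrier"] = "Carrier Z"    # record changed, hashes left alone
    rewritten = [dict(r) for r in RECORDS]
    rewritten[1]["carrier"] = "Carrier Z"
    replicas["carrier"] = build_chain(rewritten)  # whole copy re-hashed by one user
    return first_invalid_block(edited), first_invalid_block(replicas["carrier"]), divergent_replicas(replicas)
```

An edit that leaves the hashes untouched fails verification at the edited block. A copy that one user has re-hashed from start to finish verifies on its own, and is caught only because its latest hash no longer matches the copies held by the other users.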
However, as with any technology solution, the technology behind blockchain is not infallible. Indeed, it is said that “blockchain’s characteristics do not provide an impenetrable panacea to all cyber ills…, instead as with other technologies blockchain implementations and roll outs must include typical system and network cyber security controls, due diligence, practice and procedures”.
Whilst blockchain based solutions are highly sophisticated and have the potential to offer significantly enhanced security and integrity, there are still vulnerabilities that need to be considered.
So, in the context of security and integrity, what are the main risk areas for a supply chain organisation to take note of when considering the potential roll out of a blockchain-technology based solution? In our view, the key risks to be aware of are:
- Whilst a decentralised structure promotes increased security, there are still risks associated with this structure. This is particularly so where the power to add/alter data in a blockchain is consensus based – e.g. by users voting, with a majority needed to rubber stamp additions/changes.
- In such circumstances, the “51% concept” becomes a significant risk. This is where one entity obtains (by legitimate or illegitimate means) more than half of the power in the blockchain solution. That user could then alter previously captured/inputted data however they see fit without needing to get consensus from the other 49% of users. This would of course undermine the integrity of the database.
- Another potential and related risk is something called a “Sybil attack”, in which a disruptive outside actor fraudulently forges multiple identities so that it appears to be many different users. By doing this, they could amongst other things take advantage of the 51% concept described above. It is a complex form of cyber-attack which can be guarded against by all users on a network having strong cyber defences. It also becomes more difficult for a perpetrator as the number of users within a blockchain increases.
- The interface between each user and a blockchain based solution is often termed an “endpoint”. Endpoints include computer systems/other devices that connect to the solution.
- Endpoints can be vulnerable to human error/cyber-attacks; it is while endpoints are being used to access/input data into a blockchain based solution that the solution is potentially at its most vulnerable.
- Whilst endpoint vulnerabilities are not down to the blockchain technology itself, any blockchain based solution is only as strong as its weakest endpoint.
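To make the 51% and Sybil points above concrete, the sketch below compares two ways of counting approval votes for a proposed change. It is an added example, not taken from the article or from any blockchain platform; the enrolment registry, the identity names and both functions are assumptions made for illustration.

```python
# Constructed enrolment registry: identity -> organisation vetted at onboarding.
ENROLLED = {
    "supplier-01": "Supplier Ltd",
    "carrier-01": "Carrier plc",
    "retailer-01": "Retailer Inc",
    "retailer-02": "Retailer Inc",  # second device, same organisation
    "auditor-01": "Auditor LLP",
    "insurer-01": "Insurer SA",
}

# Constructed votes on a proposal to alter an earlier block.
# The five "node-a*" identities were never enrolled.
VOTES = {
    "supplier-01": True,
    "carrier-01": False,
    "retailer-01": False,
    "retailer-02": False,
    "auditor-01": False,
    "node-a1": True, "node-a2": True, "node-a3": True,
    "node-a4": True, "node-a5": True,
}

def naive_approval(votes):
    """One vote per identity that turns up, whoever is behind it."""
    yes = sum(1 for vote in votes.values() if vote)
    return yes > len(votes) / 2

def enrolled_approval(votes, registry):
    """One vote per enrolled organisation; unknown identities are set aside."""
    by_org, ignored = {}, []
    for identity, vote in sorted(votes.items()):
        org = registry.get(identity)
        if org is None:
            ignored.append(identity)  # worth reporting, not just dropping
            continue
        # An organisation approves only if every one of its identities approves.
        by_org[org] = by_org.get(org, True) and vote
    total_orgs = len(set(registry.values()))
    yes = sum(1 for approved in by_org.values() if approved)
    # Majority is measured against all enrolled organisations, so abstaining
    # members do not lower the bar.
    return yes > total_orgs / 2, ignored
```

With the constructed votes, the per-identity count approves the change (6 of 10), while the per-organisation count rejects it (1 of 5) and returns the five unenrolled identities for follow-up.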
Third party risk
- A business or consortium of businesses utilising a blockchain based solution is unlikely to code, host and maintain the system itself, and will invariably look to a third party entity (or entities) to assist with this.
- This creates another potential point of weakness. Indeed, “organisations wishing to deploy 3rd-party blockchain apps and platforms must be aware that the security of their blockchains is no greater than the trustworthiness of their vendor.”
Conclusion and points to consider
As the above examples illustrate, whilst blockchain based solutions are highly sophisticated and have the potential to offer significantly enhanced security and integrity, there are still vulnerabilities that need to be considered.
From a risk management perspective, we suggest considering the following, in order to minimise the risk presented by the issues we have identified in this article:
- In the context of supply chains, it is more likely than not that one entity will want to have “control” over what can be inputted/edited in the blockchain based solution, rather than allowing for consensus decision making. In that case, thought should be given as to how any issues arising from a controlling user’s misuse (intentional or otherwise) of its control are to be dealt with. This is a new area of liability (with associated loss/damage) that ought to be considered and addressed early on.
- Following on from that, the access rights and powers granted to each respective user should be considered carefully. It would be sensible to have robust user agreements in place to manage the use of the blockchain based solution and the associated risks/liabilities. For example, if a blockchain based solution is set up to give control to all users, then there ought to be clear repercussions in place to minimise the risks of a user taking/trying to take advantage of the level of control it has.
- There should be robust security protocols/requirements for all users of a blockchain based solution, given the potential of endpoint vulnerabilities.
- Conduct due diligence on the system itself. Ensure that before launching and/or participating in a blockchain based solution it has undergone satisfactory peer-to-peer review and testing.
- Carefully vet third party suppliers and vendors feeding into the system. Particularly given the relative infancy of the use of blockchain in non-cryptocurrency settings, consider the experience and reputation of each third party vendor who interacts with the system.
For more information please contact Adam Fisher or Ridah Iqbal.
 - Deloitte