Blockchain May Be Overkill for Most IIoT Security

Without an efficient blockchain template for IoT, other options are better.


Blockchain crops up in many of the pitches for security software aimed at the industrial IoT. However, IIoT project owners, chipmakers and OEMs should stick with security options that address the low-level, device- and data-centered security of the IIoT itself, rather than following the push to promote blockchain as a security option as well as an audit tool.

Only about 6% of Industrial IoT (IIoT) project owners chose to build IIoT-specific security into their initial rollouts, while 44% said it would be too expensive, according to a 2018 survey commissioned by digital security provider Gemalto.

Currently, only 48% of IoT project owners can see their devices well enough to know if there has been a breach, according to the 2019 version of Gemalto’s annual survey.

Software packages that could fill in the gaps were few and far between. This is largely because securing devices aimed at industrial functions requires more memory, storage or update capability than typical IIoT/IoT devices currently have. That makes it difficult to apply security software to networks with IIoT hardware, according to Steve Hanna, senior principal at Infineon Technologies, who co-wrote an endpoint-security best-practices guide published by the Industrial Internet Consortium in 2018.

Still, the recognition is widespread that security is a problem with connected devices. Spending on IIoT/IoT-specific security will grow 25.1% per year, from $1.7 billion during 2018, to $5.2 billion by 2023, according to a 2018 market analysis report from BCC Research. Another study, by Juniper Research, predicts 300% growth by 2023, to just over $6 billion.

Since 2017, a group of companies including Cisco, Bosch, Gemalto, IBM and others have promoted blockchain as a way to create a tamper-proof provenance for everything from chips to whole devices. By creating an auditable history, where each new event or change in status has to be verified by 51% of the members of the group participating in a particular ledger, it should be possible to trace an individual component from point of sale to the original manufacturer to verify whether it’s been tampered with.

Blockchain also can be used to track and verify sensor data, prevent duplication or the insertion of malicious data and provide ongoing verification of the identity of individual devices, according to an analysis from IBM, which promotes the use of blockchain in both technical and financial functions.

Use of blockchain in securing IIoT/IoT assets among those polled in Gemalto’s latest survey rose to 19%, up from 9% in 2017. And 23% of respondents said they believe blockchain is an ideal solution to secure IIoT/IoT assets.

Any security may be better than none, but some of the more popular options don’t translate well into actual IIoT-specific security, according to Michael Chen, design for security director at Mentor, a Siemens Business.

“You have to look at it carefully, know what you’re trying to accomplish and what the security level is,” Chen said. “Public blockchain is great for things like the stock exchange or buying a home, because on a public blockchain with 50,000 people if you wanted to cheat you’d have to get more than 50% to cooperate. Securing IIoT devices, even across a supply chain, is going to be a lot smaller group, which wouldn’t be much reassurance that something was accurate. And meanwhile, we’re still trying to figure out how to do root of trust and key management and a lot of other things that are a different and more of an immediate challenge.”

Others agree. “Using blockchain to track the current location and state of an IoT device is probably not a good use of the technology,” according to Michael Shebanow, vice president of R&D for Tensilica at Cadence. “Public ledgers are a means of securely recording information in a distributed manner. Unless there is a defined need to record location/state in that manner, then using blockchain is a very high-overhead means of doing so. In general, applications probably don’t need that level of authenticity check.”
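
The majority-approval ledger described above, sketched as an added example (not code from the article or from any company it names). The three-member consortium, the part ID and the use of HMAC in place of real digital signatures are assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed 3-member consortium; HMAC keys stand in for per-member signing keys.
MEMBERS = {"fab": b"key-fab", "oem": b"key-oem", "distributor": b"key-dist"}
GENESIS = "0" * 64

def entry_hash(prev, event):
    # Each entry's hash covers the previous hash, chaining the history.
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def approve(member, digest):
    return hmac.new(MEMBERS[member], digest.encode(), hashlib.sha256).hexdigest()

def append(ledger, event, approvers):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    digest = entry_hash(prev, event)
    ledger.append({"prev": prev, "event": event, "hash": digest,
                   "approvals": {m: approve(m, digest) for m in approvers}})

def verify(ledger):
    """Return the index of the first invalid entry, or -1 if all hold."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
            return i                      # history was altered or reordered
        valid = sum(1 for m, tag in e["approvals"].items() if m in MEMBERS
                    and hmac.compare_digest(tag, approve(m, e["hash"])))
        if valid * 2 <= len(MEMBERS):     # needs more than 50% of members
            return i
        prev = e["hash"]
    return -1

def majority(n):
    return n // 2 + 1   # smallest group whose approval settles an entry

def build_sample():
    """Constructed provenance history for one hypothetical part."""
    ledger = []
    append(ledger, {"part": "MCU-0001", "status": "manufactured"}, ["fab", "oem"])
    append(ledger, {"part": "MCU-0001", "status": "shipped"}, ["oem", "distributor"])
    append(ledger, {"part": "MCU-0001", "status": "installed"}, list(MEMBERS))
    return ledger

if __name__ == "__main__":
    ledger = build_sample()
    print("clean ledger:", verify(ledger))
    ledger[1]["event"]["status"] = "reworked"   # edit history after the fact
    print("first bad entry:", verify(ledger), "| majority of 3:", majority(3))
```

The hash chain flags an entry edited after the fact, but in a three-member group two approvals are enough to settle an entry, compared with 25,001 on the 50,000-participant ledger in Chen's example.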

Limitations of blockchains

Even the most robust public blockchain efforts are often less efficient than the solutions they replace. But more importantly, they don’t make a process more secure by removing the need for trust, argues security guru Bruce Schneier, CTO of IBM Resilient.

Blockchain reduces the amount of trust we have to put in humans and requires that we trust computers, networks and applications that may be single points of failure. By contrast, a human-driven legal system has many potential points of failure and recovery. One can make the other more efficient, but there’s no reason to assume that simply shifting trust to machines, regardless of context or quality of execution, will make anything better, Schneier wrote.

Public-ledger verification methods can be applied to many aspects of identity and supply chain for IIoT/IoT networks, according to a 2018 report from Boston Consulting Group. Only 25% of the applications BCG identified had completed the proof-of-concept phase, however, and problems such as faked or plagiarized approvals identified in cryptocurrency cases, a lack of standards, performance issues and regulatory uncertainty all raised doubts about its usefulness as a way to manage basic security and authentication this early in the maturity of both the IIoT and blockchain.

“When we have blockchain worked out for supply chain, we’ll probably have the means to apply it to chips and IoT, but it probably doesn’t work the other way,” Chen said.

The overhead required for blockchain verifications of location or status data for thousands of devices is off-putting, and it’s much easier to identify hardware using a public/private key—especially if the private key is secured by a number identified in a physically unclonable function, Shebanow agreed. “Barring a lab attack, PUF via hardware implementation makes it nearly impossible to spoof an ID, whereas software is never 100% secure. It is virtually impossible to prove that a complex software system has no back door.”

The bottom line: Stick with root of trust, secure boot and build from there, until there’s an efficient blockchain template for IoT.
