Key Takeaways:
Blockchain requires specialised security standards beyond traditional IT frameworks
Common Criteria (CC) provides a potential foundation, but may need adaptation for blockchain
Protection Profiles (PP) and Security Targets (ST) could guide security implementation
Startups face resource constraints while still needing robust security standards
BGIN is positioned to identify gaps and develop blockchain-specific security frameworks
The Security Framework Challenge
The BGIN Block #12 session in Tokyo addressed a critical question facing the blockchain ecosystem: How do we standardise security evaluation for a technology that's inherently decentralised and rapidly evolving?
"We've been discussing this need for seven years since 2018," noted the session presenter. "It's time to move from conversation to action on blockchain-specific security standards."
The blockchain ecosystem faces unique security challenges across multiple dimensions, from cryptographic implementations to operational considerations. While numerous security standards exist, none fully addresses the specific needs of blockchain applications and infrastructure.
The Security Dimensions of Blockchain
The session outlined six key security aspects that must be considered in blockchain systems:
Cryptography: ECDSA, SHA, and other algorithms and their implementations
Backbone Protocols: P2P networks, consensus mechanisms, marketplace infrastructure
Application Protocols: Privacy enhancements, secure transaction mechanisms
Application Logic: Smart contract languages and execution environments
Implementation: Software and hardware vulnerabilities
Operations: Key management, security audits, governance
While standards already cover many of these areas (NIST and ISO for cryptography, ISO/IEC 29128 for protocols, ISO/IEC 27000 for operations), the implementation layer, where software and hardware vulnerabilities surface, requires special attention in blockchain systems.
Common Criteria: A Foundation for Evaluation
The session introduced Common Criteria (CC), an international standard for IT product security evaluation, as a potential framework for blockchain security certification:
Recognised by over 25 countries including the US, Japan, and EU nations
Features seven Evaluation Assurance Levels (EAL 1-7), with higher levels requiring more rigorous verification
Provides design guidance, documentation standards, and development process evaluation
Two key components of Common Criteria were highlighted:
Protection Profiles (PP)
A PP defines security requirements for a category of products, such as:
Bitcoin wallets
Hardware security modules (HSMs)
Smart contract platforms
Security Targets (ST)
An ST provides detailed specifications for a specific product, defining:
The Target of Evaluation (TOE)
Security functional requirements
Implementation details
The Certification Conundrum
Participants debated whether blockchain needs its own certification program or could adapt existing frameworks:
"Common Criteria certification is thorough but heavyweight," noted one participant. "A typical certification costs hundreds of thousands of dollars and takes 9-12 months, potentially prohibitive for startups."
This sparked a broader discussion about balancing security rigor with practical considerations:
For Startups: Using PPs as self-assessment checklists rather than pursuing full certification
For Established Companies: Formal certification providing market differentiation and trust
For the Ecosystem: Tiered approaches that scale with organisation size and risk profile
BGIN's Potential Role
The discussion clarified that BGIN's role should not be creating a new certification program or testing lab, but rather:
Identifying gaps in existing frameworks for blockchain security
Developing industry-specific Protection Profiles and Security Targets
Creating standards that other entities (auditors, certification bodies) can verify
"It's about creating the standards, not enforcing them," emphasised one participant. "We need to define what good looks like in blockchain security implementation."
Alternative Models Considered
The session explored alternatives to the Common Criteria approach:
SOC 2 Model: BGIN sets standards, and independent auditors verify compliance
CCSS Approach: Similar to C4's Cryptocurrency Security Standard, which focuses on key management but could expand to other areas
GBA Framework: Government Blockchain Association's maturity model for blockchain products
Tailored Frameworks: Lighter-weight standards that balance security needs with implementation costs
Market Drivers and Stakeholder Benefits
For any security standard to gain traction, it must provide clear value to stakeholders:
Who Benefits?
Insurers: Reduced risk assessment costs, more accurate premium pricing
Investors: Enhanced due diligence for funding decisions
Regulators: Frameworks for compliance verification
Consumers: Confidence in platform/wallet security
Value Proposition
Market Differentiation: "Our wallet is certified secure"
Reduced Incidents: Fewer hacks and exploits
Systematic Approach: Replacing ad-hoc security with methodical processes
"Certification must be self-funding and value-driven," noted a participant. "If there's no market advantage, adoption will falter."
Unique Blockchain Considerations
The discussion highlighted several aspects that make blockchain security certification unique:
On-Chain Verification: Potential for storing certification status on-chain for global accessibility
Decentralised Governance: Standards that work for both centralised entities and decentralised protocols
Rapid Evolution: Frameworks flexible enough to adapt to technological changes
Cross-Border Application: Standards relevant across jurisdictional boundaries
"An on-chain registry of certified entities could be a powerful differentiator," suggested one participant. "It aligns with blockchain's transparency ethos and provides global access to certification status."
The Gap Analysis Approach
The session concluded with consensus around a gap analysis approach:
Map Existing Standards: Identify what's already covered by CCSS, ISO, NIST, etc.
Prioritise Use Cases: Focus on high-risk, high-value blockchain applications first
Develop Prototypes: Create example PPs for common blockchain components
Test with Stakeholders: Ensure standards meet real-world needs
"We need to understand where current standards fall short before creating new ones," summarised one participant. "The goal is to fill gaps, not duplicate efforts."
Looking Forward
The discussion revealed strong interest in developing blockchain-specific security standards, with several next steps identified:
Research existing standards and their applicability to blockchain
Create a matrix mapping security aspects against management considerations
Identify volunteers to drive specific aspects of the standards development
Continue discussions in the cybersecurity working group
As one participant noted: "Security is only as strong as its weakest link. We need comprehensive standards that address the full spectrum of blockchain security, from cryptography to operations."
Get Involved
The BGIN cybersecurity working group welcomes participants interested in developing security standards for blockchain. Whether you have expertise in security evaluation, blockchain implementation, or standards development, your input is valuable.
This blog post is based on discussions from BGIN Block #12, Tokyo, Japan, March 3, 2025.