Key Takeaways:

• Blockchain requires specialised security standards beyond traditional IT frameworks

• Common Criteria (CC) provides a potential foundation, but may need adaptation for blockchain

• Protection Profiles (PP) and Security Targets (ST) could guide security implementation

• Startups face resource constraints while still needing robust security standards

• BGIN is positioned to identify gaps and develop blockchain-specific security frameworks

The Security Framework Challenge

The BGIN Block #12 session in Tokyo addressed a critical question facing the blockchain ecosystem: How do we standardise security evaluation for a technology that's inherently decentralised and rapidly evolving?

"We've been discussing this need for seven years since 2018," noted the session presenter. "It's time to move from conversation to action on blockchain-specific security standards."

The blockchain ecosystem faces unique security challenges across multiple dimensions, from cryptographic implementations to operational considerations. While numerous security standards exist, none fully addresses the specific needs of blockchain applications and infrastructure.

The Security Dimensions of Blockchain

The session outlined six key security aspects that must be considered in blockchain systems:

1. Cryptography: ECDSA, SHA, and other algorithms and their implementations

2. Backbone Protocols: P2P networks, consensus mechanisms, marketplace infrastructure

3. Application Protocols: Privacy enhancements, secure transaction mechanisms

4. Application Logic: Smart contract languages and execution environments

5. Implementation: Software and hardware vulnerabilities

6. Operations: Key management, security audits, governance

While standards exist for many of these areas—NIST and ISO for cryptography, ISO/IEC 29128 for protocols, ISO/IEC 27000 for operations—implementation security requires special attention for blockchain.

Common Criteria: A Foundation for Evaluation

The session introduced Common Criteria (CC), an international standard for IT product security evaluation, as a potential framework for blockchain security certification:

• Recognised by over 25 countries including the US, Japan, and EU nations

• Features seven Evaluation Assurance Levels (EAL 1-7), with higher levels requiring more rigorous verification

• Provides design guidance, documentation standards, and development process evaluation

Two key components of Common Criteria were highlighted:

Protection Profiles (PP)

A PP defines security requirements for a category of products, such as:

• Bitcoin wallets

• Hardware security modules (HSMs)

• Smart contract platforms

Security Targets (ST)

An ST provides detailed specifications for a specific product, defining:

• The Target of Evaluation (TOE)

• Security functional requirements

• Implementation details

The Certification Conundrum

Participants debated whether blockchain needs its own certification program or could adapt existing frameworks:

"Common Criteria certification is thorough but heavyweight," noted one participant. "A typical certification costs hundreds of thousands of dollars and takes 9-12 months, potentially prohibitive for startups."

This sparked a broader discussion about balancing security rigor with practical considerations:

• For Startups: Using PPs as self-assessment checklists rather than pursuing full certification

• For Established Companies: Formal certification providing market differentiation and trust

• For the Ecosystem: Tiered approaches that scale with organisation size and risk profile

BGIN's Potential Role

The discussion clarified that BGIN's role should not be creating a new certification program or testing lab, but rather:

1. Identifying gaps in existing frameworks for blockchain security

2. Developing industry-specific Protection Profiles and Security Targets

3. Creating standards that other entities (auditors, certification bodies) can verify

"It's about creating the standards, not enforcing them," emphasized one participant. "We need to define what good looks like in blockchain security implementation."

Alternative Models Considered

The session explored alternatives to the Common Criteria approach:

• SOC 2 Model: BGIN sets standards, and independent auditors verify compliance

• CCSS Approach: Similar to C4's Cryptocurrency Security Standard, which focuses on key management but could expand to other areas

• GBA Framework: Government Blockchain Association's maturity model for blockchain products

• Tailored Frameworks: Lighter-weight standards that balance security needs with implementation costs

Market Drivers and Stakeholder Benefits

For any security standard to gain traction, it must provide clear value to stakeholders:

Who Benefits?

• Insurers: Reduced risk assessment costs, more accurate premium pricing

• Investors: Enhanced due diligence for funding decisions

• Regulators: Frameworks for compliance verification

• Consumers: Confidence in platform/wallet security

Value Proposition

• Market Differentiation: "Our wallet is certified secure"

• Reduced Incidents: Fewer hacks and exploits

• Systematic Approach: Replacing ad-hoc security with methodical processes

"Certification must be self-funding and value-driven," noted a participant. "If there's no market advantage, adoption will falter."

Unique Blockchain Considerations

The discussion highlighted several aspects that make blockchain security certification unique:

• On-Chain Verification: Potential for storing certification status on-chain for global accessibility

• Decentralised Governance: Standards that work for both centralised entities and decentralised protocols

• Rapid Evolution: Frameworks flexible enough to adapt to technological changes

• Cross-Border Application: Standards relevant across jurisdictional boundaries

"An on-chain registry of certified entities could be a powerful differentiator," suggested one participant. "It aligns with blockchain's transparency ethos and provides global access to certification status."

The Gap Analysis Approach

The session concluded with consensus around a gap analysis approach:

1. Map Existing Standards: Identify what's already covered by CCSS, ISO, NIST, etc.

2. Prioritise Use Cases: Focus on high-risk, high-value blockchain applications first

3. Develop Prototypes: Create example PPs for common blockchain components

4. Test with Stakeholders: Ensure standards meet real-world needs

"We need to understand where current standards fall short before creating new ones," summarised one participant. "The goal is to fill gaps, not duplicate efforts."

Looking Forward

The discussion revealed strong interest in developing blockchain-specific security standards, with several next steps identified:

• Research existing standards and their applicability to blockchain

• Create a matrix mapping security aspects against management considerations

• Identify volunteers to drive specific aspects of the standards development

• Continue discussions in the cybersecurity working group

As one participant noted: "Security is only as strong as its weakest link. We need comprehensive standards that address the full spectrum of blockchain security, from cryptography to operations."

Get Involved

The BGIN cybersecurity working group welcomes participants interested in developing security standards for blockchain. Whether you have expertise in security evaluation, blockchain implementation, or standards development, your input is valuable.

This blog post is based on discussions from BGIN Block #12, Tokyo, Japan, March 3, 2025.

For more information about BGIN and upcoming events, visit BGIN.

Join the conversation on our forum & Working Group Calls.