1 Introduction to Cybersecurity, Regulations, and Standards for New and Emerging Blockchain Technologies

This article reviews the cybersecurity regulations and standards in existence in 2023, and derives conclusions on gaps in standards and regulations, and on how these gaps can impact individuals and companies in terms of financial and socio-economic impact. With the emergence of new layer-2 Blockchains such as Arbitrum and Optimism, and many new layer-2 solutions expected to emerge as leaders in Blockchain projects in 2023 (e.g., ZKSync, StarkNet, Sui and Layer Zero), we can expect this technology to dominate Web3 development. The collapse of many well-known Blockchain projects in 2022 (e.g., Terra Luna, FTX) and the recent depegging of the USD Coin (USDC) have exposed some major risks in Blockchain Technologies, even in Stablecoins.

Another major concern with the increasing number of Blockchain projects and the increased investment in these projects (despite the financial risks) is the cyber risk. In the past year, we have witnessed numerous cyber-attacks on Blockchain projects; some examples of cyber-attack breaches include:

  • Ronin network—$625 million.

  • Wormhole bridge—$325 million.

  • Nomad bridge—$190 Million.

  • Beanstalk farms—$182 million.

  • Wintermute—$162 million.

The review includes aspects related to technical attacks and non-technical attacks (e.g., social engineering, insider threats). Some of the biggest cyber threats to Blockchain Technologies in 2023 are insider threats, ransomware, and phishing/social engineering attacks. These threats can take different forms, and insider threats are not always malicious. Non-malicious examples include the use of default passwords, poor data hygiene, server misconfigurations, etc. For this kind of cyber threat, even the most secure cryptographic algorithm would not be very helpful, because the risk is not in the communication or in the device; the risk is in the implementation of cybersecurity for the blockchain system that is secured with cryptography.

1.1 Types of Cyber Attacks

Even the most secure Blockchain systems, with the strongest cryptography, are vulnerable to malicious attacks when cybersecurity is badly implemented. Poor implementation exposes organisations to phishing attacks [1] and social engineering attacks [2]. These are also very effective tools for hackers, especially if a privileged user gets phished and a hacker gains administrative access to critical systems.

Ransomware is another example of a cyber threat [3] to Blockchain Technologies, and has proven very effective for cyber attackers. We can expect ransomware to remain a heavily favoured tool for hackers, especially state-sponsored hackers like the Lazarus Group.

Such attacks are extremely difficult to detect, unless the attacker triggers the suspicious activity monitoring systems, or the phished user reports the event. While continuous training and cyber education is considered the best preventative measure [4], it is easy to fall for extremely well disguised social engineering attacks [5,6,7,8]. Hence, cybersecurity focus needs to be placed on the network, and on ‘employee education, training, and awareness’ [9]. While staff training and network security can help with avoiding some of the common vulnerabilities, organisations should develop and maintain plans for delivering critical services with a business resilience system integrated with artificial intelligence systems [10, 11], and anticipate that at some point a cyber-attack will create a system-wide disruption, as we have witnessed in Ukraine [12].

The article is structured with introduction, literature review, technical review, comparison, lessons learned, discussion, and conclusion sections.

2 Review

2.1 Literature Review

According to one recent study, Blockchain-based systems expose five major attack vectors, categorised as: ‘blockchain infrastructure, subsuming the P2P network, consensus mechanism, VM, and blockchain applications, including the application logic and wallets’ [13]. Another recent study found ‘that malleability attacks, 51% attacks, and wallet security attacks are the most common attacks’ on Blockchain projects [14]. Existing standards are used to attempt to assess the risk from these new technologies, including the ‘ISO 27001 and the General Data Protection Regulations’ [15].

Although Blockchain-based systems open new attack vectors, Blockchain Technologies are also considered for cybersecurity management; some examples include ‘to examine if a network has been compromised and to what extent’ [16], and to secure the Internet-of-Things (IoT) [17], including the Industrial Internet of Things (IIoT) [18]. One emerging study presents ‘blockchain-based solutions for the cybersecurity of the main smart city applications, namely smart healthcare, smart transportation, smart agriculture, supply chain management, smart grid, and smart homes’ [19]. Multiple research studies have been published recently conducting a systematic literature review and classification of blockchain for cybersecurity [20], or a comprehensive survey of blockchain-enabled cyber security [21]. However, major concerns remain on ‘several vulnerabilities associated with blockchain technology’ [22], with the same study reporting that some of the most frequent and common vulnerabilities on blockchain networks include:

  • 51% or majority attack (in PoW-based blockchains like bitcoin),

  • routine attack (double coin spent),

  • BC endpoint vulnerabilities,

  • attacks due to vulnerability in smart-contracts and their deployment,

  • transaction privacy leakage, and,

  • phishing attacks.

This study is focussed on identifying solutions from existing cybersecurity standards and regulations. The next section reviews technical reports on cybersecurity that can provide insights into the Blockchain security problem.

2.2 Review of Technical Reports on New Cybersecurity, Regulations, and Standards for New and Emerging Blockchain Technologies

To ensure coverage of the numerous technical publications on the topic of cyber risk, and to keep the volume of this review within a reasonable length, while eliminating potential bias, this section outlines how the technical papers are selected in this review.

  • First, Google scholar was used.

  • Second, the Web of Science Core Collection was searched.

  • Third, Scopus was used.

  • Finally, multiple repositories were searched for the inclusion of missing technical papers.

To ensure the state of the art is presented in the review, the search for literature includes only the most prominent records (selected by number of citations and quality of the publishing journal) and the most recent studies (records from 2021 onwards). Hence, the review and the results are influenced by the most cited records, published in top technical journals. The reputation of the journal publisher was strongly considered: only reputable publishers, e.g., Springer, IEEE, Elsevier.

2.3 The MiCA Crypto-Assets Regulation

The Markets in Crypto-Assets Regulation (MiCA) [23] is a new European Union (EU) legislation designed to regulate crypto-asset-related activities carried on in the EU. The EU Parliament Committee on Economic and Monetary Affairs (ECON) endorsed the approved text for the Markets in Crypto-assets regulation (MiCA) on the 10th of October 2022. In 2022, the collapse of multiple crypto projects (e.g., FTX, Alameda Research, Terra Luna) triggered the debate on regulating the crypto markets and how we can ensure a more diligent risk management, including the management of counter-party risk between crypto market participants and projects.

MiCA divides cryptocurrencies into four categories:

  1. Crypto assets that are rewarded for maintaining distributed ledger technology or validation of transactions (e.g., Bitcoin) seem like they will be exempted from MiCA, because layer one assets are seen as commodities of their systems.

  2. Utility tokens that are used for the exchange of goods and services seem like they will also be exempted from MiCA,

  3. Asset-referenced tokens (ART) are money market accounts known as stablecoins, and although they include real government-issued money (fiat money), they might also include treasury and other debt, and

  4. Electronic money tokens (e-money or EMT) are real government-issued money, pegged to the value of one type of fiat currency and used for payment processing (e.g., Wise, Revolut, Alipay, WeChat Pay).

MiCA provides:

  • important rules for the crypto industry,

  • market guidelines for crypto companies, requiring them to provide detailed information about their projects (e.g., if a crypto company is paying 10% yield, where are they getting that yield from),

  • a mandate for stablecoin issuers to maintain sufficient liquidity in the form of deposits to prevent crashes like Terra UST.

Regulations like MiCA might encourage big companies to get involved in crypto. The challenge for traders is that MiCA introduces a transaction value cap of 200 m euros per day for non-euro stablecoins, and most crypto traders trade USD, not Euro. In fact, nobody trades Euros on the crypto markets. The provisional MiCA bill has caused Circle (USDC) to create the Euro Coin (EUROC). In other words, EUROC is a coin designed in collaboration with the EU regulators, and USDT seems to be doing the same.

It also restricts how many tokens stablecoin issuers can issue if the tokens are not denominated in Euros or other EU currencies.

2.4 Review of the NIST Approach to Cyber Risk Assessment

The National Institute of Standards and Technology (NIST) Cybersecurity Framework, version 1.1 [24], is considered the most wide-ranging approach for identity management, and it contains a description of how to manage supply chain cybersecurity (e.g., it includes third party risk, Blockchain technologies, digital currencies, and other risk categories which are not covered by ENISA and/or ISO). Version 1.1 was created in close discussion with 1200 participants. This included annual workshops and open reviews, and the Framework remains a ‘living document’, with regular updates constantly integrated and published, often as ‘Special Publications’ (SP). Since Version 1.1 was created in 2018, there have been numerous SP documents.

According to NIST, some of the most common questions asked by practitioners are: ‘what is wrong with the way we have been doing’, and ‘why is the additional expense necessary’ [25]. The answer is that NIST Cybersecurity Framework ‘provides a common language, regardless of if you are a CEO, or you just walked into a company as a new employee, it’s something that you can feasibly grasp’. It offers the ‘ease of understanding, simplicity, in a very complex topic’. It helps ‘communicate risk in the way that everyone understands, from the server room to the board room’ [25].

The NIST cybersecurity framework is organised into five categories: (1) identify, (2) protect, (3) detect, (4) respond, (5) recover [25]. Version 1.1 includes provisions on supply chain cybersecurity (e.g., third parties and/or participants). The framework provides 108 subcategories, and informative references. Subcategories are outcome oriented, and often close ended (you can answer yes/no), and special attention has been placed on the verbs used, e.g., ‘suppliers and third-party partners/participants of information systems, components, and services, are identified, prioritised, and assessed, using the cyber supply chain risk assessment process’ [25]. The NIST Cybersecurity Framework is used by non-cyber experts to translate the meaning of documents like ISO/IEC 27001 into understandable information, e.g., from the function respond, into a category, then a subcategory, and finally into a technical objective. This transformative structure enables almost anyone to engage in the topic of cybersecurity. The NIST Cybersecurity Framework consists of a seven-step process, which can also be described as a gap analysis using the framework profiles:

  • Step 1: prioritise and scope—implementation tiers can be used to express varying risk tolerances,

  • Step 2: orient,

  • Step 3: create a current profile,

  • Step 4: conduct a risk assessment,

  • Step 5: create a target profile—used in conjunction with the implementation tiers, where the characteristic of the tier level should be reflected in the desired cybersecurity outcomes.

  • Step 6: determine, analyse and prioritise gaps,

  • Step 7: implementation action plan.

3 Comparison of Existing Cybersecurity Standards and Their Relevance to Blockchain Projects

This section includes a review and comparison of existing cybersecurity standards (including NIST, ENISA, and ISO 27001) with Blockchain standards (MiCA and CPMI-IOSCO) and derives new findings on the relevance of existing cybersecurity standards to Blockchain projects. The review starts with ISO, but focuses more on the NIST standards, as the NIST guidance is more comprehensive and most frequently updated in relation to Blockchain technologies and cybersecurity.

3.1 ISO Cybersecurity Standards

The ISO standards, on the other hand, are used by many organisations that seek compliance, and the main concerns with the ISO 27001 standard (according to Advisera [26]) are that:

  1. ISO 27001 is a management standard framework, not a security-specific standard.

  2. ISO 27001 provides a framework for the management of security within an organisation, but does not provide a ‘how to’ guide for implementing the security.

  3. Compliance or external certification to ISO 27001 does not mean you are secure. It means that you are managing security in line with the standard, and to the risk level you think is appropriate to the organisation.

  4. In conjunction with ISO 27002, it provides some guidance on the controls that we should consider. However, it does not provide detailed guidance for the organisation, the information that we handle, and the systems that we use.

  5. Security expertise is required both to implement an information security risk assessment and to define the required security controls.

While ISO standards are reviewed in this article, the value of ISO for Blockchain projects is currently limited, because Blockchain technologies are adapting and evolving at a pace that ISO cannot catch up with. ISO standards are well established and extremely detailed in areas where the risk is not changing from day to day. If we consider that during the writing of this article the Blockchain risks have already changed multiple times, it is hard to see how any standard that is based on a consensus of the entire international community would be able to catch up with the constantly evolving Blockchain risks. In this article, we review ISO in combination with NIST, and we also consider various lesser-known standards, e.g., MiCA, NVD, EUCS, ENISA.

3.2 NIST 800-53 and NIST CSF

NIST 800-53 [27] is a more comprehensive and more frequently updated cybersecurity standard than the ISO 27001 [28], but NIST Cybersecurity Framework (NIST CSF) [25] is commonly confused with the NIST 800-53. NIST 800-53 is a globally recognised security standard, while NIST CSF is the most used cybersecurity framework [29]. The NIST 800-53 and NIST CSF are used in the developed and developing countries e.g., Argentina, Brazil, Chile, Colombia, and Uruguay [30]. The NIST 800-53 and NIST CSF are adopted by some of the most critical sectors, such as oil and gas [31] and medical systems [32].

3.3 NIST Special Publications on Endpoint Security

The NIST Special Publication 800-128 [33] provides a guide concentrated on the implementation of the information system security aspects of configuration management, referred to as security-focussed configuration management (SecCM). This standard is directly relevant to Blockchain projects, because cryptographic security is not the main security concern for Blockchain projects in 2023, but the implementation of endpoint cybersecurity is a big concern.

3.4 NIST Special Publications on Cryptography

The NIST Cryptographic Standards and Guidelines Development Process (NISTIR 7977) describes the principles, processes and procedures that drive cryptographic standards and guidelines development efforts at the National Institute of Standards and Technology (NIST). Cryptography involves techniques for exchanging secure messages even in the presence of adversaries. NIST continues to lead public collaborations for developing modern cryptography, including:

Block ciphers [34], which encrypt data in block-sized chunks (rather than one bit at a time) and are useful in encrypting large amounts of data.

Cryptographic hash algorithms [35], which create short digests, or hashes, of the information being protected. These digests find use in many security applications including digital signatures, the development of which NIST also leads.

Key establishment [36], employed in public-key cryptography to establish the data protection keys used by the communicating parties.

Post-quantum cryptography [37], intended to be secure against both quantum and classical computers and deployable without drastic changes to existing communication protocols and networks.

Lightweight cryptography [38], which could be used in small devices such as Internet of Things devices and other resource-limited platforms that would be overtaxed by current cryptographic algorithms.

Privacy-enhancing cryptography [39], intended to allow research on private data without revealing aspects of the data that could be used to identify its owner.

Given the detail of these special publications, we can conclude that individual and isolated cryptographic issues have been addressed in terms of cybersecurity in 2023. Questions remain on how the new solutions of lightweight cryptography (cryptography for low-memory IoT devices) are compliant with the guidance on post-quantum cryptography. This needs to be considered by Blockchain projects operating on IoT devices (e.g., IoTA).

3.5 Cyber Risk in Blockchain Projects: Example of Lazarus and Suggestions on How to Protect Blockchain Projects from Cyber Campaigns from Groups like Lazarus

This section is a short discussion of the North Korea-based threat actor widely known as Lazarus. One of their recent campaigns infected networks with a malicious implant designed to compromise mobile telecommunications infrastructure (known as ‘MESSAGETAP’ [40]).

For a Blockchain organisation to be secure, we need to consider disabling unnecessary ports and services. Organisations need to implement strong Network Detection Systems (NDS) and Network Prevention Systems (NPS), and have in place account use policies, multi-factor authentication and password policies. An important note here is that cyber-attacks based on internal abuse of system features cannot be easily mitigated [41, 42].

The second point is detection: organisations need to trace system and network events, with a strong Network Intrusion Detection System that can: (a) monitor for process use of the network; (b) monitor authentication logs for systems and applications; (c) monitor for many failed authentication attempts across various accounts.

The third point is a matter of organisational preference, but as a minimum, organisations need to create and monitor a honeypot service on a common port that the organisation doesn’t use, for example. Blockchain organisations (e.g., Arbitrum, Optimism, ZKSync, StarkNet) should create honeypot accounts. User training is also an important preference, along with limiting credential overlap across accounts. Next-generation firewalls can detect indicators in RAM, perform real-time monitoring of incoming and outgoing network traffic, and detect unwanted tasks in operations, e.g., the Cisco Firepower™ Next-Generation Firewall (NGFW) [43].
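The two detection points above, monitoring authentication logs for many failed attempts across various accounts (point (c)) and watching honeypot accounts, can be implemented as a small log-monitoring check. The following is an added example written for this article, not code from any of the projects or products it names; the log format, the source addresses and the decoy account name `svc-backup-legacy` are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the article). It mixes
# normal logins with one source address failing against many different
# accounts in a short burst, followed by a login to a decoy (honeypot) account
# that no real user should ever use.
SAMPLE_LOG = """\
2023-03-01T09:00:01Z auth sshd[101] Accepted password for alice from 10.0.0.5
2023-03-01T09:00:05Z auth sshd[102] Failed password for bob from 203.0.113.9
2023-03-01T09:00:06Z auth sshd[103] Failed password for carol from 203.0.113.9
2023-03-01T09:00:07Z auth sshd[104] Failed password for dave from 203.0.113.9
2023-03-01T09:00:08Z auth sshd[105] Failed password for erin from 203.0.113.9
2023-03-01T09:00:09Z auth sshd[106] Failed password for frank from 203.0.113.9
2023-03-01T09:00:10Z auth sshd[107] Failed password for grace from 203.0.113.9
2023-03-01T09:01:00Z auth sshd[108] Failed password for alice from 10.0.0.5
2023-03-01T09:01:30Z auth sshd[109] Accepted password for alice from 10.0.0.5
2023-03-01T09:02:00Z auth sshd[110] Accepted password for svc-backup-legacy from 203.0.113.9
"""

# Assumed (constructed) line layout: timestamp, facility, process, result, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd\[\d+\] (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return one auth event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources whose failed logins hit at least `min_accounts` distinct
    accounts inside any `window`. A single user failing repeatedly (a typo, a
    lockout) is not flagged; many accounts from one source is the signal.
    Returns {source: max distinct accounts seen in one window}."""
    failed = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failed[ev["src"]].append(ev)
    flagged = {}
    for src, evs in failed.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[src] = best
    return flagged


def detect_honeypot(events, honeypot_accounts):
    """Any authentication event, failed or accepted, against a decoy account
    is worth an alert: legitimate users have no reason to touch it."""
    return [ev for ev in events if ev["user"] in honeypot_accounts]


def analyse(log_text, honeypot_accounts):
    events = parse_log(log_text)
    return {
        "spray": detect_spray(events),
        "honeypot": detect_honeypot(events, honeypot_accounts),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, {"svc-backup-legacy"})
    for src, n in report["spray"].items():
        print(f"ALERT spray: {src} failed against {n} distinct accounts")
    for ev in report["honeypot"]:
        print(f"ALERT honeypot: {ev['result']} login for {ev['user']} from {ev['src']}")
```

The thresholds (five accounts in five minutes) are illustrative; in practice they are tuned to the organisation's own baseline of failed logins.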

Main cybersecurity problems derived from the review (root risk causes):

  • Legacy systems

  • Default users and passwords

  • Reused accounts

  • No password policy

  • No monitoring of privileged accounts

Main recommendations derived from the review (to avoid cyber risk):

  • An organisation’s patch policy and enforcement of this policy on critical assets

  • Isolate the legacy systems

  • An organisation’s password and user policy that includes no default usernames, good password rotation, and not allowing users to reuse passwords in different environments

  • Use PAM, PUM or both to manage administrator and user accounts

  • Enforce active monitoring on critical assets

3.6 National Blockchain Cybersecurity Strategies

National efforts are made by governments around the world to increase national capacity to ‘…withstand threats to the security of their citizens and their digital resources’, and such ‘cybersecurity capacity-building initiatives entail a multidimensional range of actions to address problems, ranging from awareness-raising to technological innovations’ [44]. Cybersecurity capacity-building needs to be prioritised by national policymakers to address the global cybersecurity gaps, because ‘there are incremental differences in capacity that are tied to the wealth of nations’ [44]. This requires understanding cybersecurity behavioural habits, because ‘cybersecurity behaviours do not necessarily come naturally, and people need support and encouragement to develop and adopt them’ [45]. Habits are important factors in cybersecurity behaviours, and ‘efficacy and behavioural comprehensiveness predict cybersecurity behavioural habits’, ‘efficacy has a positive impact on behavioural comprehensiveness’ and ‘situational support has a positive influence on efficacy’ [45]. This means that cybersecurity behavioural habits can be formed by promoting the diversity of cybersecurity measures practiced and efficacy [45].

In the most recent EU cybersecurity strategy published in open access (from the Republic of Poland), the national cybersecurity system includes entities which cannot be subject to the provisions of the Strategy e.g., under Article 4 of the NCSA, the national cybersecurity system consists of: operators of essential services—digital service providers; CSIRT MON; CSIRT NASK; CSIRT GOV. Given such status of the ‘strategy’, it can have a direct impact on government administration authorities, but, given its legal status in relation to generally applicable law, its impact on other public authorities, entrepreneurs, and citizens is only indirect [46]. Building upon the argument from the previous paragraph, the strategy includes provisions for educational, informational, and training programmes in cybersecurity.

Bringing this into a banking perspective, one of the recent technical papers reviewed is related to applying the Framework for Improving Critical Infrastructure Cybersecurity, created by NIST, to a case study of a large Brazilian bank [47]. The technical paper concluded that the category of Security Continuous Monitoring controls is more important than the other cybersecurity categories. It also shows the importance of ‘applying the constructivist method for the management of cyber risks by unravelling a problem and providing a basis for decision making’. This is consistent with a recent Master’s thesis on ‘Banking and Cybersecurity Governance’. The thesis argues that ‘while the various cybersecurity frameworks are present for financial organisations to choose from, NIST is the current cybersecurity framework recommended’ and that ‘The research also found that there is no single cybersecurity framework that encompasses all the requirements needed for the technical infrastructure of financial service providers’ [48].

3.7 International Blockchain Cybersecurity Strategies

While some central banks still perceive cyber risk as a financial risk, the IMF has conducted a review of nine central bank cases and presented an argument that cyber risk is a non-financial risk [49]. Cyber risk is categorised as ‘fintech’ risk, and it is related to technological innovation. This view is supported by a review paper on the designs, problems, and prospects of the Central Bank Digital Currency (CBDC) in China [50]. Although most CBDC projects are still in the research and development stage, there are some projects that are in advanced stages, e.g., the digital renminbi (e-CNY) and the mobile phone-based money transfer service M-Pesa.

The Federal Reserve recently published a report [51] on the ‘Security Considerations for a Central Bank Digital Currency’, in which they present four key points:

  • Supporting a resilient payment system.

  • Building trust in a payment instrument.

  • Protecting end user asset and sensitive personal information, and

  • Preventing reputational harm to a Central Bank.

The report proposes a new framework for ‘General Risk Management Guidance’ called NIST Risk Management Framework (NIST RMF). In Table 1, we can see the basic characteristics of the new framework.

Table 1 NIST risk management framework (NIST RMF)

As with previous NIST frameworks, the approach is built upon existing standards, including the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 series, the principles of the Committee on Payments and Market Infrastructures and the International Organisation of Securities Commissions (CPMI-IOSCO), and the NIST-developed Cybersecurity Framework (NIST CSF), among other standards.

In Table 2, we can see examples of how CPMI-IOSCO principles are used.

Table 2 CPMI-IOSCO principles 2 and 17

While using the NIST approach was expected, the lack of detail in this report also confirms that the US is lagging behind some countries in terms of developing its own CBDC. It is possible that at the time of writing this report, IOSCO considered the US banking systems sufficiently advanced to integrate into Industry 4.0 and Web3, because the payment systems are already distributed and digitalised. Maybe IOSCO considered that the US banking systems simply do not need a digital currency, given the strength of their actual currencies.

However, the Federal Reserve is still considering the potential of CBDC and although they haven’t made any official decision at present, the Federal Reserve states on their main webpage that ‘a CBDC would be the safest digital asset available to the general public, with no associated credit or liquidity risk’ [52]. The point made here is that the Federal Reserve is currently considering CBDC and has funded and published in open access numerous reports on a USA CBDC [53]. If this was not the case, and if a USA CBDC was not a desired approach, this point would have been rather superficial, but since they are, and there is no working USA CBDC at present, then it becomes obvious that China—with its e-CNY, is leading the innovation in the field of CBDC research and development.

3.8 ENISA Cloud Security for Blockchain Projects

The ENISA Cloud security risk assessments discussed in the previous section seem focussed on a simplified version of the NIST CSF, and do not cover the cryptographic algorithms that NIST was originally designed to develop. Since Cloud security is predominantly about the security of data in transit or data in storage, ENISA should focus on advancing their risk assessment with a deeper understanding of the cryptographic algorithms. In the next section, we describe the most important algorithms that NIST includes in their guidance documents but that are not present in the ENISA guidance documents. These special publications need to be considered by ENISA when designing the new standards and regulations for Blockchain projects.

4 Lessons for Blockchain Projects from Existing EU Standards and Regulations on Cyber Risk and Risk Assessment

The new and emerging Blockchain projects are also addressing cloud risk, mostly by developing decentralised blockchain-based cloud solutions, but the innovation in the Blockchain cloud space is continuous and evolving. In current cloud solutions, private cloud is frequently used in centralised financial transactions for making resources available on demand, without moving to the public cloud. However, private cloud still requires third party services (e.g., encryption protocols, firewalls), but theoretically adds additional security because access is limited. Encryption and firewalls can still be exploited by adversaries, and this risk increases when adding third party services to managed private clouds (e.g., infrastructure-as-a-service or platform-as-a-service), which can be used as a gateway for cyber-attack. In short summary, the current cloud solutions can be categorised as:

  • Private cloud—more system control but less scalability.

  • Public cloud—less system control greater scalability.

  • Hybrid cloud—deployed on private, scaled on public on demand.

While Blockchain cloud solutions offer various alternatives to centralised clouds, existing cloud providers can still benefit from the incorporation of blockchain in cloud computing. Some examples include better data security, easy traceability, improved system interoperability, decentralisation, faster system discovery. AWS and many other cloud providers are already building Blockchain technologies in their cloud solutions.

However, in terms of cloud security, according to the European Union Agency for Cybersecurity (ENISA), organisations need to ask specific questions of the supply chain participants in a cloud infrastructure, and most of these are also relevant to Blockchain projects. In other words, Blockchain projects can learn from existing cyber risk assessment standards and regulations: even if not all aspects are directly relevant, some if not most will still be relevant. Here, we include a list of questions taken from existing EU standards and regulations on cloud cyber risk and risk assessment that can be used for risk assessing new and emerging Blockchain projects. Although the full list of questions is too long to include in this paper, some of these questions are included below as examples:

  • ‘Question 1: How do you check (and do they) for third party obligations already set out under the PRA SS and the EBA Guidelines on Outsourcing?’

  • ‘Question 2: Do you have any cloud exposure? If so, which cloud solution for financial transactions:

    • platform-as-a-service (CPaaS);

    • infrastructure-as-a-service (IaaS);

    • software-as-a-service (SaaS);

    • multi-cloud?’

  • ‘Question 3: What cloud solutions would be most beneficial for our future supply chains?

    • Storage

    • Data management

    • Reporting and analytics

    • Risk and regulatory: risk calculation, transaction surveillance, regulatory reporting (e.g., Solvency 2)’

  • ‘Question 4: Do you expect any changes in operations as a result of the new Digital Operational Resilience Act (DORA)?’

The conclusion we can draw from the format of these questions is that ENISA has worded the questions as open-ended, seeking information, rather than giving authoritative statements on how to review cyber risk from cloud computing. Although the intent of ENISA is to provide guidance on Cloud security for companies operating in the European Union (EU), this version of the document doesn’t seem to provide guidance, but rather seeks the information that is needed to develop the guidance.

4.1 EU Standards: EUCS—Cloud Services Scheme and Blockchain Technologies

In December 2020, the European Union Agency for Cybersecurity published a draft version of the EUCS candidate scheme [54] (European Cybersecurity Certification Scheme for Cloud Services), which investigates the certification of the cybersecurity of cloud services. This is a draft version to be used as the basis for an external review. The objective of the review is to validate the principles and general organisation of the proposed scheme, and to gather feedback on the proposed wording of the sections and annexes. In Table 3 we can see one of the many requirements listed in the emerging EU standard on cloud security. Table 2 presents a sample of the most recent framework from ENISA, and it shows the similarities in how risk categories are structured in accordance with NIST.

Table 3 One example of EU requirements—ENISA/EUCS

Earlier versions of the ENISA Cloud Computing Risk Assessment (from 2009) [55] can be seen in Tables 4 and 5.

Table 4 ENISA cloud computing risk assessment—estimation of risk levels based on ISO/IEC 27005:2008
Table 5 Example of the ENISA 35 questions on cloud risk—loss of governance and control

This is an in-depth and independent analysis that outlines some of the information security benefits and the key security risks of cloud computing, and it provides a set of practical recommendations. Certain organisations migrating to the cloud have made considerable investments in achieving certification, either for competitive advantage or to meet industry standards or regulatory requirements (e.g., PCI DSS).

One example of the approach ENISA recommends for cloud risk assessment [55] is a set of 35 questions based on vulnerability assessment. ENISA builds on the work of NIST, but it takes a different approach to quantifying cloud risk, as shown in the example presented in Table 5.

A more comprehensive and up-to-date approach to cyber risk assessment is to use the NIST vulnerability metrics, based on the National Vulnerability Database (see Sect. 4.2).

4.2 USA Standards: NVD CVSS/CVE Vulnerability Database

Cyber risk can be quantified using the NVD CVSS calculators [56]. Although this can seem a daunting task for a novice cybersecurity practitioner, the security community has produced a ‘Current CVSS Score Distribution for All Vulnerabilities’ (see CVE [57]), visualised in Table 6.

Table 6 Current CVSS Score distribution for all vulnerabilities

The database also offers search options by vendor, product, version and vulnerability. Accredited vendors can be recognised by their confidence in presenting the vulnerabilities of each of their products in open access; see the example of Cisco product vulnerabilities in Table 7.

Table 7 Vendor search: current CVSS Score distribution for all vulnerabilities—Cisco Systems

Vulnerabilities are scored according to the CVSS metrics (e.g., access complexity, authentication and impact), as shown in Table 8. For better visibility, this exercise can be repeated on any computer connected to the Internet, using the links provided in this text.

Table 8 Example of open access vulnerability scoring—Cisco

The CVE database contains a detailed list of over 170,000 known vulnerabilities, including 386 pages of security vulnerabilities with a CVSS score between 9 and 10 (see Table 9).

Table 9 Security vulnerabilities with CVSS score between 9 and 10

4.3 NIST Endpoint Security and Blockchain Technology

NIST defines an ‘Endpoint Protection Platform’ as: ‘Safeguards implemented through software to protect end-user machines such as workstations and laptops against attack (e.g., antivirus, antispyware, antimalware, personal firewalls, host-based intrusion detection and prevention systems, etc.).’ The main SP on endpoint protection is NIST SP 800-128, which argues that ‘secure configurations for a system are most often achieved through the application of secure configuration settings to the IT products (e.g., operating systems, databases, etc.) used to build the system.’ NIST SP 800-128 lists four main categories for implementing endpoint protection platforms: anti-malware, personal firewalls, host-based intrusion detection and prevention systems (IDPS), and restriction of the use of mobile code. The use of mobile code is discussed in more detail below.

NIST's general recommendation is to restrict the use of mobile code, so caution should be exercised in allowing ‘mobile code’ (e.g., ActiveX, Java and JavaScript) in Blockchain projects. An attacker can easily attach a script to a URL in a web page or email that, when clicked, will execute malicious code within the user's browser. The associated NIST SP 800-53 controls are SC-7, SC-18, SI-3 and SI-4.
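To make the mobile-code point concrete, the following is an added example, not code from the article or from NIST, of the check a web front end can apply to untrusted link targets so that a script-bearing URL of the kind described above is never emitted into a page. It assumes a Node.js runtime, whose global `URL` class implements the same WHATWG parsing rules browsers use; the base URL, the function names and the sample links are constructed for the example.

```javascript
// Added example, not code from the article or from NIST: an allowlist-based
// check for untrusted link targets, i.e. the SC-18 style restriction of mobile
// code applied at the point where a web application emits an href.
// Assumes Node.js, whose global URL implements the WHATWG parsing rules that
// browsers also use; the base URL is a placeholder for the example.

const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
const BASE_URL = 'https://example.invalid/'; // placeholder origin for resolving relative links

// The check many applications start with: a denylist on the raw string.
// It misses leading whitespace, tabs or newlines inside the scheme, and
// anything that is not literally "javascript:" (data:, vbscript:, ...).
function naiveIsSafeHref(href) {
  return !href.toLowerCase().startsWith('javascript:');
}

// Parser-based check: resolve the value the way the browser will, then allow
// only an explicit list of schemes. Anything that fails to parse is rejected.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(href, BASE_URL);
  } catch (err) {
    return false; // fail closed on unparsable input
  }
  return SAFE_PROTOCOLS.has(url.protocol);
}

// Returns the normalised absolute href to emit, or '#' when the input is rejected.
function sanitizeHref(href) {
  return isSafeHref(href) ? new URL(href, BASE_URL).href : '#';
}

// Constructed sample inputs of the kind an attacker places in a user-controlled link.
const SAMPLE_HREFS = [
  'https://example.invalid/page',
  '/relative/path?x=1',
  'mailto:security@example.invalid',
  'javascript:alert(document.cookie)',
  ' JavaScript:alert(1)',          // leading space and mixed case
  'java\tscript:alert(1)',         // tab inside the scheme; the URL parser strips it
  'data:text/html,<script>alert(1)</script>',
  'vbscript:MsgBox(1)',
];

// Side-by-side result of both checks for each sample.
function compareChecks(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => ({
    href,
    naive: naiveIsSafeHref(href),
    parsed: isSafeHref(href),
    emitted: sanitizeHref(href),
  }));
}

for (const row of compareChecks()) console.log(JSON.stringify(row));
```

The parser-based check is the one to ship; the naive check is kept only to show what it misses. The point is that the browser will strip the leading space and the embedded tab before it looks at the scheme, so any check that inspects the raw string is reasoning about a different value than the one the browser executes. Deciding on the parsed scheme against an allowlist removes that gap, and it also covers schemes (data:, vbscript:) that a denylist written for javascript: would never mention.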

5 Discussion on New and Emerging Technologies – IoT and Blockchain Metaverses

New technologies such as the internet-of-things (IoT) and Blockchain Metaverses are also affecting cyber and cloud security. For example, IoT devices have been used for Distributed Denial of Service (DDoS) attacks on cloud infrastructure. The increasing use of new IoT devices is creating types of cyber risk that are not yet fully understood by cybersecurity practitioners, mainly because of the speed at which these technologies develop. With traditional IT infrastructure, such as desktop computers, the communication protocols are fairly consistent and the operating systems are few in number (e.g., Windows, iOS, Linux). With IoT, there is a vast number of communication protocols (e.g., LoRa, ZigBee, 5G) and a vast number of different devices, each designed for a specific and difficult problem. Their main strengths are low cost, low computational power, low memory and low energy consumption, but these same characteristics also make IoT devices the most vulnerable of all IT systems: it is very challenging to secure a device that cannot run most antivirus programs. We can expect such solutions to emerge in the future, if only because of the rapid growth in the number of IoT devices added to networks.

The second major technological trend in 2023 is the Blockchain Metaverses. The term Metaverse originates from a 1992 science fiction novel by Neal Stephenson [58], but since then it has come to denote the future, immersive version of the Internet. The Metaverse concept relies on a coordinated integration of a specific set of new technologies, including the Cloud, IoT and Blockchains. Some of these technologies are regulated individually (e.g., the Cloud), and some are not regulated at all (e.g., cryptocurrencies).

Blockchain started with the emergence of Bitcoin in 2009, but at present (29th March 2023) there are over 23,099 crypto projects [59]. According to the same source, the total market cap was almost $2 trillion in January 2022, when the crypto market had over $100 billion in trading volume per day, traded on over 475 exchanges. These figures are confirmed (for January 2022) by a different source, which put the total market cap at over $2 trillion, the daily trading volume at over $100 billion, and the number of exchanges at over 587 [60]. Although the market cap has fallen since then, it remains significant ($853bn on 28th November 2022, and $1.1 trillion as of 29th March 2023) [60]. These new technologies have increased the cyber-attack surface, and there are currently almost no regulations or security guidance covering them. It feels as if the MiCA bill comes too late, because many of the issues it is designed to prevent have already happened; but at least it is coming in, and it will help prevent future crashes like that of Terra Luna.

6 Conclusion

While cybersecurity awareness is increasing, some of the main cyber risks remain. This review covers the newest security standards on cryptocurrencies, the internet-of-things and blockchain technologies, which have not previously been reviewed in combination with other cybersecurity standards. Organisations need to take action to prevent hackers from accessing their critical data and technologies. This review article focusses on multiple standards and regulations, using NIST and ISO 27001 for comparison. Newer standards, such as those from ENISA, are also discussed; although they are still in their infancy compared to NIST, their contributions should not be ignored. Some of the key findings from this review are:

  1. ENISA follows the NIST approach but provides a different perspective on how cyber risk should be assessed.

  2. ENISA seems to follow the non-technical design of the NIST standards, but the technical guidance of the NIST cryptographic algorithms is missing from the ENISA cyber risk assessment guidance documents.

  3. Future research is needed to understand the new risks from the increased adoption of new technologies (e.g., IoT and Blockchain).

  4. There are no current standards governing the use of Blockchains, whose value has grown to over a trillion dollars.

  5. Failure of one of the main stablecoins, such as USDT, USDC or BUSD, could trigger a domino effect in other stablecoins and spill over into a crypto winter for all Blockchains.

  6. The Federal Reserve has been slow to respond to the systemic risk created by stablecoins and cryptocurrencies.

  7. The continuous funding of new reports on CBDC has not resulted in any significant advance in the development of a US-regulated CBDC.

  8. The asset value (as of 28th November 2022) of USDT was $65bn, of USDC $44bn and of BUSD $22bn; these are just 3 of 21,872 cryptos, and these projects operate with almost no regulation from any government in the world.

    a. The current asset value (as of 29th March 2023) of USDT has changed to $79.5bn, of USDC to $33bn and of BUSD to $7bn.

    b. This change was caused by the depegging of USDC, which traded over 12% below the US dollar at the beginning of March 2023, following the collapse of Silicon Valley Bank (SVB).

    c. BUSD was partially affected by the collapse of SVB, but also by other factors; for example, on the day of writing, investors decided to ‘pull $1.6 billion from Binance after CFTC lawsuit’ [61].

  9. Financial regulators have ignored cryptocurrencies, but without regulation we can expect these assets to remain volatile, and many individuals will lose their savings.

  10. The crypto market is difficult for EU and US regional regulators to supervise, because many projects are based abroad and operate on the Internet. One of the key measures for success is to regulate the crypto exchanges that are allowed to operate in the region, rather than pushing the exchanges away into countries outside their jurisdiction.

  11. The EU is much further along than the US in regulating the crypto market and bringing it into the mainstream. MiCA is not perfect, but at least it is a framework and infrastructure to use as a guidance point.

  12. It looks like layer one coins will be exempted, in the EU at least.

This review of cybersecurity and cyber risks in 2022/23 has covered a variety of risks, starting from Cloud security, IoT security, cybersecurity risk assessment and governance, and Blockchain technologies, including cryptocurrencies. The overarching conclusion is that many cyber risks remain unregulated, including IoT and crypto. With this analysis, we can forecast that:

  A. DDoS attacks will continue in 2023 and beyond and become more sophisticated.

  B. Crypto markets are likely to cause significant loss of savings for individuals who invest in them.

These forecasts are not based on any specific risk factor that makes these new technologies more risky than other technologies. The main factor for the cyber risk from these two technologies is the lack of regulations, in the US, EU, UK, and globally.

6.1 Limitation of This Study

This study is based on a literature review and a case study of existing documents and secondary data. Many of the new and emerging regulations for Blockchain security are still in their infancy, and it is hard to assess their value without detailed guidance on cryptography, because Blockchain computing is simply a virtual computer operating on a virtual database, and the main risk is to the data. The remaining aspects of cybersecurity are relatively similar to the cyber risks that existed before Cloud computing (e.g., access management). It is also quite difficult to assess the individual risk of the various cryptos, because they do not disclose any data, not even how and where their funds are stored. Many of the 21,872 cryptos do not even have a white paper published on their projects. The value of this study is purely to present a snapshot in time, so that future researchers can refer to the known cyber risks of 2022/23, which remained ignored for far too long and have already triggered major losses for investors (e.g., the FTX collapse). It is worth mentioning that the number of cryptos and the market cap changed multiple times during the writing of this paper, and we can assume that the data will be very different by the time this paper is published and reaches its readers.