
Software Supply Chain Attacks and the Need for Security

Introduces the importance of software supply chain security, recent threat trends, and the essential strategies for defending against them.

1. What Is a Software Supply Chain Attack?

A software supply chain attack is a cyberattack technique in which an attacker infiltrates the systems of a software developer or supplier, or the development process itself, to plant malicious code or exploit vulnerabilities.

Whereas traditional attacks directly target end users, supply chain attacks contaminate trusted software updates or development tools, thereby simultaneously infecting the many downstream companies and users that rely on them.

graph LR
    A[Attacker] -->|Infiltrate| B[Supplier Build Server]
    B -->|Inject Malware| C[Compromised Software Update]
    C -->|Distribute| D[Customer A]
    C -->|Distribute| E[Customer B]
    C -->|Distribute| F[Customer C]
    style B fill:#f9f,stroke:#333,stroke-width:2px
    style C fill:#f96,stroke:#333,stroke-width:2px

2. Notable Attack Cases

The major security incidents of recent years have impressed upon the entire world the importance of supply chain security.

The SolarWinds Incident (2020)

  • Overview: The build system of SolarWinds Orion, a network monitoring solution, was hacked, and a backdoor was planted in legitimate update files.
  • Impact: Some 18,000 organizations worldwide were affected, including U.S. government agencies and Fortune 500 companies.
  • Lesson: It demonstrated that even officially signed software from a trusted vendor may not be safe.

The Log4j Vulnerability (2021)

  • Overview: A critical vulnerability enabling remote code execution (RCE), known as Log4Shell, was discovered in Log4j, a Java-based logging library.
  • Impact: Hundreds of millions of devices and servers worldwide that use this library directly or indirectly were exposed to risk.
  • Lesson: It became a turning point that made organizations realize how important it is to understand which open source components their systems use, through an SBOM (Software Bill of Materials).

The 3CX Supply Chain Attack (2023)

  • Overview: The desktop app of the VoIP software 3CX was distributed while infected with a trojan.
  • Characteristics: The attackers first hacked the PC of a 3CX employee and then moved laterally into the development environment to tamper with the binaries.

3. Why Supply Chain Security?

Modern software development environments are built on top of complex, interwoven dependencies.

  1. Growing open source dependencies: 70-90% of modern application code consists of open source components.
  2. Ripple effect: When a single common component is compromised, the damage spreads worldwide.
  3. Difficulty of detection: Code that is compromised during the development and build stages can easily bypass traditional security checks (firewalls, antivirus, etc.).

Accordingly, SK Telecom has established and enforces SBOM adoption and a rigorous supply chain security policy in order to ensure transparency across the supply chain and to manage risk.

1 - Regulatory Trends

Examines the state of software supply chain security regulations that are being strengthened worldwide, such as U.S. EO 14028 and the EU CRA.

1. United States: Executive Order 14028 (EO 14028)

In May 2021, the Biden administration issued the “Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028).” This was a decisive turning point at which supply chain security began to be addressed at the level of national security in the aftermath of the SolarWinds incident.

Key Provisions

  • Mandatory SBOM submission: Companies that supply software to the federal government must submit an SBOM.
  • NIST guideline compliance: Companies must comply with the Secure Software Development Framework (SSDF) defined by NIST (the U.S. National Institute of Standards and Technology).
  • Minimum standards: The U.S. administration led standardization by defining the minimum elements of an SBOM (data fields, automation support, etc.).

2. European Union (EU): Cyber Resilience Act (CRA)

Through the Cyber Resilience Act (CRA), the EU has enacted into law security requirements spanning the entire lifecycle of digital products.

Key Provisions

  • CE marking certification: All products with digital elements can only be sold within the EU if they meet the cybersecurity requirements and bear the CE mark.
  • Defined security support period: Manufacturers must provide security updates throughout the expected product use period (up to 5 years).
  • Vulnerability reporting obligation: Critical vulnerabilities must be reported to ENISA (the European Union Agency for Cybersecurity) within 24 hours of discovery.
  • SBOM management: Manufacturers must identify and document (via an SBOM) the software components of their products.

3. South Korea: SW Supply Chain Security Guidelines

In step with the global trend, the South Korean government (the Ministry of Science and ICT, KISA, and the National Intelligence Service) has also released the “SW Supply Chain Security Guidelines” and is pursuing proof-of-concept initiatives.

Key Contents (based on v1.0)

  • Recommendation to adopt SBOM: It is recommended that an SBOM be generated and utilized when developing and delivering software in both the public and private sectors.
  • Definition of security activities by role:
    • Supplier (developer): Build a secure development environment, generate and provide an SBOM, and inspect for security vulnerabilities.
    • Consumer (operator): Require and verify the SBOM of delivered software, and continuously monitor for vulnerabilities.

SK Telecom’s Response

To proactively respond to these domestic and international regulatory trends, SK Telecom has established its own supply chain security policy and requires all partners to submit SBOMs that conform to global standards (SPDX, CycloneDX).

2 - SK Telecom Supply Chain Security Policy

Describes the supply chain security policy and principles that partners supplying software to SK Telecom must comply with.

NOTICE.

In accordance with internal security and document management policies, this document is a summary that excludes confidential content. Please note that it is written around high-level key points rather than the full content.


1. Purpose of the Policy

The purpose of this policy is to ensure the transparency of all software that SK Telecom adopts, and to identify and eliminate, in advance, the risks of known vulnerabilities and license violations.

2. Scope of Application

All suppliers that enter into a software supply contract with SK Telecom are subject to this policy.

3. Key Requirements

Suppliers must comply with the following three principles.

Principle 1: Mandatory SBOM Submission

  • For every software delivery, the supplier must submit an SBOM (Software Bill of Materials) corresponding to that version.
  • Accepted formats: CycloneDX (v1.3 or later) or SPDX (v2.2 or later)
  • Required information: supplier name, component name, version, dependency relationships, and Package URL (PURL)

Principle 2: Vulnerability Inspection and Remediation

  • Before delivery, the supplier must independently check for the latest security vulnerabilities (CVEs).
  • If Critical/High severity vulnerabilities are found, the supplier must patch them or apply mitigation measures before delivery.
  • If patching is not possible, the supplier must prove, through a “vulnerability justification statement,” that the vulnerability has no actual impact on the service.

Principle 3: Transparent Change Management

  • If the components of the software change during the contract period (updates, patches, etc.), the supplier must immediately submit an updated SBOM.
  • The supplier must warrant that it has complied with open source license obligations (notice obligations, source code disclosure obligations, etc.).
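As an added example (not SK Telecom's own tooling), the following Python checker tests a constructed CycloneDX SBOM and constructed scanner output against Principles 1 and 2 above: accepted format and spec version, the required per-component fields, the presence of dependency relationships, and Critical/High CVEs that are neither patched nor covered by a justification statement. SPDX parsing is omitted, the CVE identifier is a placeholder, and representing the justification statement as a set of (purl, CVE) pairs is an assumption.

```python
import json

MIN_SPEC = (1, 3)                                   # Principle 1: CycloneDX v1.3 or later
REQUIRED = ("supplier", "name", "version", "purl")  # Principle 1: per-component fields
BLOCKING = ("Critical", "High")                     # Principle 2: must be fixed or justified

# Constructed CycloneDX 1.4 document: one compliant component, one missing its supplier.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "app-core", "version": "2.1.0", "supplier": {"name": "Example Corp"},
         "purl": "pkg:maven/org.example/app-core@2.1.0"},
        {"name": "legacy-logger", "version": "1.0.0",
         "purl": "pkg:maven/org.example/legacy-logger@1.0.0"},
    ],
    "dependencies": [{"ref": "pkg:maven/org.example/app-core@2.1.0",
                      "dependsOn": ["pkg:maven/org.example/legacy-logger@1.0.0"]}],
})
# Constructed scanner output, purl -> [(CVE id, severity)]; the CVE id is a placeholder.
SAMPLE_SCAN = {"pkg:maven/org.example/legacy-logger@1.0.0": [("CVE-0000-00001", "Critical")]}

def check_submission(sbom_json, scan, justified):
    """Return policy findings for one delivery; an empty list means it passes.
    `justified` holds (purl, cve) pairs covered by a vulnerability justification statement."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        return ["Principle 1: not CycloneDX; SPDX input needs a separate parser"]
    findings = []
    spec = tuple(int(x) for x in bom.get("specVersion", "0.0").split("."))
    if spec < MIN_SPEC:
        findings.append(f"Principle 1: specVersion {bom['specVersion']} is older than 1.3")
    if not bom.get("dependencies"):
        findings.append("Principle 1: dependency relationships are missing")
    for comp in bom.get("components", []):
        name, purl = comp.get("name", "?"), comp.get("purl")
        missing = [f for f in REQUIRED if not comp.get(f)]
        if missing:
            findings.append(f"Principle 1: {name} lacks {', '.join(missing)}")
        for cve, severity in scan.get(purl, []):
            if severity in BLOCKING and (purl, cve) not in justified:
                findings.append(f"Principle 2: {name} ships with unremediated {severity} {cve}")
    return findings

if __name__ == "__main__":
    for finding in check_submission(SAMPLE_SBOM, SAMPLE_SCAN, set()):
        print(finding)
```

Feeding a real scanner's report into `scan` and the filed justification statements into `justified` turns this into a pre-delivery gate; the constructed sample yields one Principle 1 and one Principle 2 finding.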