Table of Contents
In today’s interconnected world, the risks associated with supply chain attacks have magnified, especially with incidents like the ones against IT giants SolarWinds and Kaseya. These incidents have exposed vulnerabilities and highlighted the cascading effects of such breaches on countless organizations globally.
Telecommunications companies, the backbone of our digital age, are entrusted with vast amounts of sensitive data. This makes them an enticing target for cyber adversaries ranging from nation-state actors with geopolitical motives to cybercriminals seeking financial gains.
A Single Breach Can Ripple Across the Ecosystem
The essence of supply chain attacks lies in their domino effect: breach one entity and the repercussions are felt across the board. Given their pivotal role in managing critical infrastructure, telecom companies can inadvertently become the epicenter of such attacks. A breach jeopardizes the telecom provider and endangers its expansive clientele, putting their data in the crosshairs.
Take the incident involving Optus, Singtel’s Australian mobile phone subsidiary. Attackers accessed the personal data of nearly 10 million customers, a staggering one-third of Australia’s populace. This breach wasn’t just about numbers; it involved sensitive data like passports, driver’s licenses, and government-issued medical IDs. Such incidents raise alarms about potential large-scale identity theft and tarnish the brand’s reputation, affecting its market standing.
The European Union Agency for Cybersecurity mapped emerging supply chain attacks and found that 66% of these attacks focus on the supplier’s code. This statistic underscores the importance of ensuring secure coding practices.
A Glimpse into the Underworld of Cyber Espionage
Cybereason’s decade-long vigilance has unearthed some of the most sophisticated cyber espionage campaigns targeting telecoms.
Operation SoftCell (2019 & 2023): This global campaign targeted Telcos across five continents, affecting hundreds of millions. The modus operandi involved extracting sensitive data from high-profile targets, including political figures and business leaders. The economic implications of such operations are astronomical, with losses estimated in billions annually.
Operation DeadRinger (2021): This operation targeted Telcos in Southeast Asia. The objective? Gain persistent access to Telecom networks and siphon off sensitive customer data. The perpetrators believed to be working for China, infiltrated servers containing Call Detail Record (CDR) data and other critical network components. The scale of data theft was monumental, and the repercussions on intellectual property and market competitiveness are immeasurable.
Singtel Supply Chain Attack (2021):
In February 2021, Singapore’s leading telco, Singtel, fell victim to a supply chain attack. The breach was attributed to a legacy file-sharing system that the company had been using. The attackers exploited vulnerabilities in the software, leading to a significant breach.
Hackers Target Pakistani Government and Telecom Provider (2023):
In July 2023, cyber attackers targeted the Pakistani government and its telecom providers. The researchers believe it might have been a supply-chain attack, where hackers compromised third-party software to gain unauthorized access.
Supply Chain Security for Telecom Operators
These types of cyber-attacks have increased the focus on supply chain vulnerabilities. The UK’s National Cyber Security Centre (NCSC) has even assessed the risk of disruptions or data compromises via vendor access to telco networks as “high.”
Given these threats, telecom companies need to be more proactive. They must demand greater transparency and security verification from their suppliers. The NCSC recommends a multi-faceted approach, emphasizing understanding risks, establishing control, routinely checking arrangements, and aiming for continuous improvement. Automation plays a crucial role in this strategy.
Managing software vulnerabilities is a comprehensive process encompassing the entire telco supply chain. This includes third-party IT and telecom software vendors and the telecom company’s own IT and telecom domains. Key areas of focus should be:
Open Source Software Vulnerabilities: With the increasing use of open source software by telecom vendors and telcos, it’s essential to use software composition analysis (SCA) tools. These tools scan open-source software packages, evaluate potential exposure risks from vulnerabilities, and ensure licensing compliance.
Third-Party Vendor Security Practices: Telcos traditionally require vendors to share their secure software development and life cycle (SDLC) policies. However, the rising cyber threats necessitate a more rigorous approach. Telcos should now demand independent audits and certifications to verify that vendors genuinely adhere to their stated SDLC policies.
Vetting Open Source Software: Beyond just analyzing open source software, it’s crucial to ensure that vetted packages are securely hosted in internal repositories. Developers should be mandated to download from these trusted repositories rather than sourcing open-source software independently.
Security in Development and Operations: As telcos migrate to agile development based on 5G microservices, security must be integrated throughout the development and operations process. This involves “shifting left” to address security early in the development phase and creating a feedback loop to inform development about network attacks.
In essence, supply chain security requires a collaborative approach, with security teams working closely with vendors, and development and operations teams. The goal is to balance rapid market deployment and minimizing business risks.
Unpacking the SBOM: The Cornerstone of Software Supply Chain Security
An SBOM, or Software Bill of Materials, is a foundational element of Software Supply Chain Security. It provides the transparency and insight needed to manage risks in today’s complex software ecosystems, ensuring that organizations can trust the software they use and deliver to their users.
An SBOM is a comprehensive list or inventory of all components, libraries, and modules used to construct a piece of software. It provides detailed information about each component, including its source, version, and associated licenses or dependencies. In the context of Software Supply Chain Security, the SBOM plays a pivotal role for several reasons:
Transparency: An SBOM provides complete visibility into the components that make up a software product. This transparency is crucial for understanding potential risks associated with third-party components, especially in complex software ecosystems where a single product might be built using numerous libraries and modules.
Vulnerability Management: With an SBOM, organizations can quickly determine if their software components have known vulnerabilities. This proactive approach allows for timely patching or mitigation, reducing the window of exposure and potential damage from exploits.
License Compliance: Beyond security, an SBOM helps organizations comply with the licensing terms of all software components they use. This is particularly important for open-source details with varied and sometimes complex licensing terms.
Supply Chain Integrity: In an era where software supply chain attacks are on the rise, an SBOM ensures that the components in the final product are exactly what they are supposed to be, helping to detect any unauthorized or malicious alterations.
Efficient Incident Response: In the event of a security breach or vulnerability disclosure, having an SBOM allows organizations to quickly assess their exposure and take appropriate action, be it patching, mitigation, or user notification.
Vendor Accountability: Organizations can demand an SBOM from their software suppliers, ensuring that vendors are transparent about the components they use. This can lead to higher security and quality standards across the software supply chain.
Risk Management: By understanding the components within their software, organizations can make informed decisions about risk acceptance, mitigation, or transfer. This is especially crucial when considering the use of third-party components that might come with unknown or unassessed risks.
Promotion of Secure Development Practices: As the adoption of SBOMs becomes more widespread, it can drive a broader industry shift towards secure software development practices. Developers and organizations will be more inclined to keep their components updated and choose actively maintained and deemed secure components.
Beyond Data: The Real Stakes
While data breaches are concerning, the real threat lies in intellectual property theft. Organizations pour millions into R&D to spearhead innovations. When this intellectual property is stolen, it erases their competitive edge and forces them to compete against their own innovations in the market.
Supply chain attacks are an IT concern and a strategic business risk. For Telecommunications providers, the stakes are even higher. Beyond the economic implications, there’s a looming threat of adversaries leveraging stolen data for more sinister purposes.
In Conclusion, telecommunications providers are at the forefront of this digital era, making them invaluable and vulnerable. Telco directors must recognize the magnitude of supply chain attacks and fortify their defenses. The future of their business and the safety of their customers depends on it.