About Session
Technical Level: Slightly Advanced
This session is for organizations developing products that have deep complexity in their software supply chains — lots of assets, countless 3rd-party suppliers, multiple eras of technology, and frequent M&As. Facing a barrage of new supply chain legislation both in Europe and North America, these organizations need to know what is in their products — its inherited DNA. A risky entity or component could potentially block sales and even entire markets. To illustrate the value of transparency, we scraped the Download/Support portals of multiple critical infrastructure industry OEMS and analyzed over 2 terabytes (2TB) of raw data. Much like the genetic testing analysis of 23andMe, we discovered a complex portrait of their suppliers, ownership, and end-of-life products. Our research revealed some surprising trends:
- • Products full of inherited subcomponents and added suppliers
- • Historically “dead” or M&A companies that can impose inherited risks
- • Incomplete knowledge of the subcomponents in products or deployed assets
- • Significant gaps between assumption and reality in a product’s assessment
- • Illicit sharing of OT software as a distribution system for malware
This presentation is vendor agnostic, focused on all audiences, and provides attendees key takeaways on how we, as a community, can limit risk in our software supply chain DNA.