This session is for organizations developing products that have deep complexity in their software supply chains: lots of assets, countless third-party suppliers, multiple eras of technology, and frequent M&As. Facing a barrage of new supply chain legislation in both Europe and North America, these organizations need to know what is in their products, their inherited DNA. A risky entity or component could potentially block sales and even entire markets. To illustrate the value of transparency, we scraped the Download/Support portals of multiple critical infrastructure industry OEMs and analyzed over 2 terabytes (2TB) of raw data. Much like the genetic testing analysis of 23andMe, we discovered a complex portrait of their suppliers, ownership, and end-of-life products. Our research revealed some surprising trends:

  • Products full of inherited subcomponents and added suppliers
  • Historically “dead” or M&A companies that can impose inherited risks
  • Incomplete knowledge of the subcomponents in products or deployed assets
  • Significant gaps between assumption and reality in a product’s assessment
  • Illicit sharing of OT software as a distribution system for malware

This presentation is vendor agnostic, aimed at all audiences, and gives attendees key takeaways on how we, as a community, can limit risk in our software supply chain DNA.
