CSIRO, Australia’s national science agency, has joined forces with Google in a new research partnership aimed at enhancing the security of the nation’s critical infrastructure (CI) software supply chains.
The collaboration is part of Google’s Digital Future Initiative and CSIRO’s mission to protect and strengthen Australia’s critical infrastructure resilience.
The partnership will focus on developing advanced tools and frameworks to assist CI operators in identifying, understanding, and addressing vulnerabilities within their software supply chains.
This effort is particularly significant in light of the amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy, which impose stringent obligations on CI operators.
A key aspect of this initiative will be improving the security of open-source software components, which are increasingly integral to the digital transformation of critical infrastructure sectors like public utilities, healthcare, freight networks, and grocery supply chains.
To ensure broad access and impact, all findings from this project will be made publicly available, enabling critical infrastructure sectors across Australia to benefit from the research.
CSIRO’s Project Lead, Dr Ejaz Ahmed, says the creation of new and homegrown technologies will enhance the security of software used in Australian critical infrastructure.
“Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” Dr Ahmed said.
“This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO’s expertise.”
Partnership will see CSIRO work with the Google Open Source Security Team
The partnership will see CSIRO work with the Google Open Source Security Team (GOSST) and Google Cloud to develop novel AI-powered tools, including automated vulnerability scanners and data protocols, that can quickly and precisely identify open source vulnerabilities and assess their impact on Australian CI operators’ software supply chains.
The tools will tap into existing resources, including Google’s OSV database, for the most up-to-date intelligence on vulnerabilities.
CSIRO’s applied research, including methods to test for responsible AI usage and tools for analysing software packages, will help to ensure reports and recommendations directly address the local regulatory and operating context of Australian operators.
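The article describes scanners that match an operator’s software inventory against OSV vulnerability intelligence. The following is an added illustration, not code from CSIRO, GOSST or Google, of the core matching step: walking OSV-format "affected" ranges (the introduced/fixed event list the OSV schema uses) for each dependency, reporting which records apply and the first version that fixes them. The two advisory records, their IDs and the package names are constructed for this example; the `build_osv_query` helper only assembles the JSON body that the public OSV query endpoint accepts, it does not perform the network call. Version comparison assumes plain numeric dotted versions, which is an assumption of this example rather than a property of OSV.

```python
"""Match a dependency inventory against OSV-format advisories (added example)."""
import json

# Constructed OSV-style records. The IDs are placeholders, not real advisories.
SAMPLE_OSV_RECORDS = json.loads("""
[
  {
    "id": "OSV-EXAMPLE-0001",
    "summary": "Constructed example: path traversal in archive extraction",
    "affected": [
      {"package": {"ecosystem": "PyPI", "name": "example-archiver"},
       "ranges": [{"type": "ECOSYSTEM",
                   "events": [{"introduced": "0"}, {"fixed": "2.4.1"}]}]}
    ]
  },
  {
    "id": "OSV-EXAMPLE-0002",
    "summary": "Constructed example: flaw fixed in 1.5.0, reintroduced in 3.0.0",
    "affected": [
      {"package": {"ecosystem": "PyPI", "name": "example-parser"},
       "ranges": [{"type": "ECOSYSTEM",
                   "events": [{"introduced": "1.0.0"}, {"fixed": "1.5.0"},
                              {"introduced": "3.0.0"}, {"fixed": "3.0.2"}]}]}
    ]
  }
]
""")

# Constructed inventory: (ecosystem, package name, installed version).
SAMPLE_INVENTORY = [
    ("PyPI", "example-archiver", "2.3.0"),  # before the fix
    ("PyPI", "example-archiver", "2.4.1"),  # exactly the fixed version
    ("PyPI", "example-parser", "2.0.0"),    # between the two affected windows
    ("PyPI", "example-parser", "3.0.1"),    # inside the reintroduced window
]


def parse_version(text):
    """Assumption of this example: numeric dotted versions only ("2.4.1").
    OSV uses "0" as the sentinel for 'from the first version'."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, events):
    """Replay OSV range events in order: each 'introduced' at or below the
    version opens an affected window, each later 'fixed' at or below it
    closes the window, and 'last_affected' closes it exclusively."""
    v = parse_version(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > parse_version(event["last_affected"]):
            affected = False
    return affected


def next_fix(version, events):
    """Smallest 'fixed' version above the installed one, or None."""
    v = parse_version(version)
    for fixed in sorted(parse_version(e["fixed"]) for e in events if "fixed" in e):
        if fixed > v:
            return ".".join(str(n) for n in fixed)
    return None


def match_inventory(inventory, records):
    """Return one finding per (dependency, advisory) pair that applies."""
    findings = []
    for ecosystem, name, version in inventory:
        for record in records:
            for affected in record.get("affected", []):
                pkg = affected.get("package", {})
                if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                    continue
                ranges = [r for r in affected.get("ranges", [])
                          if r.get("type") in ("ECOSYSTEM", "SEMVER")]
                hit = version in affected.get("versions", []) or any(
                    is_affected(version, r["events"]) for r in ranges)
                if hit:
                    fixes = [next_fix(version, r["events"]) for r in ranges]
                    findings.append({
                        "package": f"{ecosystem}:{name}@{version}",
                        "id": record["id"],
                        "summary": record.get("summary", ""),
                        "fixed_in": next((f for f in fixes if f), None),
                    })
    return findings


def build_osv_query(ecosystem, name, version):
    """Request body for the public OSV query API (POST https://api.osv.dev/v1/query).
    Sending it is left to the caller so this example runs offline."""
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


if __name__ == "__main__":
    for finding in match_inventory(SAMPLE_INVENTORY, SAMPLE_OSV_RECORDS):
        print(json.dumps(finding))
```

Replaying the event list in order is what makes the second record work: a naive "any introduced below me and no fixed above me" check would wrongly flag `example-parser` 2.0.0, which sits between two separate affected windows.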
Designing a secure framework
Similarly, CSIRO and Google will collaborate on designing a secure framework that gives Australian CI operators clear guidance on how to meet current requirements and a baseline for future ones.
The framework will also adapt and extend the Supply-chain Levels for Software Artifacts (SLSA) framework created by Google, with insight from CSIRO’s Australian industry practices, to define multiple levels of software supply chain maturity as well as steps to achieve each one.
Google Cloud will provide secure and scalable infrastructure and solutions, including machine learning and big data capabilities as well as domain-specific large language models, to accelerate the partnership’s research and translate it into tools or as-a-service offerings for CI operators.
“Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks,” said Stefan Avgoustakis, Security Practice Lead, Google Cloud, Australia & New Zealand.
“The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research.”
“Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security.”
Recent research from BlackBerry shows that 75% of software supply chains have faced cyberattacks in the past year. When compared to a similar study from 2022, the findings highlight both advancements and ongoing challenges in securing these critical systems.
The survey also found that while 78% of companies track the impact of supply chain attacks, only 65% inform their customers about these incidents.
The partnership between CSIRO and Google represents a significant step forward in safeguarding Australia’s critical infrastructure against the growing risks associated with vulnerable software components. By leveraging the expertise and resources of both organisations
Earlier this year Google and the CSIRO also came together to collaborate with X (not the social network formerly known as Twitter) on a new project called Tapestry, to upgrade Australia’s shift to renewables.
“We’re sitting on a goldmine of renewable energy,” CSIRO’s smart energy lead Dr Stephen Craig said. “Yet much of it is unused due to our inability to harness it effectively.”