CSIRO and Google have announced a research partnership aimed at bolstering the security of Australia’s critical infrastructure by addressing vulnerabilities in software supply chains.
The partnership seeks to support critical infrastructure operators in meeting new legislative requirements that mandate the integrity and security of their software supply chains. It will focus on developing tools and frameworks that aid in identifying and rectifying vulnerabilities in open source software components, which have become increasingly integral to Australia’s critical infrastructure. This includes sectors such as public utilities, hospitals, freight networks, and groceries.
All project findings will be made publicly available, ensuring free and easy access for critical infrastructure sectors. “Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” said CSIRO’s Project Lead, Dr. Ejaz Ahmed. “This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO’s expertise.”
As part of Google’s Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience mission, the collaboration aims to create new technologies that enhance software security within the scope of Australia’s Cyber Security Strategy. The partnership will involve working with Google’s Open Source Security Team (GOSST) and Google Cloud to develop AI-powered tools, including automated vulnerability scanners and data protocols, that can swiftly and accurately identify vulnerabilities in Australian critical infrastructure operators’ software supply chains.
The tools will leverage existing resources, including Google’s OSV database, which provides up-to-date vulnerability intelligence. CSIRO’s applied research, including responsible AI usage and software package analysis tools, will ensure that recommendations directly address the local regulatory and operational context of Australian operators.
Additionally, the partnership will focus on designing a secure framework that offers clear guidance to Australian critical infrastructure operators about current and future security requirements. This framework will adapt and extend Google’s Supply-chain Levels for Software Artifacts (SLSA) framework, incorporating insights from CSIRO’s understanding of Australian industry practices. The framework will define multiple levels of software supply chain maturity and outline steps to achieve each level.
Google Cloud’s infrastructure and solutions will play a pivotal role in this partnership, providing secure and scalable resources, including machine learning and Big Data capabilities, as well as domain-specific large language models. These resources will expedite the research process and aid in translating findings into usable tools or as-a-service offerings for critical infrastructure operators.
“Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks,” noted Stefan Avgoustakis, Security Practice Lead for Google Cloud in Australia and New Zealand.
“The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research.”
“Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security.”