The CSIRO and Google have partnered to help close crucial gaps in how Australia’s critical infrastructure operators find, understand, and fix vulnerabilities in their software supply chains. The partnership will assist critical infrastructure operators in meeting growing legislative obligations to prove the integrity and security of their software supply chains.
The partnership is part of Google’s Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience developing mission. Under the agreement, Google and CSIRO will develop tools and frameworks that help Australian critical infrastructure operators meet critical obligations around software supply chain security, including those in the amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy.
The tools and frameworks will focus on accurately identifying and fixing vulnerabilities in open-source software components that have become an increasingly important part of the digital transformation for Australia’s critical infrastructure, which includes everything from public utilities and hospitals to freight networks and groceries. To maximise the impact of this partnership, all project findings will be publicly available, allowing critical infrastructure sectors free and easy access.
“Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” said CSIRO Project Lead Dr Ejaz Ahmed. “This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO’s expertise.”
The partnership will see CSIRO work with the Google Open Source Security Team and Google Cloud to develop novel AI-powered tools for automated vulnerability scanners and data protocols that can quickly and precisely identify and assess the impact of open source vulnerabilities on Australian CI operators’ software supply chains.
The tools will use existing resources, including Google’s OSV database, for the most up-to-date intelligence on vulnerabilities. CSIRO’s applied research, including methods to test for responsible AI usage and tools for analysing software packages, will help to ensure reports and recommendations directly address the local regulatory and operating context of Australian operators.
Similarly, CSIRO and Google will collaborate on designing a secure framework that gives Australian critical infrastructure operators clear guidance on how to meet current requirements and a baseline for future ones. The framework will adapt and extend the Supply-chain Levels for Software Artifacts (SLSA) framework created by Google, with insight from CSIRO’s Australian industry practices, to define multiple levels of software supply chain maturity and steps to achieve each one.
Google Cloud will provide secure and scalable infrastructure and solutions, including machine learning, big data capabilities, and domain-specific large language models, to accelerate the partnership’s research and translate it into tools or as-a-service offerings for critical infrastructure operators.
“Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks,” said Stefan Avgoustakis, ANZ Security Practice Lead at Google Cloud.
“The tools and frameworks we’re developing will give Australia’s critical infrastructure operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research,” he added. “Making these resources openly available to critical infrastructure operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security.”
