CSIRO, Google cement CI software security research collaboration


CSIRO and Google have secured their second partnership in a matter of weeks, this time linking up to improve the security of the software powering Australia’s critical infrastructure (CI).

As part of Google’s Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience mission (currently in development), the research collaboration seeks to develop resources and frameworks that help Australia’s CI operators identify, understand and resolve weaknesses in their software supply chains that may be more susceptible to cyber attacks.

The research intends to assist CI operators to meet their obligations contained in the amended Security of Critical Infrastructure (SOCI) Act and Australia’s Cyber Security Strategy.

The research-informed frameworks, which will be made publicly available once completed, will focus on vulnerabilities, particularly within open source software, that plays a key part in the digital transformation of Australia’s CI, including public utilities, hospitals, freight networks and groceries.

“Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” CSIRO’s Project Lead, Dr Ejaz Ahmed, said.

“This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO’s expertise.”

CSIRO and the Google Open Source Security Team (GOSST) will leverage Google Cloud capabilities to develop artificial intelligence (AI)-powered tools, such as automated vulnerability scanners and other data-processing pipelines, that can quickly and easily investigate the impact of open source vulnerabilities on software supply chains.

CSIRO and Google will also work together to develop a consolidated framework that will guide Australian CI operators on how to meet their current and future requirements, extending the Supply-chain Levels for Software Artifacts (SLSA) framework created by Google with CSIRO’s knowledge of industry practices.

“Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks,” Stefan Avgoustakis, Security Practice Lead, Google Cloud, Australia & New Zealand, said.

“The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research.

“Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security.”