CSIRO and Google are embarking on a new research partnership to tackle vulnerabilities in Australia’s critical infrastructure operators’ supply chains.
Digital transformation continues to reshape every corner of Australia’s critical infrastructure (CI), from utilities and hospitals to roads and railway systems. As part of this shift, many systems have become reliant on open source software, which introduces significant security challenges.
In August 2024, CSIRO and Google announced a new collaboration focused on helping Australian CI operators meet critical obligations around software supply chain security, including those in the amended Security of Critical Infrastructure (SOCI) Act and the 2023–2030 Australian Cyber Security Strategy.
The partnership forms part of Google’s Digital Future Initiative and CSIRO’s Critical Infrastructure Protection and Resilience mission. Launched in 2021, Google’s Digital Future Initiative is a $1 billion investment in Australian infrastructure, research and partnerships to build a stronger digital future for Australia.
Google Cloud Security Practice Lead, Stefan Avgoustakis, said that, given their shared focus, partnering with CSIRO was an obvious fit.
“As a company, Google has always been very focused on open source software. It’s built into our DNA.
“What we see more and more is that open source software is pervasive across all sectors, and we’re really looking at how we can support that. How can we secure that supply chain of software into those organisations?
“We’re seeing a lot of activity around critical infrastructure operators needing to meet critical obligations around software and supply chain security.”
CSIRO Project Lead, Dr Ejaz Ahmed, said vulnerabilities related to open source software are a major problem currently facing Australia’s CI operators.
“Open source software has many vulnerabilities that can be exploited,” Dr Ahmed said.
“This presents a bigger challenge for how we can use existing data on those vulnerabilities to strengthen the security of CI to ensure operational and control environments do not contain any open source vulnerabilities.”
Emerging risks
While open source is transforming the way companies build and deploy technology, it also introduces new cybersecurity challenges.
“As open source software becomes more pervasive, there’s this cascading effect where potential vulnerabilities become increasingly important,” Mr Avgoustakis said.
Exploitation of vulnerabilities in CI can have dangerous consequences. For example, if attackers were to exploit rail signalling systems, it could cause major disruptions. There’s also the potential for an attacker to divert a train from one track to another, which could result in a fatal accident.
CSIRO and Google’s partnership aims to provide CI organisations, such as transport operators, with a clearer understanding of their security posture to address these risks.
Key objectives
CSIRO is working with the Google Open Source Security Team and Google Cloud to create AI-powered tools for automated vulnerability scanning and data protocols. These tools will be able to quickly identify and assess the impact of open source vulnerabilities on Australian CI operators’ software supply chains. Using existing resources including Google’s OSV database, they will harness the latest intelligence on vulnerabilities. CSIRO’s applied research, including methods to test for responsible AI usage and tools for analysing software packages, will help to ensure recommendations directly address Australia’s local regulatory and operating context.
“When we were designing this project, we came up with three main objectives,” Dr Ahmed said.
“The first is to develop AI-based technologies to enhance vulnerability information so stakeholders can act effectively and make informed decisions.
“For that purpose, we are using AI, and Google has provided good infrastructure for us to use.
“The second deliverable is how we prioritise vulnerabilities. If there are hundreds of vulnerabilities emerging, how do you identify the one that poses the biggest threat?
“The third is the development of a reference architecture and checklist specifically for CI operators in Australia to help them better understand their security posture and how any problems can be addressed.”
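The scanning and prioritisation steps in the first two objectives above, as an added example that is not code from CSIRO, Google or this project: it matches a constructed package inventory against constructed OSV-schema records (placeholder ids, not real advisories) using the introduced/fixed version events OSV publishes, then ranks the hits by the CVSS 3.1 base score computed from each record's severity vector. Version ordering is simplified to numeric tuples; a live scan would fetch the same record shape from the OSV API instead of the inline samples.

```python
# Added illustration (not CSIRO or Google code): match a package inventory against OSV-format records, rank by CVSS 3.1.
import math
import re

# CVSS 3.1 base-metric weights from the FIRST specification (PR row applies when scope is unchanged).
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "PR": {"N": .85, "L": .62, "H": .27}, "UI": {"N": .85, "R": .62},
     "C": {"H": .56, "L": .22, "N": 0}, "I": {"H": .56, "L": .22, "N": 0}, "A": {"H": .56, "L": .22, "N": 0}}
PR_CHANGED = {"N": .85, "L": .68, "H": .5}  # PR weights when scope is changed
def roundup(x):  # CVSS 3.1 Roundup(): smallest one-decimal value >= x, via integer arithmetic
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10
def cvss31_base(vector):
    m = dict(p.split(":") for p in vector.split("/")[1:])  # skip the "CVSS:3.1" prefix
    changed = m["S"] == "C"
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    impact = 7.52 * (iss - .029) - 3.25 * (iss - .02) ** 15 if changed else 6.42 * iss
    pr = (PR_CHANGED if changed else W["PR"])[m["PR"]]
    exploit = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else roundup(min(1.08 * (impact + exploit) if changed else impact + exploit, 10))
def vtuple(v): return tuple(int(x) for x in re.findall(r"\d+", v))  # numeric-only ordering; real scanners use ecosystem rules
def is_affected(record, ecosystem, name, version):
    v = vtuple(version)
    for aff in record["affected"]:
        if (aff["package"].get("ecosystem"), aff["package"].get("name")) != (ecosystem, name):
            continue
        for rng in aff.get("ranges", []):
            start = None  # walk introduced/fixed event pairs; the sentinel closes an open-ended range
            for ev in rng["events"] + [{"fixed": None}]:
                if "introduced" in ev:
                    start = vtuple(ev["introduced"])
                elif "fixed" in ev and start is not None:
                    if v >= start and (ev["fixed"] is None or v < vtuple(ev["fixed"])):
                        return True
                    start = None
    return False
def prioritise(inventory, records):  # (base score, record id, package@version) per hit, highest risk first
    cvss = lambda rec: next(s["score"] for s in rec["severity"] if s["type"] == "CVSS_V3")
    hits = [(cvss31_base(cvss(rec)), rec["id"], f"{name}@{ver}")
            for eco, name, ver in inventory for rec in records if is_affected(rec, eco, name, ver)]
    return sorted(hits, reverse=True)
def osv_record(vid, eco, name, events, vector):  # builder for the constructed OSV-shaped sample records
    return {"id": vid, "affected": [{"package": {"ecosystem": eco, "name": name},
            "ranges": [{"type": "ECOSYSTEM", "events": events}]}], "severity": [{"type": "CVSS_V3", "score": vector}]}
RECORDS = [osv_record("OSV-EXAMPLE-0001", "PyPI", "examplelib", [{"introduced": "0"}, {"fixed": "2.4.1"}],
                      "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # placeholder id, not a real advisory
           osv_record("OSV-EXAMPLE-0002", "PyPI", "examplelib", [{"introduced": "2.0.0"}],
                      "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L")]  # open-ended range: no fix published
INVENTORY = [("PyPI", "examplelib", "2.3.0"), ("PyPI", "examplelib", "2.5.0")]  # constructed inventory
```

Calling `prioritise(INVENTORY, RECORDS)` puts the network-exploitable, fixed-in-2.4.1 record first for 2.3.0; 2.5.0 is past that fix but still inside the open-ended range of the second record.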
CSIRO and Google will design a secure framework that gives Australian CI operators clear guidance on how to meet current requirements, as well as establishing a baseline for future standards. The framework will build upon Google’s Supply-chain Levels for Software Artifacts (SLSA) framework, with CSIRO’s insight into Australian industry practices.
“There’s very little information out there that tells organisations why they need to implement the right practices,” Mr Avgoustakis said.
“We want to bring together a set of good practices from across the industry and government, both in Australia and overseas.
“We have a set of tools that exist, but we want to make them better.
“At the end of the day, from a Google perspective, we want to make an impact. We want to create a safer, more resilient, digital future for Australia.”
To help ensure the partnership has an impact on critical infrastructure sectors, all project findings will be made publicly available.