CSIRO, Australia's national science agency, and tech giant Google have entered a research partnership aimed at securing Australia's critical infrastructure (CI) from risky software components.

The collaboration is part of Google's Digital Future Initiative and CSIRO's Critical Infrastructure Protection and Resilience mission. The partnership will focus on developing tools and frameworks to help Australian CI operators meet obligations around software supply chain security, including those in the amended Security of Critical Infrastructure (SOCI) Act and Australia's Cyber Security Strategy.

The tools and frameworks will focus on identifying and fixing vulnerabilities in open source software components, which are increasingly important in the digital transformation of Australia's critical infrastructure. All project findings will be made publicly available, providing critical infrastructure sectors with free and easy access.

CSIRO will work with the Google Open Source Security Team (GOSST) and Google Cloud to develop AI-powered tools for automated vulnerability scanners and data protocols. The tools will utilise resources including Google's OSV database for the most up-to-date intelligence on vulnerabilities. CSIRO's applied research will help ensure reports and recommendations directly address the local regulatory and operating context of Australian operators.

CSIRO and Google will also design a secure framework to guide Australian CI operators on how to meet current requirements and prepare for future ones. The framework will adapt and extend the Supply-chain Levels for Software Artifacts (SLSA) framework created by Google, with insight from CSIRO's in-depth industry knowledge.

"Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness. This partnership builds upon a successful track record of AI-powered innovation, demonstrating the transformative power of Google and CSIRO's expertise," said CSIRO Project Lead, Dr Ejaz Ahmed.

Google Cloud will provide secure and scalable infrastructure and solutions, including machine learning and Big Data capabilities, to accelerate the partnership's research.

Security Practice Lead, Google Cloud, Australia & New Zealand, Stefan Avgoustakis, said: "Software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks. The tools and frameworks we're developing will give Australia's CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research. Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide, and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open source security."