Key points
- With essential service organisations facing more software security breaches, there's a growing need to elevate industry security standards, but collaboration is essential.
- Australian critical infrastructure software supply chains face rising vulnerabilities, prompting a partnership with Google to enhance detection and management.
- The partnership will introduce new methodologies, data, systems, and frameworks to help critical infrastructure operators meet regulations and better identify software risks.
Did you or someone you know have your data comprised in April of 2024 in the MediSecure data hack? This hack hit approximately half of Australia's population. That's around a whopping 12.9 million people.
Those responsible obtained 6.5 terabytes of private information through a ransomware attack. This included people's names, dates of birth, personal addresses, medical information and more. This information was made available for sale on the dark web. The 'dark web' refers to hidden websites you won't stumble across in everyday browsing. They're available only through specialised internet browsers that allow for anonymous browsing.
While it’s one of the largest cyberattacks to hit Australia, the MediSecure hack wasn’t the first. And it certainly won’t be the last. Insurance companies, government departments, universities, hospitals and more have all fallen victim. As technology becomes an increasingly integral part of our lives, so too does the risk of cyber breaches. The reality is that we need elevated industry standards for software security and this change can't happen alone.
So, we’re partnering with Google to take on this challenge. Our specific focus is on improving detection and management of vulnerabilities in Australian critical infrastructure software supply chains. With a focus on Critical Infrastructure Protection and Resilience (CIPR), we are keen to share our expertise in data science and research, Australian industry practices, and relevant key networks.
Preventing cyberattacks on critical infrastructure
Critical infrastructure (CI) is exactly that, critical. It’s the facilities and systems which provide services essential for everyday life such as electricity, food, water and transportation. These systems are complex and interconnected. This means a cyberattack on one could lead to widespread disruptions to many other services. This can result in significant financial costs and serious negative consequences to people’s lives.
Headlines around the world were abuzz with the outage of IT system, CrowdStrike, in July 2024. This highlighted the cascading effect outages of IT systems have on CI industries. CrowdStrike’s outage affected many systems on a global scale, including airlines, banks, medical systems and grocery checkouts.
With Google, our aim is to provide new methods and technologies to help CI operators improve software security. The project focus is on evaluating and maintaining security, especially when using third-party software.
By sharing knowledge, resources and decision framework with organisations, the project will help close the gap between differing industry standards. It will produce a consistent approach to identifying software risks that citizens can rely on and trust.
A roadmap to a more secure future
Software vulnerabilities are one simple way hackers can get inside the system. Identifying, understanding and managing these vulnerabilities are a massive challenge organisations face.
A good example is software supply chains. These operate at a mass scale with much of the software not owned or created by the organisations using it.
An organisation's supply chain can contain hundreds and thousands of 'open-sourced' software packages. This means they're created and managed by a third party. Sharing knowledge and resources is integral to advancing technologies and society. However, many open-source software packages have unknown vulnerabilities. This makes it very difficult to maintain a consistent standard of quality.
To address these challenges, the project team aim to provide three main deliverables.
The first deliverable is to provide the CI industry with detailed data and methods. These will help determine if an open-source software vulnerability may affect an organisation. The basis of this is the context of their activities within the software. The second deliverable is to provide efficient and automated systems. These will be used to manage and prioritise vulnerabilities based on their potential impact. The final deliverable is a comprehensive, universal framework for CI software security. This will provide guidelines that are easy for organisations to adopt on their own.
All project findings will be available to the public. This will help maximise the impact of this collaboration. In doing so, it will allow free and easy access for critical infrastructure sectors.
Enhancing software supply chain security
Stefan Avgoustakis is Security Practice Lead, Google Cloud, Australia & New Zealand. He said software supply chain vulnerabilities are a global issue, and Australia has led the way in legislative measures to control and combat the risks.
“The tools and frameworks we’re developing will give Australia’s CI operators a clear and consistent roadmap towards software supply chain maturity, based on the in-depth industry knowledge that CSIRO has built up over years of research," Stefan said.
"Making these resources openly available to CI operators will help establish greater resilience throughout critical infrastructure nationwide and reflects our longstanding interest in teaming up with industry and academia to enhance the effectiveness of our years of work in open-source security.”
Dr Ejaz Ahmed, our Project Lead, sees the value in collaboration.
“Software developed, procured, commissioned, and maintained within Australia will also be better aligned with local regulations, promoting greater compliance and trustworthiness,” Ejaz said.
Protecting our critical infrastructure
Our Critical Infrastructure Protection and Resilience (CIPR) initiative has led to this partnership. The goal is to foster an integrated national approach to Australian CI protection and resilience building that will address the nation's converging infrastructure vulnerabilities by the year 2030. In setting this goal, we recognise the current inadequacies of our approach to CI hazards.
The CIPR team is building future solutions together with government and private sector stakeholders. They’re leveraging leading-edge science, technology and global expertise. Contact us if you wish to be involved.