Vitoria-Gasteiz/Munich, 23 May 2023

Alias Robotics, a world leader in robot cybersecurity solutions, has today stepped up as a CVE Numbering Authority (CNA) by extending its scope to cover Machine Tool Manufacturing equipment. The CNA program is a worldwide initiative led by MITRE that brings together organizations in charge of assigning new vulnerability identifiers (CVE IDs) to novel vulnerability "species". Alias Robotics has supported this program since 2020, covering, to date, vulnerabilities in its own products and in robotics equipment not in the scope of any other CNA.

More than 290 organizations worldwide participate in the program, representing several types of players in the security ecosystem. Organization types include:

  • Vendors: An organization that sells products or services for which CVEs are applicable.
  • Researcher orgs.: An organization engaged in research resulting in identifying vulnerabilities for which CVEs are applicable.
  • Open Source organizations: An organization that produces, manages, or maintains products or services having the source code freely available for possible modification and redistribution.
  • CERTs: Computer Emergency Response Teams.
  • Hosted Service: Any cloud-based services, platform as a service, infrastructure as a service, software as a service.
  • Bug Bounty Providers: An organization that acts as an intermediary between vendors and researchers and may reward individuals for discovering and reporting software vulnerabilities.
  • Consortiums: A group of entities that have joined together to work on a particular project.

The most significant players include manufacturing companies such as Airbus, Android and Google, and prominent security research teams such as TrendMicro, Rapid7, F-Secure et al. Each participating organization holds its own scope. With this change, Alias Robotics reinforces its scope to help Machine Tool manufacturers that are not yet part of the program. It is expected that Alias Robotics will cover all kinds of connected machine tools, CNC-controlled machine tools and other industrial CPS, including turning, sawing, drilling, shaping, planing and grinding machines.

World leader in cyber-physical system vulnerability research and management

Alias Robotics has publicly filed more than 200 vulnerabilities in its Robot Vulnerability Database (RVD), pertaining to different robotics vendors and robot technologies, including the Robot Operating System (ROS) and its second version, ROS2.

In addition to those in the public spotlight, Alias Robotics holds, to date, more than 1200 vulnerabilities pertaining to robot systems of all kinds in the private repository of RVD, known as RVDp.

"Some of the vulnerabilities we've handled as part of the program have been high criticality and high impact to operations," states Endika Gil-Uriarte, CEO at Alias Robotics. "We've managed multiple vulnerabilities and mediated with third party researchers from all around the globe, engaged with governmental bodies such as INCIBE, CISA, BSI and CSA, and filed ourselves new vulnerability species not known before in systems such as drones and UAVs, manipulators and terrestrial vehicles of many kinds." This scope extension is expected to increase Alias Robotics' impact on the CVE and CNA program, drawing on its expertise in CPS vulnerability management and handling.

Expected increase in local cooperation at the Basque level, with a strong focus on European Advanced Manufacturing

As a result of this announcement, it is first expected that tighter bonds will be formed with the AFM ecosystem (Asociación de fabricantes de máquinas-herramienta - Network of Machine Tool providers) and the Gipuzkoan Centre for industrial cybersecurity - ZIUR, and also that existing markets in Central Europe will be reinforced.

The global machine tools market size grew from $87.72 billion in 2022 to $93.41 billion in 2023 at a healthy annual growth rate (CAGR) of 6.5%.

Machine tool manufacturers have been challenged by the newly published review of the Machine Directive to test the safety and security intersection of their products. "The norm's idea is to ensure that safety shall not be compromised by cybercriminals and connected and intelligent machines, in any case, do not pose a safety risk to the humans operating them or nearby - mapping to Regulation (EU) 2019/881 - also known as Cyber Resilience Act". In this context, Alias Robotics expects to expand its market share in cyber-physical system security professional services by leveraging its well-known expertise at the safety and security intersection.

For new vulnerability disclosures, please use cve@aliasrobotics.com. Feel free to use additional security methods in the mailing thread.