ZAIN: navigating the SBOM to secure industrial cybersecurity

Orbik Cybersecurity has launched ZAIN, a strategic R&D project to tackle one of the key challenges of Industry 4.0: how to identify, prioritise and mitigate vulnerabilities in industrial products and embedded systems using their Software Bill of Materials (SBOM). In a context of growing cyberattacks and the arrival of the Cyber Resilience Act (CRA) and IEC 62443, ZAIN positions the Basque industrial ecosystem at the forefront of product cybersecurity.

A new SBOM-driven approach to industrial cyber risk

ZAIN’s main goal is to protect industrial systems and embedded products by boosting their operational resilience through new SBOM‑based analysis methodologies powered by Machine Learning and Artificial Intelligence. The future platform will enable precise identification, management and prioritisation of vulnerabilities, reducing response times and the reactive costs associated with security incidents.

Technically, the project aims to reach high detection rates for vulnerabilities in embedded and industrial products, increase resilience against emerging threats through automatic ML‑based mitigation recommendations, and track vulnerabilities throughout the entire product lifecycle. To achieve this, ZAIN will explore a new SBOM generation module, a vulnerability analysis framework that correlates SBOM data with major vulnerability databases, specific AI models for risk prioritisation and mitigation, and a secure, scalable cloud architecture for continuous monitoring and real‑time alerts.

ZAIN is part of the Hazitek 2025 programme and aligns with the RIS3 and PCTI 2030 strategies under the Smart Industry priority. Led by Orbik with the technological support of IKERLAN, the project will result in a new industrial cybersecurity platform, automated certification capabilities aligned with CRA and sector standards, and advanced DevSecOps practices for the lifecycle of industrial products. With ZAIN, Orbik reinforces its vision of helping industry move towards intrinsically cybersecure products and operations, ready for a stricter regulatory landscape and an increasingly complex attack surface.