Information security
Initiatives Regarding Product Security
Mitsubishi Electric Mobility Corporation (hereinafter referred to as MELMB) evaluates the risk of infringement of confidentiality, integrity, and availability from cyber-attacks on the information systems (IT) and production/factory equipment (OT) related to the products and services we provide and considers it our responsibility to take appropriate measures to prevent major damage or impact on stakeholders, including customers. MELMB will effectively respond to both normal times (preventing cyber-attacks) and emergencies (minimizing damage from cyber-attacks) by establishing a security system that covers all divisions involved in production activities. Furthermore, MELMB promises to review this security policy itself on a regular basis (once a year, or in the event of a major security incident) and take appropriate measures in response to the latest security situation.
Compliance with laws and regulations
MELMB complies with the laws and regulations of each country regarding information and factory security. In addition, MELMB takes appropriate measures to protect personal information based on our "Personal Information Protection Policy."
Structure
MELMB will establish CSIRT/FSIRT (Computer/Factory Security Incident Response Team) to manage activities related to information and factory security.
Education and training
MELMB adapts to evolving knowledge and technology regarding information and factory security by implementing measures such as education and awareness training for all employees involved in production activities, fostering a culture of thoroughness in these activities.
Preventing cyber-attacks
MELMB has established a system to manage information and factory security risks during normal times and collects and shares information to prevent accidents from occurring. MELMB will also incorporate the requirements of international standards and industry guidelines into our information systems and production/factory equipment.
Response in the event of a problem (emergency)
If a security issue occurs at MELMB, we will investigate the cause, take corrective measures, and strive to prevent recurrence, as well as provide information to the relevant customers. In addition, MELMB will report the issue to the relevant authorities through Mitsubishi Electric, if necessary.
Risk assessment and management
MELMB regularly assesses and manages information and factory security risks. This assessment and management encompass all security elements, including information security, physical security, and personnel security. MELMB adopts a risk-based approach in its assessment and management, evaluating the effectiveness against newly discovered vulnerabilities and emerging threats.
Mitsubishi Electric Mobility Corporation (hereinafter referred to as MELMB) considers that it is our responsibility to ensure security related to the products and services we provide (hereinafter referred to as "product security"), and to take appropriate measures to prevent any significant damage or impact on our customers.
To ensure that our customers can use our products and services with peace of mind, we will thoroughly communicate the importance of product security to all employees involved with our products and services and strive to implement the following initiatives while maintaining and improving security through regular inspections and reviews. Furthermore, MELMB commits to regularly reviewing the product security policy itself (once a year, or in the event of a serious security incident) and taking appropriate measures in response to the latest security situation.
Compliance with laws and regulations
MELMB complies with the laws and regulations of each country regarding product security. In addition, MELMB takes appropriate measures to protect personal information based on our "Personal Information Protection Policy."
Structure
MELMB will establish a PSIRT (Product Security Incident Response Team) to manage activities related to product security.
Education and training
MELMB adapts to evolving knowledge and technology regarding product security by implementing measures such as education and awareness training for all employees involved in products and services, fostering a culture of thoroughness in these activities.
Product development
MELMB will appropriately incorporate the requirements and verification methods of industry-standard specifications and guidelines related to product security into our product development process.
Response in the event of a problem
If a security issue occurs with our products, MELMB will investigate the cause, implement corrective measures, and strive to prevent recurrence, as well as provide information to the relevant customers.
Risk assessment and management
We regularly assess and manage the security risks of our products. This assessment and management cover the entire product life cycle, including design, manufacturing, and operation. We adopt a risk-based approach to assessment and management, evaluating its effectiveness against newly discovered vulnerabilities and emerging threats.
The information, factory, and product security management systems at Mitsubishi Electric and our company are outlined below. Our company has established MELMB-CSIRT, MELMB-FSIRT, and MELMB-PSIRT, and we are working on information, factory, and product security in cooperation with Mitsubishi Electric.
To ensure a high level of product security and protect our customers against cyber-attacks, Mitsubishi Electric Mobility (hereinafter referred to as MELMB) discloses vulnerability information related to our products in accordance with “ISO/IEC 29147” and “Information Security Early Warning Partnership Guideline”*1 (published by IPA).
*1 Information Security Early Warning Partnership Guideline
https://www.ipa.go.jp/security/english/about_partnership.html
Reporting
To enhance the information security of our products, we gather vulnerability information from external security researchers and coordinating bodies (e.g. Computer Emergency Response Team “CERT” both domestically and internationally). If you have information about a potential vulnerability in our products, please contact one of relevant coordinating bodies or contact us directly using the report form at the link below.
Vulnerability report form
https://www.mitsubishielectric.com/en/psirt/contact/index.html
After receiving vulnerability information via the report form, we will respond within 5 business days. Please be aware that our response may be delayed during Japan’s public holidays and Mitsubishi Electric’s own holidays.
MELMB PSIRT (Product Security Incident Response Team) is the department responsible for handling vulnerability information related to MELMB products. Regarding vulnerability information of our website, please contact MELCO-CSIRT*2. Please use the guidelines solely for reporting issues with MELMB products. For products not manufactured by MELMB, please contact the respective product manufacturer directly.
*2 MELCO-CSIRT (in Japanese)
https://www.nca.gr.jp/member/melco-csirt.html
The report form is encrypted using SSL/TLS. After submitting the report form, communication with the reporter will be conducted via e-mail. If the e-mail and/or attachments contain sensitive information about undisclosed vulnerabilities, please use our PGP public key for encryption to prevent unintended disclosure to third parties. We will notify the reporter of the PGP public key individually in response to a submission.
Investigation and Countermeasures
The relevant product design and development department will investigate the vulnerability information provided by the reporter. If the following three conditions are met, the issue will be classified as a new vulnerability, and we will immediately notify the reporter of the investigation results. We may request additional information if necessary.
Vulnerability criteria:
- Identifies a true product security issue.
- The vulnerability is reproducible.
- The vulnerability is undisclosed.
Should a vulnerability be found, we will implement countermeasures and prepare to disclose a new vulnerability. If it is not a new vulnerability, we will close the investigation and notify the reporter of our conclusion.
Publication of Security Advisory
To enable our customers to take appropriate measures against new vulnerabilities in our products, we will prepare a security advisory to publish the vulnerability. Once the advisory is ready, we will coordinate the publication date with the reporter and other stakeholders, assign a CVE number, and publish the advisory on the website at the link below.
Vulnerability Information
https://www.mitsubishielectric.com/en/psirt/vulnerability/index.html
Simultaneously with the publication, we will report the vulnerability to Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) and the CERT of each country as necessary. In accordance with the “Information Security Early Warning Partnership Guideline,” in principle, we will not disclose vulnerability information to third parties other than the reporter, coordinating body, and product developer before the public release.
Acknowledgements to the people who have contributed to the discovery or resolution of the vulnerability in our products will be posted in the security advisory after agreement with those contributors. If multiple individuals or organizations report the same vulnerability, acknowledgments to the first reporter will be posted in the security advisory.