Mitsubishi Electric strengthens global cybersecurity with the YubiKey
Mitsubishi Electric is a global leader in product innovation and the manufacturer of electrical and electronic products and systems, for consumers, businesses and a wide range of critical infrastructure including energy, transportation and information and communication systems. Established in 1921, Mitsubishi Electric is headquartered in Tokyo, Japan and globally active in over 120 countries
Key results:
At a glance
- 150k global employees
- 339 third-party affiliates
- ¥5.00 trillion revenue (2023)
Yubico solutions deployed
- YubiKey 5 NFC
“Our vision with the YubiKey is to fundamentally solve the issue of passwords and to realize passwordless authentication for all users in the future”
Across the globe, critical infrastructure remains a prime target for statesponsored threat groups. As a key supplier of electrical and electronics products and solutions to critical infrastructure sectors worldwide, and a major supplier of Japan’s defense systems, it is paramount for Mitsubishi Electric to guard against persistent cyber attacks.
In response to past cybersecurity incidents, Mitsubishi Electric launched a security enhancement project to promote cybersecurity measures.
“We know that the security incidents we experienced were caused by credential misuse. Therefore, our first priority was to strengthen our authentication infrastructure with strong multi-factor authentication (MFA). For the implementation of our MFA, the decision was made to use the YubiKey, a hardware security key that also supports Smart Card, FIDO2 (passkeys) and the U2F protocols. Scalability was another consideration, as well. Yubico is a major provider in the authentication token market,” notes Mr. Okamoto. “Several colleagues already knew about YubiKeys and how they work.”
“We know that our security incidents were caused by stolen credentials, so strengthening our authentication infrastructure was a top priority. The YubiKey enables us to strengthen multifactor authentication.”
The journey to strong, phishing-resistant MFA
Mitsubishi Electric operates globally, and the IT Platform division monitors authentication infrastructure used by over 150,000 staff, spread across an estimated 200 Mitsubishi Electric group locations.
In order to guarantee that their investment in MFA was well suited, Mitsubishi Electric wanted to ensure that the solution met the standards set by the National Institute of Standards and Technology (NIST) Digital Identity Guidelines and the Authenticator Assurance Level (AAL), which are recognized worldwide as equitable standards for identity management. “We were conscious of phishingresistant MFA while planning,” notes Mr. Okamoto. “As we strive to guard against even the most sophisticated cyberattacks, it didn’t make sense to implement MFA without protection against adversary-in-the-middle (AITM) attack vectors.“
Implementing modern phishing-resistant MFA throughout an organization is a journey. Mitsubishi Electric is currently deploying enhanced MFA by utilizing either company-owned devices or YubiKeys, paving the way for a fully-passwordless future. For affiliates that do not provide company-owned devices, the YubiKey has become an option.
“Our aim was to eliminate account takeovers by adopting stronger MFA. Adopting YubiKeys has made it easy for us to continuously move our authentication strategy forward. Our goal is to enable passwordless authentication for all users in the future.”
Securing mobile-restricted environments
While implementing MFA at various divisions and affiliates, Mitsubishi Electric faced a variety of challenges including, frequently, mobile-restricted scenarios, as most production facilities limit the usage of any mobile devices.
The YubiKey emerged as an optimal solution for both IT and Operational Technology (OT), including access to industrial control systems (ICS), requiring no additional hardware, software, external power, batteries or network connections. A single YubiKey can secure hundreds of products, services and applications, including leading identity and access management (IAM) platforms, privileged access management (PAM) solutions and cloud services, with the secrets never shared between services.
“When considering MFA, it was clear that procuring and distributing mobile phones for every user would be an extraordinary cost and that it would not address the challenges in mobile-restricted environments. The YubiKey solved these challenges.”
Managing global distribution at scale
To date, Mitsubishi Electric Japan has deployed thousands of YubiKeys to support mobile-restricted environments or situations where corporate-owned devices are not an option. As Mitsubishi Electric’s infrastructure evolves, the utilization of the YubiKey will likely extend to more use cases, including research facilities, with the ultimate goal of transitioning toward a phishing-resistant and passwordless future for all employees.
Following best practices, Mitsubishi Electric instituted clear onboarding and lost key policies to protect privacy and mitigate risks, such as masking account information during set-up. To further support implementation, manuals were created and distributed to each affiliate receiving a YubiKey shipment. With the ecosystem’s maturity and the availability of comprehensive documentation, onsite or face-to-face support has proven unnecessary. Global subsidiaries and affiliates without YubiKeys have been encouraged to procure them.
The YubiKey offers users ease of use: to generate a two-factor authentication (2FA) code, a user simply inserts the YubiKey into their computer and taps their smartphone. As Mitsubishi Electric transitions to FIDO authentication, the need to enter codes is eliminated. “Some users do not possess strong IT literacy,” says Mr. Okamoto. “This is another reason why we rated the YubiKey highly.”
“We have rolled out several thousand keys so far, but have not run into any problems, which has been great.”
Creating new value through continuous innovation
Mitsubishi Electric is steadfast in its pursuit of becoming a “Circular Digital Engineering company” driven by its commitment to continuous innovation and transformation throughout the organization.
Embracing Yubico solutions, such as the YubiKey, significantly raises the bar for security and establishes a robust foundation for Mitsubishi Electric to facilitate and safeguard its digital transformation by paving a path to secure authentication that does not require passwords.