Mitsubishi Logisnext enhances the cybersecurity of its automation systems

This project was delivered by Nixu, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.

Legislation governing the cybersecurity of IoT devices is placing new demands on device manufacturers. Hence, Mitsubishi Logisnext has also had to ascertain the current status of cybersecurity in its automated forklifts. A gap analysis provided by DNV Cyber has helped the company to improve the cybersecurity of its devices in line with stricter requirements. As part of this ongoing cooperation, DNV Cyber is now helping Mitsubishi Logisnext to ensure its products meet the IEC 62443 cybersecurity standards.  

Mitsubishi Logisnext Europe Oy designs, manufactures, and supplies high-tech logistics solutions. The company is part of the Mitsubishi Logisnext Group, which employs about 12,000 people worldwide. Around 450 of these employees work in Finland. The company’s goal is to be a forerunner in the cybersecurity of automation systems for AGVs, i.e., automated forklifts, and to respond proactively to upcoming legislative amendments, global uncertainty, and customers’ growing expectations. 

“We started working towards IEC 62443 certification back in 2021 without realizing how prescient this was,” says Jani Åström, DevSecOps Manager, Software Development at Mitsubishi Logisnext Europe Oy. IEC 62443 is an international series of standards for cybersecurity in automation and control systems throughout their entire lifecycles. It is the predominant cybersecurity standard used by shipping companies, autonomous vehicle manufacturers, and companies that supply hoists, elevators, and other handling apparatus. 

At Mitsubishi Logisnext, meeting cybersecurity requirements is a condition for staying in the market. A global company needs to take upcoming amendments to IoT cybersecurity legislation into account worldwide. Risk management is also extremely important, that is, ensuring that no cybersecurity problems arise in devices and systems. “Information security is paramount, especially when dealing with new customers,” says Åström. “Put simply, neither we nor our customers can afford to ignore cybersecurity in these systems.” 

A comprehensive picture of the current and future status of IoT cybersecurity 

Mitsubishi Logisnext chose DNV Cyber as its IoT cybersecurity partner based on an internal analysis and competitive tendering. “DNV Cyber has lived up to its good reputation. They’ve been professional, cooperative, and flexible. Things have progressed well, and we’ve been very satisfied,” says Åström. 

In the first phase of the cooperation, the main objective was to conduct a risk assessment and create a threat model for AGV systems. A DNV Cyber team familiar with automation systems and the legislation governing them was involved in the analysis. The currently ongoing second phase focuses on documentation and creating a standard-compliant cybersecurity plan for AGV systems. 

One valuable outcome of the collaboration is a well-founded situational picture, which arose through a combination of DNV Cyber’s knowledgeable and challenging questions and the efforts and ideas of Mitsubishi Logisnext’s professionals. “I believed that our information security issues were already in good shape, and this was confirmed,” says Åström and continues: “It gives me confidence in the future that our current status is good and the measures we have taken are correct.” 

Jukka Leskio, DNV Cyber’s Head of IoT & Product Security, agrees with Åström: “In many areas, Mitsubishi Logisnext already had a realistic idea of what works and what the company needs to learn more about when it comes to, in our opinion, tried-and-tested, standard-compliant practices. Together, we were able to create clear steps for achieving the set goals.” 

It gives me confidence in the future that our current status is good and the measures we have taken are correct.

  • Jani Åström, DevSecOps Manager, Mitsubishi Logisnext Europe Oy

Cybersecurity perspective included from the outset 

At Mitsubishi Logisnext, the cybersecurity perspective is taken into account from the outset in all system development. Åström urges his partners in the manufacturing industry to consider this perspective sooner rather than later. It is worthwhile to benefit from external experts when you are just starting to learn about these things. In issues involving cybersecurity and privacy, it is much easier to be proactive than to try to patch up potential problems afterwards. 

And one shouldn’t be afraid of the process. “Although cybersecurity itself may be difficult to understand, the actions you need to take are relatively simple when carried out in cooperation with an expert,” says Åström. “The important thing is to get the right people on board immediately.” 

Mitsubishi Logisnext’s collaboration with DNV Cyber is still ongoing. A status report on the company’s extensive product portfolio has now been completed, and the next step is to ensure compliance in both processes and documentation. The aim is to be compliant with the EU’s cybersecurity regulation in good time before the stricter cybersecurity legislation comes into force.