A survey of cyber security in the Swedish manufacturing industry

In this paper we explore cyber security practices in Swedish manufacturing firms. Manufacturing is being transformed by new technologies under the label of smart industry or Industry 4.0. Most of these technologies are either digital themselves or depend on digital connectivity. Their use is made possible by electronic sensors, actuators, and other devices as well as by data-driven analysis. This technological change entails a fundamental shift in risk and security as devices become interconnected, making information and control transmissible both within and, to varying degrees, outside the firm's organization. These issues must be addressed to prevent both unintentional and intentional security incidents. Thus, there will be no smart industry without cyber security. Based on a sector-wide survey with 649 respondents (17% response rate) carried out in collaboration with the Association of Swedish Engineering Industries, we map risk perception and the controls put in place to address these risks across firms. We present three primary findings: (i) compared to how firms value further investments in digitalization, risk perception related to cyber security issues is fairly low, and business interruption is a greater cause for worry than data breach; (ii) there is a gap between the anticipated impact of digitalization and the perceived need for cyber security measures across business functions within firms; and (iii) the implementation of cyber security measures is still in its infancy, with a significant bias towards technological measures, leaving organizational and social cyber security measures underrepresented. The paper concludes with the identification of a few interesting follow-up questions for future work.
