Severe Disruption at JLR: Lessons for Cyber Resilience
- Oct 10
November 2025, Daryl Flack, Partner
Published on: Automation Magazine
Process & Control Magazine
The recent cyberattack on Jaguar Land Rover (JLR) has sent shockwaves through the UK manufacturing sector. Production was forced to a halt across multiple plants, staff were left unable to work, and supply chains suffered serious disruption.
For JLR, the incident was not just an IT problem; it was a full-blown operational crisis. And while the company acted decisively to shut down systems and contain the threat, the event underscores wider lessons for resilience in the sector.
Rapid response as damage control
One of the most important lessons from JLR’s handling of this incident was the speed of its response. The company took the difficult but necessary step of shutting down production systems. While this undoubtedly caused short-term pain, it was a decisive containment measure that prevented further spread and potentially more catastrophic damage.
In any cyber crisis, time is of the essence. Every hour of hesitation gives attackers more opportunity to exfiltrate data, move laterally across networks, and embed themselves deeper into critical infrastructure. By shutting systems down swiftly, JLR demonstrated an understanding that immediate containment is sometimes the only way to preserve long-term operational stability.
Manufacturers must take note. Effective response depends not only on technical safeguards but also on well-rehearsed incident response playbooks. These need to outline who makes the call, what systems can be sacrificed, and how communications with staff and suppliers are handled. Without such preparation, organisations risk paralysis at the very moment decisive action is most needed.
A widening threat landscape
The group linked to the JLR attack has previously claimed responsibility for breaches at other major UK organisations. This continuity of activity highlights a sobering reality: attackers are not only persistent but also increasingly focused on manufacturing and critical infrastructure. Why? Because operational technology (OT) environments are both attractive and vulnerable. Unlike IT systems, which have seen decades of investment in cyber defences, OT environments were often designed primarily for function rather than security. Industrial robots, assembly lines, and process controllers often run legacy software, rely on proprietary protocols, and cannot easily be patched without halting production.
The attack surface widens further as these systems are connected to IoT devices, remote monitoring tools, and IT networks. Add in the complexity of global supply chains, where third-party access is often required, and attackers are presented with multiple entry points or attack vectors. Manufacturers also hold sensitive intellectual property, from process designs to trade secrets, making them prime targets for ransomware, espionage, and supply chain compromise.
In short, OT is becoming the battlefield of choice for cyber adversaries. As attacks on JLR and others demonstrate, the risks are no longer hypothetical.
Operational continuity is at stake
Perhaps the most serious impact of a cyberattack that affects OT is the threat to operational continuity. When IT systems are compromised, the disruption is significant, but usually recoverable with backups, redundancy, and recovery tools. When OT systems are hit, however, the consequences ripple far beyond the factory floor.
At JLR, the production shutdown immediately stalled output, but the effects extended into logistics and distribution, supplier coordination, and ultimately customer trust.
This is why true resilience demands a holistic approach. Technical firewalls and endpoint protection are essential, but they are not enough. Manufacturers must embed resilience into the fabric of their operations by separating IT and OT environments, practising joint drills between operational and security teams, and establishing continuity plans that assume disruption will occur at some point.
Building cyber resilience in automotive manufacturing
So how should manufacturers respond? There are three critical layers: technical safeguards, incident response preparedness, and governance.
1. Strengthen technical foundations
Start with visibility. Create a full inventory of OT assets, and ensure patching and updates are applied where possible. Network segmentation is vital, limiting the blast radius of any intrusion and preventing lateral movement. Remote and third-party access should be tightly controlled. Continuous monitoring of OT networks, backed by anomaly detection, enables earlier detection of malicious activity. Backups, stored both offline and in the cloud, are essential for recovery from ransomware. Applying recognised frameworks such as IEC 62443 and NIST 800-82 helps benchmark and guide OT security.
2. Prepare for incidents
Even the most robust systems can be breached. That’s why incident response must be treated as a business-critical function. Manufacturers should create and rehearse plans that define escalation routes, decision-making authority, and communications protocols. Tabletop exercises and red-team simulations can expose weaknesses before a real crisis strikes. Equally important is staff training. Engineers, operators, and other frontline staff are often the first to spot anomalies. Ongoing, role-specific training ensures they can recognise and report threats quickly, reducing dwell time for attackers.
3. Elevate governance
Cyber risk is a board-level issue. For too long, OT security has been seen as a technical concern rather than a strategic priority. Boards must regularly review security investments, audit resilience measures, and hold management accountable for maintaining readiness. Embedding cyber resilience into corporate governance fosters a culture where security is everyone’s responsibility.
Fostering industry-wide preparedness
The disruption at JLR is not an isolated case. It is part of a broader pattern of escalating attacks on manufacturing and critical industries. The lesson is clear: resilience cannot be an afterthought.
Rapid response, recognition of an expanding threat landscape, and protection of operational continuity must be the priorities for every automotive manufacturer. By investing in IT/OT separation, rehearsed incident response, and cross-industry collaboration, we can ensure that when, not if, the next attack comes, the impact on operations, people, and society is minimised.
Preparedness is no longer optional. It is the only way to safeguard the future of automotive manufacturing in an era of escalating cyber threats.




