Published

October 29, 2025

Jaguar Land Rover Cyberattack: Lessons for Manufacturing CISOs

JLR cyberattack exposed IT/OT blind spots. How can manufacturing CISOs protect production, suppliers, and operational resilience?

About the Author

Nasir Khan

President & CEO at X-Centric

President & CEO at X-Centric IT Solutions for 19+ years, specializing in IT strategy, cybersecurity, and business growth.

We unpack how the JLR cyberattack exposed a critical blind spot in modern manufacturing: the fragile intersection of IT and OT systems. We also look at why traditional continuity plans fall short, what real resilience looks like on the factory floor, and how leaders can audit their cybersecurity exposure to keep production running.

In September 2025, Jaguar Land Rover (JLR) stopped production across multiple UK plants after a major cyberattack. UK car output for the month dropped to roughly 51,100 units, with a broader economic impact of nearly £1.9 billion. Production resumed only in phases, starting in early October.

For boards and operations leaders, the incident is a reminder that a single cyber event can halt production lines and reverberate through your suppliers and customers for months.

That is what the JLR cyberattack shows: a combined OT/IT event can stop the production line and halt deliveries.

Here's the core message: traditional IT-centric continuity measures are not enough for Industry 4.0 operations. Plan accordingly.

Manufacturing Cases

Three Factors that Increase Blind Spots on the Factory Floor  

  1. IT/OT Convergence  

Manufacturing has evolved a lot, especially auto manufacturing. Modern plants run on hybrid stacks: PLCs and safety controllers alongside Windows servers, MES, and ERP systems linked to cloud services, with APIs connecting across suppliers.

That interdependence multiplies the number of “failure paths” and raises the odds that one compromised system can halt upstream machining and downstream shipping at once. The JLR disruption, which escalated from business systems to production schedules and suppliers, is exactly this pattern.  

  2. Safety adds constraints that attackers exploit

You can’t “patch during heat-treat.” OT maintenance windows are infrequent; changes require safety validation; and many assets run unsupported firmware. Defenders face narrow change windows; attackers don’t.  

  3. Suppliers extend your attack surface

Tier-1 and Tier-2 partners often hold networked access for quality data, ticketing, or logistics. That’s convenient for throughput, but it widens the blast radius when one vendor is compromised.  

Blurred Lines Between IT & OT  

The clear demarcation between IT and OT systems will continue to blur. For example, even if your CNCs never touch the internet, your planning, quality, and shipping systems likely do.

You should harden cloud tenants so a business-system compromise can’t cascade or move laterally into operations. 

Factory environments increasingly rely on cloud-based tools for scheduling, quality control, and supplier coordination. But many of these tenants, whether for email, identity, or infrastructure, are under-hardened. Weak access controls, exposed storage, and permissive network configurations can allow attackers to move laterally from cloud to plant.

Resilience demands more than endpoint protection alone. It requires identity discipline, segmented access, and telemetry that’s both visible and immutable. Without these guardrails, a compromise in planning or procurement can quickly become a production crisis. 

What resilience means in a Mixed OT/IT Environment  

In factory operations, resilience is the ability to continue safe, acceptable production under stress, not just restore servers. Achieving this capability requires:  

  • Clear dependency maps from order entry to shipping, including which OT cells can run in isolation and which require IT data.  

  • Identity-centric control so a stolen account cannot jump from email to engineering workstations to line controllers.  

  • Pre-approved degraded modes (manual labeling, offline quality checks, local recipes) let you operate for days, not hours.  

  • Incident Response (IR) playbooks that are OT-aware: cordon contaminated domains without breaking safety-critical comms, and restart in the right sequence to avoid scrap.

Five Steps to Prevent a Production-stopping Cyber Event  

You can take several measures to prevent a JLR-like situation in which production stopped due to the severity of the attack and its spread from business systems (IT) to production systems (OT).    

1) Map and protect production paths  

Before you can defend your factory’s operations, you should put on paper which parts of your production environment simply cannot afford to go down.  

Build a living diagram from inbound ASN (Advanced Shipping Notice) to outbound bill of lading. The diagram will help you determine which workflow steps should stay online to ship finished goods. Then put compensating controls around those systems. For example:   

  • Separate identity boundaries.  

  • Unidirectional data paths for critical telemetry.   

This will be the backbone of your OT/IT resilience program.  
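As an added illustration of the dependency map described above (not code from the original article or from X-Centric), the following Python sketch models a constructed ASN-to-bill-of-lading path, records which IT systems each step needs and which steps have a pre-approved degraded mode, and then shows which steps keep running when a given IT system is isolated. The system names are invented, and the "resilience score" here is simply the share of steps still runnable, an assumed definition for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    depends_on: Tuple[str, ...]          # IT systems the step normally needs
    degraded_mode: Optional[str] = None  # pre-approved offline/manual fallback


# Constructed sample critical path from inbound ASN to outbound bill of lading.
# System names are illustrative, not any real plant's topology.
CRITICAL_PATH: List[Step] = [
    Step("receive_asn", ("erp", "supplier_portal"), "manual receiving log"),
    Step("schedule", ("mes", "erp"), "frozen local schedule"),
    Step("machining", ("mes",), "local recipes on cell HMI"),
    Step("quality_check", ("qms",), "offline paper checks"),
    Step("labeling", ("mes", "erp"), "manual labeling"),
    Step("ship", ("erp", "tms"), None),  # no fallback: BOL is generated by ERP
]


def degraded_operation(path: List[Step], compromised: Iterable[str]) -> Tuple[Dict[str, str], float]:
    """Per-step status when the given IT systems are isolated, plus the share
    of steps still runnable (assumed definition of the resilience score)."""
    down = set(compromised)
    status: Dict[str, str] = {}
    runnable = 0
    for step in path:
        hit = sorted(down.intersection(step.depends_on))
        if not hit:
            status[step.name] = "normal"
            runnable += 1
        elif step.degraded_mode:
            status[step.name] = "degraded: " + step.degraded_mode
            runnable += 1
        else:
            status[step.name] = "blocked by " + ", ".join(hit)
    return status, runnable / len(path)


def blind_spots(path: List[Step], top: int = 3) -> List[Tuple[str, int]]:
    """IT systems whose loss stops steps that have no degraded mode,
    ranked by how many such steps each one would block."""
    counts: Dict[str, int] = {}
    for step in path:
        if step.degraded_mode is None:
            for system in step.depends_on:
                counts[system] = counts.get(system, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
```

Running `degraded_operation(CRITICAL_PATH, {"erp"})` shows every step except shipping surviving in a degraded mode, which is exactly the kind of gap (no fallback for the bill of lading) that a compensating control or an offline procedure should close.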

2) Enforce least privilege with a Zero Trust roadmap  

Once attackers get inside your network, they move sideways, hopping from one system to another, until they reach high-value targets like industrial control systems (ICS) or production machinery. In cybersecurity this is called lateral movement, and it is particularly dangerous in factories, where a single compromised device can disrupt entire operations.

You can reduce lateral movement with staged Zero Trust adoption: stronger MFA and Conditional Access, segmentation for OT cells, hardened device posture, and continuous monitoring tied to incident workflows.   

A structured gap assessment aligned to NIST 800-207, CISA, and Microsoft’s model gives you a practical, sequenced plan with quick wins first and platform changes later.  

3) Close identity and AD escalation paths  

Most OT compromises begin with an identity foothold, then pivot into on-prem Active Directory (AD).   

Your team should regularly audit privileged groups, shadow admins, stale service accounts, and Group Policy Object (GPO) drift. Tighten Tier-0 boundaries and rationalize delegation. Together, these measures reduce the likelihood that a phished account results in domain control and plant downtime.

4) Verify your Endpoint Detection and Response (EDR) effectiveness  

If EDR can’t detect it, it can’t stop it.   

Review policy coverage and telemetry for systems that connect to production, such as engineering laptops, line PCs, quality lab machines, and jump hosts. You can tune containment and isolation actions, and test alert routing to your Security Operations Center (SOC).   

The overarching aim should be to prioritize signal over noise for responders to move quickly when there’s a real threat.  

5) Reduce exposed attack surface

Two parallel efforts help here.  

First, assess external exposure. Inventory internet-facing assets (VPNs, supplier portals, admin consoles), validate TLS, and remove orphaned services.   

Second, assess internal exposure. Run authenticated scans on OT-adjacent Windows hosts and infrastructure, verify patch baselines, and kill legacy protocols that enable lateral movement. Both efforts should end with a business-prioritized remediation plan.  

Bonus for regulated/large estates  

Apply CIS Level 2 hardening to servers/workstations that bridge OT and IT. It enforces granular auditing, service restrictions, and role separation, exactly the friction attackers hate (and often exploit the absence of).  

Refer to “CIS Level 2 Server & Workstation Hardening Assessment” for details of coverage. 

What about your Supply Chain Exposure?  

As reported in the JLR cyberattack and discussed in one of our earlier articles on Fourth-Party IT Risks, your supply chain partners (as well as your perimeter) are as big a risk to your cybersecurity as your internal systems.   

JLR’s 2023 agreement with TCS (Tata Consultancy Services) placed significant portions of JLR’s networks, data connections, and cybersecurity under a unified managed model. That kind of consolidation can reduce cost and complexity. But it can also create shared fate.

Before the JLR incident, UK retailers M&S and Co-op also suffered major attacks in April 2025. M&S publicly stated its attackers came via a third-party contractor. Reports at the time noted M&S’s relationship with TCS but did not confirm that TCS was the compromised party.   

Outsourcing, then, must be done correctly.

Ungoverned connectivity can become a problem. When your provider runs identity, network, help desk, and cybersecurity, the following become board-level risks and must be contract- and architecture-level controls:  

  • Hard separation of duties and identity boundaries. Your MSP should use dedicated identities (per-tenant, least-privileged), Conditional Access, device health checks, and just-in-time elevation. No shared “break-glass” accounts living forever.

  • Provider access is segmented and can be removed in seconds. Access from the provider lands in a separate zone (PAM/jump tier) and is brokered, never direct to Tier-0, engineering workstations, or MES. You can revoke those paths in a single playbook step.

  • Third-party incident co-response is drilled quarterly. Simulate a provider credential theft: who detects, who isolates, and how do you continue safe, degraded operations while the MSP re-keys and proves containment?

  • Telemetry ownership. You retain immutable logs for all provider actions and admin APIs. Your SOC (in-house or co-managed) sees the same truth the provider sees.

  • Enforceable supply-chain attestations. Require providers to attest to their own EDR, identity hygiene, and secure help-desk protocols (e.g., no password resets without out-of-band, recorded verification). Tie SLA credits to failure here.

  • Exit ramps. Pre-approved procedures to replace a compromised provider account, rotate secrets, and move critical services to an alternate control plane if needed.

What Resilience Metrics Should CISOs and COOs Track?

To lead effectively in Industry 4.0, CISOs must move beyond traditional IT-centric KPIs. Operational resilience demands hybrid metrics that reflect both cybersecurity posture and production continuity.   

The goal isn’t just to detect threats, but to sustain safe, uninterrupted output even under pressure. These are the measures that both a COO and CISO can stand behind:  

  • Mean Time to Safe Operation (MTTSO)  

  • Identity Containment Time  

  • EDR Coverage on OT-Adjacent Assets  

  • Critical Path Resilience Score  

  • Supplier Notification SLA Adherence  

These metrics will shift your cybersecurity investments toward what matters most, i.e., keeping production lines running safely, even in the face of disruption.  

How X-Centric helps achieve operational resilience (and prove it to the board)  

At X-Centric, we work with manufacturers who often come to us seeking audit readiness but stay for operational clarity.   

Our layered assessment model is designed to give both CISOs and COOs confidence: confidence that their security posture supports uptime, and that their resilience strategy can be communicated clearly to the board.

Customers get a sequenced, actionable roadmap, one that aligns with real-world production constraints and delivers measurable progress.  

  • EDR Effectiveness Review focused on engineering workstations and shared plant PCs, improving detection and isolation where it matters.  

Next step: map your critical production dependencies, identify the top three blind spots likely to pause output, and get a sequenced plan your team can execute.

Executive Takeaway  

The JLR cyberattack is now a canonical example of how an IT-rooted incident becomes an OT crisis that idles plants and impacts suppliers.   

If you outsource key IT or security functions, assume attackers will first traverse provider access points. So, keep your identity boundary sovereign, make provider access tightly scoped and kill-switchable, drill “third-party compromise” scenarios, and design for safe degraded operations.

© 2025 X-Centric IT Solutions. All Rights Reserved