Updated – 30th September 2025
JLR has confirmed a phased restart of manufacturing in the coming days, beginning with the Wolverhampton engine facility on 6th October, followed by a staged return across other plants. Some IT systems were restored on 25th September to clear supplier payment backlogs and support service parts logistics. The UK government is backing a £1.5 billion loan guarantee to protect the supply chain and JLR has secured a further £2 billion credit line as a liquidity backstop. Industry reports (source: The Insurer) also indicate JLR did not have live cyber insurance at the time of the attack. It will still take weeks to reach the normal run rate.
The Evolving Timeline
- 31 Aug–1 Sept: Attack forces a shutdown across production and sales operations.
- Early to mid-September: Disruption is expected to extend and continue into October.
- 25 September: Partial IT recovery enables invoicing, supplier payments and parts logistics.
- From 6 October: Phased restart, beginning with Wolverhampton; staged ramp across other plants; full capacity expected to take weeks.
A month after the attack that halted production and sales systems worldwide, JLR is transitioning from containment to controlled recovery. The story has become a national industrial risk issue, not just an IT outage. For boards across manufacturing, the lesson is clear: resilience is a business capability that spans cyber, operations and finance.
The Daisy Chain Reality
Recent high-profile incidents in manufacturing show a critical truth: attackers don’t necessarily need to tamper with robots or PLCs to bring production to a halt. Disruption often stems from business-critical IT systems being taken offline: the applications that connect the plant floor to customers, suppliers and partners.
When these “glue systems” are unavailable, operations can stall even if the production floor itself remains technically functional.
Commonly Overlooked Risks
- Timing: Attacks launched over weekends or holidays are harder to contain, and controlled restarts of intertwined IT/OT systems typically take days, not hours.
- Preparedness: Many organisations plan for incident response, but far fewer invest in the ability to perform staged restarts across plants and partner networks.
Why Manufacturers Are Prime Targets
Manufacturing remains one of the most attractive sectors for cyber attackers. Size offers little protection. The same automated ransomware and phishing campaigns that target global corporations also affect smaller suppliers.
What makes the industry especially vulnerable is the financial pressure of downtime. Unlike some sectors, manufacturers have almost no tolerance for extended disruption. Every day offline means:
- Revenue lost from halted output.
- Labour costs mounting as employees sit idle or shifts run into overtime.
- Potential penalties and reputational damage from missed delivery deadlines.
This combination makes manufacturing a sector where even a brief outage can rapidly escalate into major financial and operational loss.
The AI Acceleration Problem
Yesterday’s attackers spent days escalating privileges, mapping networks and manually turning off security tools.
Today’s AI-accelerated attackers compress this into minutes:
- Credential cracking at scale with AI-assisted spraying
- Adaptive phishing with supplier-style emails indistinguishable from legitimate ones
- Polymorphic ransomware that mutates to evade antivirus software
- Automated orchestration of backup deletion and EDR tampering
This shift has collapsed the timeline, leaving traditional, human-centred detection models unable to keep pace.
“Cyber threats are evolving at an unprecedented pace. What used to take days can now escalate from an initial breach to a full-scale compromise in under an hour. For organisations, the real measure of resilience is how well you can contain the blast radius and keep the business running when an attack hits.”
— Dominic List, CEO of CyberOne
What Boards Should Take From This
- Cyber risk is not just for enterprises: The first-order losses are obvious; the second-order impacts include supplier distress, customer delays and reputational hits. Treat it like any other threat to revenue and cash.
- Recovery priorities matter: Restoring the systems that unblock payments, shipments and service work buys you time and goodwill.
- Suppliers are part of your blast radius: Contracts must establish minimum control baselines, provide continuous assurance and include pre-agreed contingencies for “keep shipping” scenarios.
- Finance belongs in the war room: Liquidity planning, covenant awareness and playbooks with your lenders are as critical as backups and EDR.
- Insurance is risk transfer, not a strategy: Reports indicated JLR lacked live cyber insurance when the attack hit. However, even with cover, exclusions and sub‑limits apply. Ensure you have controls that keep you insurable and practise operating without a payout.
“Too many manufacturers still believe network segregation or antivirus software will save them. In reality, attackers target the identity layer and the business systems that hold everything together. If you can’t detect and contain that quickly, production stops. No matter how well-protected your plant floor looks.”
— Lewis Pack, Head of Cyber Threat Defence, CyberOne
What Good Looks Like
Microsoft Security
Identity & Access
- Phishing‑resistant MFA for all, especially OT and privileged roles
- Just‑in‑time admin with Privileged Identity Management (PIM)
- Conditional Access by user, device health and geolocation
Mapped to: Microsoft Entra ID, Entra ID Protection, Entra PIM
Endpoint & Workload Hardening
- Defender XDR across endpoints, servers and cloud workloads
- Application control on build servers and engineering workstations
- Rapid containment and isolation at IT/OT boundaries
Mapped to: Microsoft Defender for Endpoint, Defender for Cloud
OT/IoT Segmentation & Access Brokering
- Layered network zones for production cells and test benches
- Brokered, monitored access with full session recording
- Asset discovery and anomaly detection on industrial protocols
Mapped to: Microsoft Defender for IoT, Entra ID
Rapid Restore at Scale
- Keep locked offline backups of your business systems and identity.
- Clean‑room rebuild capability with scripted Gold Builds
- Regular, timed recovery drills measured in hours, not days
Mapped to: Azure Backup, Azure Site Recovery
Threat Detection, Automation & Response
- Centralised log collection and detections with MITRE ATT&CK coverage
- Playbooks for supplier‑related alerts and suspicious remote access
- Human‑led threat hunting amplified by AI Augmentation
Mapped to: Microsoft Sentinel
Third‑Party & Supply Chain Risk
- Control baselines in contracts (MFA, EDR, patch SLAs, logging)
- Continuous assurance for critical suppliers
- Alternate sourcing and pre‑approved “pay and ship” contingencies
Mapped to: Defender for Cloud (secure score for multi‑cloud), Sentinel and Purview
Finance & Communications
- Have a pre-approved credit line with room to grow and agree on how you’d use it
- Supplier payment fallbacks and customer communication templates
- Decision rights defined between IT, operations, finance and legal
The Resilience ROI Framework
Resilience ROI isn’t measured in blocked attacks. It’s quantified through downtime avoided. A 500-person automotive supplier, losing £1.2m per day, faces a potential £25m impact over three weeks offline. With performance-led security (golden images, vaulted identities and tested restart procedures), recovery can be reduced to 3–5 days. That’s £20m in avoided downtime.
Leading indicators help prove ongoing value:
- Mean time to detect anomalous logins
- Percentage of vaulted critical accounts
- Number of successful phishing attempts
- Recovery drill times
Your competitive edge isn’t prevention. It’s proving you can absorb impact and restart faster than competitors. OEMs are auditing supply chain resilience and manufacturers who can demonstrate measurable recovery readiness win contracts over those with only prevention on paper.
The Jaguar Land Rover lesson isn’t about enterprise scale. It’s about recognising that your business runs on interconnected systems where the weakest link defines survival. Attackers don’t need your robots. They need to snap one link in your chain.
How CyberOne Can Support You
1. Cyber Incident Tabletop Exercising
Cyber Incident Tabletop Exercising is a fast, executive‑ready rehearsal of your worst day. We simulate a manufacturing-grade ransomware or third-party compromise and walk leaders through decisions on shutdowns, supplier communications, regulatory notifications and financing levers. You leave with a prioritised gap list and a 60‑day action plan.
2. AssureMAP – Cyber Maturity Assessment Resilience Assessment
CyberOne’s AssureMAP is a structured framework that helps organisations understand their current security state, benchmark maturity and identify the most critical gaps before attackers exploit them.