The new cybersecurity imperative
Data breaches are destructive, but a cyberattack on your supply chain wreaks another kind of havoc. How can you mitigate the risk?

In 30 Seconds
Cybersecurity goes beyond data protection: cyberattacks on supply chains can threaten jobs, production and economies.
As the UK, EU, and US seek to reduce reliance on fragile global supply chains, they must not overlook digital risk.
It’s vital to look at your whole supply chain and identify weak spots, especially SMEs with smaller cybersecurity budgets.
Cybersecurity has tended to be framed as a data-protection issue: safeguarding customer records, preventing identity theft, and avoiding regulatory penalties under GDPR. But there is a broader and more urgent reality: in manufacturing, cyber breaches can paralyse supply chains.
When a supply chain grinds to a halt, the consequences go far beyond reputational harm. Jobs, production and the economic lifeblood of entire regions are put at risk. The recent cyberattack on Jaguar Land Rover (JLR) revealed how fragile – digitally, physically and financially – one of the UK’s most important supply chains really is.
What began as a breach of enterprise IT systems quickly snowballed into something far larger. JLR’s UK factories shut down completely, production at global sites was halted, and disruption rippled through thousands of suppliers and dealers, reaching markets such as France and Germany.
For almost a month, assembly lines sat idle. Tier-1 and tier-2 suppliers faced cash-flow crises as shipments stalled. Dealers were unable to register or deliver vehicles. Analysts estimate that JLR lost nearly £50 million a week during the shutdown. Smaller suppliers struggled to pay staff and keep production going. By late September, Tata Motors, JLR’s parent company, was forced to secure a £2 billion emergency credit line, and the UK government had to guarantee a £1.5 billion loan to stabilise the supply chain. Two months after the attack, JLR reported a 25% revenue drop for the quarter, with an exceptional cost of £196 million related to this incident. Factoring in supply chain cascades and lost output, the impact on the broader UK economy is estimated at £1.9 billion.
Just as the failure of a single bank can cascade through counterparties, the compromise of one manufacturer can cascade through suppliers, logistics providers, and dealers. Both systems are highly interconnected, and both require systemic safeguards.
Cyber risk is also unique in its adversarial nature. Unlike natural disasters or pandemics, cyberattacks occur precisely because attackers see leverage in disruption. The exact motive of the JLR attackers remains unclear, but this incident demonstrates a broader risk. If hackers believe that breaching enterprise software can force a supply chain shutdown, they gain a powerful weapon to inflict outsized harm.
As the stakes rise, more such attempts are inevitable – whether from criminal groups seeking ransom or nation states pursuing strategic advantage.
Designing resilience
Traditionally, firms have drawn a line between information technology (IT), the systems managing data, communication and business processes, and operational technology (OT), which controls physical assets like industrial robots or energy grids. Organisations have focused on isolating their OT from their IT to prevent physical shutdown.
But as the JLR incident shows, attackers no longer need to breach OT to paralyse a modern supply chain. Many IT systems, though they don’t directly control machinery, are operationally critical. A parts-sequencing database or a vehicle-registration platform may not be “OT,” but without them, the assembly line grinds to a halt.
This means that what we need is a nuanced, multi-layer classification framework, prioritising mission-critical IT systems according to their cascading impact on the business and the broader supply chain.
Resilience-by-design principles become essential. The goal is clear: to give business leaders the confidence that not every cyber incident will require an operational shutdown. Modular design, micro-segmentation, and zero-trust architecture can help to ensure that a breach in one system doesn’t paralyse the entire enterprise.
Even with these safeguards in place, shutdowns will sometimes be unavoidable. What can your firm do to ensure minimum disruption?
Embed redundancy and flexibility into your processes. In sophisticated, lean supply chains, physical redundancy such as holding excess inventory is costly. Invest in process and system redundancy. Have backup payment processes in place so you can keep your suppliers afloat if your payment system fails. Set up AI-enabled analytics to estimate demand and order parts if and when your routine production planning systems are disrupted and accurate information is otherwise unavailable.
Develop organisational agility. Flexible thinking is equally vital. In the 2017 NotPetya attack, Maersk employees improvised with handwritten bills of lading (the legal documents issued by a carrier that serve as a receipt for goods, a contract of carriage, and a document of title) and WhatsApp groups to keep containers moving. Imperfect though it was, that spirit of creativity helped the firm recover. Manufacturers need to plan not only for technical contingencies but also for the ability of people to adapt and keep operations running under stress.
Build resilience by extending your defences. The small and medium enterprises (SMEs) that feed your original equipment manufacturers are vulnerable. Smaller firms, often under-resourced in cybersecurity, may become stepping stones for larger attacks, for attackers will always probe the weakest link. The infamous Target breach began with a small heating, ventilation, and air conditioning supplier. The 2020 SolarWinds hack saw attackers infiltrating thousands of organisations through a single software vendor. In manufacturing, a shortage of just one component can halt production lines.
Beyond the firm
Cybersecurity vendors and insurers need to adapt. Technical solutions should prioritise supply-chain continuity, and insurance should expand to cover cascading supply-chain losses, not just direct remediation costs.
Governments have a role to play. Emergency guarantees like the UK’s £1.5 billion lifeline for JLR suppliers may be unavoidable in the short term. But in the longer term, governments should not be the guarantors of first resort. As after the 2008 financial crisis, regulators may need to designate “systemically important manufacturers” and impose stricter resilience standards, including stress tests to evaluate whether manufacturers and their supply chains could survive prolonged disruption.
Just as banks are required to prove they can withstand financial shocks, systemically important manufacturers must prove they can withstand digital ones. JLR’s case shows that major industrial champions can be just as systemically important as banks.
Investing in supply-chain-aware cybersecurity may not come cheap. But these costs are no longer optional. They are the price of doing business in a digital economy. Strong defences also act as deterrents, signalling to attackers that disruption will not yield easy leverage.
As the UK, EU, and US seek to revitalise domestic manufacturing and reduce reliance on fragile global supply chains, they must not overlook digital risk. One attack on a single company can freeze many firms across multiple industries.
The lesson from JLR is simple, and sobering: in today’s economy, supply-chain resilience and cybersecurity are inseparable. It’s time for both business leaders and policymakers to internalise this reality and act accordingly to reduce the chances of chaos.


