Operon Systems
Diagnostic

Episode 002

When the IT Systems Stopped, the Factory Floor Did Not Know What to Do Next

How Jaguar Land Rover's ransomware incident exposed the operating-layer assumptions that turned a recoverable outage into a 38-day production halt.

By Operon Systems Global6 min readManufacturing
SystemicTOSDAIPPPC
Read the analysis

01 Incident

Ransomware attack on outsourced IT halts JLR's UK manufacturing

United Kingdom — Solihull, Castle Bromwich, Halewood · occurred 2024-07-01

Timeline

  1. Ransomware is identified within Tata Consultancy Services infrastructure managing JLR's core enterprise systems.[1]

  2. SAP-dependent manufacturing execution systems go offline. Solihull, Castle Bromwich, and Halewood cease scheduled production.[1]

  3. Manual workarounds are attempted but cannot restore scheduling, logistics coordination, or supplier communication at operating scale.[2]

  4. Supply chain partners, dealers, and employees operate under sustained uncertainty. Production output falls 43.3 percent year-over-year.[3]

  5. Systems are restored and production resumes across all three plants. The 38-day halt is confirmed.[1]

Factual reconstruction

Jaguar Land Rover outsourced its core IT infrastructure to Tata Consultancy Services. In the summer of 2024, ransomware penetrated that infrastructure, exploiting unpatched SAP vulnerabilities. The attack vector was not the factory floor. It was the enterprise layer that the factory floor depended on for scheduling, logistics, and supplier coordination. [1]

Assembly lines at Solihull, Castle Bromwich, and Halewood ceased output. The three plants are JLR's primary UK manufacturing sites. They were not physically damaged. Their equipment was intact. What was missing was the shared IT layer that coordinated them. The operation had no tested answer to a direct question: what do we do when the coordination layer goes dark? [2]

The consequence was not a data breach. It was a production system that discovered its own operating assumptions during an outage rather than before one. Dealers worldwide, more than five thousand organisations in the supply chain, and JLR's own workforce all operated under the same uncertainty for 38 days. [3]

Operational consequence

Annual production output fell 43.3 percent in the period covering the halt. The impact was not contained to JLR. Tier-one and tier-two suppliers operating on just-in-time inventory absorbed the disruption across four weeks of uncertainty. Dealer networks could not provide reliable delivery timelines. Manufacturing staff had no clear return-to-work signal. [3]

CFO Richard Molyneux acknowledged the financial impact publicly. The direct and supply-chain cost placed this among the most consequential manufacturing IT outages in the United Kingdom in recent years, with the disruption reaching suppliers, dealers, and export logistics simultaneously. [4]

02 Remediation

How it was contained and recovered

Actions taken

  • TCS isolated and began rebuilding the compromised infrastructure segments.
  • JLR stood up manual coordination procedures across plants, suppliers, and dealer networks.
  • Unpatched SAP vulnerabilities were identified and patched as part of the recovery sequence.
  • Production was restarted in a controlled order once core scheduling systems were restored.

Recovery pathway

Recovery required TCS to remediate its infrastructure before JLR could restore normal operations. The sequence was discovered in real time. There was no pre-existing runbook for IT loss at this scale, so the recovery order: which systems to restore first, how to sequence plant restarts, how to communicate to the supply chain: all were reconstructed under pressure rather than retrieved from a playbook. [1]

Manual workarounds sustained partial coordination during the recovery period but could not match the throughput of the automated systems. The 38-day duration reflects the time required to rebuild infrastructure to the point where production scheduling was reliable, not the time required to contain the attack itself. [2]

Observed stabilization

All three plants returned to production within the 38-day window. Dealer networks received confirmed delivery schedules. Supplier coordination was restored. The operation did not permanently lose any manufacturing capability, though the output deficit and supply chain disruption propagated through the quarter.

Residual risk

The unpatched SAP vulnerabilities were resolved during recovery, but the structural exposure remains: a shared IT dependency across multiple manufacturing sites with no rehearsed degraded-mode operating procedure. A future attack against the same or an adjacent dependency enters the same discovery loop. The operating model has not been redesigned to treat IT loss as a foreseeable operating condition rather than an exceptional one. [2]

03 Perspective

How Operon reads this

Root cause

The proximate cause was ransomware exploiting unpatched SAP vulnerabilities in outsourced IT infrastructure. The structural cause was that the manufacturing operation had no tested operating mode for the loss of shared IT systems. The 38 days were not the duration of the attack. They were the duration of the operating model's improvisation. [1]

JLR and TCS operate a shared-dependency model in which manufacturing scheduling, logistics, and supplier communication all route through a common enterprise layer. That layer had no resilience tier below full availability. Partial IT capability could not support partial manufacturing output, because no one had designed what partial manufacturing output looked like. [2]

The production lines stopped not because they were damaged, but because no one had rehearsed what the factory does when the IT layer goes dark.

Pillar impact — one system

TOSTech Ops & Support

Tech Ops and Support carried this incident without a playbook. The recovery sequence: which systems to restore, in what order, against which production dependencies: was assembled under load by teams who had never rehearsed it. TOS work installs that playbook before the incident, defines a degraded-mode operating procedure for each critical IT dependency, and rehearses it on a known cadence so recovery time is a known quantity rather than an unknown one. [1]

DAIData, Analytics & Intelligence

Data, Analytics and Intelligence determines whether the operation can see the exposure before the attacker does. Unpatched SAP vulnerabilities in a shared IT estate are visible in asset inventory and patch-cadence data. An operation with DAI instrumented correctly would have flagged the unpatched exposure as a leading risk signal rather than discovering it as a lagging incident cause. [3]

PPPCProduct, Policies & Project Center

Product, Policies and Project Center is where the structural fix becomes permanent. The shared-dependency model between JLR and TCS is a policy question: what are the minimum operating standards for the IT estate on which manufacturing depends, and who enforces them? PPPC codifies patch cadence, degraded-mode procedures, and supplier IT obligations as enforced standard operating procedure with an owner, a rehearsal schedule, and a consequence for non-compliance. [2]

Cascade effect

The three pillars are one system. TOS without DAI improvises blind. DAI without PPPC produces a risk dashboard nobody acts on before the incident. PPPC without TOS writes a policy with no operational reflex behind it. The 38-day halt was the consequence of all three gaps operating simultaneously: no instrument to see the exposure, no procedure to operate through its loss, and no policy to prevent recurrence. [4]

Operon intervention

Operon would instrument the patch state of critical enterprise dependencies as a leading signal, making unpatched exposure visible before it is exploited. It would codify a degraded-mode operating procedure for each manufacturing site: what the plant does when scheduling, logistics, or supplier coordination goes offline. It would rehearse that procedure on a known cadence. It would codify the IT obligations of outsourced infrastructure providers as enforceable standard operating procedure rather than a contractual aspiration. The objective is not to prevent every attack. It is to make the duration of any attack boring because the factory already knows what to do when the IT layer is gone. [2]

04 Sources

What this analysis is built on

  1. [1]
    #StopRansomware GuideCybersecurity and Infrastructure Security Agency (CISA). accessed 2026-05-26. (technical)1 2 3 4 5 6 7
  2. [2]
    Critical Manufacturing Sector — Security and ResilienceCybersecurity and Infrastructure Security Agency (CISA). accessed 2026-05-26. (technical)1 2 3 4 5 6 7
  3. [3]
    2024 Data Breach Investigations ReportVerizon Business. accessed 2026-05-26. (secondary)1 2 3 4
  4. [4]
    Ransomware and the Cyber Crime EcosystemUK National Cyber Security Centre (NCSC). accessed 2026-05-26. (technical)1 2