5 Security Takeaways from the Jaguar Land Rover Cyberattack


On Sept. 1, England’s largest auto manufacturer, Jaguar Land Rover (JLR), disclosed that it had been hit by a cyberattack. Soon after the disclosure, the company was forced to halt production across several factories worldwide as the damage rippled into every part of its operations. 

Stalled production was only the start of the fallout. While exact figures aren’t public, experts have speculated that JLR has lost as much as 50 million pounds per week while it works to bring production back online, with 33,000 jobs and a deeply stretched supply chain hanging in the balance. The result has been delayed paychecks, empty order books, canceled shifts, and more. 

The severity and scale of this attack serve as stark warnings to enterprises that operational resilience is like a chain, and it’s only as strong as its weakest link. 

Details of the Jaguar Land Rover Cyberattack

The threat group known as Scattered Lapsus$ Hunters claimed responsibility for the incident. The group is believed to have studied plant workers for months, using social media profiles and professional networks to craft highly personalized spear-phishing emails. Once an employee clicked a single link, it set off a chain of events that went undiscovered until far too late: bypassed multi-factor authentication, stolen credentials, and exploited misconfigurations. When production ground to a halt, the group issued ransom demands.

Perhaps the most disturbing detail of this incident is how quietly the attackers breached JLR’s enterprise network and how long they went unnoticed. Using tactics, techniques, and procedures (TTPs) that let them explore the network from a seemingly legitimate position, they evaded traditional IT-centric security controls and observed the environment for weeks. 

JLR has since started to slowly resume limited operations in some factories. Now that more details of the attack have been made available, there are some clear takeaways that cybersecurity leaders can use when implementing their own security strategies. 

Expand Asset Visibility to the Production Floor

If an organization can’t see, let alone understand, the routine behavior of every programmable logic controller (PLC), human-machine interface (HMI), and other cyber-physical system (CPS) on its production floor, it can’t protect them. Many of those devices run outdated software or have gone unpatched for long periods. That’s why it’s important to implement a solution built for operational technology (OT) environments, ideally one whose monitoring automatically flags anomalous network activity before it becomes a threat. 

Enforce Strict Network Segmentation

In the JLR attack, the intruders moved laterally across the network after the initial breach, widening the damage at each layer they reached. Segmenting the network into isolated zones lets administrators contain a breach and limit how far it can spread. Better still is a solution that can automatically recommend network zones based on the organization’s existing security infrastructure.
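Segmentation is only as good as the verification behind it. The following is an added example, not Claroty's code or anything from the JLR investigation: it assigns hosts to simplified Purdue-style zones, declares the permitted conduits between zones, and audits a batch of flow records for anything that crosses a zone boundary without an allowed conduit. The zone names, address ranges, ports, and flow records are all constructed for illustration; the unmapped-host case shows why segmentation depends on the asset visibility discussed above.

```python
"""Zone/conduit policy check over flow records (added example, not Claroty's code).

Every flow that is not covered by a declared conduit is reported as a
segmentation violation, including flows from hosts missing from the zone map.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: network -> zone name (simplified Purdue-style layout).
ZONES = {
    ipaddress.ip_network("10.1.0.0/16"): "enterprise",
    ipaddress.ip_network("10.2.0.0/24"): "idmz",          # industrial DMZ / jump hosts
    ipaddress.ip_network("192.168.10.0/24"): "control",   # HMIs, engineering workstations
    ipaddress.ip_network("192.168.20.0/24"): "cell",      # PLCs
}

# Constructed conduit allowlist: (src_zone, dst_zone) -> permitted destination
# ports, or None for "any port" (used for traffic that stays inside a zone).
CONDUITS = {
    ("enterprise", "idmz"): {443},
    ("idmz", "control"): {443, 3389},
    ("control", "cell"): {502, 44818},   # Modbus/TCP, EtherNet/IP
    ("control", "control"): None,
    ("cell", "cell"): None,
}


def zone_of(ip):
    """Return the zone for an address, or 'unknown' if it is not in the inventory."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def check_flow(flow):
    """Return None if the flow is allowed by a conduit, otherwise a reason string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        # A host outside the inventory cannot be placed in a zone: treat as a violation.
        return f"unmapped host in {flow.src} -> {flow.dst}"
    pair = (src_zone, dst_zone)
    if pair not in CONDUITS:
        return f"no conduit {src_zone} -> {dst_zone}"
    allowed = CONDUITS[pair]
    if allowed is None or flow.dport in allowed:
        return None
    return f"{flow.proto}/{flow.dport} not permitted on conduit {src_zone} -> {dst_zone}"


def audit(flows):
    """Return [(flow, reason)] for every flow that violates the zone policy."""
    violations = []
    for flow in flows:
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


# Constructed flow records: three legitimate paths, then the lateral moves
# a segmented network should block.
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", 443),          # enterprise -> iDMZ web portal
    Flow("10.2.0.10", "192.168.10.5", 3389),      # jump host -> engineering workstation
    Flow("192.168.10.5", "192.168.20.7", 44818),  # workstation -> PLC (EtherNet/IP)
    Flow("192.168.10.5", "192.168.10.6", 445),    # inside control zone: allowed
    Flow("10.1.5.20", "192.168.20.7", 502),       # corporate host straight to a PLC
    Flow("10.2.0.10", "192.168.20.7", 3389),      # jump host skipping the control zone
    Flow("10.1.5.20", "192.168.10.5", 445),       # SMB from enterprise into control
    Flow("192.168.20.7", "10.1.5.20", 443),       # PLC calling out to enterprise
    Flow("172.16.0.9", "192.168.20.7", 502),      # device not in the zone map
    Flow("10.1.5.20", "10.2.0.10", 22),           # right conduit, wrong port
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Conduits are directional on purpose: a PLC initiating a connection toward the enterprise zone is as much a finding as a corporate host reaching a PLC. In practice the same check runs against exported NetFlow or span-port data, and the zone map is what an OT asset inventory provides.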

Secure Third-Party Access to the OT Network

With a supply chain as vast and complex as JLR’s, the ripple effects of the breach may have also affected third parties who had access to JLR’s network, such as vendors and contractors. With the right secure remote access solution, organizations can isolate vendor connections, enforce a least privilege access policy, and strengthen multi-factor authentication (MFA) for any external party trying to access the network. 

Adopt Zero Trust, Assume Breach is Inevitable

For OT networks, it’s long past time to move beyond traditional perimeter security. A zero-trust architecture verifies every user and device on every access request, regardless of where the request originates, and operates under the assumption that an attacker is already inside the network. Implementing zero trust should be the backbone of a robust cybersecurity strategy, especially as OT and IT become increasingly interconnected. 

Resilience is Measured in Mean-Time-to-Repair

When it comes to recovering from a cyberattack, a good metric to keep in mind is mean-time-to-repair (MTTR). This is the average amount of time it takes to complete a repair or other maintenance on a cyber-physical system, from the moment the engineer connects to it, to the moment the repair is finalized and the engineer disconnects. MTTR is a key metric to measure resilience, and reinforces the need for defined and rehearsed incident response plans. Conduct regular exercises that simulate an attack that causes a full production halt, and ensure the restoration process is documented and easy to reference in the event of an actual security incident. 
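Using the definition above, MTTR can be derived directly from remote-maintenance session records. The following is an added example, not Claroty's code: it pairs connect and disconnect events per engineer and asset, computes the mean session duration per asset and overall, and keeps sessions that never closed out of the average while still reporting them. The log format and every line in it are constructed for illustration.

```python
"""Mean-time-to-repair from remote-maintenance session logs (added example).

A session runs from the moment an engineer connects to a cyber-physical
asset until the engineer disconnects. MTTR per asset is the mean duration of
its completed sessions. The log format below is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed log: ISO timestamp, event, engineer, asset.
# The last session has no disconnect and must not distort the metric.
LOG = """\
2025-09-02T08:00:00Z connect    alice plc-press-01
2025-09-02T08:45:00Z disconnect alice plc-press-01
2025-09-02T09:10:00Z connect    bob   hmi-paint-03
2025-09-02T09:12:00Z disconnect bob   hmi-paint-03
2025-09-02T13:00:00Z connect    carol plc-press-01
2025-09-02T14:30:00Z disconnect carol plc-press-01
2025-09-03T07:30:00Z connect    dave  plc-weld-07
"""


def parse(log):
    """Yield (timestamp, event, engineer, asset) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, who, asset = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, who, asset


def session_durations(log):
    """Pair connect/disconnect events per (engineer, asset).

    Returns ({asset: [minutes, ...]} for completed sessions,
             {(engineer, asset): start} for sessions still open).
    """
    open_sessions = {}
    durations = defaultdict(list)
    for ts, event, who, asset in parse(log):
        key = (who, asset)
        if event == "connect":
            open_sessions[key] = ts
        elif event == "disconnect":
            start = open_sessions.pop(key, None)
            if start is None:
                continue  # disconnect with no matching connect: a log gap, skip it
            durations[asset].append((ts - start).total_seconds() / 60)
    return dict(durations), open_sessions


def mttr_minutes(log):
    """Per-asset MTTR in minutes over completed sessions."""
    durations, _ = session_durations(log)
    return {asset: mean(d) for asset, d in durations.items()}


def overall_mttr_minutes(log):
    """Fleet-wide MTTR in minutes, or None if no session has completed."""
    durations, _ = session_durations(log)
    all_durations = [d for ds in durations.values() for d in ds]
    return mean(all_durations) if all_durations else None


if __name__ == "__main__":
    for asset, minutes in sorted(mttr_minutes(LOG).items()):
        print(f"{asset}: MTTR {minutes:.1f} min")
    print(f"overall: MTTR {overall_mttr_minutes(LOG):.1f} min")
    for (who, asset), start in session_durations(LOG)[1].items():
        print(f"still open: {who} on {asset} since {start:%Y-%m-%d %H:%M}")
```

An open session is reported separately rather than folded into the mean; during a real outage those are the repairs still in progress, and a restoration runbook that is rehearsed and easy to reference is what keeps them short.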

What the JLR Attack Means for Cybersecurity in Manufacturing

Make no mistake—the cyberthreats faced by the industrial sector are just as unpredictable as they are unprecedented. When a single point of failure can result in the loss of billions in revenue, there’s no room for being unprepared. 

Though the blast radius of the JLR incident reached far and wide, it’s not a fate that every organization is doomed to repeat. Keeping robust measures in place to proactively detect, respond to, and mitigate threats is crucial to protecting critical infrastructure, and to limiting the fallout that could otherwise reach the general public.
