Capula warns UK infrastructure operators to act now as cyber threats escalate in OT systems
JLR cyber hack highlights the urgent need for greater resilience across the UK’s operational technology environments
The UK’s critical national infrastructure (CNI) faces a growing and increasingly tangible cyber threat. Awareness of cyber risk has increased significantly over recent years. Still, many infrastructure operators remain dangerously exposed, particularly in operational technology (OT) environments, where legacy systems, limited visibility, and sprawling vendor ecosystems are still the norm.
Capula, a specialist in national infrastructure, industrial automation, control systems, and cyber-resilience, works across sectors including nuclear, power, water, transportation, and manufacturing. Its experience shows a clear trend: threats are growing, yet many organisations still lack the visibility and control needed to defend themselves effectively.
“We are already in a grey-zone cyber conflict,” says Steven Lane, Industrial Cybersecurity Lead at Capula. “The UK’s essential services are being probed continuously. Threat actors are not waiting for organisations to be ready. The question isn’t if attackers are trying to access operational networks, but how well operators can detect, contain, and recover when it happens.”
JLR: A warning for every operator
The cyber-attack on Jaguar Land Rover (JLR) in August and September 2025 serves as a warning to every infrastructure sector. The automaker was forced to halt production at its UK factories after a breach shut down internal systems, disrupting global operations and triggering widespread supply-chain impacts. Production ground to a halt in September.
Analysts estimate that the event cost the UK economy around £1.9 billion and affected more than 5,000 downstream firms. The incident was categorised by the Cyber Monitoring Centre (CMC) as a Category 3 systemic event, meaning significant disruption to industrial output with broad financial consequences.
“For operators of critical infrastructure systems, the parallels are clear,” adds Lane. “Industrial platforms were once seen as isolated and immune to cyber threats. That perception is gone. Today, these systems are fully exposed, and the IT–OT boundary has effectively disappeared.”
Why the maturity gap persists
The cyber-resilience gap across infrastructure environments is rarely due to neglect. Operators understand the high stakes surrounding public safety, service continuity, and national resilience. The issue lies in how infrastructure systems evolve gradually under operational pressure over decades.
New vendors, remote maintenance, and digital monitoring are frequently added to legacy equipment that was never designed with networked exposure.
Lane explains: “As a result, many organisations manage complex estates where asset inventories are incomplete or outdated, legacy controllers remain undocumented, and remote-access routes vary in control and oversight. Security monitoring often focuses more on IT than OT. Day-to-day continuity tends to take priority over cyber-hardening, allowing vulnerabilities to grow quietly over time.”
In Capula’s engagements, fewer than 30% of operators maintain a complete and accurate OT asset inventory, a critical baseline for any meaningful resilience.
Converting complexity to clarity
The first step in Capula’s industrial cybersecurity process centres on visibility and stratification, not wholesale replacement.
“Modern resilience starts with understanding the real operating environment,” says Lane. “That means knowing what assets are live, how they communicate, where remote access is permitted, and which systems are critical to operations. Once that baseline exists, organisations can prioritise the areas where resilience uplift will have the most impact.”
Capula applies frameworks such as the Purdue Enterprise Reference Architecture (PERA) to define zones of network segmentation, contain lateral movement, and regulate vendor or remote access pathways. In environments still reliant on USB drives for file transfer, Capula replaces these with secure, monitored, and auditable workflows, ensuring both operational continuity and compliance with regulatory requirements.
The emphasis is on practical resilience, not theoretical compliance.
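The baseline Lane describes (which assets are live, how they communicate, where remote access is permitted) and the Purdue zoning Capula applies can be checked mechanically once an inventory and a flow export exist. The script below is an added example written for this article, not Capula's tooling: it assigns each inventoried asset a Purdue level, then audits observed flows for endpoints missing from the inventory, for traffic crossing non-adjacent levels (the lateral-movement paths segmentation is meant to contain), and for interactive remote access that reaches site or control assets without passing through a designated jump host. All addresses, asset names and flows are constructed, and the strict "adjacent levels only" conduit policy is an assumption; a real site would encode its own approved conduits.

```python
"""Purdue-zone conduit audit over an OT asset inventory and observed flows.

Added example (not Capula's tooling): assigns each inventoried asset a Purdue
level, then walks observed network flows and flags
  (a) endpoints that talk on the network but are missing from the inventory,
  (b) flows that cross non-adjacent Purdue levels, and
  (c) interactive remote-access sessions that reach site or control assets
      from a higher level without passing through a designated jump host.
All asset names, addresses and flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    level: float          # Purdue level: 0, 1, 2, 3, 3.5 (IDMZ), 4, 5
    role: str = "device"  # "jump" marks a brokered remote-access host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


# Constructed inventory keyed by address; in practice it is built from passive
# discovery reconciled against engineering records.
INVENTORY: Dict[str, Asset] = {
    "10.1.1.10": Asset("PLC-Feedwater-1", 1),
    "10.1.2.20": Asset("HMI-Control-Room", 2),
    "10.1.3.30": Asset("Historian", 3),
    "10.1.3.31": Asset("Eng-Workstation", 3),
    "10.1.35.5": Asset("IDMZ-Jump-Host", 3.5, role="jump"),
    "10.10.0.50": Asset("Corp-Laptop-Vendor", 4),
    "10.10.0.60": Asset("Corp-ERP", 4),
}

# Assumed policy: traffic stays within a level or crosses to the adjacent
# level only, so the IDMZ (3.5) is the sole path between site operations (3)
# and the enterprise (4).
ALLOWED_CONDUITS = {(0, 1), (1, 2), (2, 3), (3, 3.5), (3.5, 4), (4, 5)}

# Interactive protocols that count as remote access (IANA default ports).
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}

Finding = Tuple[str, str]  # (rule id, human-readable detail)


def conduit_allowed(a: float, b: float) -> bool:
    return a == b or (min(a, b), max(a, b)) in ALLOWED_CONDUITS


def check_flow(flow: Flow, inventory: Dict[str, Asset]) -> List[Finding]:
    findings: List[Finding] = []
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    for ip, asset in ((flow.src, src), (flow.dst, dst)):
        if asset is None:
            findings.append(("UNKNOWN_ASSET", f"{ip} seen on the wire but absent from inventory"))
    if src is None or dst is None:
        return findings  # levels cannot be reasoned about without both endpoints
    if not conduit_allowed(src.level, dst.level):
        findings.append(("ZONE_BOUNDARY",
                         f"{src.name} (L{src.level}) -> {dst.name} (L{dst.level}) crosses non-adjacent levels"))
    proto = REMOTE_ACCESS_PORTS.get(flow.dst_port)
    if proto and dst.level <= 3 and src.level > dst.level and src.role != "jump":
        findings.append(("UNBROKERED_REMOTE_ACCESS",
                         f"{proto} from {src.name} to {dst.name} bypasses the jump host"))
    return findings


def audit(flows: List[Flow], inventory: Dict[str, Asset]) -> Dict[str, List[Finding]]:
    """Findings per flow, keyed 'src->dst:port'; clean flows are omitted."""
    report: Dict[str, List[Finding]] = {}
    for f in flows:
        found = check_flow(f, inventory)
        if found:
            report[f"{f.src}->{f.dst}:{f.dst_port}"] = found
    return report


def inventory_coverage(flows: List[Flow], inventory: Dict[str, Asset]) -> float:
    """Share of distinct endpoints seen in traffic that the inventory knows about."""
    seen = {ip for f in flows for ip in (f.src, f.dst)}
    return sum(ip in inventory for ip in seen) / len(seen) if seen else 1.0


# Constructed flows, as a passive OT monitoring sensor might export them.
SAMPLE_FLOWS = [
    Flow("10.1.2.20", "10.1.1.10", 502),    # HMI -> PLC (Modbus): permitted conduit
    Flow("10.1.35.5", "10.1.3.31", 3389),   # jump host -> engineering WS: brokered
    Flow("10.10.0.50", "10.1.2.20", 5900),  # vendor laptop -> HMI over VNC
    Flow("10.10.0.60", "10.1.3.30", 1433),  # ERP -> historian, skipping the IDMZ
    Flow("10.1.3.31", "10.1.1.10", 44818),  # engineering WS -> PLC (EtherNet/IP)
    Flow("10.1.1.99", "10.1.1.10", 502),    # unlisted device polling the PLC
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_FLOWS, INVENTORY).items():
        for rule, detail in items:
            print(f"{key:28} {rule:25} {detail}")
    print(f"inventory coverage: {inventory_coverage(SAMPLE_FLOWS, INVENTORY):.0%}")
```

Run stand-alone, the script reports four problem flows out of six and an inventory coverage of 88%, which is the figure an operator would track towards the complete inventory Capula says fewer than 30% of operators currently hold. The unknown-asset rule deliberately fires before any level reasoning, since a device absent from the inventory cannot be placed in a zone at all.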
Incident response must reflect operational reality
The JLR attack was an operational halt event: production lines, logistics, and plant systems all ceased operation. For infrastructure operators, the equivalent would be a power distribution line, water treatment site, or railway signalling system going offline.
Traditional IT incident-response models do not translate directly into OT environments, where shutting down or isolating a controller can trigger cascading business, regulatory, or safety impacts. Capula helps organisations design and rehearse operationally realistic response procedures that enable safe system isolation while keeping essential services running. This aligns decision-making and communication across operations, IT, and cybersecurity teams, defines clear roles and escalation pathways, and restores service securely without reintroducing risk.
Cultural change remains the missing link in resilience
Technology alone won’t close the resilience gap. The JLR incident demonstrates that cyber disruption can impact employment, supply chains, export markets, and economic output. Infrastructure organisations must embed cyber into operations, not treat it as a bolt-on.
“There is a cultural barrier to overcome,” notes Lane. “Engineers are trained to keep systems running; security teams are trained to minimise risk. Those priorities can feel in conflict; the key is alignment, not competition.”
Capula helps clients build shared playbooks, cross-train teams and embed security awareness into routine operational processes, bridging the gap between engineering, operations and cyber disciplines.
A tightening regulatory landscape
With legislation such as the Cyber Security and Resilience Bill, alignment with EU NIS2 standards, and HSE’s move from OG86 to IEC 62443 in April 2026, regulatory expectations are rising. Audits will be tougher, enforcement stricter, and accountability more explicit.
Operators will need to demonstrate defined ownership of cyber risk across IT and OT, complete visibility of assets and network dependencies, evidence of measurable resilience improvements, and incident-response plans aligned with operational realities.
“Cybersecurity is now an operational duty of care and safety issue,” Lane emphasises. “The systems we are defending are not just abstract networks; they are the systems that ensure water safety, keep power supplies running, and facilitate transportation. This isn’t about avoiding fines; it’s about protecting vital services in a time of increasing threat.”
A clear and achievable path
For many organisations, the scale of the challenge can feel overwhelming, but resilience does not require wholesale transformation. The most effective progress begins with visibility: knowing what exists, prioritising critical systems, standardising what can be controlled, practising realistic incident-response procedures, and developing capability consistently over time.
As JLR illustrated, one moment of disruption can ripple through supply chains, regional economies, and national resilience.
In today’s environment, resilience is no longer optional—it is essential.
