OT Ransomware Playbook for UK Manufacturers: A Practical Response Guide for 2026

An OT ransomware playbook for a UK manufacturer is a written, role-based response plan for ransomware that has reached, or threatens to reach, your shop floor and operational technology. For 2026 it needs six phases — prepare, detect, contain, eradicate, recover and learn — with named owners, an isolation switch, and a tested restore for ERP, MES and PLM. The JLR shutdown and the 56% year-on-year rise in manufacturing ransomware make this the single most useful document a UK factory can write this quarter.

TL;DR for busy MDs

  • Manufacturing absorbed 56% of global ransomware growth in 2025 — 1,466 incidents per Check Point, with average ransoms now $1.16m.
  • JLR’s six-week production halt cost an estimated £1.7–1.9bn — the UK’s costliest cyber incident on record.
  • Most OT ransomware does not target OT directly — it pivots from IT through unsecured IT/OT boundaries. Segmentation is your single highest-value control.
  • A workable OT ransomware playbook fits in a 20-page printable runbook. If your only copy is on SharePoint, it is useless during an incident.
  • Test the playbook before you need it. 68% of industrial operators lack a usable asset inventory — fix that first, then rehearse the rest.

Last updated: 16 June 2026

What an OT ransomware playbook for a UK manufacturer actually contains

An OT ransomware playbook is the written, rehearsed answer to the question: “the production line just stopped responding and finance can’t open ERP — what do we do in the next 60 minutes, the next 24 hours, and the next two weeks?” It sits alongside your business continuity plan and your wider IT incident response procedure, but with a sharp focus on operational technology: PLCs, SCADA, HMIs, MES, historians, and the IT/OT boundary that connects them all to the rest of the business.

For a UK manufacturer it is a short, role-based document — typically 15 to 25 printable pages — broken into six phases following the long-standard NIST 800-61 incident response lifecycle, adapted for OT realities. Each phase names a single accountable owner, the decisions they can make without escalating, the decisions they cannot, and the contact details for the people they need to call. The whole pack lives in three places at once: SharePoint, an offline encrypted USB, and a printed copy in a known location on site.

What sets a good OT ransomware playbook for a UK manufacturer apart from a generic IT one is the recognition that you cannot simply “reimage the machine”. A PLC can take weeks to replace. Production restart procedures depend on validated states. Pulling the wrong cable can damage a press tool. The NCSC’s general ransomware mitigation guidance is the foundation, but it must be translated into your specific factory before it is useful.

Why every UK manufacturer needs an OT ransomware playbook in 2026

The threat landscape has moved sharply against manufacturers. The data points below should drive the conversation with your board this quarter.

  • Manufacturing is the world’s most-targeted ransomware sector for the fourth year running. Check Point recorded 1,466 incidents in 2025, a 56% year-on-year jump.
  • Industrial ransomware is rising every quarter. Dragos counted 742 industrial ransomware incidents in Q3 2025 alone, 72% of them in manufacturing, with Europe second only to North America.
  • UK manufacturers logged 65 publicly known ransomware attacks in 2025, but the JLR breach alone caused a six-week production halt and around £1.7-1.9bn of economic damage — the costliest cyber incident in UK history.
  • Average ransom demands more than doubled in a year, from $523,000 in 2024 to roughly $1.16-1.2m in 2025.
  • OT sites with physical-consequence incidents rose 146% year-on-year per Waterfall’s 2025 OT Cyber Threat Report — attackers now aim for production downtime, not just data theft.
  • 80% of European manufacturers still run critical OT with known unpatched vulnerabilities, per Check Point’s Manufacturing Threat Landscape 2026 report — making the IT/OT boundary the single most-exploited weak point.
  • Cyber insurers and large OEM customers are now asking for the playbook by name, alongside Cyber Essentials Plus, before renewing cover or signing supplier agreements.

The six phases of an OT ransomware playbook template for UK manufacturers

A practical OT ransomware playbook for a UK manufacturer is organised around six phases. Below is the structure to adapt to your business.

1. Prepare. The pre-incident work that determines whether the rest of the playbook is useful. A current asset inventory of every PLC, SCADA host, historian, HMI and engineering workstation — with firmware versions, network address and physical location. A network diagram showing IT-DMZ-OT zones following IEC 62443. Phishing-resistant MFA on all remote access. Tested offline backups of ERP, MES, PLM, historian and CAD repositories. Pre-drafted holding statements for customers, employees, suppliers and the ICO.

2. Detect. How an incident is recognised. Specific log sources to monitor, SIEM alert thresholds, the named on-call rota for first response, and the escalation path when an alert turns into a confirmed incident. Detection latency in manufacturing is typically a problem of culture, not tooling — staff need a no-blame route to report “this looks wrong”.

3. Contain. The single most consequential phase. Document exactly which switches, accounts, VPN circuits and engineering jump hosts get killed in what order. Specify the OT/IT isolation “kill switch” — the network change that cleanly separates production from corporate — and the named individuals authorised to flip it. Crucially, identify which production processes can be safely halted versus those that need a controlled shutdown to avoid damage.

4. Eradicate. The forensic and clean-up phase. Engage an external incident response firm (have one on retainer, do not search for one mid-incident). Preserve forensic images before reimaging. Reset credentials including service accounts. Patch the exploited vulnerability. Decide — with legal counsel — whether to engage with the threat actor. The NCSC’s 2026 secure connectivity principles for OT are the canonical reference for what good containment architecture looks like.

5. Recover. Restore from immutable, offline backups in priority order: ERP first (so finance and orders can continue), then MES and CAD, then historian. Validate data integrity before reconnecting. Re-energise the OT network zone by zone, with engineering validation at each step. Resist pressure to “just turn it on” — a contaminated restart is worse than a controlled outage.

6. Learn. Within two weeks of all-clear, run a blameless post-incident review. Update the playbook with what worked and what did not. Brief the board with a one-page summary, remaining risks, and budget asks. Re-run the tabletop with the senior team within 60 days.

What good looks like when you exercise your OT ransomware playbook

If a Cyber Essentials Plus assessor, a cyber insurer or a large OEM customer asked you tomorrow to evidence ransomware readiness, the signals they look for are concrete and short.

A current OT asset list dated within the last quarter. Held in a single sheet or asset-management tool, naming every PLC, HMI, SCADA host and historian, with firmware and network address. Red Trident’s 2023 analysis found 68% of industrial operators lack one — this single document materially improves response time.
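The check an assessor would want to see passing on that asset list, as an added example (not the article’s, Bailey & Associates’ or any asset-management tool’s own code): a short Python script that validates an inventory export against the expectations above. The column names and the CSV rows are constructed sample data, and the 90-day window stands in for “dated within the last quarter”.

```python
"""Validate an OT asset inventory export against the playbook's 'Prepare' checklist.

Example code added for this article; it is not from Bailey & Associates or any
named tool. The CSV below is constructed sample data, and the column names are
an assumed layout for your own inventory sheet.
"""
import csv
import io
from datetime import date, timedelta

# Assumed column layout for the inventory sheet.
REQUIRED_COLUMNS = ("asset_id", "type", "firmware", "ip", "location", "last_verified")
# Playbook expectation: every entry re-verified within the last quarter.
MAX_AGE = timedelta(days=90)

# Constructed sample export: two clean rows, one stale, one incomplete, one duplicate IP.
SAMPLE_CSV = """asset_id,type,firmware,ip,location,last_verified
PLC-01,PLC,2.14.0,10.20.1.10,Line 1 / Panel A,2026-05-02
HMI-01,HMI,7.1.3,10.20.1.20,Line 1 / Operator station,2026-05-02
HIST-01,historian,2024.3,10.20.2.5,Server room,2026-01-15
PLC-02,PLC,,10.20.1.11,Line 2 / Panel B,2026-05-20
EWS-01,engineering workstation,22H2,10.20.1.10,Maintenance office,2026-06-01
"""


def validate_inventory(csv_text, today_iso):
    """Return a list of (asset_id, problem) findings; an empty list means the sheet is ready."""
    today = date.fromisoformat(today_iso)
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing_cols:
        return [("<sheet>", f"missing columns: {', '.join(missing_cols)}")]

    findings = []
    seen_ips = {}
    for row in reader:
        asset = (row.get("asset_id") or "").strip() or "<unnamed>"
        # A blank firmware, address or location makes the row useless during containment.
        for col in ("firmware", "ip", "location", "last_verified"):
            if not (row.get(col) or "").strip():
                findings.append((asset, f"blank {col}"))
        # Freshness: an inventory older than a quarter is the gap the article warns about.
        verified_text = (row.get("last_verified") or "").strip()
        if verified_text:
            try:
                verified = date.fromisoformat(verified_text)
            except ValueError:
                findings.append((asset, "unparseable last_verified date"))
            else:
                if today - verified > MAX_AGE:
                    findings.append((asset, f"not verified in {MAX_AGE.days} days"))
        # Two assets on one address means the sheet, the network or both are wrong.
        ip = (row.get("ip") or "").strip()
        if ip:
            if ip in seen_ips:
                findings.append((asset, f"duplicate ip {ip} (also {seen_ips[ip]})"))
            else:
                seen_ips[ip] = asset
    return findings


if __name__ == "__main__":
    for asset, problem in validate_inventory(SAMPLE_CSV, "2026-06-16"):
        print(f"{asset}: {problem}")
```

Run against the sample it reports the stale historian entry, the PLC with no firmware recorded and the workstation sharing an address with PLC-01; pointing it at a real export every quarter is a cheap way to keep the “dated within the last quarter” evidence honest.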

An OT/IT segmentation diagram. Showing zones and conduits in line with IEC 62443-3-2, the position of any data DMZ, and where unidirectional or push-only data flows enforce one-way movement from OT to IT.
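The detect-phase log monitoring described in phase 2 and the zones-and-conduits diagram described here meet in one practical check: does the boundary firewall log show any flow crossing a zone that is not one of the drawn conduits? The following Python script is an added example, not code from the NCSC, IEC 62443 or any vendor; the zone subnets, the permitted conduit list, the key=value log layout and the log lines are all constructed for the illustration.

```python
"""Check firewall conduit logs against the IEC 62443 zone model in the segmentation diagram.

Example code added for this article; it is not from the NCSC, the IEC 62443
standard or any vendor. The zone subnets, permitted conduits and log lines are
constructed sample data, and the key=value log format is an assumed export layout.
"""
import ipaddress

# Assumed zones from the diagram: corporate IT, the data DMZ, and the OT zone.
ZONES = {
    "IT": ipaddress.ip_network("10.0.0.0/16"),
    "DMZ": ipaddress.ip_network("10.10.0.0/24"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

# Permitted conduits as (source zone, destination zone, destination port).
# Any other flow that crosses a zone boundary is a finding. OT never talks to
# IT directly: the historian pushes into a DMZ replica, and IT reaches OT only
# through the DMZ jump host. All values are constructed for the example.
PERMITTED = {
    ("OT", "DMZ", 5432),   # historian push-only replication into the DMZ
    ("IT", "DMZ", 443),    # corporate users read the DMZ data portal
    ("IT", "DMZ", 3389),   # engineers RDP to the DMZ jump host
    ("DMZ", "OT", 3389),   # jump host onward to an engineering workstation
}

# Constructed firewall export: one line per flow, space-separated key=value fields.
SAMPLE_LOG = """\
ts=2026-06-16T08:01:12Z src=10.20.2.5 dst=10.10.0.8 dport=5432 proto=tcp action=allow
ts=2026-06-16T08:02:40Z src=10.0.5.22 dst=10.10.0.9 dport=443 proto=tcp action=allow
ts=2026-06-16T08:03:05Z src=10.0.5.22 dst=10.20.1.11 dport=445 proto=tcp action=allow
ts=2026-06-16T08:03:06Z src=10.0.5.22 dst=10.20.1.12 dport=445 proto=tcp action=deny
ts=2026-06-16T08:04:10Z src=10.20.1.20 dst=10.0.7.3 dport=443 proto=tcp action=allow
ts=2026-06-16T08:05:00Z src=10.20.1.10 dst=10.20.1.20 dport=502 proto=tcp action=allow
ts=2026-06-16T08:06:30Z src=192.168.50.4 dst=10.20.1.10 dport=44818 proto=tcp action=allow
"""


def zone_of(ip_text):
    """Map an address to its zone name, or UNKNOWN if the diagram does not cover it."""
    addr = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_line(line):
    """Split one key=value log line into the fields the check needs."""
    fields = dict(token.split("=", 1) for token in line.split())
    return (fields["ts"], fields["src"], fields["dst"], int(fields["dport"]),
            fields["proto"], fields["action"])


def check_conduits(log_text):
    """Return (severity, ts, src, dst, dport, reason) for every flow that breaks the zone model.

    An allowed flow outside a permitted conduit is critical: the firewall policy
    has a gap. A denied one is a warning: the policy held, but something on that
    source is probing the boundary, which is the detect-phase signal the
    playbook wants surfaced rather than buried in the deny log.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, action = parse_line(line)
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        severity = "critical" if action == "allow" else "warning"
        if "UNKNOWN" in (src_zone, dst_zone):
            # An address the diagram cannot place is itself an inventory finding.
            findings.append((severity, ts, src, dst, dport,
                             f"{src_zone}->{dst_zone} {proto}/{dport}: address outside the zone model"))
            continue
        if src_zone == dst_zone:
            continue  # intra-zone traffic (e.g. Modbus within an OT cell) is out of scope here
        if (src_zone, dst_zone, dport) in PERMITTED:
            continue
        verb = "crossed" if action == "allow" else "attempted"
        findings.append((severity, ts, src, dst, dport,
                         f"{src_zone}->{dst_zone} {proto}/{dport} {verb} outside a permitted conduit"))
    return findings


if __name__ == "__main__":
    for severity, ts, src, dst, dport, reason in check_conduits(SAMPLE_LOG):
        print(f"[{severity}] {ts} {src} -> {dst} {reason}")
```

On the sample it raises four findings: an allowed IT-to-OT SMB flow (a policy gap that bypasses the DMZ), a denied attempt at the same thing from the same source, an OT host reaching corporate IT directly, and a source address that the zone model does not cover. Intra-zone Modbus traffic and the drawn historian and jump-host conduits pass silently, which is the point: the alert volume stays small enough for a factory IT team to act on.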

Tested offline backup of ERP, MES and one CAD or historian system in the last six months. A documented restore runbook, an actual successful restore (not a paperwork exercise) and named individuals who can execute it.

A tabletop exercise within the last 12 months. Using the JLR scenario or similar, with the MD, IT Director, Operations Director and Quality Director in the room, debriefed in writing.

External IR firm on retainer. Contact details on the printed playbook page, retainer hours in the budget, relationship established before any incident.

Common mistakes to avoid when writing your OT ransomware playbook

Most first-draft OT ransomware playbooks fail in a small number of consistent ways. Avoiding them costs nothing.

Copying an IT playbook with “OT” pasted on the front. Production technology cannot be reimaged, restarted or patched the way office endpoints can. The playbook must reflect that reality, with input from operations and engineering, not only IT.

Storing the only copy on SharePoint. In a real incident your authenticated SharePoint is precisely what you cannot reach. Print it, hold an offline encrypted USB copy in the operations office, and laminate the first-call phone-tree page.

No named individuals. “The IT team will…” is not a plan. Every action gets one named owner with a deputy and a phone number.

Never tested. An untested playbook is a wish list. Run a tabletop within 60 days of writing the first draft, and again every twelve months.

Buried in jargon. A manufacturing CEO should be able to read the playbook in 20 minutes and know what they need to authorise in the first 60 minutes of an incident.

Frequently Asked Questions

What is the difference between an IT and an OT ransomware playbook?

An IT ransomware playbook focuses on endpoints, email, identity and corporate data. An OT ransomware playbook for a UK manufacturer additionally covers PLCs, SCADA, HMIs, historians, the IT/OT boundary, and the operational realities that mean you cannot simply reimage or restart production technology without engineering validation and controlled restart procedures.

How often should a UK manufacturer test its OT ransomware playbook?

A full tabletop exercise at least once a year, with quarterly micro-rehearsals on specific phases such as backup restore or OT isolation. Cyber Essentials Plus and most cyber insurance renewals now expect evidence of testing in the last 12 months.

Should a UK manufacturer ever pay a ransom?

The NCSC’s clear guidance is not to pay. Payment funds further criminality, does not guarantee data return, and may breach UK sanctions rules. The right preparation — immutable backups, tested restore, OT segmentation — is what removes the perceived need to pay in the first place.

Do small UK manufacturers really need a written OT ransomware playbook?

Yes. Smaller manufacturers are increasingly targeted precisely because attackers expect weaker preparation. A 15-page playbook with clear roles, an offline backup, segmented OT, and a tested restore covers 80% of the practical risk and can be drafted in two weeks with the right support.

Take the Next Step

Bailey & Associates is a virtual IT Director service built for UK manufacturers. We will write your OT ransomware playbook, run the first tabletop with your senior team, and put the segmentation, backup and IR retainer in place that boards, insurers and large OEM customers now expect. Fixed monthly pricing from £2,000/month, cancel anytime, with 15+ years of manufacturing IT experience behind every engagement. See how we work on our IT/OT integration and Industry 4.0 readiness page, then contact us to talk it through. Book a free discovery call today.
