Scenario Overview
The Crisis
What began as a series of minor inconsistencies in STS’s digital service alerts soon escalated into widespread contradictions across its PA systems, station screens, mobile apps, announcements, and online service updates, rapidly destabilizing commuter movement during the early-morning rush and triggering a city-wide cascade of confusion and operational paralysis.
Critical Impact
The incident exposes deep vulnerabilities in urban transit communication systems and highlights how rapidly cascading digital inconsistencies can paralyze physical movement across an entire city.

Organization: siberX Transit Systems (STS) - The largest public transit system in North America, recently modernized under a unified communication digital infrastructure.
Framework: NIST 5-Module Incident Response
Scenario Objectives
Coordinate Response
Multi-agency collaboration to stabilize Toronto’s disrupted transit network and restore safe rail and station operations.
Contain Threats
Isolate malicious activity within STS systems, stop misinformation propagation, and prevent further manipulation of public-facing platforms.
Eradicate Compromise
Remove unauthorized access, backdoors, and rogue processes across transit control systems to ensure full operational integrity.
Execute Recovery
Manually restore train movements, re-establish accurate scheduling data, and safely reopen stations while supporting stranded commuters.
Strengthen Resilience
Improve communication pathways, enhance cyber-physical protections, and ensure Toronto can withstand future disruptions to city-wide mobility systems.
Incident Response Framework
Module 1: Detection & Analysis
Module 2: Containment
Module 3: Eradication
Module 4: Recovery
Module 5: Lessons Learned
MODULE 1: DETECTION & ANALYSIS
TIMESTAMP: Early Morning of Incident Day
Conflicting alerts appear across screens, PA systems, and the STS app. The phrase “TAKEOVER LOADING” suddenly flashes across multiple terminals, instantly triggering fears of a terrorism event. Commuters flood social media with videos and speculation, where misinformation spreads even faster than official updates, amplifying panic citywide. Staff report contradictory instructions, and Operations detects unusual message activity but still cannot determine the source.

Critical Actions
  • Understand the issue and its scope, then declare an incident
  • Communications (transit operators, exec, public, media)
  • Discuss priorities and containment next steps
MODULE ROLES:
Ali Abbas Hirji
Chair, Operation Defend the North
Alex Dow
Chaos Engineer, Operation Defend the North
Shrey Raval
SOC Lead, siberX Transit Systems
Ali Shahidi
Incident Commander, siberX Transit Systems
Gurvinder Gill
Third-Party Risk Manager, siberX Transit Systems
Kelley Irwin
Digital Governance Lead, siberX Transit Systems
Shilpa Dahiya
Legal & Compliance Advisor, siberX Transit Systems
Michael Hartrick
Public Safety IT Specialist, siberX Transit Systems
Vivek Khindria
Advisor to the Board, siberX Transit Systems
Amar Soni
Industry Expert, RSM Canada
Hashim Khan
Industry Expert, Zimperium
PROMPTS
Media Report
  • “TAKEOVER LOADING” suddenly reappears across STS screens, PA systems, and emails.
  • Turnstiles freeze, trains stop, and stations quickly overflow.
  • Online rumors of a coordinated attack spread and fuel panic.
  • With no clear information, public trust collapses and the city grinds to a halt.
Technical Prompts
  • Identifies specific stations with loss of connectivity or operational visibility.
  • Illustrates the geographic pattern of emerging disruptions across the network.
Additional Prompts
  • VISUAL: Terminal screens across multiple GTA cities displaying “Takeover Loading.”
  • EMAIL: App-subscribed civilians receive a mass blast email with the same “Takeover Loading” message, written in an oddly cheeky tone.
  • IMAGES: Photos of children, women, and elderly commuters waiting outside in the cold due to station closures.
  • ODTN News Article: Report noting how “Takeover Incoming” briefly flashed on station terminals weeks ago before disappearing.
  • FACEBOOK POST: A student shares that they missed their final exam because of the transit shutdown.
MODULE 2: CONTAINMENT
TIMESTAMP: Afternoon of Incident Day
STS tries isolating affected messaging components, but shutting them down risks platform safety. Internal channels show inconsistencies, and pressure rises as commuter confusion and emergency-service calls surge.

Critical Actions
  • Weigh impacts of containment options (cost/regulations)
  • Attempt to understand root cause
  • Communications (internal/external)
  • Implement containment
  • Plan for eradication
MODULE ROLES:
Ali Abbas Hirji
Chair, Operation Defend the North
Alex Dow
Chaos Engineer, Operation Defend the North
Shrey Raval
SOC Lead, siberX Transit Systems
Dhanush Liyanage
Cyber Threat Analyst, siberX Transit Systems
Kris E
Law Enforcement Representative, siberX Transit Systems
Shakeel Sagarwala
Public Safety Coordinator, siberX Transit Systems
Jassi Kaur
Response Coordinator, siberX Transit Systems
Vivek Khindria
Advisor to the Board, siberX Transit Systems
James Cairns
Data Integrity Lead, siberX Transit Systems
Edgard Rodriguez
Deep Fake Content Analyst, siberX Transit Systems
Rob Cvetkovski
Industry Expert, Darktrace
PROMPTS
Media Report
  • Hours later, the STS app shows conflicting train schedules, causing widespread confusion.
  • Transit control loses visibility, trains stall, and commuters overwhelm rideshares, triggering extreme surge pricing and fights at pickup zones.
  • Roads gridlock, emergency response slows, and schools, hospitals, and businesses experience major disruptions.
  • Online misinformation spreads rapidly, deepening the chaos as Toronto’s transportation system spirals into crisis.
Technical Prompts
  • Map overlay comparing real-time train positions against the incorrect locations being broadcast through PA systems.
  • Operational status report summarizing current system health and active disruptions.
  • Authentication log snapshot showing all active sessions and recent access attempts.
Additional Prompts
  • VISUAL: Terminals display “All Trains Delayed” while the STS app simultaneously shows “Train Arriving.”
  • VISUAL: Station employees message each other about losing communication with authority and feeling unsafe.
  • ODTN NEWS ARTICLE: Prior report on the STS app showing “$0” balances on newly loaded transit cards.
  • VISUAL: Screenshot of RideShare surge pricing paired with social media posts expressing anger and disbelief.
MODULE 3: ERADICATION
TIMESTAMP: Evening of Incident Day
Efforts to remove the malicious configurations uncovered indications of deeper, possibly assisted access and unusual persistence across multiple systems. Attempts to clean or reset the affected components triggered unexpected reappearances of the same changes, raising questions about whether recovery tools, internal processes, or something else entirely is causing the configurations to return.

Critical Actions
  • Ensuring threat is fully contained
  • Starting to eradicate and rebuild the affected systems
  • Challenges with eradication at scale
MODULE ROLES:
Ali Abbas Hirji
Chair, Operation Defend the North
Alex Dow
Chaos Engineer, Operation Defend the North
Shrey Raval
SOC Lead, siberX Transit Systems
Kim Schreader
Communications Officer, siberX Transit Systems
Mirza Baig
CRO, siberX Transit Systems
Nilesh Shastri
Digital Forensics Investigator, siberX Transit Systems
Vivienne Suen
Technical Response Director, siberX Transit Systems
Ferris Adi
CISO, siberX Transit Systems
George Al-Koura
Business Continuity Lead, siberX Transit Systems
Yusuf Patel
COO, siberX Transit Systems
Lucas Silva
Industry Expert, Trend Micro
PROMPTS
Media Report
  • STS declares the “active threat” neutralized, but system instability continues.
  • Crews work manually to restore core functions amid delays and overcrowding.
  • Transit staff hesitate to return due to safety fears and unclear leadership.
  • CEO offers reassurances, but commuters remain skeptical and the city stays tense during slow recovery.
Technical Prompts
  • Audit trail comparison highlighting discrepancies and a list of rogue or unauthorized service accounts.
  • Dump of all cron jobs / scheduled tasks to identify abnormal or unauthorized automated processes.
Additional Prompts
  • VISUAL: User with a spider-themed profile insinuates taking advantage of overwhelmed police to loot stores.
  • VISUAL: Emotional account of a grandfather’s death linked to hospital staff shortages.
  • VISUAL: Station employees express fear as authorities tell them to stay in place during the chaos.
  • AUDIO CLIP: Mayor angrily addresses council members, assigning blame for the unfolding crisis.
MODULE 4: RECOVERY
TIMESTAMP: Night of Incident Day
Teams race to restore trusted communication, but chaos slows progress. Conflicting messages across apps, PA systems, and social media fuel public distrust. Rumours spread faster than facts, leading commuters to ignore instructions and overwhelm staff. Until consistent, verified updates reach the public, recovery efforts face constant resistance.

Critical Actions
  • Restore safe and orderly transit operations while managing crowd flow.
  • Re-establish clear, verified communication with commuters to rebuild trust.
  • Mitigate lingering misinformation and monitor for residual disruptions.
MODULE ROLES:
Ali Abbas Hirji
Chair, Operation Defend the North
Alex Dow
Chaos Engineer, Operation Defend the North
Shrey Raval
SOC Lead, siberX Transit Systems
John Pinard
Financial Systems Recovery Lead, siberX Transit Systems
Taher Afridi
Liaison Officer, siberX Transit Systems
Emerson Rajaram
Operations Lead, siberX Transit Systems
Octavia Howell
CIO, siberX Transit Systems
Jason Leake
Third-Party Risk Manager, siberX Transit Systems
Shruti Mukherjee
Strategic Communications Lead, siberX Transit Systems
Daniel Potter
Industry Expert, Immersive
PROMPTS
Media Report
  • Train service resumes slowly under controlled STS recovery, with ongoing safety concerns and manual repairs.
  • Provincial leaders question whether the situation is escalating into a national emergency.
  • Online videos of “TAKEOVER LOADING” appearing at other transport hubs spark fears of a wider threat.
  • Despite partial progress, major disruptions and uncertainty persist, leaving Toronto on edge.
Technical Prompts
  • Incident Response Report summarizing key actions taken and current remediation status.
  • Toronto stabilization map using green/red/amber indicators to show partially restored and still-affected zones.
  • Public sentiment dashboard aggregating social media reactions and complaint data for real-time mood tracking.
Additional Prompts
  • VISUAL: Transit workers express frustration that union priorities don’t reflect their safety concerns during the crisis.
MODULE 5: LESSONS LEARNED
This phase focuses on reflecting on the incident: identifying what worked, what failed, and what must change. Teams analyze decision gaps, communication breakdowns, technical weaknesses, and human-factor challenges to strengthen future resilience and ensure the organization emerges better prepared for the next crisis.

Critical Actions
  • Review communication performance across internal teams and external stakeholders.
  • Evaluate how containment was implemented, including timing, coordination, and gaps.