A comprehensive guide for recognizing, managing, and resolving critical incidents across operations, communications, cyber, and security domains.
Step 1: Recognize and Declare the Incident
Every incident begins with recognition. Each team must ask four critical questions to determine if an incident declaration is necessary. If two or more answers are "yes," you must immediately declare an incident and activate the response process.
1. Unexpected or Unsafe Events
Is something happening that is unexpected or unsafe?
2. Unexplained Behavior
Are systems, people, or processes behaving in a way that staff cannot explain?
3. Communication Failure
Is normal communication failing or unreliable?
4. Information Gaps
Do you need more information than you currently have to confirm safety?
Critical Decision Point: If two or more questions are answered "yes," immediately declare "We have an incident" and proceed to contact protocols.
Immediate Contact Protocols
Once an incident is declared, specific team leads must immediately contact designated personnel. Speed and clarity in these initial communications are essential to effective incident response.
Operations Lead
Contacts all operational supervisors
Communications Lead
Contacts the Executive Duty Officer
Cyber Lead
Contacts IT on-call or technical support
Security Lead
Contacts security dispatch or local emergency partners
Incident Commander
Alerts all team leads and activates the response process
Step 2: Stabilize People First
Before addressing technical or operational problems, the absolute priority is ensuring people are safe. Each team has specific responsibilities to protect staff, passengers, and stakeholders during the critical early moments of an incident.
Operations Team
Direct staff to manage crowds or workflows manually
Slow, pause, or adjust operations if safety is uncertain
Provide situational updates to the Incident Commander
Communications Team
Establish one verified internal communication channel
Instruct all staff to ignore unverified or automated messages
Prepare a simple holding statement (not yet for public release)
Cyber Team
Confirm if systems are stable or degraded
Identify if critical services are failing or unresponsive
Security Team
Assess immediate safety or security risks
Prepare to support operational or city partners if needed
Proceed to Step 3 only when people are stable and communication is controlled.
Step 3: Contain the Problem
With people stabilized, teams now act decisively to stop the issue from spreading. Containment prevents escalation and creates the conditions necessary for safe restoration of normal operations.
Operations Team Actions
Shift to manual oversight where needed
Suspend unnecessary or automated processes
Maintain a clear operational picture for the Incident Commander
Communications Team Actions
Provide one consistent internal message to all staff
Ensure all teams are aligned on what to say and what not to say
Cyber Team Actions
Limit system access if required
Disable suspicious accounts or processes
Isolate affected systems or networks if safe to do so
Security Team Actions
Monitor for signs of insider behaviour or external interference
Coordinate with emergency services if needed
Critical Checkpoint: Move to Step 4 only when the incident is controlled and not escalating.
Step 4: Restore Normal Operations
Restoration focuses on bringing systems, people, and communication back online slowly and safely. Rushing this phase can trigger new problems or reintroduce vulnerabilities. Each team follows a methodical approach to ensure stability.
1. Operations Team
Confirm the accuracy of operational information before resuming normal workflows. Gradually restore paused services and report any abnormalities immediately.
2. Communications Team
Release a clear, approved public message once the Incident Commander authorizes it. Resume normal communication channels cautiously and track public or media reactions.
3. Cyber Team
Validate system integrity and ensure no unauthorized access or lingering issues. Restore automated functions one at a time.
4. Security Team
Document evidence relevant to the incident and continue monitoring until operations are fully stable.
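One concrete way the Cyber Team can carry out the "validate system integrity" check before restoring automated functions is to compare every file on an affected host against a hash baseline taken before the incident. The script below is an added example, not part of the STS playbook: the manifest layout (relative path to SHA-256), the directory names, and the tampered files are constructed for illustration.

```python
"""Baseline-vs-current file integrity check for the Step 4 cyber task
"validate system integrity" before restoring automated functions.

Added example, not part of the STS playbook. The manifest format
(relative path -> SHA-256 hex) and the sample file tree are assumptions
made for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files that changed, disappeared, or appeared since the baseline.

    Each category matters: a modified binary may be trojaned, a missing
    config may have been deleted to hide tracks, and an unexpected file
    (e.g. a new cron entry) is a common persistence mechanism."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def integrity_ok(report: dict) -> bool:
    """True only when every category is empty; only then should automation be re-enabled."""
    return not any(report.values())


def run_scenario(tamper: bool) -> dict:
    """Constructed scenario: snapshot a small tree, optionally tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "dispatch").write_bytes(b"#!/bin/sh\necho dispatch\n")
        (root / "etc" / "schedule.conf").write_text("interval=30\n")

        # The baseline would normally be stored and retrieved off-host; the JSON
        # round-trip stands in for that so the comparison never trusts local state.
        baseline = json.loads(json.dumps(build_baseline(root)))

        if tamper:
            # Simulated attacker activity: backdoored binary, deleted config, new persistence file.
            (root / "bin" / "dispatch").write_bytes(b"#!/bin/sh\necho dispatch\n/tmp/.x &\n")
            (root / "etc" / "schedule.conf").unlink()
            (root / "etc" / "cron.d").mkdir()
            (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for label, tamper in (("clean host", False), ("tampered host", True)):
        report = run_scenario(tamper)
        print(f"{label}: integrity_ok={integrity_ok(report)} {report}")
```

The baseline must be captured before the incident and kept somewhere the attacker cannot reach (off-host, ideally signed), because an adversary who can alter files can equally alter a manifest that sits beside them. A clean report is a necessary condition for restoring automated functions, not proof that no unauthorized access occurred; account and log review still belongs in the same step.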
Step 5: Post-Incident Review
Once operations are restored, the Incident Commander leads a structured review to capture lessons learned and identify improvements. This critical phase transforms experience into organizational knowledge and strengthens future response capabilities.
1. First Sign Recognition
What was the first sign something was wrong?
2. Effective Actions
What actions worked well?
3. Delays and Confusion
What created delays or confusion?
4. Resource Gaps
What resources or information were missing?
5. Future Improvements
What improvements should be made for next time?
Each team lead—Operations, Communications, Cyber, and Security—provides a summary to the Incident Commander. The Communications Lead then prepares a short after-action summary for leadership.
Incident Commander: Central Coordination
The Incident Commander serves as the central authority throughout the response process, coordinating all teams and making critical decisions that affect safety, operations, and public communication.
Team Activation
Alerts all teams at incident declaration and ensures coordinated response across all domains.
Containment Approval
Approves containment and restoration steps, ensuring actions align with overall incident strategy.
Public Messaging
Authorizes any public messaging to ensure consistency and accuracy in external communications.
Team Lead Contact Paths
Each team lead maintains specific contact paths and focuses on distinct aspects of incident response. Clear delineation of responsibilities ensures comprehensive coverage without duplication of effort.
Operations Lead
Contact: Station managers, supervisors, dispatchers
Focus: Safety, crowd/manual control, service continuity
Communications Lead
Contact: Executives, city partners, media (when approved)
Focus: Consistent internal and external messaging
Cyber Lead
Contact: IT support, vendor support, system administrators
Focus: System stability, access control, isolation and integrity of affected systems
Security Lead
Contact: Security dispatch, local emergency partners
Focus: Physical safety, access issues, investigative support
Response Framework Summary
The STS Incident Response Playbook provides a structured, five-step approach to managing critical incidents. From initial recognition through post-incident review, each phase builds on the previous one to ensure comprehensive incident management.
Step 1: Recognize and Declare
Step 2: Stabilize People First
Step 3: Contain the Problem
Step 4: Restore Operations
Step 5: Post-Incident Review
Remember: Effective incident response prioritizes people first, contains problems systematically, and learns from every experience to strengthen future capabilities.