All of them, unfortunately, are susceptible. All of them contain legacy IT systems that are not protected and have open-source software that could contain back doors. They depend on supply chains where they are trusting those suppliers, those vendors to implement secure practices, but they perhaps do not verify them.
All of them are susceptible. That's why we need to move quickly to get these critical infrastructure operators, transit operators, to take action to report cyber incidents, to develop cyber incident response plans and to undergo cybersecurity vulnerability assessments. Finally, it's not just about having a plan on paper. We need to verify that they put that in place.