[Rep. Christopher Howland (Member)]: Alright.
[Rep. Kathleen James (Chair)]: Welcome back everybody to House Energy and Digital Infrastructure. It is Thursday, March 26, and we are learning about S.213, an act relating to the use of advanced metering infrastructure devices. And today, we're here with Secretary Reilly-Hughes from ADS. I'm Kathleen James from Manchester.
[Rep. R. Scott Campbell (Vice Chair)]: Scott Campbell from St. Johnsbury. Michael Southworth, Caledonia two. Christopher Howland, Rutland four. Dara Torre, Washington two.
[Rep. Bram Kleppner (Member)]: Bram Kleppner, Chittenden 13, Burlington.
[Rep. Kathleen James (Chair)]: And joining us in the room,
[Liz Royer (Executive Director, Vermont Rural Water Association)]: I'm Isabelle Walker, and tonight for senator Michael White. Great. Liz Royer, executive director of Vermont Rural Water Association. Super.
[Brian Redmond (Agency of Natural Resources)]: Brian Redmond, Agency of Natural Resources.
[Rep. Kathleen James (Chair)]: Great.
[John Kelly (Chief of Staff, Agency of Digital Services)]: John Kelly, chief of staff, ADS.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Super. Alright. For the record. For the record, Denise Reilly-Hughes, secretary for the Agency of Digital Services and the state chief information officer. Good morning. And I guess for this testimony, I can also say I am the chair for the cyber advisory council.
[Rep. Kathleen James (Chair)]: Yes. Good thought. Yes. That's relevant. Okay. So S.213, thoughts?
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: It's a very loaded question. And I was hoping there was an opportunity, madam chair, to share maybe this committee's interest in this bill and what you are looking for me to focus my testimony on? Because I I can talk about a lot of it. It may not be relevant to what you're interested in.
[Rep. Kathleen James (Chair)]: That is a timely question. So I think what we are trying to figure out so we started by simply just inviting everybody who testified on the status side. So welcome. That is why you're here. So, the part of the bill, I guess, that would be relevant to you is, I assume, and I am not looking at the language right now.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Is the Maybe I can help because I I I believe I may have been one of the last witnesses that that I've had requested in. And
[Rep. Kathleen James (Chair)]: That's great. And then we can add then we can we're happy to discuss the broader context. Perfect.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: My testimony with with the senate committee was specific to the cybersecurity language and the Right. About the meters. Consistency of that language, correct, when it came to other utility operators and other existing law. And so as you have witnesses come in and testify from the utility space, there is a current law. I believe it was last modified in 2016 where Right. Electric operators and gas operators have a meter policy when it comes to consumer consumer protection or consumer rights. I'm way out of my swim lane, and so I'm not talking legalities. I'm not a lawyer, but, we at ADS look at it and at the advisory council are looking at how different critical infrastructure areas are enabling and allowing for consistency when it comes to cybersecurity. And so as the bill had originally been written, there were significant inconsistency with what was being proposed in S.213 compared to what was already in law today with the other let me go ahead. It's Department of Public Service Yeah. Public Service Department language. So that being said, asking the committee at that time what the intent of this bill was, and if it is purely about opt out, then cybersecurity seems to be an odd component to be included in a permitting bill. So we recommended, and I recommended, and the language was accepted by the committee around moving that into the authority of the Secretary of the Agency of Natural Resources in order to engage with the cyber advisory council and how the cyber advisory council include in the reporting recommendations around what cyber standards and cyber controls would look like in these spaces, which they're doing today. But this would specifically ask them to call that out for water operators. Descending water operators are also participating members of the council and some of the subcommittee work that's happening in council. 
My testimony advised against is adding cybersecurity language to a permitting law given that those individuals are engineers that are cert you know, specialized in water permitting and in including cybersecurity as part of the permit process specifically, is a little disjointed to how operations of state government works. So when the Agency of Natural Resources has cybersecurity requirements, the Agency of Digital Services is the entity that supports them. So they don't have their own cybersecurity arm or division. And I would assume that the same would exist for water operators where, Brian has shared that over 90% of them are municipal owned. So where we are looking to support and bring community resourcing together for Vermont, a whole of state approach around critical infrastructure, the way that this bill is written confuses us a little bit because it contradicts and counteracts the work that's been happening within Cyber Advisory Council. You talk so,
[Liz Royer (Executive Director, Vermont Rural Water Association)]: Doug, it's been a
[Rep. Kathleen James (Chair)]: while since we've taken any testimony in the cybersecurity advisory council. Like, I'm having early last year.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Have submitted reports annually that provide recommendations and, requests of legislature to take action in certain spaces, and we have not seen that take place yet. This includes membership the the construct of the membership, making more visibility to all interested parties. I think having a legislator on the makes a lot of sense. We've been working with both the FBI and CISA, who's part of Homeland Security, work in conjunction with the these critical infrastructure areas so that we have a consistent approach. We are leveraging the it's called SLCDP, but state local government cyber security program, which is DHS funding that would be available to state local government, municipal government when it comes to ensuring optimal cybersecurity standards based on the way that the program is written. So taking something like this would would impact the work of the council and also impact the work of being able to get funding out to municipalities to go and do that. What I've learned in the process, which has been fantastic, and I really feel bad to put his name out there, Rick Chambers is a town manager who I know very well, but prior to that, he was the water operator for the town of Springfield. He's very well connected among that community, and I believe Joe Duncan, has been an active participant in the cyber advisory council, was on the agenda this week to testify, but I think he was removed. He is somebody who has been working diligently to ensure optimal cybersecurity standards are in place.
[Rep. Kathleen James (Chair)]: Now something to think It wasn't removed on I'm not sure what happened, but it's not like it removed him. Maybe he said he couldn't come. Right? Sure. Maybe his assistant could anyway, just I don't know. I just I
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: think it was I saw him on the agenda, but I didn't see them on the agenda. So not not the intent of this Yeah. Yeah. But it was I didn't see him anymore. So depending on what this committee is looking to do, having some discussion from the water operators, I think, would be highly valuable when looking to make a decision around the intent of these leaders. What we're doing in ADS is looking at the process, and the process is sometimes dictated by policy. The process is also an operational process. So when you look at permitting, where the Agency of Natural Resources is involved in the process and where they're not involved in the process, but also the relationship between a water operator and their user base, and what happens in that process and where technology comes into play. If we get very prescriptive in law around technology terms, tomorrow they will change. And your your the law will no longer meet where technology is at. And the rate at which that is happening is much quicker than it ever has been before. We're looking at six month life cycles in some areas. So the minute something goes into law when you create specificity around advanced or simple or wireless or wired, it doesn't matter because the next iteration or generation of those devices will not align to those terms anymore. So when we look at why a meter is there, what's the cybersecurity risk of that meter, it today, and in talking to the water operators who are implementing replacement meters, there is a cycle that they have to go through, which is about every twenty years meters get replaced. What meters are available on the market today and which ones are not available on the market today, and what those meters are supposed to do and not supposed to do. I believe most towns from what we have spoken to are far beyond those twenty years. 
And so the infrastructure is pretty degraded in that space. So they're at a they're at a point, and Rick can speak in more detail to that, where they have to replace those meters no matter what. And I think that you will find them the operators also telling you that they can't touch a house without engaging with a homeowner. And if the pipes are not in a quality of use, and this is, again, this is the operator, not the agency of natural resources, but they that is on the homeowner. So there are requirements all the way around. So when you look at the technology, it is looking at the meter out, not the meter in. So the meter's not calling back to a person's home router if they have Internet in their home. It's not connecting to their let's say they have a a, you know, a smart heating device. It is purely measuring the water flow coming from the pipe through the meter. And and that's a question that I have is, what is the concern from a cybersecurity standpoint to a consumer before we start creating a lot of complexity and language that then becomes obsolete because the technology becomes far more advanced than what's what's being indicated.
[Rep. Kathleen James (Chair)]: I have a couple questions. I think that we will maybe have senator come in and talk to us a little bit about this bill. But the okay. So I'm just looking at the bill right now. It looks like under the section of statute that talks about the authority of ANR, it is specifically adding language saying that the ANR secretary can request that the Cybersecurity Advisory Council develop non binding guidance for public water systems around cybersecurity, including info relevant to metering systems and customer data. So, it sounds like the original concern was having to do with our public water systems safe from cyber, you know, from cyber attacks. And what about these meters? Could the meters be prone to attacks? And I'm looking at the enabling so if that if assuming that was the concern, I'm looking at the enabling legislation for the cybersecurity advisory council and seeing a water district on that membership and Vermont Gas, which I know we're not talking about today, and all the relevant state agencies. And so I'm wondering why couldn't you couldn't the council do that right now if they wanted
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: to? So the council is doing that right now, and the language that you just shared is a little bit of a caveat from what was recommended by ADS because the language that you just shared does not include the cyber advisory council's work and the participation and membership of those critical infrastructure areas. So Well, it
[Rep. Kathleen James (Chair)]: says on its own motion, the cybersecurity advisory council may at any time issue guidance for public water systems. I'm wondering, can't you do that now? Why do
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: you Yes, need we do that now. We don't need that.
[Rep. Kathleen James (Chair)]: Okay.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Think we are And
[Rep. Kathleen James (Chair)]: you could also put that in your annual report. I assume you could do that now. Correct.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: The reason why, if I can recall, is that we moved that language out of the law that is specific to permitting. And so we took the language around cybersecurity and made a recommendation that it move into the authority language if it needed to stand. But you are correct that this is already occurring with the Cyber Advisory Council. This is work that is already happening with the participants across the state. Yeah.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: So
[Rep. Christopher Howland (Member)]: that whole language in total isn't really necessary in that bill. Correct?
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: I don't believe so.
[Rep. Christopher Howland (Member)]: Charting in practice. Charting being found by the council. Section two. Correct. This is yeah. Section two h. Section two The new language. The eleventh through thirteenth. Yeah. Yeah. Yeah. This is not I Right.
[Rep. Kathleen James (Chair)]: Madam Chair. All of section two. Yeah.
[Brian Redmond (Agency of Natural Resources)]: Yes. Sorry. For the record, Brian Redmond. The piece that was added on the senate side that may be slightly different than what was recommended is that on the request of the secretary of ANR, we can request nonbinding guidance from the CAC. And I would like to think that exists today. We have a very active group of of of of folks, but that that seems to be a a notable addition
[Rep. Christopher Howland (Member)]: to what we're Do we know why that is? Alright. That that was the question in my head when I saw that. Why why is the secretary of ANR requesting the cybersecurity council? Within
[Brian Redmond (Agency of Natural Resources)]: our industry, we see sector alerts. We get different alerts through our national networks specific to water supply or wastewater system operations. Okay. So that could be a reason if we're seeing something through our network to go to the CAC because we're not the experts the matter and consult with the CAC. So, I think that's why that is the very.
[Rep. Kathleen James (Chair)]: And when you submit your written testimony, could you just include ANR's recommendation on whether this language, whether section two is needed?
[Rep. Christopher Howland (Member)]: Sure.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Yeah. On that, it also sounds like you need a recommendation on what statute the other parts of the bill should read again because you mentioned that it's not.
[Rep. Kathleen James (Chair)]: But I think she was talking
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: about I'm talking about cybersecurity regulating cybersecurity under a a permit an existing permitting law would not be advised. Well, it's not under the Correct, that's why it was moved. That's why you're seeing it under the
[Rep. Kathleen James (Chair)]: authority of under the authority of ANR. Would be super curious to hear from We've heard from you about this work you're doing. I'd very curious to hear from ANR about whether you feel like you need statutory language in order to ask the cybersecurity council to do something.
[Brian Redmond (Agency of Natural Resources)]: I'll I'll take a closer look if that's actually needed and included in my Okay. Yeah. My testimony.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Great. Thank you. And I do wanna note too, I had an opportunity to speak with the FBI liaison for the state of Vermont. This individual works both with my office and the Department of Public Safety when it comes to cybersecurity risks given whether or not they're public safety or whether or not they're government operations because government is also another critical infrastructure area. And I specifically asked whether or not the FBI has concerns or is seeing anything across the industry around meters themselves being imposing a public safety risk. And the answer was no. The answer was what they are most concerned of is the operating environment and the risks to the operating environment, which the meters do not connect to. So the meters are connecting to just visibility on flow, and it's a separate system, and that system is not directly touching the operating environment of the water system itself. And so that's what we look at from a cybersecurity oversight lens is we would highly advise against that, but advising against something that's not happening anyways that folks are very smart about how to connect things in and not connect them in.
[Rep. Kathleen James (Chair)]: Perfect. Yeah, well as in, Howland.
[Rep. Christopher Howland (Member)]: So, are the meters that are communicating with, wirelessly somehow, how are they communicating wirelessly? Are they using WiFi and
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: some? Is that another? They're not. No. There's a number of different technologies out there that they are using. I think that you may hear AMI is one. I think there's AMR is another. So there's some that are radiofrequency, some that are Bluetooth. What are they connecting to? They're connecting to either a device, like a a tablet device.
[Rep. Christopher Howland (Member)]: So that a a meter reader would be would have in his or her hand called as a drive by or Correct. Correct.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: When the when they're within vicinity of whatever that transmit protocol is. Right. It would note a number. That's it. Mhmm. And it would tell them the number. Right. And they would be able to deliver, either deliver bills or have information on access flow. This is also a really great system to use for, identification of leaks. And so that was something that came up in senate testimony as well as these devices can also read vibrations within the the municipal water pipes as well to be able to identify and isolate where a leak could potentially be happening. That doesn't happen with non smart meters. And I think that's one of the risks right now from a from an infrastructure standpoint that go beyond the technology, but having technology to be able to alert to that makes diagnosing, resolving, and getting water back on for consumers much faster.
[Rep. Christopher Howland (Member)]: What I'm trying to get at is the communicate. Are are these are these devices communicating through a network of some sort? So the one one way that they could be communicating is is, I guess, via Bluetooth or something when a meter reader isn't within the vicinity of of of the meter. Our but that's probably not how they most of them are connecting. That's not how electric electric utility meters work as I understand it. They they connect through a network, and I don't know whether that's my Wi Fi network and all or or have it or or through a satellite or what. I'm gonna
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: This is where it's interesting that that the industry terminology and the words that we use mean different things to different people. And when they say a network in that particular sense, I I'm gonna I'm gonna look at it very similarly, where when you say the network, it means it is that particular group of points that will read into that particular system. And so you might have a couple of different, tablet devices that will go around, or you could have radio towers. I'm I'm not involved in the installation, so I don't know what towns across Vermont are looking at. But it's avoiding having to walk up to a house or go up to a house to be able to see it, and you will be able to transmit it. I'm only transmitting to when you say the network, we're a network right now. Right? So so we're we would be an intended network. And I think what you're asking for is we use the word network in many different ways. This is not connecting to your home WiFi network. That is a totally different protocol. The protocol that these meters are using would be specific to the meter environment and network ecosystem of that particular operator device system and platform.
[Rep. Christopher Howland (Member)]: Well, so the concern, from a cybersecurity point of view, was even need to be if a device is connected to a network of some kind, then what are the how do we defend against the possibility that a hacker, a person with the ill intent could use that use the the relatively dumb device, that is the device that's metering water K. To access other nodes on the network and perhaps thereby access, I don't know, the nuclear bomber or something. What I you know, maybe
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: you Yes. I do. So so I guess what I will say is the meter environments. Let's say we have 50 homes that are being served are measuring the water flow No. No. I understand. From the Yep. So if if your water operator goes by, they're not reading your electric device that has a meter too. So they're not reading your home network. They're they're isolated, independent networks that are specific to those Yep. Devices. So when you say the hackability piece, I'm gonna go back to what I shared with the FBI. The security risk to Vermonters does not exist within the meter implementation to be able to measure flow into an your home. Right. What it is doing that what where the security risk is in the actual in infrastructure and operating environment of the water facility. So I think we're shifting the risk and concern to something that we are not experiencing in Vermont today. Right. That when we look at the experts in cybersecurity and whole of state risks are not seeing that these are those are edge edge cases of what if Mhmm. What could. And and it's it's kind of a risky conversation to have because your home networks pose a far greater risk to you as a consumer Mhmm. Than putting a device in place to make sure that you get water flow and, god forbid, you have a leak outside in your yard that your town is gonna be able to identify it.
[Rep. Christopher Howland (Member)]: Yeah. No. I and and to be clear, I'm not worried about about about these meters or even necessarily about a meter being connected to to a network in order to avoid having a meter meter go out and and and be in the vicinity of a meter in order to obtain the the information off of that meter. I'm trying to anticipate, and I think that's what we're trying to do here, is anticipate what are the possibilities.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: So right yeah. Right now from the systems that we're well, I can't predict the future.
[Rep. Christopher Howland (Member)]: Yes.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: It's but for right now, the systems that the water operators who are engaged with the cyber advisory council have shared and are talking about is the risk would be that somebody who could tap into the frequency of the meter may be able to find out where the leak is in the town before the town would. So the meters are not
[Rep. Christopher Howland (Member)]: They're just they
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: They're not talking to other devices. They're not
[Rep. Christopher Howland (Member)]: they're not somehow communicating with Correct. The pumping station. Mhmm. That is that is that is Correct.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: That's the operating environment. It is not Yeah. Even they're two completely disparate environments.
[Rep. Christopher Howland (Member)]: Mhmm.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: The town manager wants to know what the number is between last month and this month so that they know what to bill. Right. The town manager or town clerk doesn't talk the operating environment. Don't How do not care.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: It is not connected.
[Rep. Christopher Howland (Member)]: Well, so that would seem to be a good design for for cybersecurity. So, again, I think that it is I think that's what we're trying to trying to get at here is is how do we design systems that are as as secure as possible. And and so one way is to is to is to island
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: And and meters are island.
[Rep. Christopher Howland (Member)]: That that do things that we need to be done, but don't connect to other parts that they don't connect to. Anyway okay. That's I think was ahead of me in the line. Okay. Okay. So
[Rep. R. Scott Campbell (Vice Chair)]: the the production meter has nothing to do with what is before the production meter in controlling anything from inputs of of chlorination or Correct. Not even Totally not connected. Right. And the production meter may or may not be automatic reporting to any place other than controls within the production facility. And
[Rep. Bram Kleppner (Member)]: If some bad guy hacked into a network of service meters, those meters don't control flow, they couldn't shut off the water to your house or do anything like that. The worst they could do is figure out your water usage.
[Rep. R. Scott Campbell (Vice Chair)]: Is that accurate?
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: That is the figures that Vermont operators are putting in place today. Correct. There are other countries that I'm sure have levels of advancement far beyond that, but those are not the meters that are aligned with what Vermont is implementing.
[Rep. Bram Kleppner (Member)]: So even if they're set up so that someone sitting in an office can get all that data, it's still only
[Rep. Kathleen James (Chair)]: It's only Well, volumetric
[Rep. Bram Kleppner (Member)]: data and no control and
[Rep. Christopher Howland (Member)]: no Yes.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: And I would love for you to hear that from the operators who are also very eager. I understand I know, know, I'll bring up Rick Chambers in Cavendish because as he and I spoke, what he talked about was the the the significant aging infrastructure that they have right now that was that they don't have smart meters. It's gonna take them two and a half years to put that into just a handful of homes. It's a very small town. So this is this is a significant amount of effort, but once once it's in place, the visibility that towns will have in regards to the the integrity of the underlying pipes that are running through the town is pretty significant. I know that that's one of the benefits for Cavendish. The other one is, as I said, that they're replacing them every twenty years. Most are almost double that for replacement, and that aging infrastructure has a greater risk to consumers right now in not giving them access to water than putting a smart meter in to be able to read how much they're using. And
[Rep. R. Scott Campbell (Vice Chair)]: I'm sorry. Just in terms
[Rep. Bram Kleppner (Member)]: of helping a town identify a broken pipe, that only helps behind the meter broken pipes. Is that accurate?
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: No. I'm talking about town I'm talking about the town pipes that are servicing the water to all of the homes. So I
[Rep. Bram Kleppner (Member)]: just don't understand how that would show up within data.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Because the the cert I so I don't wanna get too technical, and I don't wanna steal a water operator's thunder here, but they it can listen for vibration. So it can provide indicators on vibrations to know when something's in
[Rep. Christopher Howland (Member)]: the box. When?
[Rep. Bram Kleppner (Member)]: So smart meters can do that.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Smart meters can do that if they're if they're used.
[Rep. Bram Kleppner (Member)]: Yeah. So if a bad guy hacks in, they can get both volume and vibration data.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: And they can come fix our pipes. Yes.
[Rep. Christopher Howland (Member)]: That would be exactly my point.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Would be need to see can get that. Think there was another concern that was raised kinda I'm gonna call them edge use cases where somebody said, well, I don't want anybody to know if I'm home or not. I don't know about you, but I do not run my water all the time. And whether or not my number changes from 05:00 in the morning until 05:00 at night is not an indicator from home. And so I think it's a it's a it's a unrealistic expectation that that is an indicator of someone's availability in their home. But
[Rep. Bram Kleppner (Member)]: I I would say my my experience is that if there's something valuable, can be bad guys. We'll sit there and spend weeks and weeks and months and months and figure out the patterns, but there's nothing valuable for them to get here. So
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Not in the meter. No. And if they're not doing it today with the electric meters, I would again, when you look at where the cyber risk is, that's I don't believe that you're gonna hear that that's an indication from the current electric meter system.
[Rep. R. Scott Campbell (Vice Chair)]: When you measure it by cubic meter and not by a gap.
[Rep. Kathleen James (Chair)]: Rabbit hole. Rabbit hole. Ruttory? Just to go a little deeper in
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: the rabbit hole.
[Rep. Kathleen James (Chair)]: Witness fairies. Raise the flag.
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: Is there any risk of data corruption? In whether your number is a five instead of a 10? Whether it's an incorrect number. Like, you can change the data. I think the likelihood of that is low. When you look at why cybercriminals are looking for information, that is not an area that you will see come up. Are are technology systems flawed? Sometimes, do mistakes happen? Sure. Is it a cybersecurity risk? No. I would I would think that we would have more issue on human error than we likely could today than we would with what you described. Thank you. Thank you. I will drive Mr. Chambers up here if you are interested in hearing from him, but I do think hearing from the operators, if this is something the committee is is interested in pursuing further, can We
[Rep. Kathleen James (Chair)]: will. We've got Joe Duncan at Champlain Water District, Megan Lawyer at the City of Burlington and Rick Chambers at Cavendish. Perfect. Alright. Thank you so much. And we can just roll forward, I think, into our next testimony. Thanks. Thanks for coming. Thank you. Yeah? So,
[Liz Royer (Executive Director, Vermont Rural Water Association)]: hello. Hello. My name is Liz Royer, I'm the executive director of the Vermont Rural Water Association. Vermont Rural Water is a nonprofit organization that supports all public drinking water and wastewater systems through technical assistance, training, advocacy, and outreach. We represent over three twenty system members that protect public health and allow for economic development in our towns and municipalities. These small rural utilities provide safe drinking water and return clean treated wastewater to rivers and lakes throughout the state. Since 2020, I've also served as the chair of VT WARN, which is Vermont's mutual aid and emergency response network for water and wastewater systems. VT WARN has been active in recent years with flood events, contamination incidents, drought, and cybersecurity outreach. Chair James, thank you for having me here today and allowing me to share our thoughts on metering and cybersecurity on behalf of all of the public drinking water systems in the state. We do not believe that water meters pose a risk to cybersecurity, and this is not operational technology as it might be for other industries, which you just heard from two other testimonies. In addition, we feel that the section on electric meters should be decoupled from S213. First, let me provide some background on the universe of the 400 plus public community drinking water systems in Vermont. As Brian Redmond mentioned, the community water system has at least 15 connections or serves a residential population of at least 25 people. Less than one quarter of all of the community water systems in Vermont are owned by a town, village, or city. Over three quarters are owned and governed outside of a traditional town municipal infrastructure, such as fire districts, homeowner associations, water co-ops, and other types of water systems. The majority of community water systems are managed by volunteer boards.
Many of the small rural systems that we typically support are not metered. This is due to the expense of installation and maintenance of those meters. In addition, only 3% of these 400 community drinking water systems are regulated by the Public Utilities Commission. The PUC regulates private companies such as ski resorts and water corporations. As provided in statute, the PUC and the Department of Public Service have general jurisdiction over water utilities that are not owned by users, municipalities, fire districts. Regarding S213, we appreciate that our initial concerns regarding cybersecurity regulation have been addressed. We are supportive of the Vermont Cybersecurity Advisory Council providing non-binding guidance to public drinking water systems on these issues. However, in further research on advanced metering infrastructure, or AMI, it has become apparent that these are not the same type of meters that are used by power companies. Advanced water meters are typically encrypted, radio read, and contain very minimal data, often just one or two numbers. One being gallons that represents the water usage of the household, and the other being the meter ID number. This is typically one way communication. This poses basically no risk in terms of cybersecurity threats to both the customer and to the system with very little information being shared. There is no connection between the meter and the operation of water production or delivery of water temples. There is no existing technology that allows water to be shut off remotely or through the meter. In October 2024, Vermont Rural Water was selected as one of two states to host a pilot project focused on cybersecurity and small municipal drinking water systems. We were trained by EPA headquarters staff, CISA, FBI, Water ISAC, DC Water, and other leading agencies and organizations to provide on-site technical assistance for cybersecurity.
This experience has expanded our knowledge and awareness of the many threats faced by our small water systems. We learned that the threat actors cast a wide net, and while Vermont systems wouldn't necessarily be specifically targeted, they look for any systems that have an easy path to infiltrate. Water meters have never been mentioned in any cybersecurity trainings or meetings as a vector since they are not connected to any operational technology or equipment. What is the solution? We suggest that best management practices for both meters and cybersecurity occur at the local level, either in the municipality or through the systems. We encourage operators to focus on the basics: personal cyber hygiene, developing protocols for former employees, password management, and ongoing training awareness for small systems. Moving forward, the best option for building ongoing relationships and sharing resources, we believe, is a town-wide cybersecurity tabletop. This needs to have involvement from the local emergency management director, the select board, fire and police, water and wastewater operators, and other local officials and legislators. We believe cybersecurity of Vermont Water Systems can be improved by partnering with the many organizations and agencies offering training and outreach along with direct technical assistance from a trusted and knowledgeable provider. We encourage you to invite water system managers and operators to testify on this bill. They have the direct experience with installation and maintenance of meters and have spoken with customers about their concerns. We believe you will learn that water AMI is not a threat to cybersecurity. Thank you for allowing me to speak on behalf of our state's drinking water systems. We appreciate this committee's efforts towards improving public health and protecting the environment as we all work together for Vermont's future.
[Rep. R. Scott Campbell (Vice Chair)]: How many of your drinking water systems also provide fire protection?
[Liz Royer (Executive Director, Vermont Rural Water Association)]: Most of them. It's there's there's regulations with fire protection, Brian can speak to, but yes. Yes.
[Rep. Christopher Howland (Member)]: That's a So heavy hit.
[Rep. R. Scott Campbell (Vice Chair)]: Fires, the flow goes up. Yeah.
[Rep. Kathleen James (Chair)]: Setting aside the cybersecurity conversation, do you have a sense of why folks would not want one installed at their house?
[Liz Royer (Executive Director, Vermont Rural Water Association)]: When I testified in the Senate Committee, the person who originally requested this bill be drafted was supposed to testify and didn't show up. I don't know. I know it was a Tri Town Water District customer in Addison County, but I don't know what the initial concern was.
[Rep. Kathleen James (Chair)]: Okay. Who didn't want the meter? Correct.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: The the option to opt out of having a smart at that point, they were calling it smart meters. Could
[Rep. R. Scott Campbell (Vice Chair)]: you share with us this Tri County organization? How many customers do you think they may have?
[Liz Royer (Executive Director, Vermont Rural Water Association)]: I it's the it's Tri County Water District serves three towns in Addison County. I don't Brian, do
[Rep. Christopher Howland (Member)]: you know? Yeah. But can put it in my follow-up. Okay.
[Rep. Kathleen James (Chair)]: Thank you. We can sorry. I mean sorry. But you can, but I always like to hear from folks directly if we're gonna get tested. Yes.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: They they are typically, like I've mentioned, it's the medium to larger size systems that install meters in Vermont because of the efficiency allowed by this radio read technology. They don't have to enter every common business to get the number. Smaller systems typically don't meter, customers at least, and they just charge on usually a quarterly flat fee type of basis. Okay.
[Rep. Kathleen James (Chair)]: Questions? Well, I
[Rep. Christopher Howland (Member)]: guess I'm going back to my what I was asking secretary about, so he may not be the person who talked about this, but I'm I'm trying to imagine a vector for accessing information in IT systems that that that we're not thinking of. Mhmm. Is there is there a way in in which a threat actor could
[Denise Reilly-Hughes (Secretary, VT Agency of Digital Services; State CIO; Chair, Cybersecurity Advisory Council)]: It'd be free.
[Rep. Christopher Howland (Member)]: Access a water meter water meter being fairly devices, fairly rudimentary devices, and and and you and use that as a way to to send a piece of code or something to where wherever that information is being sent to. So I I'm I'm sure there are there are people who think about this and are trying to defend against that. When when they're designing the protocols that make these meters make these meters communicate with wherever they're communicating, like the sabotage or or whatever it is. But that's what I'm trying to trying to imagine. I mean, people people would probably do the same thing with your refrigerator or your whatever. But but that's this this is the the the the the criteria of of like, of what we can possibly imagine could be done. And not not necessarily to No. No. That that pain, you know, a ransom or something like that. It might be just pure sabotage. Yeah. I mean, who knows? Right? So that might be and I don't think that's what my my guess is. I don't know. But I I don't I imagine that that is what the person who prompted the senator to to introduce this bill was concerned about. They're probably concerned about other other But but in terms of cybersecurity, that's what seems like the the the thing that we're that we that we can't imagine now that we are are wondering is it is there are we thinking about it? Are we is it is it is there somebody who's paying attention to that? I don't know if you know anything to say to in the thoughts of that.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: It it for what exists currently in Vermont for meters, which is what my knowledge is. Mhmm. The the most advanced type of meter, which would be something like Champlain Water District would use, which I I am on the board for Champlain Water District, so have some knowledge of that system as well. They have a device, so this is not going to a satellite, it's not going through the internet, it's not going it's a radio read, there's an encrypted radio signal as they're driving around that comes to this specific device that is encrypted. They then go back to the office and then they have to have this very expensive software because the vendor makes sure that they have to buy this actual software every year to read that encrypted radio signal and then download it, that information, which is just again a list of numbers of the gallons used and the meter number. And that's it. So there's not currently an opportunity for a hacker to access. It's just one way communication through a radio signal. Yep. And, I mean, I'm I'm not a hacker. If I was, there are thousands of other easier ways if you want to hack a water system. This is not even a consideration.
[Rep. Christopher Howland (Member)]: Yeah. I guess I'm imagining that a water system is probably not something that a lot of people think about. They might think about lifering systems as, oh, wait a can't we have to defend against cyber attacks on on the on the power grid. That seems pretty obvious. But water systems might be not the first thing that comes to mind, to think about critical infrastructure and how do we ensure that we don't have vulnerable devices that provide access for a piece of code or something to be to be to piggyback on the information and and infection systems upstream. So that's that's what I'm trying to imagine out of let's hope it's way out in the future, and it's not something you have to worry about.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: I in in in our industry, we use the term air gap. So that's what we use to prevent backflow contamination. That's why you don't put a hose into your swimming pool, into the water of the swimming pool when you're filling it, you need to have that air gap so the water doesn't come back in. We consider these meter systems as being air gapped. There's no connection to any type of system or network where information could be shared.
[Rep. Christopher Howland (Member)]: Where there could be a backflow effect. Yes. That's a good analogy. Let's hope that that is truly
[Rep. Kathleen James (Chair)]: Sorry. Rutland? Do you
[Rep. R. Scott Campbell (Vice Chair)]: have any idea of what the power is of these radio systems? Like, you hear WABC out in New York at 50,000 watts, and you can sometimes pick it up in Vermont, but, I mean, the local radio station you can't pick up from Rutland, can't get it in Middlebury, the AM stations. Yes. It is very, very low.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: Very, very local. In some cases, you can't even just drive by on the road. You actually have to walk up to be closer to meter of the specific device to be able to
[Rep. R. Scott Campbell (Vice Chair)]: have So that video it may not even so you may not be able to pick up across the street, standing by across the street's meter, you can't pick up the person on the opposite side of the street 150, 200 feet away.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: Correct. At this point, I believe that there are a few water systems that are looking at something that would be slightly more centralized, but that doesn't exist. Right? And I don't know if
[Rep. R. Scott Campbell (Vice Chair)]: you were in earlier. Do you know where these meters get their power to make
[Liz Royer (Executive Director, Vermont Rural Water Association)]: their radio? I was wondering.
[Rep. R. Scott Campbell (Vice Chair)]: The battery that has to be replaced every five I'm not a meter specialist.
[Rep. Christopher Howland (Member)]: So just to clarify, so so you're saying that there aren't any these meters don't communicate to a a satellite or a cloud or something somehow? No. The meter meter has to have to be at the vicinity of the meter in order to read it. Yes. And that's what exists currently in the That's that's interesting. Anyway, thank you.
[Rep. R. Scott Campbell (Vice Chair)]: So there are some systems that are using this already?
[Liz Royer (Executive Director, Vermont Rural Water Association)]: So the definitions of advanced metering infrastructure, it it's it's not something that we typically discuss in our industry. And, you know, I did speak with one of the vendors in Vermont who sells meters to many of the systems. There's generalized terms, but it's hard to be very specific. It's not AMI or even smart meters don't mean the same thing to different sized water systems. They don't mean the same thing to different industries. So that's why I'm saying you can't compare what the power companies use because they are able to shut off power through the meter. That's not something that we can currently do in Vermont. So,
[Rep. R. Scott Campbell (Vice Chair)]: to your knowledge, do meters exist now that can be read manually, but may be able to take advantage of advanced meter reading in the future, automated meter reading in the future?
[Liz Royer (Executive Director, Vermont Rural Water Association)]: Advanced metering infrastructure exists currently in Vermont, but it's, I don't I don't know where the future is going to lead us, But I
[Rep. R. Scott Campbell (Vice Chair)]: presently, you could go to your electric meter, and if you wait long enough and do what you were doing, you could read the eight registers as they flash through. So you might be able to presently go to the side of the house and read a meter. Yes. And that side of the house may also have something in it that can then broadcast. Maybe, it doesn't matter. It's time for it.
[Liz Royer (Executive Director, Vermont Rural Water Association)]: Okay. Yes. In theory, it could, but typically, you know, there's no reason that anybody would want to access that information even if it was available, they had the right type of device to read the radio signal. Great.
[Rep. Kathleen James (Chair)]: Thank you
[Rep. Christopher Howland (Member)]: for