[Anne Watson, Chair (Washington District)]: Online floor posts. Okay, you good? Okay. All right, good morning. This is Senate Natural Resources and Energy, and this is Tuesday, January 20, and we are starting this morning with S213 about smart meters on public water systems as well as cybersecurity issues. And we have a few folks to hear from this morning, so we're going to just go right down the list as it appears on my agenda, starting with Mr. Duncan from the Champlain Water District. Welcome.
[Joe Duncan, General Manager, Champlain Water District]: Thank you.
[Anne Watson, Chair (Washington District)]: Maybe we can take a second to just introduce ourselves so you know who you're speaking to. Sure. Good morning.
[Senator Ruth Hardy (Addison District)]: Hi, I'm Senator Ruth Hardy from the Addison District.
[Senator Terry Williams, Vice Chair (Rutland District)]: Senator Grant from the Laurel District.
[Anne Watson, Chair (Washington District)]: Anne Watson from the Washington District.
[Joe Duncan, General Manager, Champlain Water District]: As mentioned, Joe Duncan, General Manager of Champlain Water District. We provide wholesale water to Wilson Chitin County, including the Burlington area. So thank you for the opportunity to be here today to speak about this. The concepts of metering and smart metering are obviously very important to not only the water systems but also the customers as well. Keeping customers informed about what is going on and what is happening is definitely very important for floodwater systems to communicate. Piece for this is that I do believe that most of the water systems that we're talking about that implement this and that this would impact our municipal water systems, municipalities that have the ability to create policies, make rules and regulations that would speak to the stuff that you're talking about. And in fact, most of the systems that we serve with the Champlain Water District have policies like this in effect, where they notify people of what changes are in the systems. They also have policies in place where there are people who for a variety of reasons may or may not have a smart meter or a remote meter reading system in their home implementing that. So I'm not really, for me at least, it's a bit of a challenge to understand why the state would step in on something like this. I do understand that the Vermont gas and electric industry have a regulation similar to this. To me it sort of makes sense that that would have that because there's no place for someone to go to a public board locally to say, I want to influence this, and perhaps they have to go to the public service board as compared to say the city of South Burlington, for example. Someone could go to the city council, talk to the city council about putting policies in place that would address certain leaks. And so just sort of that sort of my big picture set of things.
From an infrastructure standpoint, water meters are, at the current state, much different than where they are in the world of gas and electric meters. It pretty much is a one way street of information of those meters to the reading system. It's all done over encrypted radio. In fact, we actually have to buy the right equipment from the manufacturer to read that encrypted radio because they don't give it away for turning people to stairs. The other thing is when people go out and read those, when our staff or any water system goes out and reads those, the information they get from a smart meter is the meter ID number, nothing that ties it to the home in any way, shape or form as a piece of data, solo piece of data. They also get the meter reading, and the thing about the smart meters that makes them smart, at least in their current state, is the ability to tell if there is a usage anomaly. So smart meters basically have little chips in them that are telling them, is there a usage that's outside the norm? And the reason for that is so that if someone reads that data and gets that flag, they can take a look and say, oh, this person's had high usage for several days consistently. And the goal there is basically to be able to go back to the user and say, hey, we flagged this, we saw this, we wanted to tell you this, perhaps it's a leaking toilet, perhaps you have a leak in your home, and we'd like you to check that so that we don't give you a $2,000 bill in three months that everyone is surprised by. So to me the term smart is I guess used loosely in my mind. But the big thing is once that data is collected through a radio read, it is then brought back. There's, I'm not aware of any fixed network radio reads. Shelburne's the only one that I'm aware of that's currently in a fixed radio read system that would actually be able to read stuff real time on a daily minute basis. 
Even then they only plan on reading it monthly just because of bandwidth and capacity but still doing poorly billing just because of bandwidth and capacity. So it isn't like there's something that's there that's talking back and forth on constant daily, minute to minute basis. And so what happens is that data is then collected and brought back to a piece of infrastructure that's on the business side of the house. In the business side of the house it is then correlated, the water meter is then correlated in a system that's within the municipalities network that links that water meter to somebody's home and a bill and address. Typically in some places we do things a little differently, typically it's the same information that's in your tax data, it's the home. There are some variability with that, typically it's the property owner that is the bill payer because that's how leads can be put on properties. But that's the first point in time where somebody's personal information is then linked to that, and that's not done through the radio, it's not done out in the web out there. But what can happen is, at that point in time, once you're inside that piece of infrastructure, that billing stuff can then have a place where information for people's billing, if people want to pay online, they want to pay through ACH transactions, some of that information then may be available within that. At no point in time does that make its way from that in home structure back to that water meter or through rate transfer of data. And there is the world of cybersecurity where I think maybe not necessarily in this particular bill it would be, but somewhere in some sort of regulations where communities who do take any bill of private information from London should have some sort of measures in place that protect that, similar to what's done in hospitals or anywhere we're making online payments or whatnot. So to me, the cybersecurity piece is very important. 
It's certainly critical in the world that we live in. I don't necessarily see it being critical. Smart meters, probably more on the pay side of things. So that's just sort of the world that I'm used to seeing and is living in different groups. I want to just present that here to give you some perspective of what the lay of land and your power meters in the market is just simply what system.
[Senator Ruth Hardy (Addison District)]: You. You. Wait, so Champlain Water District, which towns do you serve?
[Joe Duncan, General Manager, Champlain Water District]: We serve Shelburne, Shelburne, South Burlington, Winooski, Colchester, Essex Town, Essex Junction, Williston, Milton, and the Village Of Jericho.
[Senator Ruth Hardy (Addison District)]: Okay, so mostly, I mean, Vermont standards kind of suburban towns. Do you have smart meters throughout all those towns?
[Joe Duncan, General Manager, Champlain Water District]: Not all of them, no. I would say half of them have, or some of them are converting, but only half of them actually are fully implemented.
[Senator Ruth Hardy (Addison District)]: Okay, and do you allow customers to opt out if they don't want them? And you mentioned, and do you charge them in face for the cost of that opt out? Yes. So you already do part of what's in this bill. You mentioned about the reading of the smart meters and that the only system that has one where you can read it remotely is Shelburne. So how do you read the other ones?
[Joe Duncan, General Manager, Champlain Water District]: You do read it remotely. A fixed network, so what we do is we have, and there's a couple different ways you can read it, right? There's the old school way of actually back in the day, go in and knock on someone's door open in the basement, or someone would write it on a card and give it to you and accept that. Then we move to touch pads, so there's a little pad outside the door, you'd walk up to it with a wand, touch it with a wand, that would go, that data would be transferred into that. Then we're into drive by radio systems where it's basically just a larger receiver with a stronger signal off of the meters and you can drive around and pick up several 100 in a block, maybe even a thousand block So like
[Senator Ruth Hardy (Addison District)]: the other truck that goes around and that's how you're doing it in most places except for Shelburne?
[Joe Duncan, General Manager, Champlain Water District]: And then Shelburne is actually doing a fixed network where they are putting radio towers at key locations, like they've got nine radio towers that they put in, that will basically read all the radios in lieu of driving around.
[Anne Watson, Chair (Washington District)]: Sophisticated children. Yes. So,
[Senator Ruth Hardy (Addison District)]: I mean, I introduced this bill as a,
[Anne Watson, Chair (Washington District)]: you know, because I had
[Senator Ruth Hardy (Addison District)]: a constituent who was concerned and didn't want a smart meter, and he was like, If I don't have to have it for electric and gas, I shouldn't have to have it for water. And he didn't want to have to pay to not have a smart meter. But in talking to water systems, it sounded like there are costs if somebody doesn't have a smart meter, so I added that in the bill. But there were also concerns about cybersecurity, and you mentioned those, and this has been a thing that's come up a bunch, several times in the media recently about cybersecurity and water systems. And so what's in the bill is just the first crack at trying to get at that basically making sure that water systems have cybersecurity protocols. Then you bring up another one, which is consumer data privacy, you know, because you have a lot of information about somebody, where they live, and, you know, their billing information and all that stuff. And so what protocols does your system use for both those things? They're linked but a little bit different.
[Joe Duncan, General Manager, Champlain Water District]: Yeah, they are. So when it meters comes to in someone's home, there is no link to the business infrastructure from that radio read, from going and reading the meter. There is no link to that when someone's just driving around getting that information and or is fixed now with
[Unidentified/overlap (brief interjections)]: that of a future
[Joe Duncan, General Manager, Champlain Water District]: possibility. There is also no link from that reading that meter to the operations side of things. So for us there's cyber security on the operations side. If you're making water, have things that are treating water, pumping water around, we consider that our operations network. And then obviously the business network is the part of the house where it's our financials, people's financials, building all of this stuff. So those two worlds do exist. It is a whole different dialogue on the operations piece, but the operations piece is the scariest piece because that is where your water is being made and controlled and people can do different things to it if they want to change how chemicals are being introduced and stuff like that. The same time water industry happens to be air gapped, our operations tied to the internet. That said, it's becoming more and more challenging to do that because there's a whole story of what's required for cyber security for operations networks, including stuff like you can we buy monitors now, we have to buy monitors that have no smart chips in them at all. Because if you have a smart chip in there, a lot of them are Wi-Fi. If they're Wi-Fi, someone can come in, find that, get on it, and then be inside your network. And so air gapping becomes more and more challenging, then there's a whole different world of creating different blocks for accessing operations. One of the challenges for small systems in the operations side of things is that there's a world where getting people to respond at night to go and see things at night, the convenience of remote logins and remote operations is critical for a lot of small infrastructure because sampling orders from staff 24/7, that's something that we're capable of doing, but not everyone's capable of doing that.
So to have an operator get a call in the middle of the night, he or she could look up and say, oh that's what's going on there, my urgency level is high, low, whatever it is, we might need to change something while I'm here. How do you manage that risk? And I think that's a big nut that's trying to be cracked. I'm actually the water wastewater representative for the cybersecurity advisory councilman for the government, and that's a major topic that's being talked about right now, is how to deal with that.
[Anne Watson, Chair (Washington District)]: So you don't have to
[Joe Duncan, General Manager, Champlain Water District]: There are ways get there.
[Senator Ruth Hardy (Addison District)]: Are there standard requirements right now?
[Joe Duncan, General Manager, Champlain Water District]: There are not standards right now, and that's one of the things that we're advocating for, our cybersecurity standards on the operations side. There are policies, guidelines that say, CISA's the Cybersecurity Infrastructure Security Agency. They have standards, EPA has standards. There are standards that people should follow. There's nothing driving or requiring people to follow a method.
[Senator Ruth Hardy (Addison District)]: Right, so this bill is a vehicle for that. So do you have recommendations for it? Well one, mean what's in here is the first wrap.
[Joe Duncan, General Manager, Champlain Water District]: My professional opinion is to definitely decouple the meter reading requirements as far as, because I don't see the meter reading in any way of cybersecurity.
[Senator Ruth Hardy (Addison District)]: Yeah, and I hear that, I hear that. But if we were to move forward with the cybersecurity for water systems, what would you recommend?
[Joe Duncan, General Manager, Champlain Water District]: There should be, and I'm not sure if it comes through, this is one of the questions that's sort of been at the Cybersecurity Advisory Council is, does it come from sort of the computer side of things or does it come from the drinking water side of things where there's some basic guidelines and standards that people have to follow? But either way there should be some base level requirements which those base level requirements should be. I mean one of the biggest things is, the simplest thing is, if you don't have multi factor authentication on your stuff, you should have it. I mean that's a base level thing that a lot of
[Senator Ruth Hardy (Addison District)]: people Pretty much everything.
[Joe Duncan, General Manager, Champlain Water District]: Yeah and you'd be surprised how many water systems don't have. So that as a base level requirement isn't very overbearing. Basically what you want to do, and there is a whole guide for setting up base level cyber security measures, and I think there's a bunch of stuff in there password requirements, requirements for timelines for changing your passwords, MFA, those base level things would go a long way with a lot of small players.
[Senator Ruth Hardy (Addison District)]: So if systems aren't doing these things now, us requiring them to do them would potentially be helpful. But are the things, who is making the requirements that we should say you should follow these?
[Joe Duncan, General Manager, Champlain Water District]: You would think that in the water wastewater world that we come from ANR, but there's also sort of a question of, this is what the cybersecurity advisory council is sort of talking about, there global sectors that everyone would have the same requirements on. Health, power, electric, all your critical infrastructure elements,
[Unidentified/overlap (brief interjections)]: do
[Joe Duncan, General Manager, Champlain Water District]: they all fall under the same umbrella? Does that come from some central piece or do you then look at it individually where you say well if electric falls under DPS then do it under public service and if water falls under that do it under ANR. Don't, that answer hasn't quite gotten there, I think someone who might be able to help you out if you come along. But I would definitely say there should be a driver, and again the piece to it is you have to look at how hard of a lift it is to get there. I think what most people think is cybersecurity as some heavy investment of money to get there, when really a lot of it is diligence and practice with a little bit of low level investment in someone to set up those protocols for how to access your information.
[Anne Watson, Chair (Washington District)]: My multi
[Senator Ruth Hardy (Addison District)]: factor idea doesn't cost you anything. If there are water systems out there that are not doing that, then that's
[Joe Duncan, General Manager, Champlain Water District]: Then you should be able to get that. And there are people that can assist with that. And there are, we always advocate to, Champlain Water does is larger than this, but knowing that there's a lot of small systems out there we always advocate for, you know, if there's money that comes in through EPA or other things to do some set asides to that, know, help people understand what it would be write that package of what they need for a service driven policy for practice. Once you do that, it's really not hard. It's just a matter of time. Okay. But it's also interesting too, water systems, some live alone, Champlain Water District is
[Unidentified/overlap (brief interjections)]: only
[Joe Duncan, General Manager, Champlain Water District]: municipality. The village of Jericho, their mission is water only, but you get to some in town of Essex. In the
[Anne Watson, Chair (Washington District)]: town of
[Joe Duncan, General Manager, Champlain Water District]: Essex, they should have communications department or an IT department and it's something that they have to look at globally for how they put that into effect. That's where it sort of, does the regulation come from water? It not come from, does it come from ANR, does it not come from ANR? Because it does cross over a lot of different places where what are municipalities doing for protection of information from what they, you know, if they're collecting taxes or collecting online permanent payments, how is that data and information protected?
[Senator Ruth Hardy (Addison District)]: But the regulator for those things are different. So a lot of times those things have to rest with the regulator and the regulator for water systems is ANR.
[Joe Duncan, General Manager, Champlain Water District]: So that's I think been where the Cybersecurity Advisory Council has sort of kind of crossed over into, is it global, is it sector specific, and that answer has in common, but it probably ends up in where it could influence infection, was probably on a regulatory basis.
[Anne Watson, Chair (Washington District)]: So before we get to Senator Williams, I just as a follow-up, you mentioned that there is a guide on cybersecurity protocols. Then I imagine the guide that you're referring to is for water systems, or is it more general
[Joe Duncan, General Manager, Champlain Water District]: than that? There of are a different ones out there, and I should have been a little bit better prepared to give you these specific resources for them. I can them with you afterwards. That would be great. There are ones that you can walk through a six program module, and it's not system specific, but it has all the stuff. Then there are ones that are water specific or wastewater specific, so that's the realm that the ignores covers.
[Anne Watson, Chair (Washington District)]: So given that there's multiple, I mean we can see, if you're able to send these to us, we'll check them out, that would be amazing. I lack of a better term, like who owns those? Like where do those guys come from?
[Joe Duncan, General Manager, Champlain Water District]: One of them is CISA, which is a government agency that, interestingly enough, has been decoupled completely from regulatory enforcement. So they basically live in a world of coming in, they have no ability. One of the things that come off has challenges, and it's not just come off, heads of being in mind, is if people know that if they tell you something that might lead to them getting either slap on the hand or something else, they don't share that with me. CISA comes in and they have no skin in the game on them to help you with what it is.
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: It's just an advocate and it's not
[Joe Duncan, General Manager, Champlain Water District]: a client that walks you through how to set up a cybersecurity policy.
[Anne Watson, Chair (Washington District)]: And CISA was this it is or was it for the state organization or if that was?
[Joe Duncan, General Manager, Champlain Water District]: No. I think it came through DHS, formal and security rating link.
[Anne Watson, Chair (Washington District)]: And still exists? Yep. Asked that, and the mayor about that?
[Joe Duncan, General Manager, Champlain Water District]: There was a Vermont representative, Anne Gamblyn, who is the assistant of Vermont.
[Anne Watson, Chair (Washington District)]: Okay, and so they're there to assist? Yeah. Okay.
[Joe Duncan, General Manager, Champlain Water District]: And then there's another one, I forget the name of it, a university had put together basically a six piece module walking through that and I can share that with you as well.
[Anne Watson, Chair (Washington District)]: Okay, that's great, thank you. Senator Rutland?
[Senator Terry Williams, Vice Chair (Rutland District)]: So back to the security mindset, lot of people just have a concern about where the status is being used over day. You know, you hear about smart TVs and smart refrigerators, you know, Alexa and Siri, you think that people are suing them. Okay? So where does the data get used just internally by who is a consult consolidated and used by any state agency?
[Joe Duncan, General Manager, Champlain Water District]: Not that I'm aware of. Obviously it does, there is a world of it being sort of I guess public record and we haven't been asked to transmit any of that information, but if we did I think we would kind of get into the question of what would we need to do redacted if they go along with some of that. But for us, it's all internal. There's nothing external, there's nothing that we ship out as a state. There's no reporting that goes back to the state with any
[Unidentified/overlap (brief interjections)]: of that information or any of that.
[Senator Terry Williams, Vice Chair (Rutland District)]: Smart smart meters net meter. When when that first came out, a lot of people opted out because they were concerned about how the data was gonna be used as far as the business was going. And I do remember there was a lawsuit right after because I opted all of it on it except for where where my solar panels are. And somebody used that to compile and made that farm look like they were using way too much energy. I think that was the basis for the solution. So I can see what people would be concerned with. Oh, 100%.
[Joe Duncan, General Manager, Champlain Water District]: And you know, it definitely is. Privacy is important. Right? The crazy thing is is when you make your pick up your cell phone and you make a call, you probably transmitted more information across that and then we ever pick up on radio or meter. But basically that is what it is, it's literally the information that's if someone is concerned about their water meter information getting out there, the only information that there is is how much water they use. And it is a one way street for information and it is encrypted radio, we are the ones that receive it off of there. And if someone is concerned about, hey, you just told me I'm using this much water, can you come and do a physical read? We can go in and physically read it to make sure that what the radio read or told us is actually what's on the ear. So unless someone's been in there, it's a one way street, unless someone's been in their home and not even hiding, there's no other way to monkey around with it too much other than ripping out a fire, which should be obvious if someone did something, that you would have the ability to say someone manipulated my data and gave me a higher bill.
[Anne Watson, Chair (Washington District)]: Just a, oh, I had a follow-up question, now it's gone. That was the best. Yes, go ahead.
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: You can just go
[Senator Terry Williams, Vice Chair (Rutland District)]: to the meters opt out. How about in your district, how many people have opted out of meters now?
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: Are the solutions set for you?
[Joe Duncan, General Manager, Champlain Water District]: So I didn't quite get all the information. So we managed South Bronx, but we own Colchester. We own two systems in Colchester. Of those that we did, we have about 2,000 counts, and we have five people that have opted out. Some of them have opted out, not necessarily, I would say, we have three that have opted out, two we don't have the meters on there because we haven't figured out a way to get into their crawl space to actually achieve those out there putting the meter to basically get to it
[Unidentified/overlap (brief interjections)]: and swap it out. So if you
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: have only like one or
[Senator Terry Williams, Vice Chair (Rutland District)]: two people who are doing this they're gonna pay a lot?
[Joe Duncan, General Manager, Champlain Water District]: So what we do is we charge them $50 a read and they want and they still want and the reason we charge $50 a read is because our person now has to get out of the truck you know whereas everybody else we're just we give ourselves a shot we then have to manually you know manually enter it into the system it doesn't come in with all the other meter read stuff so when it does get back it gets handled by our admin person slightly differently so it's touched by a bunch of different people and so we try to aggregate what about it.
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: If you already show with a more sophisticated system you haven't sent somebody out just
[Joe Duncan, General Manager, Champlain Water District]: the way see it was just somebody driving by.
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: The price would go up.
[Joe Duncan, General Manager, Champlain Water District]: The reading is monthly? For us, we read quarterly. Okay, so then, so quick. And I believe, my understanding, children's system is in, they're going to read monthly just so they can And their goal is to just look at data for basically those anomalies to kind of say, hey somebody and the goal there is to help the user. I mean it's to the water system's advantage to let a leaky toilet leak from a mining perspective, not from a conservation perspective. So you gotta through both lenses.
[Anne Watson, Chair (Washington District)]: Just to follow-up, I do remember my question. None of the municipalities in the Champlain Water District are data brokers. You're not selling data. Correct. I'm just thinking out loud here, but there's nothing that I know of that would prohibit, or is there something that would prohibit a water district from becoming a data broker? I don't know
[Joe Duncan, General Manager, Champlain Water District]: the answer to that one. I can tell you that that would not be a policy that we would want, but I don't really know that wrong enough to say. I would hope that most water systems are within municipalities that have stuff like tax data and finance data, that that would be a policy they have in place if they're not doing that, but can't say.
[Senator Ruth Hardy (Addison District)]: I would rather, I
[Anne Watson, Chair (Washington District)]: can't imagine anyone doing that, but I'm just thinking out loud that there's nothing prohibiting them right now.
[Joe Duncan, General Manager, Champlain Water District]: I mean the stuff that we do with the data is we have residential customers, commercial customers, industrial customers, government customers, and we may take all that data and lump it in and try and analyze what the world is looking like for trends of usage, but we never go and look like kind of curious what Joe Duncan was using except for Arlington and see what his data is specifically and then try and give that to someone out in the world. But we definitely use the data for trending, but it's on a very high level. Sure. I
[Senator Terry Williams, Vice Chair (Rutland District)]: know people that told me that they didn't go and invent meters because they knew the utility person that rent the meters, they were afraid he's going lose his job.
[Anne Watson, Chair (Washington District)]: You know,
[Senator Terry Williams, Vice Chair (Rutland District)]: people get attached to the people that show up every month. Interesting.
[Joe Duncan, General Manager, Champlain Water District]: You certainly don't want to replace people with technology from an employment perspective. I can tell you that from a water system perspective, if you can read the meters quickly, you're not letting people go because those people are going go and do something that's more proactive or maybe positive reactive than walking around or a club. Great.
[Anne Watson, Chair (Washington District)]: Any further questions about us? Okay. Thank you so much.
[Joe Duncan, General Manager, Champlain Water District]: Thank you. I will get that and I will email the information on how to write a policy in the modules or elsewhere for this. And if there's nothing else you need, please feel safe to look me up.
[Anne Watson, Chair (Washington District)]: Super, thanks so much.
[Joe Duncan, General Manager, Champlain Water District]: Thank you.
[Anne Watson, Chair (Washington District)]: You. So next we're going to move to Liz Royer from the Florida Law District. Welcome.
[Anne Watson, Chair (Washington District)]: You've heard our introductions earlier? Yes. Yes.
[Liz Royer, Executive Director, Vermont Rural Water Association]: So hi, my name is Liz Royer. I'm the Executive Director of the Vermont Rural Water Association. We are a nonprofit organization that supports all public drinking water and wastewater systems through technical assistance, training, advocacy, and outreach. We represent over three twenty system members that protect public health and allow for economic development in our towns and municipalities. These small rural utilities provide safe drinking water and return clean treated wastewater to rivers and lakes throughout the state.
[Liz Royer, Executive Director, Vermont Rural Water Association]: Since 2020, I've also served as the chair of Vermont Water, which is Vermont's mutual aid and emergency response network for water and wastewater systems. Vermont Water has been active in recent years with flood events, contamination incidents, drought, and cybersecurity outreach. So Chair Watson, thank you for having me here today and allowing me to share our thoughts on metering and cybersecurity on behalf of all of the public drinking water systems in the state. As a reminder, a public system does not mean publicly owned, even for community water systems. So there are just over 400 public community water systems in Vermont. A community system means that there are at least 15 connections, or they serve a residential population of at least 25 people. So less than one quarter of all community water systems in Vermont are owned by a town, village, or city. So when we say municipal, you generally think of town, village, or city. We also have about 72 fire districts, which are officially municipalities, but typically when you think of, they don't have a town government infrastructure, they don't have folks in the town office that are helping them with certain things. Well, in some cases, yes. So the fire districts do use the town offices to do their billing and other functions, but generally they're completely separate and governed separately. So that means over three quarters of water systems are owned and governed outside of a traditional town municipal structure. So fire districts, homeowner associations, water co-ops, manufactured home communities, those make up the majority of community water systems in Vermont. And those systems are often operated by a part-time contractor who may or may not be at the system on a daily or even weekly basis. So these are typically not organizations with the capacity to consider building structures, meter upgrades, and cybersecurity threats. 
And actually many of the small rural systems that we work with are not metered at all due to the expense of installing and maintaining meters. There are some requirements for certain loans and grants that they did have to put in meters, but a lot of times they put them in to meet the requirement, and then they don't have the time or folks available to go and read the meters. So yes, it's a struggle. Vermont has to be unique in many ways, and this is another one of those things. So regarding S213, we appreciate the opportunity, thank you, to review several drafts of this bill and appreciate that our initial concerns have been addressed. In further research on smart meters, it's become apparent that these are not the same level of smart as meters used by the gas and power companies. Water meters, you don't have the ability to shut off service for the water meter as somebody has to physically go there and turn the valve to shut off water in this case. So smart water meter typically radio read and contain very minimal data. It's often just a number that represents the water usage of the household, as Joe mentioned earlier. So this poses a very minimal risk in terms of cybersecurity threats to both the customer and to the system, with very little information actually being shared through this process. Our experience with cybersecurity for water systems began with my role as Vermont Warren Chair in working with partners to identify risks and create classes that would resonate with small water wastewater systems. Most cybersecurity trainings on the national and on state level are tailored to an audience of IT professionals. In Vermont, to my knowledge, only one water system has an IT professional on staff that works in house, that's Shapley Water District, which is the largest water provider in the state. In assisting with cybersecurity evaluations and assessments at small systems, we became aware of other concerns. 
Even for systems that have an IT consultant or a company that they work with through their town office, those providers are focused on risks through emails, file storage, and they aren't concerned with SCADA and other types of operational technology and controls. The operators we spoke with were frustrated that their managers and other town officials didn't really understand the need to budget for upgrades and improvements to address current and future cyber threats. In October 2024, Vermont Rural Water was selected as one of two states to host a pilot project focusing on cybersecurity at small, municipal drinking water systems. We were trained by EPA headquarters staff, CISA, the agency that Joe talked about earlier, Water ICLAC, which is a group of organizations and agencies that looks at water infrastructure challenges, DC Water, the city of Washington, DC, and other leading agencies and organizations to provide on-site technical assistance for cybersecurity. This experience has expanded our knowledge and awareness of the many threats faced by our small water systems. We learned that the threat actors typically cast a wide net, and while Vermont systems typically wouldn't be specifically targeted, they look for any systems that have an easy path to infiltrate. So regulation enforcement of cybersecurity would be a mistake, in our opinion. Cybersecurity is multifaceted, multilayer, and constantly evolving. Federally, EPA has backed away from mandates and requirements and has focused their programs on outreach. We have seen the need for more on-site technical assistance and accessible funding to maintain equipment, update software, and provide additional training. I did have a thought when we were talking about MFA, multifactor authentication, and that would be a great requirement. We have quite a few systems that have such old and outdated equipment. 
One of the first things that CISA will recommend when they're at a system is to make sure that you've installed all of your patches, so you've updated all of your software. There's quite a few systems that have such an old operating system that they are not able to do any updates. So even something as basic as adding on MFA might be a challenge because everything on the house is so old. Let's see. The more funding to maintain equipment, update software, and for additional training is needed, not just for the system operators, but also for town officials, engineers who work with these systems and design these systems, and service providers who may be calling on for assistance. An example just from a couple of weeks ago, I was at a brand new wastewater treatment plant, and the system had been designed to have Their HVAC system had remote access enabled. So the HVAC company could remote in and control that system. And again, that's a concern. It could easily access other systems in theory. So luckily the town manager was able to say, No, no, no, no. We're to disable that function. We do not want that. But as technology improves, it's everyone's tendency to get the newest and best. And part of that is the Bluetooth and remote accessibility for all types of equipment. So while many resources already exist, there are very few options for small Vermont systems who want to design practices and procedures that work for the unique needs of their small system operations and management. We view town-wide tabletop exercises as the best way to communicate, plan, and coordinate local resources during a cyber threat. Water and wastewater systems are often left out of local and regional conversations on many topics, including emergency planning, hazard mitigation, and cybersecurity. 
It may not be clear to town officials why the water or wastewater operators should be involved in a town-wide tabletop, but the water plant and the water infrastructure are likely to be the number one target for many towns. Multiple incidents have been recorded recently at Vermont water and wastewater facilities, which is likely a fraction of the true total. While the situations varied, there are some common themes. Vermonters are generally very trusting and very proud of their facility. So if someone calls them up and they say, Oh, I'm gonna come in to your wastewater plant. They're like, Okay, great. Nobody ever wants to visit us. They're excited about that opportunity. So there's often doubt, I think it's human nature that there was an issue. I don't know, was that my fault that I do something, I mess that up, I don't want to get in trouble, I'm just going to let this go. So there's some foreign entities that are known to kind of infiltrate systems and then just hang out and wait for another situation to potentially happen. And then they could potentially lock up water systems across the whole country. So, we may have a lot of cybersecurity concerns at the moment, but we don't really know the true picture. Operators often want to call someone that they know and someone that they trust to discuss these issues. Again, they don't know if something really happened. Is this something, who should I call? I don't know. I'm not going to just call the FBI, right? That's one of the recommendations, but nobody wants to do that. There's often a current or former employee involved with a potential threat. That's something that we've seen quite a few times happen in Vermont. Maybe somebody retires or leaves, and maybe they're not disgruntled at that moment, but later on they become disgruntled and then they still have passwords and access to things. And process and protocols often don't exist. 
We're working on that and we're trying to help everyone develop some protocols where they may be overmatched. So this, let me provide you with a couple of examples from here in Vermont. In one town, a former administrator gained access to wastewater facilities and equipment after he was no longer employed there, both physical and bottom line. In another example, a Vermont operator noticed unexplained mouse movements on their desktop. While they initially dismissed the movement as IT doing some maintenance on their system, further investigation revealed that there were multiple interconnected systems that ended up being compromised. There was an industrial pretreatment facility. This was in a different town than where the wastewater plant was, but they lost their process control. They were eventually forced to report due to loss of data, but they were not planning to notify the downstream municipal wastewater plant of the potential impacts because they didn't even consider that that could be a risk. And finally, a potential threat actor recently posed as an industry salesperson to gain physical access to a municipal wastewater plant. This person was given a tour and took photographs of the facility and equipment, and then they disappeared and they didn't even provide any contact information. So these are just a few of the many recent examples that we are aware of. So it's the solution. Operators are overwhelmed with the growing number of threats. We suggest that they focus on the basics. MFA, just personal cyber hygiene, being able to recognize a phishing email, that type of thing. Developing protocols and procedures for when employees leave. Password management, there's been quite a few systems that we work with that still have default passwords from the manufacturers of the equipment. There was a big cyber attack recently that that's all they did. 
They just went around to every water system online and put in the default password for a piece of equipment for a PLC controller. They were able to hack in because so many still have that default password from the manufacturer. Ongoing and training and awareness obviously is very important, especially for these very small systems where they don't have anybody trained or anybody with IT staff. We've explored the best option for building ongoing relationships and sharing resources is again, town wide cybersecurity tabletop, especially with involvement from the local emergency management director, the select board, fire and police, water and wastewater, of course, and other local officials and legislators. We believe that cybersecurity and remote water systems can be improved by partnering with many organizations and agencies that offer training and outreach along with direct technical assistance from a trusted and knowledgeable provider. So I think to share two resources with you, I will put the links in my written testimony. And just remembering, again, Vermont has very unique concerns. There's a lot of resources, protocols, assessments, procedures, all these things available nationally that we have had to spend a lot of time rewriting. And so they're understandable and make sense for Vermont systems that are so small. Again, there's no IT professional there. There's often not an operator there every day, right? So who's the person that's gonna manage this and keep an eye out for potential risks? So we have our cybersecurity page. I think it probably has a couple of the protocols and procedures that Joe mentioned. And then we also have another page that we've developed for local officials, state officials regarding housing and development. So we believe that these two resources can inform many discussions here in the State House. Thank you for allowing me to speak on behalf of our state's drinking water systems. 
We appreciate this committee's efforts towards improving public health and protecting the environment as we all work together for Vermont's future.
[Anne Watson, Chair (Washington District)]: Thank you. Thank you for the testimony. Yep.
[Senator Terry Williams, Vice Chair (Rutland District)]: So the role of delegation toward the well and waste water system and one of the things that was brought up was the Vermont National Guard was part of their civil defense mission. They actually had twenty years ago, so they have that facility on their their list and they used to go and train in there. And it's like, you did? I mean, why did they do that one? Because they want to disable a city while contaminates the water.
[Unidentified/overlap (brief interjections)]: Yes.
[Senator Terry Williams, Vice Chair (Rutland District)]: And anything for sure. The. So I'm glad to hear that. You guys have got that on the radar.
[Liz Royer, Executive Director, Vermont Rural Water Association]: Yes.
[Senator Terry Williams, Vice Chair (Rutland District)]: Because I don't think it's on the. No.
[Anne Watson, Chair (Washington District)]: Thanks Liz, I appreciate it.
[Senator Ruth Hardy (Addison District)]: And also thank you for your communications while I was developing the bill. I wanna just make sure I understood one of the things you said, and I haven't read your testimony, but it sounded like you said you don't think there should be requirements for cybersecurity and that there should just be training.
[Anne Watson, Chair (Washington District)]: It's gonna be regulation and enforcement because the core of the issue is everybody wants to do better and improve their cybersecurity, but because of the age of their equipment or they're not able to update their software, there's just so many things that come into play. And even, yes, we need more funding to do all these things, but there's just community water systems, there's 400, right? So to be able to go out and assist and help them install whatever it's up just to have a new regulation go into place, it's gonna be too overwhelming for systems. There's not enough folks to go out and help them. There's not the resources available to ANR top of that. They are during the sanitary surveys, which was the inspections that every water system goes through, they do have discussions, and that's required that the inspector has the discussion with the system about cybersecurity and what they're doing and what more they should do. They're always encouraged to do these kind of full assessments. But a lot of these nationwide tools that have been developed and assessments that have been developed are kind of overkill for the systems that we see in Vermont. And like we're saying, they just need to focus on the very, very basics. Change your passwords, do the multifactor authentication, know what a phishing email is, take away access when your employees leave, that type of thing. And so officially, what these lists are just way too much. It's like they're not going to do anything then, right? If we just start with, here's five simple steps that you can take, we'll eventually get somebody out to help you do these things, then we could actually make some progress, I think.
[Senator Ruth Hardy (Addison District)]: It seems to me though that if things are not required, there's not a push to Because do people are like, Wow, I don't really have to do that. And the bill actually has the secretary, has ANR developing guidelines, actually based on the guidelines that are on yet. So I was looking for something and you had them posted. So based on your guidelines, so they would be Vermont specific and not the overkill of the national seed, and they would be regulatory in that they would live in an ANR that oversees water systems, but it just seems to me that if we want them to happen, we need to say, You've got to do this, because people, yes, get overwhelmed, they get busy, or they think it's not important, and then they don't do it. And so that seems concerning to me. But then the other thing I wanted to
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: ask you
[Senator Ruth Hardy (Addison District)]: is Senator Watson and I worked on big bill a few years ago that required more people being involved in emergency planning at the municipal and the regional level. And I thought that water systems were, I thought that was one of the things we add, but I can double check that or ask the attorneys to look at that for us. But if we didn't add them, that's an easy thing to add to the municipal and regional planning is that when they do planning, they have to include the water, wastewater systems. Yes.
[Anne Watson, Chair (Washington District)]: And my biggest concern is that if working through VLCT or through the regional planning commissions or town the town offices may not even know if there's a fire district or a water co op or another, they don't look at all of the community water systems in their town. They're not gonna look at what's the town Yeah, or
[Senator Ruth Hardy (Addison District)]: I mean, my town is a great example. I live in East Middlebury, and we have our own water system in the East Middlebury and Middlebury, which is the big town has their own water wastewater system. So probably when they do planning, they forget that little East Middlebury has its own little system. We don't have neither the perfect basic system. So I think that's a good example, but just sort of requiring that towns, when they do planning, include all of the water systems in town. I think if that doesn't already exist, add an app would be in Casey. It was certainly Casey and the statute Implementing it would
[Anne Watson, Chair (Washington District)]: be a different thing.
[Anne Watson, Chair (Washington District)]: Right. Yeah. Yes. But again, like you're mentioning, having a bigger kind of a requirement is going to give that extra question on things that actually happen. So I think I just, in terms of cybersecurity and adding regulations, I talked to your Ben's opinion from ANR on that, but also just knowing how challenging it is going out there and talking to the systems. And I think we are making progress in terms of you may not be targeted. You're just a little Vermont system, but they're not looking at what size the system is and where it's located. They're just like, Who has this default password? And they're gonna attack them, right? So I think awareness is definitely improving, especially with the small Vermont systems. They see that there could be a threat. We've done a lot of trainings in the past year where people are like, wow, this is terrifying. Like, yes, that's one. So
[Anne Watson, Chair (Washington District)]: have one issue to carry on. So just to follow-up on that, one of the things that I am having, I guess I still have some questions about, so your guidelines have that people should, these systems should have multi factor authentication, but I'm also hearing from you that there are some systems that are so old that it's not possible to have multi factor authentication. This might be two in the weeds, but for those systems that are that old, are they also internet connected? I mean, they Sometimes yes, sometimes no. Okay, and I guess that to me is kind of an important distinction because if you have a system that is not connected to the internet at all, maybe that's fine, maybe we don't care because it is effectively, by just virtue of being really old, gapped, and that's fine, but there's That's true. Yeah, right, yeah, that's don't know the plan is. Can't hack the analog. But, the, it's that class of technologies that are connected to the internet, that can do multi factor authentication, that I find very concerning. So I guess I can imagine if we're to move forward with some kind of rules around this, that we want to acknowledge that if you're air gapped, know, God bless you, go forward. You know, like whatever it is, right? Like it's, that there may be a distinction to make there, but seems like, it is so terrifying that it feels like it, I just want to
[Anne Watson, Chair (Washington District)]: say it out loud, that
[Anne Watson, Chair (Washington District)]: it feels like it's something that's worth addressing and recognizing that that might be a burden to some systems, but there's when people's health and safety is on the line. Anyway, I realize that I'm getting into discussion or argument here, so I'll pull back from that, but I just wanted to make sure that, like what we were talking about with these, know, the level of technology that we're talking about. Any other questions? Okay. I just want
[Anne Watson, Chair (Washington District)]: to mention real quickly about Ben. I'm not sure he's going to talk about it, but they did a survey two years ago, sorry, to categorize water systems and what the risk level would be. But again, we were hoping a few systems fill out the survey and they weren't even aware of things. And especially if the operators changed over recently, or sometimes we're talking to board members, we're as aware of the operational technology. We were at one system and they said, Oh, we don't have SCADA. We're not in the high risk category. We're like, clunky eyed mosquito. So it's just to keep all the, if we are in development environments, just keep all those things in mind that you know, it's not, you know, we're not Green Mountain Power, you know, because this is like Bloomfield we're on at the town water system, right? They don't have meters, they do, you know.
[Anne Watson, Chair (Washington District)]: That's fair. Well, you so much. Thank you. Yeah. Okay, all right, so with that we will move on to Mr. Montrose from the Agency of Natural Resources. Welcome. Thank you. Good morning. So
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: yeah, I'm Ben Montrose. I'm the drinking water program manager for the public drinking water program under DEC under the Agency of Natural Resources. My team and I regulate public drinking water systems. There's been a lot of talk this morning about what exactly that is, so I'm not gonna really drill into that. But, as Liz said, there's right now as of this morning, 402 community water systems. So they serve either 15 connections or 25 people. That gets them in the door, and again, like Liz said, we deal with the population as the driver for being public or non public, not the ownership structure. So a bit of programming background, the point of our mission is to ensure the safe provision of public drinking water to public drinking water system needs to make sure that the citizens and the business are protected. We do that under the state water supply rule. We just add a regulatory standards that the water system needs to follow, includes day to day stuff, every little sample they take, all that sort of stuff. It also includes all construction, maintenance, and ongoing operations specifications. We also pull in a lot of the federal rules, so you might be familiar with Lead and Copper Rule and things that happened in Flint, Michigan, that was federal rule. We have that in Vermont, we pulled that into our state rule and about a dozen other similar federal rules. So we have the state rule and the federal rule all kind of stacks up to guide how we regulate systems. In terms of our current authority to metering, we have section 2.4 of our, sorry, 2.14 of our rule that says all water systems shall have an acceptable means of metering the finished water. So what that means is Joe Duncan has a big meter of all the water leaving the plant. That's what's required. That's very different than the thousands of users having meters in their basement to know how much water is being used. 
And those numbers are different, because something might happen along the way that we don't know about. So from the agency perspective, we are very pro metering, we are very pro meters, we are very pro all of that sort of stuff, because as Joe was saying, it's a very important operational tool to use meters. One of the reasons meters are so important and so stressed is that very hardworking people like Joe and his team and Liz and her team go behind the scenes saying they have to make the water happen. A lot of people take for granted. They turn on the faucet. They flush the toilet. There's the water. It's not that easy. It's a utility. It's a it's a you know, it takes money to generate water, so therefore, kind of makes sense that you pay for what you get. So that's really important. We've had some initiatives lately for marketing campaigns, and we're very supportive of leader and things like that. So that all said, we don't get into the individual building. Our regulations do not include specifications about needing to install service meters, needing to maintain service meters, needed to do anything about service meters, so we don't have anything about smart meters or not, analog meters or not. We don't have any requirements about billing. We do not see data, we do not receive data, we never ask for data. What we get is what the systems may need and what's going into the system. We'll work with systems that are having leaks. They may say, we know we're having a lot of water use over here, or, you know, things are up high, we're dealing with a specific fire district that knows they have a 30 gallon a minute water demand at 02:00 in the morning. So we can engage with that, because that shouldn't happen. So we work with this, but we don't get that. We don't have that data. We don't harass for it. Based on my experience, I've been with the program for fourteen years. 
Joe touched upon a lot of this, but I just want to just make sure we're all on the same page and then kind of like start broad and dip into a few very specific details with things. But we have a lot of systems that don't bill for water. We have a lot of systems that charge a water bill as part of a lot rent, such as through a manufactured housing community. We have systems that might bill annually. They might bill every six months. They might bill every quarter. It really depends on those again. Some of those bills are based on the split number of bedrooms you have in your house. It might be just for residential versus commercial. It might be on actual waters, everything in between. Without measured billing, you know, we see measured billing as an equity issue, because you might have an elderly individual living in a home next door to a family of five who leaves the home, goes on after a water balloon fight, and they pay the same, they may pay the same rate without them, without metering them up. So it is important for that. It allows the system to understand what's going on in their system. We're in Vermont, lot of meters are down low. They're below the frost, so they can survive the winter. Because, you know, make sure you've seen and gone to you know warmer locations and you're walking down the sidewalk and you see this little bird cage on the sidewalk and it comes up and down that's a meter people can walk down the sidewalk and read the meter they would freeze in Vermont That's not an option here. So the meters are in basements, are in crawl spaces, and places like that. So the use of smart metering or remote reading or whatever technical term you want to call it is really important because it prevents the need to knock on the door, go to the basement, crawl on the crawl space, read the meter, come back, and repeat going down the street. So as Joe said, reading the meter can be as intensive as doing that or sitting in the office and getting that data in. 
Realistically, we're more towards the walking around reading a meter or walking up to a house and doing plunk and you receive the meter information or what Joe does with his team in the driveway. That's that's more of what we what we understand is the norm. Obviously, those all have associated pros and cons and associated expenses when doing so. And certainly, doing multiple different things will cost more money than just doing it all the same way, that to me is justified to having the expense of needing to read the meter. So I think broadly the agency supports the use of smart meters where appropriate, where it can be non objectively and anticipate the benefits of not needing to send somebody and read, but that brings up the cybersecurity questions for sure. We don't currently have anything on the books for regulations pertaining to cybersecurity. There are no specific cybersecurity concerns. We probably could enforce against somebody if we had to with some general provisions of our report, but we don't have regulations that say you need to do x, z. There are not currently federal regulations to do that either. So largely we adhere to the EPA standards. You know, EPA has more clout, more capacity to dig into the details and research all the vendors and manufacturers and do that sort of work, which we don't have the capacity for. In 2023, the EPA started pushing pretty hard on the topic of cyber. They distributed an interpretive memo saying, if states implement this one federal rule, which we do, then we feel that you have the authority to enforce cybersecurity problems. Our counsel said otherwise, meaning many of the other states' counsels said otherwise and got into a little bit of push and pull, they then retracted that note. They pivoted at that point to being more supportive and more outreach and more guidance based, which is what we have today, that's what Jill was talking about. EPA specifically has a checklist for public water systems. 
It's one of the tools we rely on that you go through and it's a vulnerability assessment for water systems. So that's what one of the things we've been on. We have partnerships with CISA and the FBI and rural water and a bunch of other really great groups. We've got really good partnerships. Good benefit of Vermont being small is that we get to know everybody, so it's really helpful. Rural Water has done a tremendous job in this space. They had a pilot situation which worked really well when it was happening, really got really good on the ground research and things out there. Some of the resources are national, some of the resources are virtual, some of them are out of state, and like Liz said, they want to call somebody, they want to see if they stay no, they want somebody in their plan that they trust and know, and that's one of the services Rural Water provides, one of the things we try to do as part of our inspections. So in terms of what is out there for regulations, for cyber security, said there's nothing, there's nothing. So I misspoke earlier. There's the America's Water Infrastructure Act, which passed in 2018, a federal act, that requires public drinking water systems that serve a population of 3,300 or more to generate a risk and resiliency assessment and emergency response plan. Both of those documents include cybersecurity. We do not have anything to do with that process, that because of it's it's a this is this is of cybersecurity, it's physical safety, it's a bunch of things. EPA requires it in their way, and the water system need to certify the EPA that they've done it. If the EPA comes out and does an inspection, which they have done for public water systems that serve over 10,000 population, EPA will come and do some inspections of those systems. They will call out if systems do not have those plans or if they feel that they're insufficient. So that's good. Downside of that is there's only 34 systems in Vermont that need to have them. 
Not us. And that's direct implementation from EPA, so it's something we're gonna see. EPA has completed their inspections of water systems over 10,000 in Vermont, only eight. They've done those inspections. They found some issues with cyber at a couple and they flagged that. Right now, at least to my knowledge this year, they don't plan to go back out to any other systems. So I'm not saying we're done with that work, but EPA's the enforceability from EPA's standpoint is probably a couple few years into the future. They're not actively moving. So for the remaining water systems, of which there's multiple, we're working with them on a tiered basis to assess their vulnerabilities. Like Liz said, we developed a survey that we sent out to the contacts of public water systems just to assess the most vulnerable kind of middle vulnerability or analog and offline and not vulnerable. So we called tier one, two, and three. We got hopefully really good information about what the systems have for technology, and sometimes it's all in the question you ask, right? We ask, do you have a computer that you can use to operate your system? Kind of meaning, can you sit here on the computer and something happens over there with a valve? And some operators said, yeah. I email you all the time with my computer. She managed to get a little bit of her. So we followed up with a lot of their systems where they're like, oh, yeah. Yeah. We got this. No. I don't think we do. The good thing. We know a lot of the systems. We already cleared that up. So we have it we have a ranking tier one, two, and three. Tier three is analog offline. A lot of systems are just offline. Tier two means a system that has the ability to receive information. So a good example for this is there's a storage tank up on the hill, and the water system plant is in the valley, and they're making water, and they're pushing water up to the storage tank.
There's a little ding at the top of the storage tank when it's full, and they get a ding on their phone or somewhere on their computer to say, oh, water's full, or the other way is, oh, tank's empty. They'll get a ding or an alarm. So that's a tier two where there's no, they can't manipulate things, but they can get that information to say something's happening. You could hack in and turn that off, and then drive over and do something. So there is vulnerability there still, but it's a little less. So that's what we have with our tier two sites. And then the tier one sites are more what you think of when you're thinking of like, you know, typing here and there's a valve open, or typing here and, you know, the next count over something changes, chemical feed, things like that. Those systems are born for sure, you know, in varying levels and varying degrees. But one of the things that I didn't really take, I didn't really didn't click for me when I was getting into the cyber world is, oh, we're wrong for small home care. There's a little bit of false security with that narrative when it's like, oh, nobody's going to target it. He's not a good one. But what they're targeting is the tech. It's all of these companies around the world that are selling the tech, that are buying the tech. You might have this little touch screen. You might have this little LED touch screen for your pumps that controls the pump rate. That little thing is going to have Wi-Fi compatibility. The smallest water system in Vermont could buy that. That's the one of them. What the hackers are doing is they're aiming at the tech, not the victim. They're trying to find all the openings in that tech that they can find. So there are absolutely vulnerabilities in the state that need to be protected. With those tier one sites, we are going through every three years. We do a sanitary survey inspection of those community water systems.
We ask them what's going on, what have they done. We're strongly encouraging them to have an in-person or virtual cybersecurity assessment to assess their vulnerabilities. We don't want that document. We don't want to put our eggs in one basket and then advertise the baskets over here and come find it, hack into it for us. So we're working with the system to keep that information safe, but we're asking them to do those assessments, address their vulnerabilities where they can. As Liz said, a lot of times it's easier said than done. There's thousands of dollars worth of implementation equipment on their filters that integrates to an old computer that can't be updated. So it's not just as simple as updating that computer, it's every piece and part for multiple thousand dollars between year and year. So it is a big lift. There's a lot of hard earned, know, needs to do this, and it's like, I can't. So there's a lot of friction there. More our concern is that physical control. It is manipulating something, it's cranking up a chemical, it's cranking down a chemical, it's things like that, that's what we're worried about. Like Joe said, usually the metering and the billing and the operations are siloed, they're pretty typically different things. In terms of the bill overall, really supportive of billing and metering. We're really supportive of cybersecurity protections. As Joe was saying, there's yet to point a finger and say, need to do this. The agency right now does not have the capacity to do this. The little bit of cyber work we do, like I explained with the vulnerabilities and recommending they contact experts, we are expert I like to think we are experts in a lot of things, and computers and specific cybersecurity is not. That is a very technical world. It's a very specific world, and it's a very evolving world. So if we were to just generate an SOP and tap it to the wall, it's out of date as soon as it's printed. Because this world is spinning.
This world is fast, and it's faster than I can be, faster than 19 can be. Not to say it's not important, not to say it doesn't need to be addressed, but, you know, one of the things so I'm a member of the Association of State Drinking Water administrators. One of the conversations we have, and I've been hearing some of my colleagues on that team in my brain where they're like, we're worried about nation state intervention and countries happening. What is Vermont gonna do against massive nation states? It's really and then further, what is ANR gonna do? Like, potentially, there's a world there for all of a all of state service or for Ottoman state service to play a role there. So I don't have an answer for you unfortunately. I've got lots of ideas happening in games and conversations, but I feel it's bigger than us, bigger than what we can definitely bigger than what we can handle right now. Yeah, think that's broadly it. I'm happy to attempt to answer questions. I'm sure you have some more for me. I appreciate the opportunity to look at the bill and to engage in the dialogue. I think it's a really useful discussion to have for sure.
[Anne Watson, Chair (Washington District)]: Yes, go ahead. Thanks Ben, that's a lot of really helpful information.
[Senator Ruth Hardy (Addison District)]: And I sense this sort of tension, is, first of all, I hear you don't have the time or necessarily the expertise to do some of the stuff that's asked in here, but this tension, and it's sort of what I asked Liz, where you're saying there are systems out there that are not protected, either because they don't have the ability to do it or they haven't bothered to do it. And there are these threats out there. And I'm also hearing Vermont is not immune because it's about attack, not about the location, but then you ended by saying Vermont's not gonna be able to do anything because it's much bigger than us. And so I think those are all somewhat contradictory. And I just wonder what can we do that would be helpful? And frankly, I mean, as a lawmaker, that's what I do. That's what we all do. Like our tool is to create laws to say, Hey, you gotta do this thing because we're worried about this threat and you're a public, you're providing a public service, whether or not they are publicly owned, they're providing a public service. And somebody like Jeff. Joe. Joe, sorry, Joe, who is a public water system that's a bunch of municipalities, they may have more of a sort of mentality of we're a public service, but some of the privately owned ones may not. I don't want to speculate too much, but they're having consistent, like you're providing a public service is like one of the most fundamental basic things to have clean water. And if we're not protecting that and requiring it to be protected, even at the most basic level, then it doesn't feel like we're doing our job. And so I'm kind of searching for what is possible for us to say at the baseline you have to do this.
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: Sure, yeah, and I think that's a great idea. I think starting really broad, like Joe and Liz were saying, don't put your password on a Post-it note. Don't let everybody share a password. Like, no matter what tech you have, you can do that. Change your default passwords. I think that there's certain things like that, and that they can rely on. I think starting in the mud, but things like that versus really drilling into you need to do x y z every year, report this. Like, I'm not suggesting that that's proposed, but the other end of that spectrum is really micro, and I think that there's a lot of problems with the micro approach. But if we started broad and had money and had grants and were able to bring people along through a process over a series of years, that could be great.
[Anne Watson, Chair (Washington District)]: Yeah, we're probably not going to have money and grants,
[Senator Ruth Hardy (Addison District)]: I mean, we do know that, but like what is the baseline of what you can do and we can say people need to do that, and it doesn't cost money for people. Sure. You can grant for that. I
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: I float around this space. I'm not in the weeds with this space. I think I would be happy to put my heads together with Liz and Liz's team and other players to generate something like that. I'd be happy to do that, that would be great. Mean, changing the password and all that sort of stuff is easy. There is the risk, it is you're right now, it's like, what's next or what else, what do we miss? So there's certainly ways to cast a very broad net, and work with our folks and create suggestions for sure. I'm reluctant to do that really now and say these before you I think you're think getting your input from someone like Sean Mailer or some of the other people that are on the advisory council would have been better.
[Anne Watson, Chair (Washington District)]: That's interesting to think that maybe we could create the list of what is the basic level of hygiene, cybersecurity hygiene, we could further monitor. That doesn't cost any money. It's an interesting direction. Other thoughts, questions?
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: Okay.
[Anne Watson, Chair (Washington District)]: Thank you. Yeah, super interesting. All right. At this point, before we move on, I want to take a break and then we have a couple other people that maybe we can move here. So, let's take
[Unidentified/overlap (brief interjections)]: five on a break.
[Anne Watson, Chair (Washington District)]: Okay. Alright, so this is again, Senate Natural Resources and Energy coming back with a break. We're going to go to someone who's not previous on our schedule, but is interested in this topic. Oh, he is now. Okay, thank you. Recent admission, Mr. Weiss, as a citizen of Montpelier. Welcome.
[Thomas Weiss, Citizen (Montpelier)]: Thank you and thank you for bringing me into your shift on short notice. Thomas Weiss, resident of Montpelier, and I'm concerned about some of the privacy issues for the consumers with two-way smart vehicles. I had a wireless meter in my house twenty-five years that gets read for, maybe by the receiver being driven around the city, I've got no problems with that. My concern is with that, with what Shellbrand's doing, having a two-way system that can, somebody can push a button in the central office and it reads the meters. I heard Joe Duncan say that one of the uses of that would be to take frequent meter readings so that if the usage gets up abnormally high, they can alert somebody that perhaps there's a water leak. And so and I mean, I heard him say that operations are separate from billing department, but at some point, when the meters are used calculating, the meter readings and the abnormality gets connected with something with the personal information. And so, anyway, my concern is that don't under is that I'm concerned with the privacy and it being connected. The billing department, if somewhere there's a connection between personal information and the increased water usage and the usage patterns of that person. And that billing department computer, my guess is internet connected. And so that database and information probably internet connected. So my concern is not having it read too often so that patterns can be built up and personal information and personal actions and personal privacy is one of most. So my suggestion is that even if it's a two-way meter that can be read from the central office, that can be done no more than once a billing period. We do source problems, but that's basically the thrust of my very short wish to speak to you today. And I did learn a lot about the previous speakers, in short of what I told you. Super, can you speak? Any questions for Mr. So just to
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: make sure I understand
[Senator Terry Williams, Vice Chair (Rutland District)]: the concern, so that the only thing that anybody could pick up would be water usage, right? So I'm curious about what that but I get there's a connection, I guess, between more usage and privacy. Well, it's
[Thomas Weiss, Citizen (Montpelier)]: not something looks like they develop a pattern. And so something somewhere, bought his pagans, I said it was on a chip and my meter down in my cellar, but I'm not sure about that. But I'm concerned about, you know, I'm not there for a long time, okay? Somebody is into the system on the operations side if they're getting that information. They know I'm not home. Okay. That kind of thing, if it's read frequently enough, and so what I'm trying to get at is not to make it frequently, is not to allow it frequently to cause those pattern correlations that if the cybersecurity fails, it leads to problems for the billionaires and occupants.
[Senator Terry Williams, Vice Chair (Rutland District)]: Or if somebody is theoretically then using it to figure out what you're doing. That's
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: right. Okay.
[Thomas Weiss, Citizen (Montpelier)]: One more He hasn't been home for three days, so where was he? Right. Okay. I mean, there is that as well.
[Anne Watson, Chair (Washington District)]: It's helpful to have the example of like what specifically you might be concerned about in that situation.
[Thomas Weiss, Citizen (Montpelier)]: I mean, it's using it to track people's paths. I testified in other rooms in this building on data privacy issues, so that's a big concern. So it's limiting what gives out there. Thank you very much. You're welcome.
[Anne Watson, Chair (Washington District)]: Are you having a problem getting order? No, okay. Just quick in, I don't know if he's not in the room yet and said he is, but he's not. Okay. All right, but let's take a break. I'll try to get him. Okay, sounds good. Thank you so much. Right, there he is. Okay, super. And we are unmuted. All right, so this is Senate Natural Resources and Energy coming back from a quick break, and we were welcoming Mr. Porter here from Department of Public Service. So, welcome and thank you so much for being here.
[Jim Porter, Director for Public Advocacy, Vermont Department of Public Service]: Well, I'm glad I finally got here through a link, but for the record, thank you. I'm Jim Porter, Director for Public Advocacy with Vermont Department of Public Service.
[Anne Watson, Chair (Washington District)]: Thank you. Oh, go ahead.
[Jim Porter, Director for Public Advocacy, Vermont Department of Public Service]: So, generally, we're, I guess we're talking about S213. I'm sorry. I've not heard previous testimony. The department is generally supportive of this bill. You know, we've had, I think, a good experience with benefit for the customers and utilities that have implemented the smart meters. And I think that your opt out provisions in here are very reasonable and probably meet the kind of the times. I'm one of the people who I think still pays to get paper credit card statements. I did finally give up on the bank statements, but I think it's a fair compromise for the times in which we live. But are there any questions I could answer about the bill?
[Anne Watson, Chair (Washington District)]: Well, oh, yes, go ahead.
[Anne Watson, Chair (Washington District)]: No, if
[Anne Watson, Chair (Washington District)]: you Well, so I would love to know a little bit more about your role in all of this. So you're with the public advocacy. So can you just tell us a little bit more about that?
[Jim Porter, Director for Public Advocacy, Vermont Department of Public Service]: Sure. So I'm the director for public advocacy, which is the legal division at the Department of Public Service, and we're statutory parties to all proceedings before the Public Utility Commission. I had a role with the smart grid roll out maybe fifteen years ago with the department. And at that time, it was really more of a new thing. And I think there was a lot less wireless activity in our homes than maybe we have today. And that was when, I guess, largely Green Mountain Power was installing their smart meters. And it was a fairly, fairly seamless transition. There were some blips in the road that also allowed for an opt out provision. But it was certainly have not heard much about smart meters in any of the utilities that we regulate for quite some time.
[Anne Watson, Chair (Washington District)]: Thanks,
[Senator Ruth Hardy (Addison District)]: James. This is Senator Hardy. I have two questions. One, you mentioned the electric companies and then also gas companies. There is a provision in law that says that people can opt out of having smart meters for them, but they don't charge, or they're not allowed to charge. Is there, do you see a, should they be allowed to, and do you see a difference between water and electric and gas in that area? So that's my first question. The second is before you joined, we had a sort of robust conversation about cybersecurity. And I'm just wondering from your perspective, what are you all seeing with cybersecurity for utilities and what would your recommendations there be?
[Jim Porter, Director for Public Advocacy, Vermont Department of Public Service]: So there was when the initial smart grid went in with the electric utilities and I believe BGS, there was a proceeding before the Public Utility Commission and there were certain cybersecurity principles that were put in place that the utilities had to abide by. It looks like you've got a certification in your bill where there would have to be a cybersecurity measures and certification to that effect. The one difference, I think, here is the department does not the department and the Public Utility Commission only regulate a relatively small number of water companies. So for instance, we have no regulatory authority over municipal water systems.
[Joe Duncan, General Manager, Champlain Water District]: Okay.
[Jim Porter, Director for Public Advocacy, Vermont Department of Public Service]: But it does look like you've covered that in a way that I think is probably more appropriate for the water companies than the proceeding we had with the electrics years ago.
[Senator Ruth Hardy (Addison District)]: Okay, great. And what about the first question about the smart meter differences between electric and gas versus water in terms of the charging for opting out?
[Jim Porter, Director for Public Advocacy, Vermont Department of Public Service]: So what I can tell you is there were, when we had what I'll call the initial run of the smart meters being installed, the wireless smart meters, there were concerns about privacy, and there were concerns about the RF, the radio frequency emissions. And so we took the position at that time that people should be able to opt out at no cost. Fast forward fifteen years or so, kind of it's what I was addressing with, you know, now you have to pay to get paper statements if you're someone who still wants that or most entities charge that. So I don't really know that there's a that we have a position on whether it should be no charge or a charge. But I do think what you've got in here is reasonable from a customer perspective.
[Anne Watson, Chair (Washington District)]: Great. Thank you.
[Anne Watson, Chair (Washington District)]: It's super interesting. Alright. Any other questions? Okay, well super with that, thank you so much. I appreciate you taking the time.
[Ben Montrose, Drinking Water Program Manager, Agency of Natural Resources (DEC)]: Thank you.
[Anne Watson, Chair (Washington District)]: I think that is the end of
[Senator Ruth Hardy (Addison District)]: all the folks we have lined up for today.