by Forest Anderson
This article was published in the fall 2025 issue of our newsletter.
When Ray Counter, water superintendent for Brandon Fire District #1, reviewed a recent risk assessment, he spotted a critical gap: cybersecurity. Ray had plenty of experience dealing with the usual vulnerabilities like pumps, distribution, chemistry, funding, and regulatory compliance. But protecting SCADA systems from cyber threats? That was uncharted territory.
Rather than ignore this risk, Ray grabbed the bull by the horns. He contacted Vermont Rural Water and the Cybersecurity and Infrastructure Security Agency (CISA). Both organizations conducted free on-site cyber assessments for the fire district. Our findings confirmed Ray’s suspicions: the system needed to shore up some defenses.
Left to right: Ray Counter, Adam Gamelin, and Forest Anderson
Ray then requested something he felt would be even more beneficial—a tabletop exercise for the whole Town of Brandon to practice responding to a cyber emergency. CISA’s Adam Gamelin and Vermont Rural Water worked together to make it happen.
A tabletop exercise is a structured “what-if” discussion where key personnel navigate a hypothetical crisis scenario. Think of it as testing your emergency response plan without actually triggering an emergency. Participants work through their roles and make decisions step-by-step as the facilitator presents an evolving situation.
The scenario practiced in Brandon involved hackers gaining unauthorized access to SCADA systems in the early morning. The simulation escalated quickly to include both the drinking water and wastewater facilities, forcing participants to address critical questions about safety, supply, environmental risk, and public notification. How quickly could they verify the extent of damage? Who needed to be informed? Could they maintain pressure while isolating compromised systems?
Participants in the tabletop exercise included Ray, Bradley Danforth, and prudential committee members from the fire district; wastewater operators Tim Kingston and Ian Buckley; Brandon’s fire chief and town health officer; Adam Gamelin from CISA; and representatives from FBI and Vermont State Police. Guests from VT WARN, DEC, other water and wastewater systems, and other emergency management personnel also attended. Ray provided an excellent BBQ lunch complete with garden salads topped with seasonal strawberries.
Two key insights emerged from the exercise. First, response capacity is limited in a small town like Brandon. Secondly, when cyber incidents strike, the superintendent or chief operator must serve as incident commander. Nobody knows these systems better, not IT specialists, not emergency managers, not federal agents. The super or chief knows their vendors and their obligations, which valve affects each road, which pumps and valves have peculiar personalities, and exactly how long the system can function without backup power. This institutional knowledge, accumulated over years, is essential during a crisis.
Implementing cybersecurity doesn’t require becoming an IT wizard overnight. Start with the basics: change default passwords, run software updates, train staff to recognize phishing emails, and develop procedures for backing up devices and data. While the upfront investment in robust intrusion detection systems or monitoring might seem steep, consider that the average cyber incident costs water utilities hundreds of thousands of dollars in recovery. Basic security measures cost a fraction of that.
There are also several free cybersecurity resources available to water and wastewater systems. Vermont Rural Water currently has a Cybersecurity Circuit Rider to bring specialized expertise directly to your facility, but the pilot program ends in October. CISA offers vulnerability alerts, assessments and scanning. The FBI provides alerts and investigative support when incidents occur. The State Police and Vermont Intelligence Center maintains threat intelligence specifically for water and wastewater systems.
As water and wastewater systems increasingly rely on remote monitoring and automated controls, cybersecurity becomes just as essential as maintaining proper chlorine residuals. Ray’s proactive approach of recognizing vulnerability, seeking expert assistance, and bringing stakeholders together provides a model for other utilities. Acknowledging gaps and requesting help demonstrates strength, not weakness, especially when protecting the critical infrastructure our communities depend on.