by Liz Royer
This article was published in the spring 2026 issue of our newsletter.
I recently testified to the Vermont Senate Natural Resources Committee regarding smart meters and cybersecurity. I thought it would be important to share some of my testimony as it is relevant for many in our industry:
Recent Incidents
Multiple security incidents have been reported recently at Vermont water and wastewater facilities, and there are likely many more that we haven’t heard about.
In one town, a former administrator gained access to wastewater facilities and equipment —both physically and online—after he was no longer employed there.
In another example, an operator noticed unexplained mouse movements on their computer. While they initially dismissed the movement as IT maintenance, an investigation revealed multiple interconnected systems were compromised.
An industrial pretreatment facility lost process control due to a cyber attack. They were eventually forced to report loss of data. But, they were not planning to notify the downstream municipal wastewater plant of the potential impacts because they did not realize the threat could be compounded.
Finally, a potential threat actor posed as an industry salesperson to gain physical access to a municipal wastewater plant. This person was given a tour and took photographs of facilities and equipment, then disappeared without providing any contact information.
The Town of Brandon held a tabletop exercise to practice responding to a cyber attack.
Small System Troubles
Vermont Rural Water began working on cybersecurity a few years ago by partnering with experts and hosting classes that would resonate with small water and wastewater systems. Most cybersecurity trainings are tailored to an audience of IT professionals. In Vermont, most water systems do not have an IT professional.
In assisting with cybersecurity evaluations and assessments at small systems, we became aware of other concerns. Even for systems that have an IT consultant or company through their town office, those providers are focused on emails and file storage, not SCADA and other operational technology and controls. The operators we spoke with were frustrated that their town managers and other system officials didn’t understand the need to budget for upgrades and improvements to address current and future cyber threats.
In October 2024, Vermont Rural Water was selected as one of two states to host a pilot project focusing on cybersecurity at small, municipal drinking water systems. We were trained by EPA headquarters staff, CISA, Water ISAC, and other leading agencies and organizations to provide on-site technical assistance for cybersecurity. This experience has expanded our knowledge and awareness of the many threats faced by small water systems. We learned that the threat actors cast a wide net, and while Vermont systems may not be specifically targeted, cyber criminals look for anyone that has an easy path to infiltrate.
Next Steps
Regulation and enforcement of cybersecurity would be a mistake, in our opinion. Cybersecurity is multi-faceted, multi-layered, and constantly evolving. Federally, EPA has backed away from mandates and requirements and has focused their programs on outreach.
We have seen the need for more on-site technical assistance and accessible funding to maintain equipment, update software, and provide additional training. Training is needed not just for the system operators, but also for town officials, engineers, and service providers who may be called on for assistance.
While many resources already exist, there are very few options for small Vermont systems who want to design practices and procedures that work for the unique needs of their operations and management.
We view townwide tabletop exercises as the best way to communicate, plan, and coordinate local resources during a cyber threat. Water and wastewater systems are often left out of local and regional conversations on many topics, including emergency planning, hazard mitigation and cybersecurity. It may not be clear to town officials why the water or wastewater operators should be involved, but the water or wastewater plant and infrastructure are likely the number one target in many towns.
So what is the solution? Operators are overwhelmed with a growing number of threats. We suggest that they focus on the basics: personal cyber hygiene, developing protocols for when an employee departs, password management, and ongoing training and awareness for very small systems.
Moving forward, the best option for building ongoing relationships and sharing resources is a townwide cybersecurity tabletop with involvement from the local emergency management director (EMD), selectboard, fire, police, water, wastewater, and other local officials and legislators.
We believe cybersecurity at Vermont water systems can be improved by partnering with the many organizations and agencies offering training and outreach, along with direct technical assistance from a trusted and knowledgeable provider.