Vermont committee hears split over S.213: smart meters, privacy and how to secure small water systems
Lawmakers reviewed S.213, a bill on smart meters and cybersecurity for public water systems. Water managers urged baseline cyber hygiene, funding and tailored guidance for small systems; residents raised privacy concerns about frequent remote reads.
Senator Watson called the Natural Resources & Energy committee to consider S.213, a bill that would require cybersecurity protections and address smart‑meter use on public water systems, and invited operators and state agencies to testify.
Joe Duncan, general manager of Champlain Water District, told senators that modern water "smart meters" typically send encrypted, one‑way meter IDs and readings and that the most valuable feature is anomaly detection: "smart meters... have little chips in them that are telling them, is there a usage that's outside the norm," he said, explaining that flags help utilities find leaks before customers face very large bills. Duncan said meter radio reads do not themselves transmit a customer address; customer linking occurs later inside a municipality's billing system. He said Champlain already permits opt‑outs and charges a manual‑read fee when customers choose not to accept remote reads, citing staff time and special handling for manual entries.
Liz Royer, executive director of the Vermont Rural Water Association, urged lawmakers to account for the state's small, decentralized systems. "These small rural utilities provide safe drinking water and... are often operated by a part‑time contractor who may or may not be at the system on a daily or even weekly basis," Royer said. She noted many Vermont systems are not metered at all and lack IT staff, so complex national cybersecurity standards can be impractical. Royer recommended simple, Vermont‑specific guidance, hands‑on technical assistance and tabletop exercises to help local officials and operators respond to cyber incidents.
Ben Montrose, drinking water program manager at the Agency of Natural Resources (ANR), described ANR's existing regulatory scope and a tiered approach to risk. He said ANR requires production meters at plants but does not require individual service meters and that federal tools such as EPA checklists and the American Water Infrastructure Act impose resilience requirements only on larger systems. Montrose emphasized operational systems (chemical dosing, pumps and valves) are the highest cyber risk and that attackers often aim at vendor technology: "What the hackers are doing is they're aiming at the tech, not the victim," he said. ANR supports metering for equity and operations but acknowledged the agency lacks capacity to police a fast‑moving cyber threat and favors phased, assistance‑backed requirements rather than an immediate, detailed checklist.
Members pressed whether the committee should require enforceable standards or set a lower, baseline set of hygiene measures. Several senators suggested a short list of low‑cost actions (change default passwords, require multifactor authentication where feasible, and remove shared credentials) that could be mandated or strongly encouraged first, paired with grant support or set‑aside funds for small systems. Montrose and Royer offered to work with committee staff to craft achievable Vermont‑specific requirements.
A Montpelier resident, Thomas Weiss, testified during public comment that two‑way fixed‑network meters raise privacy concerns if frequent reads permit pattern analysis of occupancy: "That's right... they know I'm not home," he said, urging a limit on read frequency as an option to reduce privacy risk.
Jim Porter, director for public advocacy at the Vermont Department of Public Service, said his department is "generally supportive of this bill" and called the bill's opt‑out language reasonable, noting the state took a no‑charge opt‑out position during early electric smart‑meter rollouts but that customer costs for paper statements and manual handling are common today.
No formal vote was taken. Committee members directed staff to consider drafting a short list of baseline cyber hygiene measures that are low or no cost for systems to implement, together with options for technical assistance and possible funding mechanisms to help small and volunteer‑run water systems comply. The committee also requested that witnesses share existing templates and training resources to inform next drafts of S.213.
The hearing closed without enactment; S.213 will return to committee drafting and follow‑up outreach.
