Florida Senate - 2022 COMMITTEE AMENDMENT
Bill No. SB 828

The Committee on Governmental Oversight and Accountability (Hutson) recommended the following:

Senate Amendment (with title amendment)

Delete everything after the enacting clause and insert:

Section 1. Section 282.32, Florida Statutes, is created to read:

282.32 Critical infrastructure standards and procedures.—

(1) This section may be cited as the “Critical Infrastructure Standards and Procedures Act.”

(2) The Legislature finds that standard definitions of the security capabilities of system components are necessary to provide a common language for product suppliers and other control system stakeholders and to simplify the procurement and integration processes for the computers, applications, network equipment, and control devices that make up a control system. The United States National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which references several relevant cybersecurity standards, including the International Society of Automation ISA 62443 series of standards, is an appropriate resource for use in establishing such standard definitions.

(3) As used in this section, the term:

(a) “Automation and control system” means the personnel, hardware, software, and policies involved in the operation of critical infrastructure which may affect or influence such critical infrastructure’s safe, secure, and reliable operation.

(b) “Automation and control system component” means control systems and complementary hardware and software components that are installed and configured to operate in an automation and control system. For purposes of this section, the term “control systems” includes, but is not limited to:

1. Distributed control systems, programmable logic controllers, remote terminal units, intelligent electronic devices, supervisory control and data acquisition, networked electronic sensing and control, monitoring and diagnostic systems, and process control systems, including basic process control system and safety-instrumented system functions, regardless of whether such functions are physically separate or integrated.

2. Associated information and analytic systems, including advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.

3. Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

(c) “Critical infrastructure” means infrastructure for which all assets, systems, and networks, regardless of whether physical or virtual, are considered vital and vulnerable to cybersecurity attacks as determined by the Florida Digital Service in consultation with the Florida Cybersecurity Advisory Council. The term includes, but is not limited to, public transportation as defined in s. 163.566(8); water and wastewater treatment facilities; public utilities and services subject to the jurisdiction, supervision, powers, and duties of the Public Service Commission; public buildings, including buildings operated by the state university system; hospitals and public health facilities; and financial services organizations.

(d) “Local government asset owner” means the local government owner or entity accountable and responsible for operation of critical infrastructure and its automation and control system. The term includes the operator of the automation and control system and the equipment under control.

(e) “Operational technology” means the hardware and software that cause or detect a change through the direct monitoring or control of physical devices, systems, processes, or events in critical infrastructure.

(4) Beginning July 1, 2022, a local government asset owner procuring automation and control system components, services, or solutions or entering into a contract for the construction, reconstruction, alteration, or design of a critical infrastructure facility must require that such components, services, and solutions conform to the ISA 62443 series of standards as referenced by the NIST CSF. Such local government asset owner shall ensure that all contracts for the construction, reconstruction, alteration, or design of a critical infrastructure facility require that installed automation and control system components meet the minimum standards for cybersecurity as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

Section 2. The Florida Digital Service shall, in consultation with the Florida Cybersecurity Advisory Council, adopt rules to implement this act.

Section 3. This act shall take effect July 1, 2022.

================= T I T L E  A M E N D M E N T ================

And the title is amended as follows:

Delete everything before the enacting clause and insert:

A bill to be entitled

An act relating to critical infrastructure standards and procedures; creating s. 282.32, F.S.; providing a short title; providing legislative findings; providing definitions; requiring a local government asset owner procuring certain components, services, or solutions or entering into certain contracts to require conformance with certain standards, beginning on a specified date; requiring such local government asset owner to ensure that certain contracts require that certain components meet certain minimum standards; requiring the Florida Digital Service, in consultation with the Florida Cybersecurity Advisory Council, to adopt rules; providing an effective date.

WHEREAS, the operational technologies that automate the critical infrastructure of daily life are experiencing a rapid increase in cybersecurity incidents, and the impact of such incidents affect life, safety, the environment, and economic viability across sectors, and

WHEREAS, the recent cybersecurity hacking and shutdown of the Colonial Pipeline by the criminal enterprise DarkSide in 2021; the infiltration of the Bowman Avenue Dam in Rye Brook, New York, by Iranian hackers in 2013; and the intrusion of numerous federal agencies by suspected Russian hackers underscore the need to provide the public and private sectors with clarity and support on how to improve the cybersecurity of control systems, NOW, THEREFORE,