Bill Text: FL S0828 | 2022 | Regular Session | Introduced
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Critical Infrastructure
Spectrum: Bipartisan Bill
Status: (Failed) 2022-03-14 - Died in Military and Veterans Affairs, Space, and Domestic Security [S0828 Detail]
Download: Florida-2022-S0828-Introduced.html
Bill Title: Critical Infrastructure
Spectrum: Bipartisan Bill
Status: (Failed) 2022-03-14 - Died in Military and Veterans Affairs, Space, and Domestic Security [S0828 Detail]
Download: Florida-2022-S0828-Introduced.html
Florida Senate - 2022 SB 828 By Senator Hutson 7-00350-22 2022828__ 1 A bill to be entitled 2 An act relating to critical infrastructure; providing 3 a short title; creating s. 943.6873, F.S.; providing 4 legislative findings; defining terms; requiring that, 5 beginning on a specified date, asset owners ensure 6 that the operation and maintenance of operational 7 technology comply with specified standards and 8 practices; requiring, beginning on a specified date, 9 asset owners to require that certain components, 10 services, and solutions conform to such standards and 11 practices; requiring that certain contracts for 12 critical infrastructure meet specified minimum 13 standards; providing requirements and procedures 14 relating to civil actions based on cybersecurity 15 breach-related claims; authorizing a court to take 16 specified action upon a showing that a business, a 17 service provider, or another person or entity violates 18 the act; authorizing the Department of Law Enforcement 19 to institute appropriate legal proceedings against a 20 business, a service provider, or another person or 21 entity that violates the act; providing procedures for 22 such legal proceedings; providing for departmental 23 actions; requiring the department to adopt rules; 24 providing an effective date. 25 26 WHEREAS, the operational technologies that automate the 27 critical infrastructure of and commercial facilities in this 28 state are experiencing a rapid increase in cybersecurity 29 incidents, and the impact is serious, affecting daily life, 30 public safety, the environment, and economic viability across 31 sectors, and 32 WHEREAS, the recent cybersecurity intrusion of the public 33 water system in Oldsmar, the hacking and shutdown of the 34 Colonial Pipeline by the criminal enterprise Darkside, the 35 infiltration of the Bowman Dam in Rye Brook, New York, by 36 Iranian hackers in 2013, and the intrusion of numerous federal 37 agencies by suspected Russian hackers underscore the need to 38 provide the public and private sectors with clarity and support 39 in improving control systems cybersecurity, NOW, THEREFORE, 40 41 Be It Enacted by the Legislature of the State of Florida: 42 43 Section 1. This act may be cited as the “Critical 44 Infrastructure Standards and Procedures Act.” 45 Section 2. Section 943.6873, Florida Statutes, is created 46 to read: 47 943.6873 Critical infrastructure standards; civil actions.— 48 (1) The Legislature finds that a standard definition of the 49 security capabilities for system components will provide a 50 common language for product suppliers and all other control 51 system stakeholders, simplifying the procurement and integration 52 processes for the computers, applications, network equipment, 53 and control devices that make up a control system. The United 54 States National Institute of Standards and Technology (NIST) 55 published the NIST Cybersecurity Framework, which references 56 several relevant cybersecurity standards, including the 57 internationally recognized ISA/IEC 62443 series of standards. 58 These standards define a set of measures and benchmarks 59 specifically built to guide organizations through the process of 60 assessing the risk associated with a particular automation and 61 control system and in identifying and applying security 62 countermeasures to reduce that risk. 63 (2) As used in this section, the term: 64 (a) “Asset owner” means the public or private owner of, or 65 the entity accountable and responsible for operation of, the 66 critical infrastructure and the automation and control system. 67 The asset owner is also the operator of the automation and 68 control system components and the equipment under its control. 69 (b) “Automation and control system” means a collection of 70 personnel, hardware, software, and policies associated with the 71 operation of the critical infrastructure which can affect or 72 influence its safe, secure, and reliable operation. 73 (c) “Automation and control system component” means control 74 systems and any complementary hardware and software components 75 installed and configured to operate in an automation and control 76 system. These systems include, but are not limited to: 77 1. Control systems, including distributed control systems, 78 programmable logic controllers, remote terminal units, 79 intelligent electronic devices, supervisory control and data 80 acquisition, networked electronic sensing and control, 81 monitoring and diagnostic systems, and process control systems 82 that include physically separate or integrated basic process 83 control system and safety-instrumented system functions; 84 2. Associated information systems, such as advanced or 85 multivariable control, online optimizers, dedicated equipment 86 monitors, graphical interfaces, process historians, 87 manufacturing execution systems, and plant information 88 management systems; and 89 3. Associated internal, human, network, or machine 90 interfaces used to provide control, safety, and manufacturing 91 operations functionality to continuous, batch, discrete, and 92 other processes as defined by the International Society of 93 Automation ISA/IEC 62443 series of standards as referenced by 94 the NIST Cybersecurity Framework. 95 (d) “Critical infrastructure” means all physical and 96 virtual assets, systems, and networks considered vital and 97 vulnerable to cybersecurity attacks, as determined by the 98 department in consultation with the Florida Digital Service and 99 the Florida Cybersecurity Advisory Council. Critical 100 infrastructure includes, but is not limited to, public 101 transportation as defined in s. 163.566; water and wastewater 102 treatment facilities, public utilities, and public services 103 subject to the jurisdiction, supervision, powers, and duties of 104 the Florida Public Service Commission; public buildings, 105 including those operated by the State University System; 106 hospitals and public health facilities; and financial services 107 organizations regulated by the Department of Financial Services. 108 (e) “Cybersecurity-breach-related claim” means a legal 109 proceeding or civil action against an asset owner for failure to 110 meet the minimum standards required by this section. 111 (f) “Department” means the Department of Law Enforcement. 112 (g) “Operation technology” means the hardware and software 113 that detects or causes a change through the direct monitoring or 114 control of physical devices and systems, processes, and events 115 in the critical infrastructure. 116 (3) Beginning on July 1, 2024, the asset owner shall ensure 117 that the operation and maintenance of operational technology, 118 including critical infrastructure, automation control systems, 119 and automation control system components, are compliant with the 120 standards and practices defined in the ISA/IEC 62443 series of 121 standards as referenced by the NIST Cybersecurity Framework, 122 including annual risk assessments and creation of a mitigation 123 plan. 124 (4) Beginning on July 1, 2026, when procuring automation 125 and control system components, services, or solutions, or when 126 contracting for facility upgrades or the construction of 127 critical infrastructure facilities, an asset owner shall require 128 that those components, services, or solutions conform to the 129 ISA/IEC 62443 series of standards as referenced by the NIST 130 Cybersecurity Framework for defining measures to assure 131 conformance. All contracts awarded for construction, 132 reconstruction, alteration, design, or commissioning of 133 facilities identified as critical infrastructure must require 134 that installed automation and control components meet the 135 minimum standards for cybersecurity as defined by the ISA/IEC 136 62443 series of standards as referenced by the NIST 137 Cybersecurity Framework. 138 (5) In any civil action based on a cybersecurity-breach 139 related claim, including a civil action brought by the 140 department pursuant to subsection (6): 141 (a) A court shall determine as a matter of law whether the 142 defendant made a good faith effort to comply with subsection (3) 143 or subsection (4), as applicable. 144 (b) If the court determines that the defendant made such a 145 good faith effort, the defendant is immune from civil liability. 146 (c) If the court determines that the defendant did not make 147 such a good faith effort, the plaintiff may proceed with the 148 action. 149 (d) The trial court, upon a showing that any business, 150 service provider, or other person or entity is in violation of 151 this section, may take any of the following actions: 152 1. Issue a temporary or permanent injunction. 153 2. Impose a civil penalty of not more than $2,500 for each 154 unintentional violation or $7,500 for each intentional 155 violation. 156 3. Award reasonable costs of enforcement, including 157 reasonable attorney fees and costs. 158 4. Grant any other relief as the court deems appropriate. 159 (6) If the department has reason to believe that any 160 business, service provider, or other person or entity is in 161 violation of this section and that proceedings would be in the 162 public interest, the department may institute an appropriate 163 legal proceeding, which may include a civil action, against such 164 party. 165 (a) After the department has notified a business in writing 166 of an alleged violation, the department may grant the business, 167 service provider, or other person or entity a 30-day period to 168 cure the alleged violation. The department may consider the 169 number of violations, the substantial likelihood of injury to 170 the public, or the safety of persons or property in determining 171 whether to grant the 30-day period to cure an alleged violation. 172 (b) If the business, service provider, or other person or 173 entity cures the alleged violation to the satisfaction of the 174 department and provides proof of such cure to the department, 175 the department may issue a letter of guidance to the business, 176 service provider, or other person or entity which indicates that 177 the business, service provider, or other person or entity will 178 not be offered a 30-day cure period for any future violation. If 179 the business, service provider, or other person or entity fails 180 to cure the violation within 30 days, the department may bring a 181 legal proceeding against the business for the alleged violation. 182 (7) The department shall adopt rules, in consultation with 183 the Florida Digital Service and the Florida Cybersecurity 184 Advisory Council, to implement and administer this section. 185 Section 3. This act shall take effect October 1, 2022.