Bill Text: NY S01345 | 2023-2024 | General Assembly | Introduced
Bill Title: Relates to critical energy infrastructure security and responsibility and provides for the protection of critical infrastructure in the state.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2023-02-15 - SUBSTITUTED BY A2896
STATE OF NEW YORK

1345

2023-2024 Regular Sessions

IN SENATE

January 11, 2023

Introduced by Sen. PARKER -- read twice and ordered printed, and when printed to be committed to the Committee on Rules

AN ACT to amend the energy law, the executive law and the public service law, in relation to critical energy infrastructure security and responsibility; and to amend a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, in relation to the effectiveness thereof

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD04193-01-3

Section 1. Subdivisions 14 and 15 of section 1-103 of the energy law, as added by a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, are amended to read as follows:

14. "Critical energy infrastructure" means systems, including industrial control systems, [customer electrical or gas consumption data,] assets, places or things, whether physical or virtual, so vital to the state that the disruption, incapacitation or destruction of such systems, including industrial control systems, [customer electrical or gas consumption data,] assets, places or things could jeopardize the health, safety, welfare, energy distribution, transmission, reliability, or security of the state, its residents or its economy.

15. "Industrial control systems" means [a combination of control components that support operational functions in gas, distribution, transmission, and advanced metering infrastructure control centers, and act together to achieve an industrial objective, including controls that are fully automated or that include a human-machine interface] an information system used to monitor and/or control industrial processes, including supervisory control and data acquisition systems used to monitor and/or control geographically dispersed assets, distributed control systems, human-machine interfaces, and programmable logic controllers that control localized processes.

§ 2. Paragraph (j) of subdivision 2 of section 709 of the executive law, as amended by a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, is amended to read as follows:

(j) work with local, state and federal agencies and private entities to conduct assessments of the vulnerability of critical infrastructure to terrorist attack, cyber attack, and other natural and man-made disasters, including, but not limited to, nuclear facilities, power plants, telecommunications systems, mass transportation systems, public roadways, railways, bridges and tunnels, [and attendant industrial control systems as defined by subdivision fifteen of section 1-103 of the energy law] and develop strategies that may be used to protect such infrastructure from terrorist attack, cyber attack, and other natural and man-made disasters;

§ 3. Paragraph (a) of subdivision 19 of section 66 of the public service law, as amended by a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, is amended to read as follows:

(a) The commission shall have power to provide for management and operations audits of gas corporations and electric corporations. Such audits shall be performed at least once every five years for combination gas and electric corporations, as well as for straight gas corporations having annual gross revenues in excess of two hundred million dollars. The audit shall include, but not be limited to, an investigation of the company's construction program planning in relation to the needs of its customers for reliable service, an evaluation of the efficiency of the company's operations, an evaluation of customer privacy protections, including but not limited to customer electrical and gas consumption data, and protection of critical energy infrastructure as defined in subdivision fourteen of section 1-103 of the energy law, recommendations with respect to same, and the timing with respect to the implementation of such recommendations. The commission shall have discretion to have such audits performed by its staff, or by independent auditors.

In every case in which the commission chooses to have the audit provided for in this subdivision or pursuant to subdivision fourteen of section sixty-five of this article performed by independent auditors, it shall have authority to select the auditors, and to require the company being audited to enter into a contract with the auditors providing for their payment by the company. Such contract shall provide further that the auditors shall work for and under the direction of the commission according to such terms as the commission may determine are necessary and reasonable.

§ 4. Paragraph (d) of subdivision 19 of section 66 of the public service law, as added by a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, is amended to read as follows:

(d) The commission shall have the power to provide for an annual audit of gas corporations and electric corporations relating to the adequacy of cyber-security policies, protocols, procedures and protections including, but not limited to, as such policies, protocols, procedures and protections relate to critical energy infrastructure as defined in subdivision fourteen of section 1-103 of the energy law and [also to] customer privacy including but not limited to customer electric and gas consumption data. The commission shall have the discretion to have such audits performed by its staff or by an independent third party.

§ 5. Subdivisions 30 and 31 of section 66 of the public service law, as added by a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, are amended and a new subdivision 32 is added to read as follows:

30. Promulgate rules and regulations to direct electric or gas corporations to develop and implement tools to monitor: (a) operational control networks giving the electric or gas corporation the ability to undertake the detection of unauthorized network behavior related to such corporation's industrial control systems, as defined in subdivision fifteen of section 1-103 of the energy law; and (b) monitor and protect customer privacy, including but not limited to customer electric and gas consumption data from unauthorized disclosure. On or before December thirty-first, two thousand twenty-three and not later than five years after such date, and every five years thereafter, the commission shall provide a report to the governor, the temporary president of the senate, the speaker of the assembly, the chairperson of the assembly standing committee on energy, and the chairperson of the senate standing committee on energy and telecommunications reviewing electric or gas corporation compliance with this section, including, as necessary, recommendations to the legislature if the commission determines that additional measures are required to ensure the effective protection of electric or gas corporation critical infrastructure.

31. Promulgate rules and regulations to direct electric or gas corporations to require the installation of advanced metering infrastructure that connects to the electric or gas distribution network operated by such electric or gas corporation be permitted only so long as access to the advanced meter infrastructure enables two-way communication between utilities and meters through the optimal communications network option, such as a wireless network, that is shared by at least two meter providers operating within the United States of America, if the commission determines that it is cost effective and technically feasible to do so.

32. Customer electric and gas consumption data shall be considered confidential. The commission shall have the authority to promulgate rules and regulations to require gas or electric corporations to take necessary measures to protect such data from unauthorized or unconsented disclosure.

§ 6. Section 8 of a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, is amended to read as follows:

§ 8. This act shall take effect on the one hundred eightieth day after it shall have become a law. Effective immediately, the public service commission is authorized and directed to take actions necessary to promulgate rules and regulations related to the implementation of subdivisions 30 [and], 31 and 32 of section 66 of the public service law on or before such effective date.

§ 7. This act shall take effect immediately; provided however, that sections one, two, three, four and five of this act shall take effect on the same date and in the same manner as a chapter of the laws of 2022 amending the energy law, the executive law and the public service law relating to critical energy infrastructure security and responsibility, as proposed in legislative bills numbers S. 5579-A and A. 3904-B, takes effect.