STATE OF NEW YORK
________________________________________________________________________
1345
2023-2024 Regular Sessions
IN SENATE
January 11, 2023
___________
Introduced by Sen. PARKER -- read twice and ordered printed, and when
printed to be committed to the Committee on Rules
AN ACT to amend the energy law, the executive law and the public service
law, in relation to critical energy infrastructure security and
responsibility; and to amend a chapter of the laws of 2022 amending
the energy law, the executive law and the public service law relating
to critical energy infrastructure security and responsibility, as
proposed in legislative bills numbers S. 5579-A and A. 3904-B, in
relation to the effectiveness thereof
The People of the State of New York, represented in Senate and Assem-
bly, do enact as follows:
1 Section 1. Subdivisions 14 and 15 of section 1-103 of the energy law,
2 as added by a chapter of the laws of 2022 amending the energy law, the
3 executive law and the public service law relating to critical energy
4 infrastructure security and responsibility, as proposed in legislative
5 bills numbers S. 5579-A and A. 3904-B, are amended to read as follows:
6 14. "Critical energy infrastructure" means systems, including indus-
7 trial control systems, [customer electrical or gas consumption data,]
8 assets, places or things, whether physical or virtual, so vital to the
9 state that the disruption, incapacitation or destruction of such
10 systems, including industrial control systems, [customer electrical or
11 gas consumption data,] assets, places or things could jeopardize the
12 health, safety, welfare, energy distribution, transmission, reliability,
13 or security of the state, its residents or its economy.
14 15. "Industrial control systems" means [a combination of control
15 components that support operational functions in gas, distribution,
16 transmission, and advanced metering infrastructure control centers, and
17 act together to achieve an industrial objective, including controls that
18 are fully automated or that include a human-machine interface] an infor-
19 mation system used to monitor and/or control industrial processes,
20 including supervisory control and data acquisition systems used to moni-
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD04193-01-3
S. 1345 2
1 tor and/or control geographically dispersed assets, distributed control
2 systems, human-machine interfaces, and programmable logic controllers
3 that control localized processes.
4 § 2. Paragraph (j) of subdivision 2 of section 709 of the executive
5 law, as amended by a chapter of the laws of 2022 amending the energy
6 law, the executive law and the public service law relating to critical
7 energy infrastructure security and responsibility, as proposed in legis-
8 lative bills numbers S. 5579-A and A. 3904-B, is amended to read as
9 follows:
10 (j) work with local, state and federal agencies and private entities
11 to conduct assessments of the vulnerability of critical infrastructure
12 to terrorist attack, cyber attack, and other natural and man-made disas-
13 ters, including, but not limited to, nuclear facilities, power plants,
14 telecommunications systems, mass transportation systems, public road-
15 ways, railways, bridges and tunnels, [and attendant industrial control
16 systems as defined by subdivision fifteen of section 1-103 of the energy
17 law] and develop strategies that may be used to protect such infrastruc-
18 ture from terrorist attack, cyber attack, and other natural and man-made
19 disasters;
20 § 3. Paragraph (a) of subdivision 19 of section 66 of the public
21 service law, as amended by a chapter of the laws of 2022 amending the
22 energy law, the executive law and the public service law relating to
23 critical energy infrastructure security and responsibility, as proposed
24 in legislative bills numbers S. 5579-A and A. 3904-B, is amended to read
25 as follows:
26 (a) The commission shall have power to provide for management and
27 operations audits of gas corporations and electric corporations. Such
28 audits shall be performed at least once every five years for combination
29 gas and electric corporations, as well as for straight gas corporations
30 having annual gross revenues in excess of two hundred million dollars.
31 The audit shall include, but not be limited to, an investigation of the
32 company's construction program planning in relation to the needs of its
33 customers for reliable service, an evaluation of the efficiency of the
34 company's operations, an evaluation of customer privacy protections,
35 including but not limited to customer electrical and gas consumption
36 data, and protection of critical energy infrastructure as defined in
37 subdivision fourteen of section 1-103 of the energy law, recommendations
38 with respect to same, and the timing with respect to the implementation
39 of such recommendations. The commission shall have discretion to have
40 such audits performed by its staff, or by independent auditors.
41 In every case in which the commission chooses to have the audit
42 provided for in this subdivision or pursuant to subdivision fourteen of
43 section sixty-five of this article performed by independent auditors, it
44 shall have authority to select the auditors, and to require the company
45 being audited to enter into a contract with the auditors providing for
46 their payment by the company. Such contract shall provide further that
47 the auditors shall work for and under the direction of the commission
48 according to such terms as the commission may determine are necessary
49 and reasonable.
50 § 4. Paragraph (d) of subdivision 19 of section 66 of the public
51 service law, as added by a chapter of the laws of 2022 amending the
52 energy law, the executive law and the public service law relating to
53 critical energy infrastructure security and responsibility, as proposed
54 in legislative bills numbers S. 5579-A and A. 3904-B, is amended to read
55 as follows:
S. 1345 3
1 (d) The commission shall have the power to provide for an annual audit
2 of gas corporations and electric corporations relating to the adequacy
3 of cyber-security policies, protocols, procedures and protections
4 including, but not limited to, as such policies, protocols, procedures
5 and protections relate to critical energy infrastructure as defined in
6 subdivision fourteen of section 1-103 of the energy law and [also to]
7 customer privacy including but not limited to customer electric and gas
8 consumption data. The commission shall have the discretion to have such
9 audits performed by its staff or by an independent third party.
10 § 5. Subdivisions 30 and 31 of section 66 of the public service law,
11 as added by a chapter of the laws of 2022 amending the energy law, the
12 executive law and the public service law relating to critical energy
13 infrastructure security and responsibility, as proposed in legislative
14 bills numbers S. 5579-A and A. 3904-B, are amended and a new subdivision
15 32 is added to read as follows:
16 30. Promulgate rules and regulations to direct electric or gas corpo-
17 rations to develop and implement tools to monitor: (a) operational
18 control networks giving the electric or gas corporation the ability to
19 undertake the detection of unauthorized network behavior related to such
20 corporation's industrial control systems, as defined in subdivision
21 fifteen of section 1-103 of the energy law; and (b) monitor and protect
22 customer privacy, including but not limited to customer electric and gas
23 consumption data from unauthorized disclosure. On or before December
24 thirty-first, two thousand twenty-three and not later than five years
25 after such date, and every five years thereafter, the commission shall
26 provide a report to the governor, the temporary president of the senate,
27 the speaker of the assembly, the chairperson of the assembly standing
28 committee on energy, and the chairperson of the senate standing commit-
29 tee on energy and telecommunications reviewing electric or gas corpo-
30 ration compliance with this section, including, as necessary, recommen-
31 dations to the legislature if the commission determines that additional
32 measures are required to ensure the effective protection of electric or
33 gas corporation critical infrastructure.
34 31. Promulgate rules and regulations to direct electric or gas corpo-
35 rations to require the installation of advanced metering infrastructure
36 that connects to the electric or gas distribution network operated by
37 such electric or gas corporation be permitted only so long as access to
38 the advanced meter infrastructure enables two-way communication between
39 utilities and meters through the optimal communications network option,
40 such as a wireless network, that is shared by at least two meter provid-
41 ers operating within the United States of America, if the commission
42 determines that it is cost effective and technically feasible to do so.
43 32. Customer electric and gas consumption data shall be considered
44 confidential. The commission shall have the authority to promulgate
45 rules and regulations to require gas or electric corporations to take
46 necessary measures to protect such data from unauthorized or unconsented
47 disclosure.
48 § 6. Section 8 of a chapter of the laws of 2022 amending the energy
49 law, the executive law and the public service law relating to critical
50 energy infrastructure security and responsibility, as proposed in legis-
51 lative bills numbers S. 5579-A and A. 3904-B, is amended to read as
52 follows:
53 § 8. This act shall take effect on the one hundred eightieth day after
54 it shall have become a law. Effective immediately, the public service
55 commission is authorized and directed to take actions necessary to
56 promulgate rules and regulations related to the implementation of subdi-
S. 1345 4
1 visions 30 [and], 31 and 32 of section 66 of the public service law on
2 or before such effective date.
3 § 7. This act shall take effect immediately; provided however, that
4 sections one, two, three, four and five of this act shall take effect on
5 the same date and in the same manner as a chapter of the laws of 2022
6 amending the energy law, the executive law and the public service law
7 relating to critical energy infrastructure security and responsibility,
8 as proposed in legislative bills numbers S. 5579-A and A. 3904-B, takes
9 effect.