Florida Senate - 2022 COMMITTEE AMENDMENT
Bill No. SB 828
Ì452698^Î452698
LEGISLATIVE ACTION
Senate . House
.
.
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
The Committee on Governmental Oversight and Accountability
(Hutson) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Section 282.32, Florida Statutes, is created to
6 read:
7 282.32 Critical infrastructure standards and procedures.—
8 (1) This section may be cited as the “Critical
9 Infrastructure Standards and Procedures Act.”
10 (2) The Legislature finds that standard definitions of the
11 security capabilities of system components are necessary to
12 provide a common language for product suppliers and other
13 control system stakeholders and to simplify the procurement and
14 integration processes for the computers, applications, network
15 equipment, and control devices that make up a control system.
16 The United States National Institute of Standards and Technology
17 Cybersecurity Framework (NIST CSF), which references several
18 relevant cybersecurity standards, including the International
19 Society of Automation ISA 62443 series of standards, is an
20 appropriate resource for use in establishing such standard
21 definitions.
22 (3) As used in this section, the term:
23 (a) “Automation and control system” means the personnel,
24 hardware, software, and policies involved in the operation of
25 critical infrastructure which may affect or influence such
26 critical infrastructure’s safe, secure, and reliable operation.
27 (b) “Automation and control system component” means control
28 systems and complementary hardware and software components that
29 are installed and configured to operate in an automation and
30 control system. For purposes of this section, the term “control
31 systems” includes, but is not limited to:
32 1. Distributed control systems, programmable logic
33 controllers, remote terminal units, intelligent electronic
34 devices, supervisory control and data acquisition, networked
35 electronic sensing and control, monitoring and diagnostic
36 systems, and process control systems, including basic process
37 control system and safety-instrumented system functions,
38 regardless of whether such functions are physically separate or
39 integrated.
40 2. Associated information and analytic systems, including
41 advanced or multivariable control, online optimizers, dedicated
42 equipment monitors, graphical interfaces, process historians,
43 manufacturing execution systems, and plant information
44 management systems.
45 3. Associated internal, human, network, or machine
46 interfaces used to provide control, safety, and manufacturing
47 operations functionality to continuous, batch, discrete, and
48 other processes as defined in the ISA 62443 series of standards
49 as referenced by the NIST CSF.
50 (c) “Critical infrastructure” means infrastructure for
51 which all assets, systems, and networks, regardless of whether
52 physical or virtual, are considered vital and vulnerable to
53 cybersecurity attacks as determined by the Florida Digital
54 Service in consultation with the Florida Cybersecurity Advisory
55 Council. The term includes, but is not limited to, public
56 transportation as defined in s. 163.566(8); water and wastewater
57 treatment facilities; public utilities and services subject to
58 the jurisdiction, supervision, powers, and duties of the Public
59 Service Commission; public buildings, including buildings
60 operated by the state university system; hospitals and public
61 health facilities; and financial services organizations.
62 (d) “Local government asset owner” means the local
63 government owner or entity accountable and responsible for
64 operation of critical infrastructure and its automation and
65 control system. The term includes the operator of the automation
66 and control system and the equipment under control.
67 (e) “Operational technology” means the hardware and
68 software that cause or detect a change through the direct
69 monitoring or control of physical devices, systems, processes,
70 or events in critical infrastructure.
71 (4) Beginning July 1, 2022, a local government asset owner
72 procuring automation and control system components, services, or
73 solutions or entering into a contract for the construction,
74 reconstruction, alteration, or design of a critical
75 infrastructure facility must require that such components,
76 services, and solutions conform to the ISA 62443 series of
77 standards as referenced by the NIST CSF. Such local government
78 asset owner shall ensure that all contracts for the
79 construction, reconstruction, alteration, or design of a
80 critical infrastructure facility require that installed
81 automation and control system components meet the minimum
82 standards for cybersecurity as defined in the ISA 62443 series
83 of standards as referenced by the NIST CSF.
84 Section 2. The Florida Digital Service shall, in
85 consultation with the Florida Cybersecurity Advisory Council,
86 adopt rules to implement this act.
87 Section 3. This act shall take effect July 1, 2022.
88
89 ================= T I T L E A M E N D M E N T ================
90 And the title is amended as follows:
91 Delete everything before the enacting clause
92 and insert:
93 A bill to be entitled
94 An act relating to critical infrastructure standards
95 and procedures; creating s. 282.32, F.S.; providing a
96 short title; providing legislative findings; providing
97 definitions; requiring a local government asset owner
98 procuring certain components, services, or solutions
99 or entering into certain contracts to require
100 conformance with certain standards, beginning on a
101 specified date; requiring such local government asset
102 owner to ensure that certain contracts require that
103 certain components meet certain minimum standards;
104 requiring the Florida Digital Service, in consultation
105 with the Florida Cybersecurity Advisory Council, to
106 adopt rules; providing an effective date.
107
108 WHEREAS, the operational technologies that automate the
109 critical infrastructure of daily life are experiencing a rapid
110 increase in cybersecurity incidents, and the impact of such
111 incidents affect life, safety, the environment, and economic
112 viability across sectors, and
113 WHEREAS, the recent cybersecurity hacking and shutdown of
114 the Colonial Pipeline by the criminal enterprise DarkSide in
115 2021; the infiltration of the Bowman Avenue Dam in Rye Brook,
116 New York, by Iranian hackers in 2013; and the intrusion of
117 numerous federal agencies by suspected Russian hackers
118 underscore the need to provide the public and private sectors
119 with clarity and support on how to improve the cybersecurity of
120 control systems, NOW, THEREFORE,