Florida Senate - 2022                        COMMITTEE AMENDMENT
       Bill No. SB 828
       
       
       
       
       
       
                                     452698
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  02/02/2022           .                                
       —————————————————————————————————————————————————————————————————




       The Committee on Governmental Oversight and Accountability
       (Hutson) recommended the following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Section 282.32, Florida Statutes, is created to
    6  read:
    7         282.32 Critical infrastructure standards and procedures.—
    8         (1) This section may be cited as the “Critical
    9  Infrastructure Standards and Procedures Act.”
   10         (2) The Legislature finds that standard definitions of the
   11  security capabilities of system components are necessary to
   12  provide a common language for product suppliers and other
   13  control system stakeholders and to simplify the procurement and
   14  integration processes for the computers, applications, network
   15  equipment, and control devices that make up a control system.
   16  The United States National Institute of Standards and Technology
   17  Cybersecurity Framework (NIST CSF), which references several
   18  relevant cybersecurity standards, including the International
   19  Society of Automation ISA 62443 series of standards, is an
   20  appropriate resource for use in establishing such standard
   21  definitions.
   22         (3) As used in this section, the term:
   23         (a) “Automation and control system” means the personnel,
   24  hardware, software, and policies involved in the operation of
   25  critical infrastructure which may affect or influence such
   26  critical infrastructure’s safe, secure, and reliable operation.
   27         (b) “Automation and control system component” means control
   28  systems and complementary hardware and software components that
   29  are installed and configured to operate in an automation and
   30  control system. For purposes of this section, the term “control
   31  systems” includes, but is not limited to:
   32         1. Distributed control systems, programmable logic
   33  controllers, remote terminal units, intelligent electronic
   34  devices, supervisory control and data acquisition, networked
   35  electronic sensing and control, monitoring and diagnostic
   36  systems, and process control systems, including basic process
   37  control system and safety-instrumented system functions,
   38  regardless of whether such functions are physically separate or
   39  integrated.
   40         2. Associated information and analytic systems, including
   41  advanced or multivariable control, online optimizers, dedicated
   42  equipment monitors, graphical interfaces, process historians,
   43  manufacturing execution systems, and plant information
   44  management systems.
   45         3. Associated internal, human, network, or machine
   46  interfaces used to provide control, safety, and manufacturing
   47  operations functionality to continuous, batch, discrete, and
   48  other processes as defined in the ISA 62443 series of standards
   49  as referenced by the NIST CSF.
   50         (c) “Critical infrastructure” means infrastructure for
   51  which all assets, systems, and networks, regardless of whether
   52  physical or virtual, are considered vital and vulnerable to
   53  cybersecurity attacks as determined by the Florida Digital
   54  Service in consultation with the Florida Cybersecurity Advisory
   55  Council. The term includes, but is not limited to, public
   56  transportation as defined in s. 163.566(8); water and wastewater
   57  treatment facilities; public utilities and services subject to
   58  the jurisdiction, supervision, powers, and duties of the Public
   59  Service Commission; public buildings, including buildings
   60  operated by the state university system; hospitals and public
   61  health facilities; and financial services organizations.
   62         (d) “Local government asset owner” means the local
   63  government owner or entity accountable and responsible for
   64  operation of critical infrastructure and its automation and
   65  control system. The term includes the operator of the automation
   66  and control system and the equipment under control.
   67         (e) “Operational technology” means the hardware and
   68  software that cause or detect a change through the direct
   69  monitoring or control of physical devices, systems, processes,
   70  or events in critical infrastructure.
   71         (4) Beginning July 1, 2022, a local government asset owner
   72  procuring automation and control system components, services, or
   73  solutions or entering into a contract for the construction,
   74  reconstruction, alteration, or design of a critical
   75  infrastructure facility must require that such components,
   76  services, and solutions conform to the ISA 62443 series of
   77  standards as referenced by the NIST CSF. Such local government
   78  asset owner shall ensure that all contracts for the
   79  construction, reconstruction, alteration, or design of a
   80  critical infrastructure facility require that installed
   81  automation and control system components meet the minimum
   82  standards for cybersecurity as defined in the ISA 62443 series
   83  of standards as referenced by the NIST CSF.
   84         Section 2. The Florida Digital Service shall, in
   85  consultation with the Florida Cybersecurity Advisory Council,
   86  adopt rules to implement this act.
   87         Section 3. This act shall take effect July 1, 2022.
   88  
   89  ================= T I T L E  A M E N D M E N T ================
   90  And the title is amended as follows:
   91         Delete everything before the enacting clause
   92  and insert:
   93                        A bill to be entitled                      
   94         An act relating to critical infrastructure standards
   95         and procedures; creating s. 282.32, F.S.; providing a
   96         short title; providing legislative findings; providing
   97         definitions; requiring a local government asset owner
   98         procuring certain components, services, or solutions
   99         or entering into certain contracts to require
  100         conformance with certain standards, beginning on a
  101         specified date; requiring such local government asset
  102         owner to ensure that certain contracts require that
  103         certain components meet certain minimum standards;
  104         requiring the Florida Digital Service, in consultation
  105         with the Florida Cybersecurity Advisory Council, to
  106         adopt rules; providing an effective date.
  107  
  108         WHEREAS, the operational technologies that automate the
  109  critical infrastructure of daily life are experiencing a rapid
  110  increase in cybersecurity incidents, and the impact of such
  111  incidents affects life, safety, the environment, and economic
  112  viability across sectors, and
  113         WHEREAS, the recent cybersecurity hacking and shutdown of
  114  the Colonial Pipeline by the criminal enterprise DarkSide in
  115  2021; the infiltration of the Bowman Avenue Dam in Rye Brook,
  116  New York, by Iranian hackers in 2013; and the intrusion of
  117  numerous federal agencies by suspected Russian hackers
  118  underscore the need to provide the public and private sectors
  119  with clarity and support on how to improve the cybersecurity of
  120  control systems, NOW, THEREFORE,