Florida Senate - 2022 SB 828
By Senator Hutson
7-00350-22 2022828__
A bill to be entitled

An act relating to critical infrastructure; providing a short title; creating s. 943.6873, F.S.; providing legislative findings; defining terms; requiring that, beginning on a specified date, asset owners ensure that the operation and maintenance of operational technology comply with specified standards and practices; requiring, beginning on a specified date, asset owners to require that certain components, services, and solutions conform to such standards and practices; requiring that certain contracts for critical infrastructure meet specified minimum standards; providing requirements and procedures relating to civil actions based on cybersecurity breach-related claims; authorizing a court to take specified action upon a showing that a business, a service provider, or another person or entity violates the act; authorizing the Department of Law Enforcement to institute appropriate legal proceedings against a business, a service provider, or another person or entity that violates the act; providing procedures for such legal proceedings; providing for departmental actions; requiring the department to adopt rules; providing an effective date.

WHEREAS, the operational technologies that automate the critical infrastructure of and commercial facilities in this state are experiencing a rapid increase in cybersecurity incidents, and the impact is serious, affecting daily life, public safety, the environment, and economic viability across sectors, and

WHEREAS, the recent cybersecurity intrusion of the public water system in Oldsmar, the hacking and shutdown of the Colonial Pipeline by the criminal enterprise Darkside, the infiltration of the Bowman Dam in Rye Brook, New York, by Iranian hackers in 2013, and the intrusion of numerous federal agencies by suspected Russian hackers underscore the need to provide the public and private sectors with clarity and support in improving control systems cybersecurity, NOW, THEREFORE,

Be It Enacted by the Legislature of the State of Florida:

Section 1. This act may be cited as the “Critical Infrastructure Standards and Procedures Act.”

Section 2. Section 943.6873, Florida Statutes, is created to read:

943.6873 Critical infrastructure standards; civil actions.—

(1) The Legislature finds that a standard definition of the security capabilities for system components will provide a common language for product suppliers and all other control system stakeholders, simplifying the procurement and integration processes for the computers, applications, network equipment, and control devices that make up a control system. The United States National Institute of Standards and Technology (NIST) published the NIST Cybersecurity Framework, which references several relevant cybersecurity standards, including the internationally recognized ISA/IEC 62443 series of standards. These standards define a set of measures and benchmarks specifically built to guide organizations through the process of assessing the risk associated with a particular automation and control system and in identifying and applying security countermeasures to reduce that risk.
(2) As used in this section, the term:

(a) “Asset owner” means the public or private owner of, or the entity accountable and responsible for operation of, the critical infrastructure and the automation and control system. The asset owner is also the operator of the automation and control system components and the equipment under its control.

(b) “Automation and control system” means a collection of personnel, hardware, software, and policies associated with the operation of the critical infrastructure which can affect or influence its safe, secure, and reliable operation.

(c) “Automation and control system component” means control systems and any complementary hardware and software components installed and configured to operate in an automation and control system. These systems include, but are not limited to:

1. Control systems, including distributed control systems, programmable logic controllers, remote terminal units, intelligent electronic devices, supervisory control and data acquisition, networked electronic sensing and control, monitoring and diagnostic systems, and process control systems that include physically separate or integrated basic process control system and safety-instrumented system functions;

2. Associated information systems, such as advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems; and

3. Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes as defined by the International Society of Automation ISA/IEC 62443 series of standards as referenced by the NIST Cybersecurity Framework.

(d) “Critical infrastructure” means all physical and virtual assets, systems, and networks considered vital and vulnerable to cybersecurity attacks, as determined by the department in consultation with the Florida Digital Service and the Florida Cybersecurity Advisory Council. Critical infrastructure includes, but is not limited to, public transportation as defined in s. 163.566; water and wastewater treatment facilities, public utilities, and public services subject to the jurisdiction, supervision, powers, and duties of the Florida Public Service Commission; public buildings, including those operated by the State University System; hospitals and public health facilities; and financial services organizations regulated by the Department of Financial Services.

(e) “Cybersecurity-breach-related claim” means a legal proceeding or civil action against an asset owner for failure to meet the minimum standards required by this section.

(f) “Department” means the Department of Law Enforcement.

(g) “Operation technology” means the hardware and software that detects or causes a change through the direct monitoring or control of physical devices and systems, processes, and events in the critical infrastructure.
(3) Beginning on July 1, 2024, the asset owner shall ensure that the operation and maintenance of operational technology, including critical infrastructure, automation control systems, and automation control system components, are compliant with the standards and practices defined in the ISA/IEC 62443 series of standards as referenced by the NIST Cybersecurity Framework, including annual risk assessments and creation of a mitigation plan.

(4) Beginning on July 1, 2026, when procuring automation and control system components, services, or solutions, or when contracting for facility upgrades or the construction of critical infrastructure facilities, an asset owner shall require that those components, services, or solutions conform to the ISA/IEC 62443 series of standards as referenced by the NIST Cybersecurity Framework for defining measures to assure conformance. All contracts awarded for construction, reconstruction, alteration, design, or commissioning of facilities identified as critical infrastructure must require that installed automation and control components meet the minimum standards for cybersecurity as defined by the ISA/IEC 62443 series of standards as referenced by the NIST Cybersecurity Framework.

(5) In any civil action based on a cybersecurity-breach-related claim, including a civil action brought by the department pursuant to subsection (6):

(a) A court shall determine as a matter of law whether the defendant made a good faith effort to comply with subsection (3) or subsection (4), as applicable.

(b) If the court determines that the defendant made such a good faith effort, the defendant is immune from civil liability.

(c) If the court determines that the defendant did not make such a good faith effort, the plaintiff may proceed with the action.

(d) The trial court, upon a showing that any business, service provider, or other person or entity is in violation of this section, may take any of the following actions:

1. Issue a temporary or permanent injunction.

2. Impose a civil penalty of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation.

3. Award reasonable costs of enforcement, including reasonable attorney fees and costs.

4. Grant any other relief as the court deems appropriate.

(6) If the department has reason to believe that any business, service provider, or other person or entity is in violation of this section and that proceedings would be in the public interest, the department may institute an appropriate legal proceeding, which may include a civil action, against such party.

(a) After the department has notified a business in writing of an alleged violation, the department may grant the business, service provider, or other person or entity a 30-day period to cure the alleged violation. The department may consider the number of violations, the substantial likelihood of injury to the public, or the safety of persons or property in determining whether to grant the 30-day period to cure an alleged violation.

(b) If the business, service provider, or other person or entity cures the alleged violation to the satisfaction of the department and provides proof of such cure to the department, the department may issue a letter of guidance to the business, service provider, or other person or entity which indicates that the business, service provider, or other person or entity will not be offered a 30-day cure period for any future violation. If the business, service provider, or other person or entity fails to cure the violation within 30 days, the department may bring a legal proceeding against the business for the alleged violation.

(7) The department shall adopt rules, in consultation with the Florida Digital Service and the Florida Cybersecurity Advisory Council, to implement and administer this section.

Section 3. This act shall take effect October 1, 2022.