Florida Senate - 2022
CS for SB 828

By the Committee on Governmental Oversight and Accountability; and Senator Hutson

585-02668-22 2022828c1

A bill to be entitled

An act relating to critical infrastructure standards and procedures; creating s. 282.32, F.S.; providing a short title; providing legislative findings; providing definitions; requiring a local government asset owner procuring certain components, services, or solutions or entering into certain contracts to require conformance with certain standards, beginning on a specified date; requiring such a local government asset owner to ensure that certain contracts require that certain components meet certain minimum standards; requiring the Florida Digital Service, in consultation with the Florida Cybersecurity Advisory Council, to adopt rules; providing an effective date.

WHEREAS, the operational technologies that automate the critical infrastructure of daily life are experiencing a rapid increase in cybersecurity incidents, and the impact of such incidents affect life, safety, the environment, and economic viability across sectors, and

WHEREAS, the recent cybersecurity hacking and shutdown of the Colonial Pipeline by the criminal enterprise DarkSide in 2021; the infiltration of the Bowman Avenue Dam in Rye Brook, New York, by Iranian hackers in 2013; and the intrusion of numerous federal agencies by suspected Russian hackers underscore the need to provide the public and private sectors with clarity and support on how to improve the cybersecurity of control systems, NOW, THEREFORE,

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 282.32, Florida Statutes, is created to read:

282.32 Critical infrastructure standards and procedures.—

(1) This section may be cited as the “Critical Infrastructure Standards and Procedures Act.”

(2) The Legislature finds that standard definitions of the security capabilities of system components are necessary to provide a common language for product suppliers and other control system stakeholders and to simplify the procurement and integration processes for the computers, applications, network equipment, and control devices that make up a control system. The United States National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which references several relevant cybersecurity standards, including the International Society of Automation ISA 62443 series of standards, is an appropriate resource for use in establishing such standard definitions.

(3) As used in this section, the term:

(a) “Automation and control system” means the personnel, hardware, software, and policies involved in the operation of critical infrastructure which may affect or influence such critical infrastructure’s safe, secure, and reliable operation.

(b) “Automation and control system component” means control systems and complementary hardware and software components that are installed and configured to operate in an automation and control system. For purposes of this section, the term “control systems” includes, but is not limited to:

1. Distributed control systems, programmable logic controllers, remote terminal units, intelligent electronic devices, supervisory control and data acquisition, networked electronic sensing and control, monitoring and diagnostic systems, and process control systems, including basic process control system and safety-instrumented system functions, regardless of whether such functions are physically separate or integrated.

2. Associated information and analytic systems, including advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.

3. Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

(c) “Critical infrastructure” means infrastructure for which all assets, systems, and networks, regardless of whether physical or virtual, are considered vital and vulnerable to cybersecurity attacks as determined by the Florida Digital Service in consultation with the Florida Cybersecurity Advisory Council. The term includes, but is not limited to, public transportation as defined in s. 163.566(8); water and wastewater treatment facilities; public utilities and services subject to the jurisdiction, supervision, powers, and duties of the Public Service Commission; public buildings, including buildings operated by the state university system; hospitals and public health facilities; and financial services organizations.

(d) “Local government asset owner” means the local government owner or entity accountable and responsible for operation of critical infrastructure and its automation and control system. The term includes the operator of the automation and control system and the equipment under control.

(e) “Operational technology” means the hardware and software that cause or detect a change through the direct monitoring or control of physical devices, systems, processes, or events in critical infrastructure.

(4) Beginning July 1, 2022, a local government asset owner procuring automation and control system components, services, or solutions or entering into a contract for the construction, reconstruction, alteration, or design of a critical infrastructure facility must require that such components, services, and solutions conform to the ISA 62443 series of standards as referenced by the NIST CSF. Such local government asset owner shall ensure that all contracts for the construction, reconstruction, alteration, or design of a critical infrastructure facility require that installed automation and control system components meet the minimum standards for cybersecurity as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

Section 2. The Florida Digital Service shall, in consultation with the Florida Cybersecurity Advisory Council, adopt rules to implement this act.

Section 3. This act shall take effect July 1, 2022.