Florida Senate - 2022                                     SB 828
       
       
        
       By Senator Hutson
       
       
       
       
       
       7-00350-22                                             2022828__
    1                        A bill to be entitled                      
    2         An act relating to critical infrastructure; providing
    3         a short title; creating s. 943.6873, F.S.; providing
    4         legislative findings; defining terms; requiring that,
    5         beginning on a specified date, asset owners ensure
    6         that the operation and maintenance of operational
    7         technology comply with specified standards and
    8         practices; requiring, beginning on a specified date,
    9         asset owners to require that certain components,
   10         services, and solutions conform to such standards and
   11         practices; requiring that certain contracts for
   12         critical infrastructure meet specified minimum
   13         standards; providing requirements and procedures
   14         relating to civil actions based on cybersecurity
   15         breach-related claims; authorizing a court to take
   16         specified action upon a showing that a business, a
   17         service provider, or another person or entity violates
   18         the act; authorizing the Department of Law Enforcement
   19         to institute appropriate legal proceedings against a
   20         business, a service provider, or another person or
   21         entity that violates the act; providing procedures for
   22         such legal proceedings; providing for departmental
   23         actions; requiring the department to adopt rules;
   24         providing an effective date.
   25  
   26         WHEREAS, the operational technologies that automate the
   27  critical infrastructure of and commercial facilities in this
   28  state are experiencing a rapid increase in cybersecurity
   29  incidents, and the impact is serious, affecting daily life,
   30  public safety, the environment, and economic viability across
   31  sectors, and
   32         WHEREAS, the recent cybersecurity intrusion of the public
   33  water system in Oldsmar, the hacking and shutdown of the
   34  Colonial Pipeline by the criminal enterprise Darkside, the
   35  infiltration of the Bowman Dam in Rye Brook, New York, by
   36  Iranian hackers in 2013, and the intrusion of numerous federal
   37  agencies by suspected Russian hackers underscore the need to
   38  provide the public and private sectors with clarity and support
   39  in improving control systems cybersecurity, NOW, THEREFORE,
   40  
   41  Be It Enacted by the Legislature of the State of Florida:
   42  
   43         Section 1. This act may be cited as the “Critical
   44  Infrastructure Standards and Procedures Act.”
   45         Section 2. Section 943.6873, Florida Statutes, is created
   46  to read:
   47         943.6873 Critical infrastructure standards; civil actions.—
   48         (1) The Legislature finds that a standard definition of the
   49  security capabilities for system components will provide a
   50  common language for product suppliers and all other control
   51  system stakeholders, simplifying the procurement and integration
   52  processes for the computers, applications, network equipment,
   53  and control devices that make up a control system. The United
   54  States National Institute of Standards and Technology (NIST)
   55  published the NIST Cybersecurity Framework, which references
   56  several relevant cybersecurity standards, including the
   57  internationally recognized ISA/IEC 62443 series of standards.
   58  These standards define a set of measures and benchmarks
   59  specifically built to guide organizations through the process of
   60  assessing the risk associated with a particular automation and
   61  control system and in identifying and applying security
   62  countermeasures to reduce that risk.
   63         (2) As used in this section, the term:
   64         (a) “Asset owner” means the public or private owner of, or
   65  the entity accountable and responsible for operation of, the
   66  critical infrastructure and the automation and control system.
   67  The asset owner is also the operator of the automation and
   68  control system components and the equipment under its control.
   69         (b) “Automation and control system” means a collection of
   70  personnel, hardware, software, and policies associated with the
   71  operation of the critical infrastructure which can affect or
   72  influence its safe, secure, and reliable operation.
   73         (c) “Automation and control system component” means control
   74  systems and any complementary hardware and software components
   75  installed and configured to operate in an automation and control
   76  system. These systems include, but are not limited to:
   77         1. Control systems, including distributed control systems,
   78  programmable logic controllers, remote terminal units,
   79  intelligent electronic devices, supervisory control and data
   80  acquisition, networked electronic sensing and control,
   81  monitoring and diagnostic systems, and process control systems
   82  that include physically separate or integrated basic process
   83  control system and safety-instrumented system functions;
   84         2. Associated information systems, such as advanced or
   85  multivariable control, online optimizers, dedicated equipment
   86  monitors, graphical interfaces, process historians,
   87  manufacturing execution systems, and plant information
   88  management systems; and
   89         3. Associated internal, human, network, or machine
   90  interfaces used to provide control, safety, and manufacturing
   91  operations functionality to continuous, batch, discrete, and
   92  other processes as defined by the International Society of
   93  Automation ISA/IEC 62443 series of standards as referenced by
   94  the NIST Cybersecurity Framework.
   95         (d) “Critical infrastructure” means all physical and
   96  virtual assets, systems, and networks considered vital and
   97  vulnerable to cybersecurity attacks, as determined by the
   98  department in consultation with the Florida Digital Service and
   99  the Florida Cybersecurity Advisory Council. Critical
  100  infrastructure includes, but is not limited to, public
  101  transportation as defined in s. 163.566; water and wastewater
  102  treatment facilities, public utilities, and public services
  103  subject to the jurisdiction, supervision, powers, and duties of
  104  the Florida Public Service Commission; public buildings,
  105  including those operated by the State University System;
  106  hospitals and public health facilities; and financial services
  107  organizations regulated by the Department of Financial Services.
  108         (e) “Cybersecurity-breach-related claim” means a legal
  109  proceeding or civil action against an asset owner for failure to
  110  meet the minimum standards required by this section.
  111         (f) “Department” means the Department of Law Enforcement.
  112         (g) “Operation technology” means the hardware and software
  113  that detects or causes a change through the direct monitoring or
  114  control of physical devices and systems, processes, and events
  115  in the critical infrastructure.
  116         (3) Beginning on July 1, 2024, the asset owner shall ensure
  117  that the operation and maintenance of operational technology,
  118  including critical infrastructure, automation control systems,
  119  and automation control system components, are compliant with the
  120  standards and practices defined in the ISA/IEC 62443 series of
  121  standards as referenced by the NIST Cybersecurity Framework,
  122  including annual risk assessments and creation of a mitigation
  123  plan.
  124         (4) Beginning on July 1, 2026, when procuring automation
  125  and control system components, services, or solutions, or when
  126  contracting for facility upgrades or the construction of
  127  critical infrastructure facilities, an asset owner shall require
  128  that those components, services, or solutions conform to the
  129  ISA/IEC 62443 series of standards as referenced by the NIST
  130  Cybersecurity Framework for defining measures to assure
  131  conformance. All contracts awarded for construction,
  132  reconstruction, alteration, design, or commissioning of
  133  facilities identified as critical infrastructure must require
  134  that installed automation and control components meet the
  135  minimum standards for cybersecurity as defined by the ISA/IEC
  136  62443 series of standards as referenced by the NIST
  137  Cybersecurity Framework.
  138         (5) In any civil action based on a cybersecurity-breach
  139  related claim, including a civil action brought by the
  140  department pursuant to subsection (6):
  141         (a) A court shall determine as a matter of law whether the
  142  defendant made a good faith effort to comply with subsection (3)
  143  or subsection (4), as applicable.
  144         (b) If the court determines that the defendant made such a
  145  good faith effort, the defendant is immune from civil liability.
  146         (c) If the court determines that the defendant did not make
  147  such a good faith effort, the plaintiff may proceed with the
  148  action.
  149         (d) The trial court, upon a showing that any business,
  150  service provider, or other person or entity is in violation of
  151  this section, may take any of the following actions:
  152         1. Issue a temporary or permanent injunction.
  153         2. Impose a civil penalty of not more than $2,500 for each
  154  unintentional violation or $7,500 for each intentional
  155  violation.
  156         3. Award reasonable costs of enforcement, including
  157  reasonable attorney fees and costs.
  158         4. Grant any other relief as the court deems appropriate.
  159         (6) If the department has reason to believe that any
  160  business, service provider, or other person or entity is in
  161  violation of this section and that proceedings would be in the
  162  public interest, the department may institute an appropriate
  163  legal proceeding, which may include a civil action, against such
  164  party.
  165         (a) After the department has notified a business in writing
  166  of an alleged violation, the department may grant the business,
  167  service provider, or other person or entity a 30-day period to
  168  cure the alleged violation. The department may consider the
  169  number of violations, the substantial likelihood of injury to
  170  the public, or the safety of persons or property in determining
  171  whether to grant the 30-day period to cure an alleged violation.
  172         (b) If the business, service provider, or other person or
  173  entity cures the alleged violation to the satisfaction of the
  174  department and provides proof of such cure to the department,
  175  the department may issue a letter of guidance to the business,
  176  service provider, or other person or entity which indicates that
  177  the business, service provider, or other person or entity will
  178  not be offered a 30-day cure period for any future violation. If
  179  the business, service provider, or other person or entity fails
  180  to cure the violation within 30 days, the department may bring a
  181  legal proceeding against the business for the alleged violation.
  182         (7) The department shall adopt rules, in consultation with
  183  the Florida Digital Service and the Florida Cybersecurity
  184  Advisory Council, to implement and administer this section.
  185         Section 3. This act shall take effect October 1, 2022.