Florida Senate - 2022                              CS for SB 828
       
       
        
       By the Committee on Governmental Oversight and Accountability;
       and Senator Hutson
       
       
       
       
       585-02668-22                                           2022828c1
    1                        A bill to be entitled                      
    2         An act relating to critical infrastructure standards
    3         and procedures; creating s. 282.32, F.S.; providing a
    4         short title; providing legislative findings; providing
    5         definitions; requiring a local government asset owner
    6         procuring certain components, services, or solutions
    7         or entering into certain contracts to require
    8         conformance with certain standards, beginning on a
    9         specified date; requiring such a local government
   10         asset owner to ensure that certain contracts require
   11         that certain components meet certain minimum
   12         standards; requiring the Florida Digital Service, in
   13         consultation with the Florida Cybersecurity Advisory
   14         Council, to adopt rules; providing an effective date.
   15  
   16         WHEREAS, the operational technologies that automate the
   17  critical infrastructure of daily life are experiencing a rapid
   18  increase in cybersecurity incidents, and the impact of such
   19  incidents affect life, safety, the environment, and economic
   20  viability across sectors, and
   21         WHEREAS, the recent cybersecurity hacking and shutdown of
   22  the Colonial Pipeline by the criminal enterprise DarkSide in
   23  2021; the infiltration of the Bowman Avenue Dam in Rye Brook,
   24  New York, by Iranian hackers in 2013; and the intrusion of
   25  numerous federal agencies by suspected Russian hackers
   26  underscore the need to provide the public and private sectors
   27  with clarity and support on how to improve the cybersecurity of
   28  control systems, NOW, THEREFORE,
   29  
   30  Be It Enacted by the Legislature of the State of Florida:
   31  
   32         Section 1. Section 282.32, Florida Statutes, is created to
   33  read:
   34         282.32 Critical infrastructure standards and procedures.—
   35         (1) This section may be cited as the “Critical
   36  Infrastructure Standards and Procedures Act.”
   37         (2) The Legislature finds that standard definitions of the
   38  security capabilities of system components are necessary to
   39  provide a common language for product suppliers and other
   40  control system stakeholders and to simplify the procurement and
   41  integration processes for the computers, applications, network
   42  equipment, and control devices that make up a control system.
   43  The United States National Institute of Standards and Technology
   44  Cybersecurity Framework (NIST CSF), which references several
   45  relevant cybersecurity standards, including the International
   46  Society of Automation ISA 62443 series of standards, is an
   47  appropriate resource for use in establishing such standard
   48  definitions.
   49         (3) As used in this section, the term:
   50         (a) “Automation and control system” means the personnel,
   51  hardware, software, and policies involved in the operation of
   52  critical infrastructure which may affect or influence such
   53  critical infrastructure’s safe, secure, and reliable operation.
   54         (b) “Automation and control system component” means control
   55  systems and complementary hardware and software components that
   56  are installed and configured to operate in an automation and
   57  control system. For purposes of this section, the term “control
   58  systems” includes, but is not limited to:
   59         1. Distributed control systems, programmable logic
   60  controllers, remote terminal units, intelligent electronic
   61  devices, supervisory control and data acquisition, networked
   62  electronic sensing and control, monitoring and diagnostic
   63  systems, and process control systems, including basic process
   64  control system and safety-instrumented system functions,
   65  regardless of whether such functions are physically separate or
   66  integrated.
   67         2. Associated information and analytic systems, including
   68  advanced or multivariable control, online optimizers, dedicated
   69  equipment monitors, graphical interfaces, process historians,
   70  manufacturing execution systems, and plant information
   71  management systems.
   72         3. Associated internal, human, network, or machine
   73  interfaces used to provide control, safety, and manufacturing
   74  operations functionality to continuous, batch, discrete, and
   75  other processes as defined in the ISA 62443 series of standards
   76  as referenced by the NIST CSF.
   77         (c) “Critical infrastructure” means infrastructure for
   78  which all assets, systems, and networks, regardless of whether
   79  physical or virtual, are considered vital and vulnerable to
   80  cybersecurity attacks as determined by the Florida Digital
   81  Service in consultation with the Florida Cybersecurity Advisory
   82  Council. The term includes, but is not limited to, public
   83  transportation as defined in s. 163.566(8); water and wastewater
   84  treatment facilities; public utilities and services subject to
   85  the jurisdiction, supervision, powers, and duties of the Public
   86  Service Commission; public buildings, including buildings
   87  operated by the state university system; hospitals and public
   88  health facilities; and financial services organizations.
   89         (d) “Local government asset owner” means the local
   90  government owner or entity accountable and responsible for
   91  operation of critical infrastructure and its automation and
   92  control system. The term includes the operator of the automation
   93  and control system and the equipment under control.
   94         (e) “Operational technology” means the hardware and
   95  software that cause or detect a change through the direct
   96  monitoring or control of physical devices, systems, processes,
   97  or events in critical infrastructure.
   98         (4) Beginning July 1, 2022, a local government asset owner
   99  procuring automation and control system components, services, or
  100  solutions or entering into a contract for the construction,
  101  reconstruction, alteration, or design of a critical
  102  infrastructure facility must require that such components,
  103  services, and solutions conform to the ISA 62443 series of
  104  standards as referenced by the NIST CSF. Such local government
  105  asset owner shall ensure that all contracts for the
  106  construction, reconstruction, alteration, or design of a
  107  critical infrastructure facility require that installed
  108  automation and control system components meet the minimum
  109  standards for cybersecurity as defined in the ISA 62443 series
  110  of standards as referenced by the NIST CSF.
  111         Section 2. The Florida Digital Service shall, in
  112  consultation with the Florida Cybersecurity Advisory Council,
  113  adopt rules to implement this act.
  114         Section 3. This act shall take effect July 1, 2022.