Florida Senate - 2022 CS for SB 828
By the Committee on Governmental Oversight and Accountability;
and Senator Hutson
585-02668-22 2022828c1
1 A bill to be entitled
2 An act relating to critical infrastructure standards
3 and procedures; creating s. 282.32, F.S.; providing a
4 short title; providing legislative findings; providing
5 definitions; requiring a local government asset owner
6 procuring certain components, services, or solutions
7 or entering into certain contracts to require
8 conformance with certain standards, beginning on a
9 specified date; requiring such a local government
10 asset owner to ensure that certain contracts require
11 that certain components meet certain minimum
12 standards; requiring the Florida Digital Service, in
13 consultation with the Florida Cybersecurity Advisory
14 Council, to adopt rules; providing an effective date.
15
16 WHEREAS, the operational technologies that automate the
17 critical infrastructure of daily life are experiencing a rapid
18 increase in cybersecurity incidents, and the impact of such
19 incidents affect life, safety, the environment, and economic
20 viability across sectors, and
21 WHEREAS, the recent cybersecurity hacking and shutdown of
22 the Colonial Pipeline by the criminal enterprise DarkSide in
23 2021; the infiltration of the Bowman Avenue Dam in Rye Brook,
24 New York, by Iranian hackers in 2013; and the intrusion of
25 numerous federal agencies by suspected Russian hackers
26 underscore the need to provide the public and private sectors
27 with clarity and support on how to improve the cybersecurity of
28 control systems, NOW, THEREFORE,
29
30 Be It Enacted by the Legislature of the State of Florida:
31
32 Section 1. Section 282.32, Florida Statutes, is created to
33 read:
34 282.32 Critical infrastructure standards and procedures.—
35 (1) This section may be cited as the “Critical
36 Infrastructure Standards and Procedures Act.”
37 (2) The Legislature finds that standard definitions of the
38 security capabilities of system components are necessary to
39 provide a common language for product suppliers and other
40 control system stakeholders and to simplify the procurement and
41 integration processes for the computers, applications, network
42 equipment, and control devices that make up a control system.
43 The United States National Institute of Standards and Technology
44 Cybersecurity Framework (NIST CSF), which references several
45 relevant cybersecurity standards, including the International
46 Society of Automation ISA 62443 series of standards, is an
47 appropriate resource for use in establishing such standard
48 definitions.
49 (3) As used in this section, the term:
50 (a) “Automation and control system” means the personnel,
51 hardware, software, and policies involved in the operation of
52 critical infrastructure which may affect or influence such
53 critical infrastructure’s safe, secure, and reliable operation.
54 (b) “Automation and control system component” means control
55 systems and complementary hardware and software components that
56 are installed and configured to operate in an automation and
57 control system. For purposes of this section, the term “control
58 systems” includes, but is not limited to:
59 1. Distributed control systems, programmable logic
60 controllers, remote terminal units, intelligent electronic
61 devices, supervisory control and data acquisition, networked
62 electronic sensing and control, monitoring and diagnostic
63 systems, and process control systems, including basic process
64 control system and safety-instrumented system functions,
65 regardless of whether such functions are physically separate or
66 integrated.
67 2. Associated information and analytic systems, including
68 advanced or multivariable control, online optimizers, dedicated
69 equipment monitors, graphical interfaces, process historians,
70 manufacturing execution systems, and plant information
71 management systems.
72 3. Associated internal, human, network, or machine
73 interfaces used to provide control, safety, and manufacturing
74 operations functionality to continuous, batch, discrete, and
75 other processes as defined in the ISA 62443 series of standards
76 as referenced by the NIST CSF.
77 (c) “Critical infrastructure” means infrastructure for
78 which all assets, systems, and networks, regardless of whether
79 physical or virtual, are considered vital and vulnerable to
80 cybersecurity attacks as determined by the Florida Digital
81 Service in consultation with the Florida Cybersecurity Advisory
82 Council. The term includes, but is not limited to, public
83 transportation as defined in s. 163.566(8); water and wastewater
84 treatment facilities; public utilities and services subject to
85 the jurisdiction, supervision, powers, and duties of the Public
86 Service Commission; public buildings, including buildings
87 operated by the state university system; hospitals and public
88 health facilities; and financial services organizations.
89 (d) “Local government asset owner” means the local
90 government owner or entity accountable and responsible for
91 operation of critical infrastructure and its automation and
92 control system. The term includes the operator of the automation
93 and control system and the equipment under control.
94 (e) “Operational technology” means the hardware and
95 software that cause or detect a change through the direct
96 monitoring or control of physical devices, systems, processes,
97 or events in critical infrastructure.
98 (4) Beginning July 1, 2022, a local government asset owner
99 procuring automation and control system components, services, or
100 solutions or entering into a contract for the construction,
101 reconstruction, alteration, or design of a critical
102 infrastructure facility must require that such components,
103 services, and solutions conform to the ISA 62443 series of
104 standards as referenced by the NIST CSF. Such local government
105 asset owner shall ensure that all contracts for the
106 construction, reconstruction, alteration, or design of a
107 critical infrastructure facility require that installed
108 automation and control system components meet the minimum
109 standards for cybersecurity as defined in the ISA 62443 series
110 of standards as referenced by the NIST CSF.
111 Section 2. The Florida Digital Service shall, in
112 consultation with the Florida Cybersecurity Advisory Council,
113 adopt rules to implement this act.
114 Section 3. This act shall take effect July 1, 2022.