NY State Senate Bill 2021-S5579A

Archive: Last Bill Status Via A3904 - Passed Senate

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
May 17, 2022	returned to assembly passed senate 3rd reading cal.1008 substituted for s5579a
May 17, 2022	substituted by a3904b
May 05, 2022	advanced to third reading
May 04, 2022	2nd report cal.
May 03, 2022	1st report cal.1008
Apr 26, 2022	reported and committed to finance
Mar 25, 2022	print number 5579a
Mar 25, 2022	amend and recommit to energy and telecommunications
Jan 05, 2022	referred to energy and telecommunications
Mar 11, 2021	referred to energy and telecommunications

Votes

- May 17, 2022 - Floor Vote
  A3904
  
  Aye
  
  61
  
  Nay
  
  0
  
  Absent
  
  0
  
  Excused
  
  2
  
  Abstained
  
  0
  - - Floor Vote: May 17, 2022
      
      aye (61)
      
      Addabbo Jr.
      
      Akshar
      
      Bailey
      
      Biaggi
      
      Borrello
      
      Boyle
      
      Breslin
      
      Brisport
      
      Brooks
      
      Cleare
      
      Comrie
      
      Cooney
      
      Felder
      
      Gallivan
      
      Gaughran
      
      Gianaris
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Helming
      
      Hinchey
      
      Hoylman-Sigal
      
      Jackson
      
      Jordan
      
      Kaminsky
      
      Kaplan
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      Lanza
      
      Liu
      
      Mannion
      
      Martucci
      
      Mattera
      
      May
      
      Mayer
      
      Myrie
      
      O'Mara
      
      Oberacker
      
      Ortt
      
      Palumbo
      
      Parker
      
      Persaud
      
      Ramos
      
      Rath III
      
      Reichlin-Melnick
      
      Ritchie
      
      Rivera
      
      Ryan
      
      Salazar
      
      Savino
      
      Sepúlveda
      
      Serino
      
      Serrano
      
      Skoufis
      
      Stavisky
      
      Stec
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      Weik
      
      excused (2)
      
      Brouk
      
      Sanders Jr.
  May 3, 2022 - Finance Committee Vote
  S5579A
  
  Aye
  
  22
  
  Nay
  
  0
  
  Aye with Reservations
  
  0
  
  Absent
  
  1
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Finance Committee Vote: May 3, 2022
      
      aye (22)
      
      Bailey
      
      Borrello
      
      Breslin
      
      Comrie
      
      Gallivan
      
      Gounardes
      
      Griffo
      
      Harckham
      
      Hoylman-Sigal
      
      Kennedy
      
      Krueger
      
      Liu
      
      O'Mara
      
      Ritchie
      
      Rivera
      
      Salazar
      
      Savino
      
      Serino
      
      Skoufis
      
      Stavisky
      
      Tedisco
      
      Thomas
      
      absent (1)
      
      Parker
  Apr 26, 2022 - Energy And Telecommunications Committee Vote
  S5579A
  
  Aye
  
  8
  
  Nay
  
  0
  
  Aye with Reservations
  
  1
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Energy And Telecommunications Committee Vote: Apr 26, 2022
      
      aye (8)
      
      Boyle
      
      Gaughran
      
      Harckham
      
      Hinchey
      
      Kavanagh
      
      Kennedy
      
      Parker
      
      Ritchie
      
      aye wr (1)
      
      O'Mara

Bill Amendments

Original

A (Active)

2021-S5579 - Details

See Assembly Version of this Bill:: A3904
Law Section:: Energy Law
Laws Affected:: Amd §§3-101 & 1-103, Energy L; amd §709, Exec L; amd §66, Pub Serv L
Versions Introduced in 2019-2020 Legislative Session:: S8794, A10006

2021-S5579 - Summary

Relates to critical energy infrastructure security and responsibility; relates to the protection of critical infrastructure in the state.

2021-S5579 - Sponsor Memo

                                
 
BILL NUMBER: S5579

SPONSOR: PARKER
 
TITLE OF BILL:

An act to amend the energy law, the executive law and the public service
law, in relation to critical energy infrastructure security and respon-
sibility

 
PURPOSE OR GENERAL IDEA OF BILL:

This legislation will protect New York's critical energy infrastructure
from cyber attacks.

 
SUMMARY OF PROVISIONS:

Section 1 amends the energy law by adding the protection of critical
energy infrastructure to the energy policy of the state.

Section 2 amends the energy law to define "critical energy infrastruc-
ture" and "industrial control systems".

Section 3 amends the executive law by empowering the Division of Home-
land Security and Emergency Services to work with local, state, and
federal agencies and private entities to conduct assessments of the
vulnerabilities of critical infrastructure to cyber-attacks.

Section 4 amends the public service law to require the Public Service
Commission to include in its five year audit of gas corporations and
electric corporations an evaluation of the efficiency of the company's
operations and protection of critical energy infrastructure.

Section 5 amends the public service law by adding cyber-attacks to elec-
tric corporations emergency response plans.

Section 6 amends the public service law to require the Public Service
Commission to direct electric or gas corporations to implement tools to
continuously monitor operational control networks and to submit a report
every five years reviewing the corporation's compliance with the order.
Additionally, the PSC shall direct electric and gas corporations to
require that smart meters connected to their distribution networks
utilize an interoperability standard.

Section 7 is the effective date.

 
JUSTIFICATION:

On the afternoon of December 23, 2015, more than 230,000 residents in
Ukraine were suddenly plunged into darkness. Power grid operators
watched helplessly as the cursors on their computer monitors began
moving on their own, eventually disabling power at roughly 30
substations (1). Hackers have similarly probed the American energy grid
(2)(3), including in 2017, when the power plant that provides energy to
Fort Drum in Upstate New York was targeted by foreign hackers in a
massive breach of our nation's energy grid (4). Cyber criminals, in
addition to nation-states, have likewise discovered the pain point that
our energy grid represents (5) . These episodes highlight the need for
immediate action by New York State to protect critical infrastructure
from threats to our energy grid. Utilities and generators in New York
are turning, in some cases rapidly, to digitalization. The New York
Power Authority is the vanguard of this movement, with it's "Vision
2020" initiative designed to build the first "next generation" electric
utility (6). The benefits come in the form of increased efficiency,
network reliability, and predictive tools that will enable NYPA to
better move renewable energy from generation sites in Upstate New York
and offsh ore to high-demand regions like New York City. Other utilities
are rolling out a variety of Internet connected devices which will
enable customers to monitor and curb their electricity use in real time
and provide savings by encouraging those customers to move their energy
intensive activities to "off-peak" hours.

However, cyber attacks targeting the energy grid through Internet
connected devices have occurred in other countries pointing to possible
security risks (7). In Spain, for instance, researchers have found secu-
rity flaws in internet connected metering devices that would enable
hackers to shut down power to individual homes, create fraudulent bill-
ing, or turn the meters against the grid in order to cause widespread
blackouts (8). Additionally, the end to end digitization of grid opera-
tors and power generators, including NYPA, means each sensor must be
secured and continuously monitored.  Otherwise, this energy "Internet of
Things" could become a vulnerability and exponentially increase the
attack surface for cyber attacks.

Today, New York's laws are inadequate to protect critical energy infras-
tructure from the evolving threat of cyber attacks. To address this
situation, this legislation would: (1) enshrine the protection of crit-
ical energy infrastructure in the energy policy of the state;

(2) define "critical energy infrastructure" and "industrial control
systems" to ensure future legislation is able to be easily created in
this space;

(3) empower the Division of Homeland Security and Emergency Services to
assess the vulnerabilities of critical infrastructure to cyber attack;

(4) require the Public Service Commission to include an assessment of
how well gas and electric corporations are protecting critical energy
infrastructure in their five year audits; (5) require electric corpo-
rations to include a response to cyber attacks in their annual emergency
response plans; (6) require electric and gas corporations to develop and
implement tools to ensure their industrial control systems are being
continuously monitored for behavioral anomalies

(7); and (8) ensure smart meters that are connected to the energy grid
utilize an-on-proprietary wireless standard that provides for easy diag-
nostics, up-to-date security protocols, and prevents network lock-in.

 
PRIOR LEGISLATIVE HISTORY:

2019-20: 58794 - reported referred to rules

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

None.

 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become law. The PSC is authorized and directed to immediately
take action to promulgate rules and regulations related to subdivisions
29 and 30 of section 66 of the public service law.
1) https://www.wired.com/2016/03/inside-cunning- unprecedented-hack-uk-
raines-power-grid/
2) https://www.utilitydive.com/news/hackers-hit- communicationssystem-
of-eneray-transfer-partners- pipeline/520531
3) https://wvvw.eenews.net/stories/1060242741
4) https://www.wsj.com/articles/americas- electric-grid-has-avulnera-
ble-back-doorand- russia-walked-through-it-11547137112
5) https://www.wired.com/story/ekans- ransomware-
industrialcontrolsystems/
6) hftps://www.nypaygov/about/strategic-vision
7) https://www.politico.eu/article/smart-grids-and-meters- raise-hack-
ing-risks/
8)https://www.reuters.com/article/
uscybersecurityspain-idUSKCNORW15E201410
9) https://www.utilitydive.com/news/old- windows-and-bad-passwords-util-
ity-cyber- vulnerabilities-grow- despite-c/565630/

2021-S5579 - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   5579
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                              March 11, 2021
                                ___________
 
 Introduced  by  Sen.  PARKER -- read twice and ordered printed, and when
   printed to be committed to the Committee on  Energy  and  Telecommuni-
   cations
 
 AN ACT to amend the energy law, the executive law and the public service
   law,  in  relation  to  critical  energy  infrastructure  security and
   responsibility

   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Subdivision  1  of  section  3-101  of the energy law, as
 amended by chapter 253 of the laws  of  2013,  is  amended  to  read  as
 follows:
   1.  to  obtain and maintain an adequate and continuous supply of safe,
 dependable and economical energy for the people of the state,  INCLUDING
 THROUGH  THE  PROTECTION OF CRITICAL ENERGY INFRASTRUCTURE AS DEFINED IN
 SUBDIVISION FOURTEEN OF SECTION 1-103 OF THIS CHAPTER, and to accelerate
 development and use within the state of renewable energy sources, all in
 order to promote the state's economic growth, to create employment with-
 in the state, to  protect  its  environmental  values  and  agricultural
 heritage,  to  husband  its  resources  for  future  generations, and to
 promote the health and welfare of its people;
   § 2. Section 1-103 of the energy law is  amended  by  adding  two  new
 subdivisions 14 and 15 to read as follows:
   14.  "CRITICAL  ENERGY INFRASTRUCTURE" MEANS SYSTEMS, INCLUDING INDUS-
 TRIAL CONTROL SYSTEMS, CUSTOMER  ELECTRICAL  OR  GAS  CONSUMPTION  DATA,
 ASSETS,  PLACES  OR THINGS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL TO THE
 STATE  THAT  THE  DISRUPTION,  INCAPACITATION  OR  DESTRUCTION  OF  SUCH
 SYSTEMS,  INCLUDING  INDUSTRIAL  CONTROL SYSTEMS, CUSTOMER ELECTRICAL OR
 GAS CONSUMPTION DATA, ASSETS, PLACES  OR  THINGS  COULD  JEOPARDIZE  THE
 HEALTH, SAFETY, WELFARE, ENERGY DISTRIBUTION, TRANSMISSION, RELIABILITY,
 OR SECURITY OF THE STATE, ITS RESIDENTS OR ITS ECONOMY.
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD06856-01-1

 S. 5579                             2
 
   15. "INDUSTRIAL CONTROL SYSTEMS" MEANS A COMBINATION OF CONTROL COMPO-
 NENTS  THAT  SUPPORT  OPERATIONAL FUNCTIONS IN GAS, DISTRIBUTION, TRANS-
 MISSION, AND ADVANCED METERING INFRASTRUCTURE CONTROL CENTERS,  AND  ACT
 TOGETHER TO ACHIEVE AN INDUSTRIAL OBJECTIVE, INCLUDING CONTROLS THAT ARE
 FULLY AUTOMATED OR THAT INCLUDE A HUMAN-MACHINE INTERFACE.
   §  3.  Paragraph  (j) of subdivision 2 of section 709 of the executive
 law, as amended by section 14 of part B of chapter 56  of  the  laws  of
 2010, is amended to read as follows:
   (j)  work  with local, state and federal agencies and private entities
 to conduct assessments of the vulnerability of  critical  infrastructure
 to terrorist attack, CYBER ATTACK, and other natural and man-made disas-
 ters,  including,  but not limited to, nuclear facilities, power plants,
 telecommunications systems, mass transportation  systems,  public  road-
 ways,  railways,  bridges  and tunnels, AND ATTENDANT INDUSTRIAL CONTROL
 SYSTEMS AS DEFINED BY SUBDIVISION FIFTEEN OF SECTION 1-103 OF THE ENERGY
 LAW and develop strategies that may be used to protect such  infrastruc-
 ture from terrorist attack, CYBER ATTACK, and other natural and man-made
 disasters;
   §  4.    Paragraph  (a)  of subdivision 19 of section 66 of the public
 service law, as amended by section 4 of part X of chapter 57 of the laws
 of 2013, is amended to read as follows:
   (a) The commission shall have power  to  provide  for  management  and
 operations  audits  of  gas corporations and electric corporations. Such
 audits shall be performed at least once every five years for combination
 gas and electric corporations, as well as for straight gas  corporations
 having  annual  gross revenues in excess of two hundred million dollars.
 The audit shall include, but not be limited to, an investigation of  the
 company's  construction program planning in relation to the needs of its
 customers for reliable service, an evaluation of the efficiency  of  the
 company's operations AND PROTECTION OF CRITICAL ENERGY INFRASTRUCTURE AS
 DEFINED  IN  SUBDIVISION  FOURTEEN  OF  SECTION 1-103 OF THE ENERGY LAW,
 recommendations with respect to same, and the timing with respect to the
 implementation  of  such  recommendations.  The  commission  shall  have
 discretion to have such audits performed by its staff, or by independent
 auditors.
   In  every  case  in  which  the  commission  chooses to have the audit
 provided for in this subdivision or pursuant to subdivision fourteen  of
 section sixty-five of this article performed by independent auditors, it
 shall  have authority to select the auditors, and to require the company
 being audited to enter into a contract with the auditors  providing  for
 their  payment  by the company. Such contract shall provide further that
 the auditors shall work for and under the direction  of  the  commission
 according  to  such  terms as the commission may determine are necessary
 and reasonable.
   § 5. Paragraph (a) of subdivision 21  of  section  66  of  the  public
 service  law,  as added by section 4 of part X of chapter 57 of the laws
 of 2013, is amended to read as follows:
   (a) Each electric corporation subject to section twenty-five-a of this
 chapter shall annually, on or before December fifteenth, submit  to  the
 commission an emergency response plan for review and approval. The emer-
 gency response plan shall be designed for the reasonably prompt restora-
 tion  of service in the case of an emergency event, defined for purposes
 of this subdivision as an event where widespread outages  have  occurred
 in  the service territory of the company due to storms, CYBER ATTACK, or
 other causes beyond the control of the company. The  emergency  response
 plan  shall  include, but need not be limited to, the following: (i) the

 S. 5579                             3
 
 identification of management staff responsible  for  company  operations
 during  an emergency; (ii) a communications system with customers during
 an emergency that extends beyond  normal  business  hours  and  business
 conditions;  (iii) identification of and outreach plans to customers who
 had documented their need for essential electricity for  medical  needs;
 (iv)  identification  of  and  outreach plans to customers who had docu-
 mented their need for essential electricity to provide critical telecom-
 munications,  critical  transportation,   critical   fuel   distribution
 services or other large-load customers identified by the commission; (v)
 designation  of  company  staff  to communicate with local officials and
 appropriate regulatory  agencies;  (vi)  provisions  regarding  how  the
 company  will  assure the safety of its employees and contractors; (vii)
 procedures for deploying company and mutual aid crews to work assignment
 areas; (viii) identification of additional supplies and equipment needed
 during an emergency; (ix) the means of obtaining additional supplies and
 equipment; (x) procedures to practice the emergency response plan;  (xi)
 appropriate  safety  precautions regarding electrical hazards, including
 plans to promptly secure downed wires within thirty-six hours of notifi-
 cation of the location of such downed wires from a  municipal  emergency
 official;  and (xii) such other additional information as the commission
 may require. Each such corporation shall, on an annual basis,  undertake
 drills  implementing  procedures  to  practice  its emergency management
 plan. The commission may adopt additional requirements  consistent  with
 ensuring  the reasonably prompt restoration of service in the case of an
 emergency event.
   § 6. Section 66 of the public service law is amended by adding two new
 subdivisions 29 and 30 to read as follows:
   29. PROMULGATE RULES AND REGULATIONS TO DIRECT ELECTRIC OR GAS  CORPO-
 RATIONS  TO  DEVELOP  AND IMPLEMENT TOOLS TO CONTINUOUSLY MONITOR OPERA-
 TIONAL CONTROL NETWORKS GIVING THE ELECTRIC OR GAS CORPORATION THE ABIL-
 ITY  TO  UNDERTAKE  THE  IMMEDIATE  DETECTION  OF  UNAUTHORIZED  NETWORK
 BEHAVIOR  RELATED  TO  SUCH CORPORATION'S INDUSTRIAL CONTROL SYSTEMS, AS
 DEFINED IN SUBDIVISION FIFTEEN OF SECTION 1-103 OF THE ENERGY LAW. ON OR
 BEFORE DECEMBER THIRTY-FIRST, TWO THOUSAND TWENTY-THREE  AND  NOT  LATER
 THAN  FIVE  YEARS  AFTER SUCH DATE, AND EVERY FIVE YEARS THEREAFTER, THE
 COMMISSION SHALL PROVIDE A REPORT TO THE GOVERNOR, THE TEMPORARY  PRESI-
 DENT  OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, THE CHAIRPERSON OF THE
 ASSEMBLY STANDING COMMITTEE ON ENERGY, AND THE CHAIRPERSON OF THE SENATE
 STANDING COMMITTEE ON ENERGY AND TELECOMMUNICATIONS  REVIEWING  ELECTRIC
 OR  GAS  CORPORATION  COMPLIANCE WITH THIS SECTION, INCLUDING, AS NECES-
 SARY, RECOMMENDATIONS TO THE LEGISLATURE IF  THE  COMMISSION  DETERMINES
 THAT ADDITIONAL MEASURES ARE REQUIRED TO ENSURE THE EFFECTIVE PROTECTION
 OF ELECTRIC OR GAS CORPORATION CRITICAL INFRASTRUCTURE.
   30.  PROMULGATE RULES AND REGULATIONS TO DIRECT ELECTRIC OR GAS CORPO-
 RATIONS TO REQUIRE THE INSTALLATION OF ADVANCED METERING  INFRASTRUCTURE
 THAT  CONNECTS  TO  THE ELECTRIC OR GAS DISTRIBUTION NETWORK OPERATED BY
 SUCH ELECTRIC OR GAS CORPORATION BE PERMITTED ONLY SO LONG AS ACCESS  TO
 THE  ADVANCED METER INFRASTRUCTURE IS GRANTED VIA A WIRELESS MESH INTER-
 OPERABILITY STANDARD THAT IS SHARED BY AT LEAST  TWO  ADVANCED  METERING
 INFRASTRUCTURE PROVIDERS OPERATING WITHIN THE UNITED STATES OF AMERICA.
   § 7. This act shall take effect on the one hundred eightieth day after
 it  shall  have  become a law. Effective immediately, the public service
 commission is authorized and  directed  to  take  actions  necessary  to
 promulgate rules and regulations related to the implementation of subdi-
 visions  29  and 30 of section 66 of the public service law on or before
 such effective date.

2021-S5579A (ACTIVE) - Details

See Assembly Version of this Bill:: A3904
Law Section:: Energy Law
Laws Affected:: Amd §§3-101 & 1-103, Energy L; amd §709, Exec L; amd §66, Pub Serv L
Versions Introduced in 2019-2020 Legislative Session:: S8794, A10006

2021-S5579A (ACTIVE) - Summary

Relates to critical energy infrastructure security and responsibility; relates to the protection of critical infrastructure in the state.

2021-S5579A (ACTIVE) - Sponsor Memo

                                 
BILL NUMBER: S5579A

SPONSOR: PARKER
 
TITLE OF BILL:

An act to amend the energy law, the executive law and the public service
law, in relation to critical energy infrastructure security and respon-
sibility

 
PURPOSE OR GENERAL IDEA OF BILL:

This legislation will protect New York's critical energy infrastructure
from cyber attacks. Summary of Provisions:

Section 1 amends the energy law by adding the protection of critical
energy infrastructure to the energy policy of the state.

Section 2 amends the energy law to define "critical energy infrastruc-
ture" and "industrial control systems".

Section 3 amends the executive law by empowering the Division of Home-
land Security and Emergency Services to work with local, state, and
federal agencies and private entities to conduct assessments of the

vulnerabilities of critical infrastructure to cyber attacks.

Section 4 amends the public service law to require the Public Service
Commission to include in its five year audit of gas corporations and
electric corporations an evaluation of the efficiency of the company's
operations and protection of critical energy infrastructure.

Section 5 amends the public service law by adding cyber attacks to elec-
tric corporations emergency response plans.

Section 6 amends the public service law to require the Public Service
Commission to direct electric or gas corporations to implement tools to
continuously monitor operational control networks and to submit a report
every five years reviewing the corporation's compliance with the order.
Additionally, the PSC shall direct electric and gas corporations to
require that smart meters connected to their distribution networks
utilize an interoper ability standard.

Section 7 is the effective date.

 
JUSTIFICATION:

On the afternoon of December 23, 2015, more than 230,000 residents in
Ukraine were suddenly plunged into darkness. Power grid operators
watched helplessly as the cursors on their computer' monitors began
moving on their own, eventually disabling power at roughly 30
substations (1). Hackers have similarly probed the American energy grid
(2)(3), including in 2017, when the power plant that provides energy to
Fort Drum in Upstate New York was targeted by foreign hackers in a
massive breach of our nation's energy grid (4). Cyber criminals, in
addition to nation-states, have likewise discovered the pain point that
our energy grid represents (5) . These episodes highlight the need for
immediate action by New York State to protect critical infrastructure
from threats to our energy grid.


Utilities and generators in New York are turning, in some cases rapidly,
to digitalization. The New York Power Authority is the vanguard of this
movement, with its "Vision 2020" initiative designed to build the first
"next generation" electric utility (6). The benefits come in the form of
increased efficiency, network reliability, and predictive tools that
will enable NYPA to better move renewable energy from generation sites
in Upstate New York and offshore to high-demand regions like New York
City. Other utilities are rolling out a variety of intemet connected
devices which will enable customers to monitor and curb their electric-
ity use in real time and provide savings by encouraging those customers
to move their energy intensive activities to "off-peak" hours.

However, cyber attacks targeting the energy grid through intemet
connected devices have occurred in other countries pointing to possible
security risks (7). In Spain, for instance, researchers have found secu-
rity flaws in intemet connected metering devices that would enable hack-
ers to shut down power to individual homes, create fraudulent billing,
or turn the meters against the grid in order to cause widespread black-
outs (8). Additionally, the end to end digitization of grid operators
and power generators, including NYPA, means each sensor must be secured
and continuously monitored.  Otherwise, this energy "Internet of Things"
could become a vulnerability and exponentially increase the attack
surface for cyber attacks.

Today, New York's laws are inadequate to protect critical energy infras-
tructure from the evolving threat of cyber attacks. To address this
situation, this legislation would: 1) enshrine the protection of crit-
ical energy infrastructure in the energy policy of the state; 2) define
"critical energy infrastructure" and "industrial control systems" to
ensure future legislation is able to be easily created in this space; 3)
empower the Division of Homeland Security and Emergency Services to
assess the vulnerabilities of critical infrastructure to cyber attack;
4) require the Public Service Commission to include an assessment of how
well gas and electric corporations are protecting critical energy
infrastructure in their five year audits; 5) require electric corpo-
rations to include a response to cyber attacks in their annual emergency
response plans; 6) require electric and gas corporations to develop and
implement tools to ensure their industrial control systems are being
continuously monitored for behavioral anomalies (9); and 7) ensure smart
meters that are connected to the energy grid utilize a non-proprietary
wireless standard that provides for easy diagnostics, up-to-date securi-
ty protocols, and prevents network lock-in.

 
PRIOR LEGISLATIVE HISTORY:

2020: A10006 03/04/20 referred to energy

A10006 07/14/20 referred to ways and means; S8794 07/16/20 referred to
rules

A10006 07/17/20 reported referred to rules

 
FISCAL IMPLICATIONS OR STATE AND LOCAL GOVERNMENTS:

None.

 
EFFECTIVE DATE:
This act shall take effect on the one hundred eightieth day after it
shall have become law. The PSC is authorized and directed to immediately
take action to promulgate rules and regulations related to subdivisions
29 and 30 of section 66 of the public service law.
1) https://www.wired.00m/2016/03/inside-cunning-unorecedented hackuk-
raines-power-grid/
2) httbs://www.utilitydive.com/news/hackers- hit-communications-system-
of-eneray-transfer- partners-pipeline/ 520531/
3) https://www.eenews.net/stories/1060242741
4) https://www.wsicom/articles/americas- electric-grid-has-a-vulnera-
ble-back-doorand- russia-walked -through-it-11547137112
5) https://www,wired.com/story/ekans- ransomware-
industrialcontrolsystems/
6) https://www.nypa.gov/about/strategic-vision
7) https://www.polftico.eu/article/smart-grids- and-meters-raise-hack-
ing-risks/
8) https://www,reuters.com/article/uscybersecurity-s
DainidUSKCNOHW15E20141007
9)https://www.utilitydive,com/newsiold- windows-and-bad-passwords-utili-
ty-cyber- vulnerabilities-grow- despite-c/565630/

2021-S5579A (ACTIVE) - Bill Text download pdf

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  5579--A
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                              March 11, 2021
                                ___________
 
 Introduced  by  Sen.  PARKER -- read twice and ordered printed, and when
   printed to be committed to the Committee on  Energy  and  Telecommuni-
   cations  --  recommitted  to  the Committee on Energy and Telecommuni-
   cations in  accordance  with  Senate  Rule  6,  sec.  8  --  committee
   discharged, bill amended, ordered reprinted as amended and recommitted
   to said committee
 
 AN ACT to amend the energy law, the executive law and the public service
   law,  in  relation  to  critical  energy  infrastructure  security and
   responsibility
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section  1.  Subdivision  1  of  section  3-101  of the energy law, as
 amended by chapter 253 of the laws  of  2013,  is  amended  to  read  as
 follows:
   1.  to  obtain and maintain an adequate and continuous supply of safe,
 dependable and economical energy for the people of the state,  INCLUDING
 THROUGH  THE  PROTECTION OF CRITICAL ENERGY INFRASTRUCTURE AS DEFINED IN
 SUBDIVISION FOURTEEN OF SECTION 1-103 OF THIS CHAPTER, and to accelerate
 development and use within the state of renewable energy sources, all in
 order to promote the state's economic growth, to create employment with-
 in the state, to  protect  its  environmental  values  and  agricultural
 heritage,  to  husband  its  resources  for  future  generations, and to
 promote the health and welfare of its people;
   § 2. Section 1-103 of the energy law is  amended  by  adding  two  new
 subdivisions 14 and 15 to read as follows:
   14.  "CRITICAL  ENERGY INFRASTRUCTURE" MEANS SYSTEMS, INCLUDING INDUS-
 TRIAL CONTROL SYSTEMS, CUSTOMER  ELECTRICAL  OR  GAS  CONSUMPTION  DATA,
 ASSETS,  PLACES  OR THINGS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL TO THE
 STATE  THAT  THE  DISRUPTION,  INCAPACITATION  OR  DESTRUCTION  OF  SUCH
 SYSTEMS,  INCLUDING  INDUSTRIAL  CONTROL SYSTEMS, CUSTOMER ELECTRICAL OR
 GAS CONSUMPTION DATA, ASSETS, PLACES  OR  THINGS  COULD  JEOPARDIZE  THE
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD06856-06-2

 S. 5579--A                          2
 
 HEALTH, SAFETY, WELFARE, ENERGY DISTRIBUTION, TRANSMISSION, RELIABILITY,
 OR SECURITY OF THE STATE, ITS RESIDENTS OR ITS ECONOMY.
   15. "INDUSTRIAL CONTROL SYSTEMS" MEANS A COMBINATION OF CONTROL COMPO-
 NENTS  THAT  SUPPORT  OPERATIONAL FUNCTIONS IN GAS, DISTRIBUTION, TRANS-
 MISSION, AND ADVANCED METERING INFRASTRUCTURE CONTROL CENTERS,  AND  ACT
 TOGETHER TO ACHIEVE AN INDUSTRIAL OBJECTIVE, INCLUDING CONTROLS THAT ARE
 FULLY AUTOMATED OR THAT INCLUDE A HUMAN-MACHINE INTERFACE.
   §  3.  Paragraph  (j) of subdivision 2 of section 709 of the executive
 law, as amended by section 14 of part B of chapter 56  of  the  laws  of
 2010, is amended to read as follows:
   (j)  work  with local, state and federal agencies and private entities
 to conduct assessments of the vulnerability of  critical  infrastructure
 to terrorist attack, CYBER ATTACK, and other natural and man-made disas-
 ters,  including,  but not limited to, nuclear facilities, power plants,
 telecommunications systems, mass transportation  systems,  public  road-
 ways,  railways,  bridges  and tunnels, AND ATTENDANT INDUSTRIAL CONTROL
 SYSTEMS AS DEFINED BY SUBDIVISION FIFTEEN OF SECTION 1-103 OF THE ENERGY
 LAW and develop strategies that may be used to protect such  infrastruc-
 ture from terrorist attack, CYBER ATTACK, and other natural and man-made
 disasters;
   §  4.    Paragraph  (a)  of subdivision 19 of section 66 of the public
 service law, as amended by section 4 of part X of chapter 57 of the laws
 of 2013, is amended to read as follows:
   (a) The commission shall have power  to  provide  for  management  and
 operations  audits  of  gas corporations and electric corporations. Such
 audits shall be performed at least once every five years for combination
 gas and electric corporations, as well as for straight gas  corporations
 having  annual  gross revenues in excess of two hundred million dollars.
 The audit shall include, but not be limited to, an investigation of  the
 company's  construction program planning in relation to the needs of its
 customers for reliable service, an evaluation of the efficiency  of  the
 company's operations AND PROTECTION OF CRITICAL ENERGY INFRASTRUCTURE AS
 DEFINED  IN  SUBDIVISION  FOURTEEN  OF  SECTION 1-103 OF THE ENERGY LAW,
 recommendations with respect to same, and the timing with respect to the
 implementation  of  such  recommendations.  The  commission  shall  have
 discretion to have such audits performed by its staff, or by independent
 auditors.
   In  every  case  in  which  the  commission  chooses to have the audit
 provided for in this subdivision or pursuant to subdivision fourteen  of
 section sixty-five of this article performed by independent auditors, it
 shall  have authority to select the auditors, and to require the company
 being audited to enter into a contract with the auditors  providing  for
 their  payment  by the company. Such contract shall provide further that
 the auditors shall work for and under the direction  of  the  commission
 according  to  such  terms as the commission may determine are necessary
 and reasonable.
   § 5. Subdivision 19 of section 66 of the public service law is amended
 by adding a new paragraph (d) to read as follows:
   (D) THE COMMISSION SHALL HAVE THE POWER TO PROVIDE FOR AN ANNUAL AUDIT
 OF GAS CORPORATIONS AND ELECTRIC CORPORATIONS RELATING TO  THE  ADEQUACY
 OF   CYBER-SECURITY  POLICIES,  PROTOCOLS,  PROCEDURES  AND  PROTECTIONS
 INCLUDING, BUT NOT LIMITED TO, AS SUCH POLICIES,  PROTOCOLS,  PROCEDURES
 AND  PROTECTIONS  RELATE TO CRITICAL ENERGY INFRASTRUCTURE AS DEFINED IN
 SUBDIVISION FOURTEEN OF SECTION 1-103 OF THE  ENERGY  LAW  AND  ALSO  TO
 CUSTOMER  PRIVACY. THE COMMISSION SHALL HAVE THE DISCRETION TO HAVE SUCH
 AUDITS PERFORMED BY ITS STAFF OR BY AN INDEPENDENT THIRD PARTY.
 S. 5579--A                          3
 
   § 6. Paragraph (a) of subdivision 21  of  section  66  of  the  public
 service  law,  as added by section 4 of part X of chapter 57 of the laws
 of 2013, is amended to read as follows:
   (a) Each electric corporation subject to section twenty-five-a of this
 chapter  shall  annually, on or before December fifteenth, submit to the
 commission an emergency response plan for review and approval. The emer-
 gency response plan shall be designed for the reasonably prompt restora-
 tion of service in the case of an emergency event, defined for  purposes
 of  this  subdivision as an event where widespread outages have occurred
 in the service territory of the company due to storms, CYBER ATTACK,  or
 other  causes  beyond the control of the company. The emergency response
 plan shall include, but need not be limited to, the following:  (i)  the
 identification  of  management  staff responsible for company operations
 during an emergency; (ii) a communications system with customers  during
 an  emergency  that  extends  beyond  normal business hours and business
 conditions; (iii) identification of and outreach plans to customers  who
 had  documented  their need for essential electricity for medical needs;
 (iv) identification of and outreach plans to  customers  who  had  docu-
 mented their need for essential electricity to provide critical telecom-
 munications,   critical   transportation,   critical  fuel  distribution
 services or other large-load customers identified by the commission; (v)
 designation of company staff to communicate  with  local  officials  and
 appropriate  regulatory  agencies;  (vi)  provisions  regarding  how the
 company will assure the safety of its employees and  contractors;  (vii)
 procedures for deploying company and mutual aid crews to work assignment
 areas; (viii) identification of additional supplies and equipment needed
 during an emergency; (ix) the means of obtaining additional supplies and
 equipment;  (x) procedures to practice the emergency response plan; (xi)
 appropriate safety precautions regarding electrical  hazards,  including
 plans to promptly secure downed wires within thirty-six hours of notifi-
 cation  of  the location of such downed wires from a municipal emergency
 official; and (xii) such other additional information as the  commission
 may  require. Each such corporation shall, on an annual basis, undertake
 drills implementing procedures  to  practice  its  emergency  management
 plan.  The  commission may adopt additional requirements consistent with
 ensuring the reasonably prompt restoration of service in the case of  an
 emergency event.
   § 7. Section 66 of the public service law is amended by adding two new
 subdivisions 30 and 31 to read as follows:
   30.  PROMULGATE RULES AND REGULATIONS TO DIRECT ELECTRIC OR GAS CORPO-
 RATIONS TO DEVELOP AND IMPLEMENT TOOLS TO  MONITOR  OPERATIONAL  CONTROL
 NETWORKS GIVING THE ELECTRIC OR GAS CORPORATION THE ABILITY TO UNDERTAKE
 THE  DETECTION  OF  UNAUTHORIZED NETWORK BEHAVIOR RELATED TO SUCH CORPO-
 RATION'S INDUSTRIAL CONTROL SYSTEMS, AS DEFINED IN  SUBDIVISION  FIFTEEN
 OF  SECTION 1-103 OF THE ENERGY LAW. ON OR BEFORE DECEMBER THIRTY-FIRST,
 TWO THOUSAND TWENTY-THREE AND NOT LATER THAN FIVE YEARS AFTER SUCH DATE,
 AND EVERY FIVE YEARS THEREAFTER, THE COMMISSION SHALL PROVIDE  A  REPORT
 TO  THE  GOVERNOR, THE TEMPORARY PRESIDENT OF THE SENATE, THE SPEAKER OF
 THE ASSEMBLY, THE CHAIRPERSON OF  THE  ASSEMBLY  STANDING  COMMITTEE  ON
 ENERGY,  AND  THE CHAIRPERSON OF THE SENATE STANDING COMMITTEE ON ENERGY
 AND TELECOMMUNICATIONS REVIEWING ELECTRIC OR GAS CORPORATION  COMPLIANCE
 WITH  THIS  SECTION,  INCLUDING,  AS  NECESSARY,  RECOMMENDATIONS TO THE
 LEGISLATURE IF THE COMMISSION DETERMINES THAT  ADDITIONAL  MEASURES  ARE
 REQUIRED  TO  ENSURE  THE EFFECTIVE PROTECTION OF ELECTRIC OR GAS CORPO-
 RATION CRITICAL INFRASTRUCTURE.
 S. 5579--A                          4
 
   31. PROMULGATE RULES AND REGULATIONS TO DIRECT ELECTRIC OR GAS  CORPO-
 RATIONS  TO REQUIRE THE INSTALLATION OF ADVANCED METERING INFRASTRUCTURE
 THAT CONNECTS TO THE ELECTRIC OR GAS DISTRIBUTION  NETWORK  OPERATED  BY
 SUCH  ELECTRIC OR GAS CORPORATION BE PERMITTED ONLY SO LONG AS ACCESS TO
 THE  ADVANCED METER INFRASTRUCTURE ENABLES TWO-WAY COMMUNICATION BETWEEN
 UTILITIES AND METERS THROUGH THE OPTIMAL COMMUNICATIONS NETWORK  OPTION,
 SUCH AS A WIRELESS NETWORK, THAT IS SHARED BY AT LEAST TWO METER PROVID-
 ERS  OPERATING  WITHIN  THE  UNITED STATES OF AMERICA, IF THE COMMISSION
 DETERMINES THAT IT IS COST EFFECTIVE TO DO SO.
   § 8. This act shall take effect on the one hundred eightieth day after
 it shall have become a law. Effective immediately,  the  public  service
 commission  is  authorized  and  directed  to  take actions necessary to
 promulgate rules and regulations related to the implementation of subdi-
 visions 30 and 31 of section 66 of the public service law on  or  before
 such effective date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S5579A

Sponsored By

Archive: Last Bill Status Via A3904 - Passed Senate

Actions

Votes

May 17, 2022 - Floor Vote

Floor Vote: May 17, 2022

May 3, 2022 - Finance Committee Vote

Finance Committee Vote: May 3, 2022

Apr 26, 2022 - Energy And Telecommunications Committee Vote

Energy And Telecommunications Committee Vote: Apr 26, 2022

Bill Amendments

2021-S5579 - Details

2021-S5579 - Summary

2021-S5579 - Sponsor Memo

2021-S5579 - Bill Text download pdf

2021-S5579A (ACTIVE) - Details

2021-S5579A (ACTIVE) - Summary

2021-S5579A (ACTIVE) - Sponsor Memo

2021-S5579A (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2021-S5579A

Senate Bill S5579A

Share this bill

Sponsored By

Kevin S. Parker

Archive: Last Bill Status Via A3904 - Passed Senate

Actions

Votes

Bill Amendments

2021-S5579 - Details

2021-S5579 - Summary

2021-S5579 - Sponsor Memo

2021-S5579 - Bill Text download pdf

2021-S5579A (ACTIVE) - Details

2021-S5579A (ACTIVE) - Summary

2021-S5579A (ACTIVE) - Sponsor Memo

2021-S5579A (ACTIVE) - Bill Text download pdf

Comments