Senate Bill S7312

2021-2022 Legislative Session

Enacts the Critical Infrastructure Standards and Procedures Act

download bill text pdf

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jan 05, 2022	referred to internet and technology
Aug 04, 2021	referred to rules

co-Sponsors

2021-S7312 (ACTIVE) - Details

Current Committee:: Senate Internet And Technology
Law Section:: State Technology Law
Laws Affected:: Add Art 4 §§401 - 405, St Tech L

2021-S7312 (ACTIVE) - Summary

Enacts the "Critical Infrastructure Standards and Procedures (CRISP) Act".

2021-S7312 (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S7312

SPONSOR: THOMAS
 
TITLE OF BILL:

An act to amend the state technology law, in relation to enacting the
"critical infrastructure standards and procedures act"

 
PURPOSE OR GENERAL IDEA OF BILL:

An act to amend the state technology law, in relation to enacting the
"critical infrastructure standards and procedures act."

 
SUMMARY OF PROVISIONS:

Section one of the bill amends the state technology law to add a new
article 4 titled the "critical infrastructure standards and procedures
act."

Section 402 of article 4 establishes various definitions, including
"critical infrastructure", "automation and control system," "automation

and control system component," "asset owner," and "operational technolo-
gy."

Section 403 of article 4 requires the Office of Information Technology,
along with the State Department of Homeland Security and the Department
of Financial Services to identify critical infrastructure, both public
and private, that could be comprised by cyber-attacks.

Section 404 of article 4 requires "asset owners" of "critical infras-
tructure" as defined an in Section 402 and identified by OIT and DHS to
be compliant with the ISA 62443 cybersecurity standard when procuring
Automation and Control System components, services or solutions as
defined or when contracting for facility upgrades or the construction of
new critical infrastructure facilities by July 1, 2026.

Section 405 of article 4 requires that the asset owner shall be respon-
sible for ensuring that the operation and maintenance of operational
technology, including critical infrastructure, automation control
systems, and automation control system components be compliant with the
standards and practices defined in the ISA/IEC 62443 series of standards
as referenced by the National Institute of Standards and Technology
Cybersecurity Framework (NIST CSF), including annual risk assessments
and the creation of a mitigation plan in the event of a cyber-security
breach by July 1, 2024.

Section two of the bill is the effective date.

 
JUSTIFICATION:

The operational technologies that automate the critical infrastructure
and commercial facilities of daily life are experiencing a rapid
increase in cybersecurity incidents. The impact is serious, affecting
life, safety, the environment, and economic viability across sectors.
The recent cybersecurity intrusions of the public water system in Olds-
mar, Florida, the shutdown of the Colonial Pipeline by the criminal
enterprise Darkside, the intrusion of the Bowman Dam in Rye Brook, New
York by Iranian hackers in 2013, and the hacking of numerous federal
agencies by suspected Russian hackers underscore the need to provide the
public and private sectors with clarity and support on how to improve
control systems cybersecurity.

A standard definition of the security capabilities for system components
will provide a common language for product suppliers and all other
control system stakeholders, simplifying the procurement and integration
processes for the computers, applications, network equipment, and
control devices that make up a control system.

The United States National Institute of Standards and Technology (NIST)
published the NIST Cybersecurity Framework (CSF) which references
several relevant cybersecurity standards including ISA/IEC 62443. The
NIST CSF was codified into Florida IT cybersecurity standard 60GG-2 as
of 2019. The internationally recognized ISA/IEC 62443 family of stand-
ards defines a set of measures and benchmarks purpose-built to guide
organizations through the process of assessing the risk of a particular
automation and control system (OT) and in identifying and applying secu-
rity countermeasures to reduce that risk.

 
PRIOR LEGISLATIVE HISTORY:

New Bill

 
FISCAL IMPLICATIONS FOR STATE AND LOCAL GOVERNMENTS:

To be determined

 
EFFECTIVE DATE:
This legislation will take effect 180 days after enactment into law
except that compliance with the ISA 62443 series of standards for compo-
nents is delayed until July 2026 and the operational and maintenance
requirements are delayed until July 2024 in order to permit asset owners
and product suppliers to become compliant and develop compliant products
and solutions.

2021-S7312 (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   7312
 
                        2021-2022 Regular Sessions
 
                             I N  S E N A T E
 
                              August 4, 2021
                                ___________
 
 Introduced  by  Sen.  THOMAS -- read twice and ordered printed, and when
   printed to be committed to the Committee on Rules
 
 AN ACT to amend the state technology law, in relation  to  enacting  the
   "critical infrastructure standards and procedures act"
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. The state technology law is amended by adding a new article
 4 to read as follows:
                                  ARTICLE 4
           CRITICAL INFRASTRUCTURE STANDARDS AND PROCEDURES ACT
 SECTION 401. SHORT TITLE.
         402. DEFINITIONS.
         403.  COMPLIANCE  WITH  CYBERSECURITY  STANDARDS  FOR   CRITICAL
                INFRASTRUCTURE.
         404.   PROCUREMENT,  CONSTRUCTION,  RECONSTRUCTION,  ALTERATION,
                DESIGN AND COMMISSIONING OF  CRITICAL  INFRASTRUCTURE  OR
                AUTOMATION  CONTROL  SYSTEMS OR AUTOMATION CONTROL SYSTEM
                COMPONENTS.
         405. OPERATIONS AND MAINTENANCE OF CRITICAL INFRASTRUCTURE.
   § 401. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY  BE  CITED  AS
 THE "CRITICAL INFRASTRUCTURE STANDARDS AND PROCEDURES (CRISP) ACT".
   § 402. DEFINITIONS. THE FOLLOWING TERMS SHALL HAVE THE FOLLOWING MEAN-
 INGS:
   1. CRITICAL INFRASTRUCTURE SHALL INCLUDE, BUT SHALL NOT BE LIMITED TO:
   (A) PUBLIC TRANSPORTATION;
   (B) WATER AND WASTEWATER TREATMENT FACILITIES;
   (C)  PUBLIC UTILITIES AND SERVICES SUBJECT TO THE JURISDICTION, SUPER-
 VISION, POWERS AND DUTIES OF  THE  PUBLIC  SERVICE  COMMISSION  AND  THE
 DEPARTMENT OF PUBLIC SERVICE;
   (D) PUBLIC BUILDINGS, INCLUDING THOSE OPERATED BY THE STATE UNIVERSITY
 OF NEW YORK;

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD11950-01-1

 S. 7312                             2
 
   (E) HOSPITALS AND PUBLIC HEALTH FACILITIES REGULATED PURSUANT TO ARTI-
 CLE TWENTY-EIGHT OF THE PUBLIC HEALTH LAW;
   (F)  FACILITIES  CREATED OR EXISTING UNDER THE PUBLIC AUTHORITIES LAW;
 AND
   (G) FINANCIAL SERVICES ORGANIZATIONS  REGULATED  UNDER  THE  FINANCIAL
 SERVICES LAW.
   2.  AUTOMATION  AND  CONTROL SYSTEM SHALL INCLUDE PERSONNEL, HARDWARE,
 SOFTWARE AND POLICIES INVOLVED IN THE OPERATION OF THE CRITICAL  INFRAS-
 TRUCTURE  THAT  MAY  AFFECT  OR  INFLUENCE ITS SAFE, SECURE AND RELIABLE
 OPERATION.
   3. AUTOMATION AND CONTROL SYSTEM COMPONENTS SHALL MEAN CONTROL SYSTEMS
 AND ANY COMPLEMENTARY HARDWARE AND SOFTWARE COMPONENTS  THAT  HAVE  BEEN
 INSTALLED AND CONFIGURED TO OPERATE IN AN AUTOMATION AND CONTROL SYSTEM.
 SUCH SYSTEMS SHALL INCLUDE, BUT SHALL NOT BE LIMITED TO:
   (A)  CONTROL  SYSTEMS,  WHETHER  PHYSICALLY  SEPARATE  OR  INTEGRATED,
 INCLUDING DISTRIBUTED CONTROL SYSTEMS, PROGRAMMABLE  LOGIC  CONTROLLERS,
 REMOTE  TERMINAL  UNITS,  INTELLIGENT  ELECTRONIC  DEVICES,  SUPERVISORY
 CONTROL AND DATA ACQUISITION, NETWORKED ELECTRONIC SENSING AND  CONTROL,
 AND MONITORING AND DIAGNOSTIC SYSTEMS;
   (B)  ASSOCIATED INFORMATION SYSTEMS, SUCH AS ADVANCED OR MULTIVARIABLE
 CONTROL, ONLINE  OPTIMIZERS,  DEDICATED  EQUIPMENT  MONITORS,  GRAPHICAL
 INTERFACES,  PROCESS  HISTORIANS,  MANUFACTURING  EXECUTION  SYSTEMS AND
 PLANT INFORMATION MANAGEMENT SYSTEMS;
   (C) ASSOCIATED INTERNAL, HUMAN, NETWORK, OR MACHINE INTERFACES USED TO
 PROVIDE CONTROL, SAFETY, AND MANUFACTURING OPERATIONS  FUNCTIONALITY  TO
 CONTINUOUS, BATCH, DISCRETE; AND
   (D)  OTHER  PROCESSES AS DEFINED BY THE INTERNATIONAL SOCIETY OF AUTO-
 MATION INCLUDING THE ISA/IEC 62443 SERIES OF STANDARDS, AS REFERENCED BY
 THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST).
   4. ASSET OWNER SHALL MEAN  THE  PUBLIC  OR  PRIVATE  OWNER  OR  ENTITY
 ACCOUNTABLE AND RESPONSIBLE FOR OPERATION OF THE CRITICAL INFRASTRUCTURE
 AND  FOR THE AUTOMATION AND CONTROL SYSTEM. THE ASSET OWNER SHALL BE THE
 OPERATOR OF THE AUTOMATION AND CONTROL  SYSTEM  AND  OF  SUCH  EQUIPMENT
 UNDER CONTROL.
   5.  OPERATIONAL  TECHNOLOGY  SHALL MEAN THE HARDWARE AND SOFTWARE THAT
 DETECTS OR CAUSES A CHANGE IN THE CRITICAL  INFRASTRUCTURE  THROUGH  THE
 DIRECT MONITORING OR CONTROL OF PHYSICAL DEVICES, SYSTEMS, PROCESSES AND
 EVENTS.
   §  403.  COMPLIANCE  WITH CYBERSECURITY STANDARDS FOR CRITICAL INFRAS-
 TRUCTURE. THE OFFICE, IN CONSULTATION WITH THE  DEPARTMENT  OF  HOMELAND
 SECURITY  AND  EMERGENCY  SERVICES  AND  THE SUPERINTENDENT OF FINANCIAL
 SERVICES SHALL MAKE A DETERMINATION OF CRITICAL INFRASTRUCTURE,  INCLUD-
 ING  WHOSE  ASSETS,  SYSTEMS, AND NETWORKS, WHETHER PHYSICAL OR VIRTUAL,
 ARE CONSIDERED VITAL AND VULNERABLE TO CYBERSECURITY ATTACKS.
   § 404. PROCUREMENT, CONSTRUCTION, RECONSTRUCTION,  ALTERATION,  DESIGN
 AND  COMMISSIONING  OF  CRITICAL  INFRASTRUCTURE  OR  AUTOMATION CONTROL
 SYSTEMS OR AUTOMATION CONTROL SYSTEM COMPONENTS. ON OR AFTER JULY FIRST,
 TWO THOUSAND TWENTY-SIX, THE ASSET OWNER, WHEN PROCURING AUTOMATION  AND
 CONTROL  SYSTEM  COMPONENTS,  AS DEFINED IN SUBDIVISION THREE OF SECTION
 FOUR HUNDRED TWO  OF  THIS  ARTICLE,  SERVICES  OR  SOLUTIONS,  OR  WHEN
 CONTRACTING  FOR  FACILITY  UPGRADES  OR  THE  CONSTRUCTION  OF CRITICAL
 INFRASTRUCTURE FACILITIES, SHALL REQUIRE SUCH COMPONENTS, SERVICES,  AND
 SOLUTIONS  TO CONFORM TO THE ISA/IEC 62443 SERIES OF STANDARDS AS REFER-
 ENCED BY NIST FOR DEFINING MEASURES TO ASSURE CONFORMANCE. ALL CONTRACTS
 AWARDED FOR CONSTRUCTION, RECONSTRUCTION, ALTERATION, DESIGN AND COMMIS-
 SIONING OF FACILITIES IDENTIFIED AS CRITICAL INFRASTRUCTURE  UNDER  THIS

 S. 7312                             3
 
 ARTICLE  SHALL PROVIDE THAT SUCH INSTALLED AUTOMATION AND CONTROL COMPO-
 NENTS MEET THE MINIMUM STANDARDS FOR CYBERSECURITY  AS  DEFINED  BY  THE
 ISA/IEC 62443 SERIES OF STANDARDS AS REFERENCED BY NIST.
   §  405.  OPERATIONS  AND MAINTENANCE OF CRITICAL INFRASTRUCTURE. ON OR
 AFTER JULY FIRST, TWO THOUSAND TWENTY-FOUR, THE  ASSET  OWNER  SHALL  BE
 RESPONSIBLE  FOR  ENSURING  THAT THE OPERATION AND MAINTENANCE OF OPERA-
 TIONAL TECHNOLOGY, INCLUDING CRITICAL INFRASTRUCTURE, AUTOMATION CONTROL
 SYSTEMS AND  AUTOMATION  CONTROL  SYSTEM  COMPONENTS  CONFORM  WITH  THE
 ISA/IEC 62443 SERIES OF STANDARDS AS REFERENCED BY NIST, INCLUDING ANNU-
 AL RISK ASSESSMENTS AND SHALL CREATE A MITIGATION PLAN.
   § 2. This act shall take effect on the one hundred eightieth day after
 it  shall  have  become  a  law.  Effective immediately, the office, the
 commissioner of homeland security and emergency services and the  super-
 intendent of financial services may promulgate rules and regulations and
 take  other  actions  reasonably necessary to implement this act on that
 date.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S7312

Sponsored By

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Actions

co-Sponsors

2021-S7312 (ACTIVE) - Details

2021-S7312 (ACTIVE) - Summary

2021-S7312 (ACTIVE) - Sponsor Memo

2021-S7312 (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2021-S7312

Senate Bill S7312

Share this bill

Sponsored By

Kevin Thomas

Archive: Last Bill Status - In Senate Committee Internet And Technology Committee

Actions

co-Sponsors

Alessandra Biaggi

Leroy Comrie

Brad Hoylman-Sigal

Zellnor Myrie

2021-S7312 (ACTIVE) - Details

2021-S7312 (ACTIVE) - Summary

2021-S7312 (ACTIVE) - Sponsor Memo

2021-S7312 (ACTIVE) - Bill Text download pdf

Comments