S T A T E O F N E W Y O R K
________________________________________________________________________
6195
2019-2020 Regular Sessions
I N S E N A T E
May 22, 2019
___________
Introduced by Sen. PARKER -- read twice and ordered printed, and when
printed to be committed to the Committee on Energy and Telecommuni-
cations
AN ACT to amend the energy law, the public officers law, the executive
law, and the public service law, in relation to critical utility
infrastructure security and responsibility
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. Subdivision 1 of section 3-101 of the energy law, as
amended by chapter 253 of the laws of 2013, is amended to read as
follows:
1. to obtain and maintain an adequate and continuous supply of safe,
dependable and economical energy for the people of the state, INCLUDING
THROUGH THE PROTECTION OF CRITICAL INFRASTRUCTURE AS DEFINED IN SUBDIVI-
SION FIVE OF SECTION EIGHTY-SIX OF THE PUBLIC OFFICERS LAW, and to
accelerate development and use within the state of renewable energy
sources, all in order to promote the state's economic growth, to create
employment within the state, to protect its environmental values and
agricultural heritage, to husband its resources for future generations,
and to promote the health and welfare of its people;
§ 2. Subdivision 5 of section 86 of the public officers law, as added
by chapter 403 of the laws of 2003, is amended to read as follows:
5. "Critical infrastructure" means systems, INCLUDING INDUSTRIAL
CONTROL SYSTEMS, assets, places or things, whether physical or virtual,
so vital to the state that the disruption, incapacitation or destruction
of such systems, INCLUDING INDUSTRIAL CONTROL SYSTEMS, assets, places or
things could jeopardize the health, safety, welfare or security of the
state, its residents or its economy.
§ 3. Section 86 of the public officers law is amended by adding a new
subdivision 6 to read as follows:
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD08666-04-9
S. 6195 2
6. "INDUSTRIAL CONTROL SYSTEMS" MEANS A COMBINATION OF CONTROL COMPO-
NENTS THAT SUPPORT OPERATIONAL FUNCTIONS IN GAS, DISTRIBUTION, TRANS-
MISSION, AND ADVANCED METERING INFRASTRUCTURE CONTROL CENTERS, AND ACT
TOGETHER TO ACHIEVE AN INDUSTRIAL OBJECTIVE, INCLUDING CONTROLS THAT ARE
FULLY AUTOMATED OR THAT INCLUDE A HUMAN-MACHINE INTERFACE.
§ 4. Paragraph (j) of subdivision 2 of section 709 of the executive
law, as amended by section 14 of part B of chapter 56 of the laws of
2010, is amended to read as follows:
(j) work with local, state and federal agencies and private entities
to conduct assessments of the vulnerability of critical infrastructure
to terrorist attack, CYBER ATTACK, CRIMINAL BEHAVIOR, and other natural
and man-made disasters, including, but not limited to, nuclear facili-
ties, power plants, telecommunications systems, mass transportation
systems, public roadways, railways, bridges and tunnels, AND ATTENDANT
INDUSTRIAL CONTROL SYSTEMS AS DEFINED BY SUBDIVISION SIX OF SECTION
EIGHTY-SIX OF THE PUBLIC OFFICERS LAW and develop strategies that may be
used to protect such infrastructure from terrorist attack, CYBER ATTACK,
CRIMINAL BEHAVIOR, and other natural and man-made disasters;
§ 5. Subdivision 1 and paragraph (a) of subdivision 2 of section 713
of the executive law, as amended by section 16 of part B of chapter 56
of the laws of 2010, are amended to read as follows:
1. Notwithstanding any other provision of law, the commissioner of the
division of homeland security and emergency services, IN COORDINATION
WITH THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES, shall conduct
a review and analysis of measures being taken by the public service
commission and any other agency or authority of the state or any poli-
tical subdivision thereof and, to the extent practicable, of any federal
entity, to protect the security of critical infrastructure related to
energy generation and transmission located within the state. The commis-
sioner of the division of homeland security and emergency services AND
THE DIRECTOR OF THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES
shall have the authority to review any audits or reports related to the
security of such critical infrastructure, including audits or reports
conducted at the request of the public service commission or any other
agency or authority of the state or any political subdivision thereof
or, to the extent practicable, of any federal entity. The owners and
operators of such energy generating or transmission facilities shall, in
compliance with any federal and state requirements regarding the dissem-
ination of such information, provide access to the commissioner of the
division of homeland security and emergency services AND THE DIRECTOR OF
THE STATE OFFICE OF INFORMATION TECHNOLOGY SERVICES to such audits or
reports regarding such critical infrastructure provided, however, that
exclusive custody and control of such audits and reports shall remain
solely with the owners and operators of such energy generating or trans-
mission facilities. For the purposes of this article, the term "critical
infrastructure" has the meaning ascribed to that term in subdivision
five of section eighty-six of the public officers law.
(a) On or before December thirty-first, two thousand four, and not
later than three years after such date, and every five years thereafter,
the commissioner of the division of homeland security and emergency
services, IN COORDINATION WITH THE STATE OFFICE OF INFORMATION TECHNOLO-
GY SERVICES, shall report to the governor, the temporary president of
the senate, the speaker of the assembly, THE CHAIRPERSON OF THE ASSEMBLY
STANDING COMMITTEE ON ENERGY, THE CHAIRPERSON OF THE SENATE STANDING
COMMITTEE ON ENERGY AND TELECOMMUNICATIONS, the chairperson of the
public service commission and the chief executive of any such affected
S. 6195 3
generating or transmission company or his or her designee. Such report
shall review the security measures being taken regarding critical
infrastructure related to energy generating and transmission facilities
IN CONSULTATION WITH THE MOST RECENT VERSION OF THE NATIONAL INSTITUTE
OF STANDARDS AND TECHNOLOGY "FRAMEWORK FOR IMPROVING CRITICAL INFRAS-
TRUCTURE CYBERSECURITY" AND THE NORTH AMERICAN ELECTRICAL RELIABILITY
CORPORATION'S CRITICAL INFRASTRUCTURE PROTECTION STANDARDS, assess the
effectiveness thereof, and include recommendations to the legislature or
the public service commission if the commissioner of the division of
homeland security and emergency services AND THE DIRECTOR OF THE STATE
OFFICE OF INFORMATION TECHNOLOGY SERVICES determines that additional
measures are required to be implemented, considering, among other
factors, the unique characteristics of each energy generating or trans-
mission facility.
§ 6. The public service law is amended by adding a new section 54 to
read as follows:
§ 54. ELECTRIC OR GAS CONSUMPTION DATA PROTECTION. 1. AN ELECTRIC OR
GAS CORPORATION OR MUNICIPALITY SHALL NOT SHARE, SELL, DISCLOSE, OR
OTHERWISE MAKE ACCESSIBLE TO ANY THIRD PARTY A CUSTOMER'S ELECTRIC OR
GAS CONSUMPTION DATA, EXCEPT WHERE THE CUSTOMER HAS CONSENTED AND AS
PROVIDED IN SUBDIVISION TWO OF THIS SECTION.
2.(A) NOTHING IN THIS SECTION SHALL PRECLUDE AN ELECTRIC OR GAS CORPO-
RATION OR MUNICIPALITY FROM DISCLOSING A CUSTOMER'S ELECTRIC OR GAS
CONSUMPTION DATA FOR ANALYSIS, REPORTING, OR PROGRAM MANAGEMENT AS LONG
AS ALL INFORMATION HAS BEEN ANONYMIZED REGARDING THE INDIVIDUAL IDENTITY
OF A CUSTOMER.
(B) NOTHING IN THIS SECTION SHALL PRECLUDE AN ELECTRIC OR GAS CORPO-
RATION OR MUNICIPALITY FROM DISCLOSING ELECTRIC OR GAS CONSUMPTION DATA
AS REQUIRED OR PERMITTED UNDER STATE OR FEDERAL LAW OR BY AN ORDER OF
THE COMMISSION.
(C) NOTHING IN THIS SECTION SHALL PRECLUDE AN ELECTRIC OR GAS CORPO-
RATION OR MUNICIPALITY FROM DISCLOSING A CUSTOMER'S ELECTRIC OR GAS
CONSUMPTION DATA TO A THIRD PARTY THAT CONTRACTS WITH SUCH CORPORATION
OR MUNICIPALITY TO PROVIDE SERVICES ON BEHALF OF THE CORPORATION.
3. AN ELECTRIC OR GAS CORPORATION SHALL ESTABLISH: (A) MINIMUM CYBER-
SECURITY AND SAFETY STANDARDS AND (B) MINIMUM CYBER-SECURITY INSURANCE
REQUIREMENTS, WHICH SHALL BE APPLICABLE TO THIRD PARTIES SEEKING TO
CONNECT TO ANY SUCH CORPORATION'S SYSTEMS TO RECEIVE CONSUMPTION OR
OTHER DATA. ANY THIRD PARTY NOT CONTRACTED BY SUCH A CORPORATION THAT
SEEKS TO CONNECT TO SUCH CORPORATION'S SYSTEMS TO RECEIVE CONSUMPTION OR
OTHER DATA SHALL MEET ANY SUCH ESTABLISHED CYBER-SECURITY AND SAFETY
STANDARDS AND INSURANCE REQUIREMENTS.
4. THE COMMISSION SHALL PROMULGATE RULES AND REGULATIONS BY JANUARY
FIRST, TWO THOUSAND TWENTY-ONE TO ENSURE THE IMPLEMENTATION AND ENFORCE-
MENT OF THIS SECTION.
§ 7. Paragraph (a) of subdivision 19 of section 66 of the public
service law, as amended by section 4 of part X of chapter 57 of the laws
of 2013, is amended to read as follows:
(a) The commission shall have power to provide for management and
operations audits of gas corporations and electric corporations. Such
audits shall be performed at least once every five years for combination
gas and electric corporations, as well as for straight gas corporations
having annual gross revenues in excess of two hundred million dollars.
The audit shall include, but not be limited to, an investigation of the
company's construction program planning in relation to the needs of its
customers for reliable service, an evaluation of the efficiency of the
S. 6195 4
company's operations AND USE OF CUSTOMER ELECTRIC OR GAS CONSUMPTION
DATA AS PROVIDED FOR IN SECTION FIFTY-FOUR OF THE PUBLIC SERVICE LAW,
recommendations with respect to same, and the timing with respect to the
implementation of such recommendations. The commission shall have
discretion to have such audits performed by its staff, or by independent
auditors.
In every case in which the commission chooses to have the audit
provided for in this subdivision or pursuant to subdivision fourteen of
section sixty-five of this article performed by independent auditors, it
shall have authority to select the auditors, and to require the company
being audited to enter into a contract with the auditors providing for
their payment by the company. Such contract shall provide further that
the auditors shall work for and under the direction of the commission
according to such terms as the commission may determine are necessary
and reasonable.
§ 8. This act shall take effect on the one hundred eightieth day after
it shall have become a law; provided, however, that section six of this
act shall take effect thirty days after it shall have become a law.
Effective immediately, the public service commission is authorized and
directed to take actions necessary to promulgate rules and regulations
related to the implementation of subdivision 3 of section 54 of the
public service law on or before such effective date.