HB 1147 2022
FLORIDA HOUSE OF REPRESENTATIVES
CODING: Words stricken are deletions; words underlined are additions.
hb1147-00

A bill to be entitled

An act relating to critical infrastructure standards and procedures; creating s. 282.32, F.S.; providing a short title; providing legislative findings; providing definitions; requiring an agency asset owner and encouraging an asset owner procuring certain components, services, or solutions or entering into certain contracts to require conformance with certain standards beginning on a specified date; requiring such agency asset owner and encouraging such asset owner to ensure that certain contracts require that certain components meet certain minimum standards; encouraging an asset owner to ensure that the operation and maintenance of certain operational technology conform to certain standards and practices beginning on a specified date; encouraging such asset owner to annually conduct a certain assessment and create a certain plan; requiring a court to make a certain determination in a civil action based on a security incident-related claim; providing that a defendant is immune from civil liability in certain circumstances; requiring the Florida Digital Service, in consultation with the Florida Cybersecurity Advisory Council, to adopt rules; providing an effective date.

WHEREAS, the operational technologies that automate the critical infrastructure of daily life are experiencing a rapid increase in cybersecurity incidents, and the impact of such incidents affects life, safety, the environment, and economic viability across sectors, and

WHEREAS, the recent cybersecurity hacking and shutdown of the Colonial Pipeline by the criminal enterprise DarkSide in 2021; the infiltration of the Bowman Avenue Dam in Rye Brook, New York, by Iranian hackers in 2013; and the intrusion of numerous federal agencies by suspected Russian hackers underscore the need to provide the public and private sectors with clarity and support on how to improve the cybersecurity of control systems, NOW, THEREFORE,

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 282.32, Florida Statutes, is created to read:

282.32 Critical infrastructure standards and procedures.—

(1) This section may be cited as the "Critical Infrastructure Standards and Procedures Act."

(2) The Legislature finds that standard definitions of the security capabilities of system components are necessary to provide a common language for product suppliers and other control system stakeholders and to simplify the procurement and integration processes for the computers, applications, network equipment, and control devices that make up a control system. The United States National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which references several relevant cybersecurity standards, including the International Society of Automation ISA 62443 series of standards, is an appropriate resource for use in establishing such standard definitions.

(3) As used in this section, the term:

(a) "Agency asset owner" means the public owner or entity accountable and responsible for operation of critical infrastructure and its automation and control system. The term includes the operator of the automation and control system and the equipment under control.

(b) "Asset owner" means the private owner or entity accountable and responsible for operation of critical infrastructure and its automation and control system. The term includes the operator of the automation and control system and the equipment under control.

(c) "Automation and control system" means the personnel, hardware, software, and policies involved in the operation of critical infrastructure which may affect or influence such critical infrastructure's safe, secure, and reliable operation.

(d) "Automation and control system component" means control systems and complementary hardware and software components that are installed and configured to operate in an automation and control system. For purposes of this section, the term "control systems" includes, but is not limited to:

1. Distributed control systems, programmable logic controllers, remote terminal units, intelligent electronic devices, supervisory control and data acquisition, networked electronic sensing and control, monitoring and diagnostic systems, and process control systems, including basic process control system and safety-instrumented system functions, regardless of whether such functions are physically separate or integrated.

2. Associated information and analytic systems, including advanced or multivariable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems, and plant information management systems.

3. Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

(e) "Critical infrastructure" means infrastructure for which all assets, systems, and networks, regardless of whether physical or virtual, are considered vital and vulnerable to cybersecurity attacks as determined by the Florida Digital Service in consultation with the Florida Cybersecurity Advisory Council. The term includes, but is not limited to, public transportation as defined in s. 163.566(8); water and wastewater treatment facilities; public utilities and services subject to the jurisdiction, supervision, powers, and duties of the Public Service Commission; public buildings, including buildings operated by the state university system; hospitals and public health facilities; and financial services organizations.

(f) "Operational technology" means the hardware and software that cause or detect a change through the direct monitoring or control of physical devices, systems, processes, or events in critical infrastructure.

(g) "Security incident" means a security compromise that is significant to the asset owner, the asset owner's customers, or the public.

(4) Beginning July 1, 2022, an agency asset owner procuring automation and control system components, services, or solutions or entering into a contract for the construction, reconstruction, alteration, or design of a critical infrastructure facility must require that such components, services, and solutions conform to the ISA 62443 series of standards as referenced by the NIST CSF. Such agency asset owner shall ensure that all contracts for the construction, reconstruction, alteration, or design of a critical infrastructure facility require that installed automation and control system components meet the minimum standards for cybersecurity as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

(5) Beginning July 1, 2022, an asset owner procuring automation and control system components, services, or solutions or entering into a contract for the construction, reconstruction, alteration, or design of a critical infrastructure facility is encouraged to require that such components, services, and solutions conform to the ISA 62443 series of standards as referenced by the NIST CSF. Such asset owner is encouraged to ensure that all contracts for the construction, reconstruction, alteration, or design of a critical infrastructure facility require that installed automation and control system components meet the minimum standards for cybersecurity as defined in the ISA 62443 series of standards as referenced by the NIST CSF.

(6) Beginning July 1, 2022, an asset owner is encouraged to ensure that the operation and maintenance of operational technology, including critical infrastructure, automation and control systems, and automation and control system components, conform to the standards and practices defined in the ISA 62443 series of standards as referenced by the NIST CSF. Such asset owner is encouraged to annually conduct a risk assessment and create a risk mitigation plan.

(7) In a civil action based on a security incident-related claim:

(a) The court must determine, as a matter of law, whether the defendant made a good faith effort to meet the recommendations provided in subsection (5) or subsection (6).

(b) If the court determines that the defendant made such a good faith effort, the defendant is immune from civil liability for such security incident.

(c) If the court determines that the defendant did not make such a good faith effort, the plaintiff may proceed with the action.

Section 2. The Florida Digital Service shall, in consultation with the Florida Cybersecurity Advisory Council, adopt rules to implement this act.

Section 3. This act shall take effect July 1, 2022.