EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.

SENATE BILL 810

S2, E4, C5 2lr2965

By: Senator Hester

Introduced and read first time: February 7, 2022

Assigned to: Finance

A BILL ENTITLED

AN ACT concerning

Cybersecurity – Critical Infrastructure and Public Service Companies

(Critical Infrastructure Security Act of 2022)

FOR the purpose of authorizing the Department of Emergency Management to take action to reduce the disaster risk and vulnerability of critical infrastructure; establishing the Critical Infrastructure Cybersecurity Grant Program in the Department to leverage certain funds to make cybersecurity improvements to critical infrastructure; altering the duties and staffing requirements of the Public Service Commission to include cybersecurity; authorizing the Office of People’s Counsel to retain or hire an expert in cybersecurity; requiring certain public service companies to adopt certain cybersecurity best practices, protect certain information, include certain language in certain contracts, and establish certain security standards for certain technology devices, data, and personally identifiable information; requiring certain regulations on service quality and reliability standards for electric companies and gas companies to include cyber resiliency; and generally relating to cybersecurity risk protection of critical infrastructure and public service companies.

BY repealing and reenacting, with amendments,
Article – Public Safety
Section 14–101, 14–102(a), and 14–103
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)

BY adding to
Article – Public Safety
Section 14–118
Annotated Code of Maryland
(2018 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, without amendments,
Article – Public Utilities
Section 1–101(a) and 7–213(d)
Annotated Code of Maryland
(2020 Replacement Volume and 2021 Supplement)

BY adding to
Article – Public Utilities
Section 1–101(h–1) through (h–3) and 5–305
Annotated Code of Maryland
(2020 Replacement Volume and 2021 Supplement)

BY repealing and reenacting, with amendments,
Article – Public Utilities
Section 2–108(d), 2–113(a), 2–203(f), and 7–213(e)(1)
Annotated Code of Maryland
(2020 Replacement Volume and 2021 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Public Safety

14–101.

(a) In this title the following words have the meanings indicated.

(B) “CRITICAL INFRASTRUCTURE” MEANS SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, THAT ARE SO VITAL TO THE STATE THAT THE INCAPACITY OR DESTRUCTION OF THE SYSTEM OR ASSET WOULD HAVE A DEBILITATING IMPACT ON ANY ONE OR COMBINATION OF THE FOLLOWING:

(1) SECURITY;

(2) ECONOMIC SECURITY;

(3) PUBLIC HEALTH; OR

(4) PUBLIC SAFETY.

(C) (1) “CYBERSECURITY” MEANS PROCESSES OR CAPABILITIES IN WHICH SYSTEMS, COMMUNICATIONS, AND INFORMATION ARE PROTECTED AND DEFENDED AGAINST DAMAGE, UNAUTHORIZED USE OR MODIFICATION, AND EXPLOITATION.

(2) “CYBERSECURITY” INCLUDES PROTECTING THE AVAILABILITY, INTEGRITY, AUTHENTICATION, CONFIDENTIALITY, AND NONREPUDIATION OF INFORMATION.

[(b)] (D) “Department” means the Maryland Department of Emergency Management.

[(c)] (E) “Emergency” means the imminent threat or occurrence of severe or widespread loss of life, injury, or other health impacts, property damage or destruction, social or economic disruption, or environmental degradation from natural, technological, or human–made causes.

[(d)] (F) (1) “Emergency management” means the planning, implementing, and conducting of risk reduction and consequence management activities across the mission areas of prevention, protection, mitigation, response, and recovery to enhance preparedness, save lives, preserve public health and safety, protect public and private property, and minimize or repair injury and damage that results or may result from emergencies.

(2) “Emergency management” does not include the preparation for and carrying out of functions in an emergency for which military forces are primarily responsible.

[(e)] (G) “Local organization for emergency management” means an organization established by a political subdivision or other local authority under § 14–109 of this subtitle.

[(f)] (H) “Political subdivision” means a county or municipal corporation of the State.

[(g)] (I) “Secretary” means the Secretary of Emergency Management.

(J) “SECURITY BY DESIGN” MEANS THE CONSIDERATION OF CYBERSECURITY RISKS IN EVERY PHASE OF A PROJECT.

[(h)] (K) “Senior elected official” means:

(1) the mayor;

(2) the county executive;

(3) for a county that does not have a county executive, the president of the board of county commissioners or county council or other chief executive officer of the county; or

(4) for a municipal corporation that does not have a mayor, the burgess, chairperson, or president of the municipal governing body or other chief executive officer of the municipal corporation.

14–102.

(a) To ensure that the State will be adequately prepared to deal with emergencies, to protect the public peace, health, and safety in the State, to preserve the lives and property of the people of the State, and to ensure the social and economic resilience of the State, it is necessary to:

(1) establish a Maryland Department of Emergency Management;

(2) authorize the establishment of local organizations for emergency management in the political subdivisions;

(3) confer on the Governor and on the senior elected officials or governing bodies of the political subdivisions the emergency powers provided in this subtitle;

(4) provide for the rendering of mutual aid among the political subdivisions and with other states in carrying out emergency management functions; [and]

(5) authorize a comprehensive emergency management system that empowers all State departments and agencies to systematically prepare for, mitigate, respond to, and recover from potential or actual emergencies through risk reduction and consequence management; AND

(6) AUTHORIZE THE DEPARTMENT TO ESTABLISH A GRANT PROGRAM FOR THE PROTECTION OF CRITICAL INFRASTRUCTURE.

14–103.

(a) There is a Maryland Department of Emergency Management established as a principal department of the Executive Branch of State government.

(b) The Department has primary responsibility and authority for developing emergency management policies and is responsible for coordinating disaster risk reduction, consequence management, and disaster recovery activities.

(c) The Department may act to:

(1) reduce the disaster risk and vulnerability of persons, CRITICAL INFRASTRUCTURE, and property located in the State;

(2) develop and coordinate emergency planning and preparedness; and

(3) coordinate emergency management activities and operations:

(i) relating to an emergency that involves two or more State agencies;

(ii) between State agencies and political subdivisions;

(iii) with local governments;

(iv) with agencies of the federal government and other states; and

(v) with private and nonprofit entities.

14–118.

(A) IN THIS SECTION, “PROGRAM” MEANS THE CRITICAL INFRASTRUCTURE CYBERSECURITY GRANT PROGRAM.

(B) THERE IS A CRITICAL INFRASTRUCTURE CYBERSECURITY GRANT PROGRAM IN THE DEPARTMENT.

(C) THE PURPOSE OF THE PROGRAM IS TO LEVERAGE FUNDS AVAILABLE FROM FEDERAL, STATE, AND LOCAL GRANT PROGRAMS TO MAKE CYBERSECURITY IMPROVEMENTS TO CRITICAL INFRASTRUCTURE.

(D) THE DEPARTMENT SHALL:

(1) ADMINISTER THE PROGRAM;

(2) ESTABLISH APPLICATION PROCEDURES FOR THE PROGRAM; AND

(3) AWARD GRANTS FROM THE PROGRAM.

(E) (1) IN DETERMINING THE TYPES OF CYBERSECURITY IMPROVEMENTS AND RECIPIENTS ELIGIBLE FOR GRANTS UNDER THE PROGRAM, THE DEPARTMENT SHALL:

(I) CONSULT WITH ELECTRIC COMPANIES, GAS COMPANIES, WATER UTILITIES, STATE AGENCIES, AND POLITICAL SUBDIVISIONS TO:

1. IDENTIFY CURRENT AND FORESEEABLE CYBERSECURITY RISKS TO THE STATE’S ELECTRIC GRID, NATURAL GAS INFRASTRUCTURE, AND WATER AND SEWER SYSTEMS; AND

2. PREPARE A REPORT ON THE CYBERSECURITY RISKS IDENTIFIED UNDER ITEM 1 OF THIS ITEM;

(II) IDENTIFY FUNDING TO FUND THE GRANTS AWARDED UNDER THE PROGRAM; AND

(III) DEVELOP CRITERIA FOR SELECTING GRANT RECIPIENTS BASED ON A GRANT APPLICANT’S CYBERSECURITY RISK.

(2) ON OR BEFORE DECEMBER 1, 2022, THE DEPARTMENT SHALL SUBMIT THE REPORT PREPARED UNDER PARAGRAPH (1)(I)2 OF THIS SUBSECTION TO THE GOVERNOR AND, IN ACCORDANCE WITH § 2–1257 OF THE STATE GOVERNMENT ARTICLE, THE GENERAL ASSEMBLY.

(F) THE DEPARTMENT SHALL:

(1) REQUIRE EACH GRANT RECIPIENT TO DEVELOP PROCESSES TO ADDRESS CYBERSECURITY RISKS AND SUBMIT A REPORT ON IMPLEMENTED PROCESSES TO THE DEPARTMENT; AND

(2) REQUIRE GRANT RECIPIENTS THAT MODERNIZE OR IMPROVE THE RESILIENCE OF ELECTRIC GRIDS, NATURAL GAS INFRASTRUCTURE, OR WATER AND SEWER SYSTEMS TO:

(I) SUBMIT A REPORT ON IMPLEMENTED SECURITY BY DESIGN PRINCIPLES TO THE DEPARTMENT; AND

(II) ESTABLISH A CYBERSECURITY PLAN THAT ADDRESSES CYBERSECURITY RISKS IN POLICY, SOFTWARE DEVELOPMENT, HARDWARE, AND NETWORKS.

Article – Public Utilities

1–101.

(a) In this division the following words have the meanings indicated.

(H–1) “CYBER RESILIENCY” MEANS THE ABILITY TO ANTICIPATE, WITHSTAND, RECOVER FROM, AND ADAPT TO ADVERSE CONDITIONS, STRESSES, ATTACKS, OR COMPROMISES ON SYSTEMS THAT USE OR ARE ENABLED BY A CYBER RESOURCE.

(H–2) “CYBER RESOURCE” MEANS AN INFORMATION SOURCE THAT:

(1) CREATES, STORES, PROCESSES, MANAGES, TRANSMITS, OR DISPOSES OF INFORMATION IN AN ELECTRONIC FORMAT; AND

(2) CAN BE ACCESSED BY A NETWORK OR BY USING NETWORKING METHODS.

(H–3) “CYBERSECURITY” HAS THE MEANING STATED IN § 14–101 OF THE PUBLIC SAFETY ARTICLE.

2–108.

(d) (1) The State budget shall provide sufficient money for the Commission to hire, develop, and organize a staff to perform the functions of the Commission, including analyzing data submitted to the Commission and participating in proceedings as provided in § 3–104 of this article.

(2) (i) As the Commission considers necessary, the Commission shall hire experts including economists, cost of capital experts, rate design experts, accountants, engineers, transportation specialists, and lawyers.

(ii) To assist in the regulation of intrastate hazardous liquid pipelines under Title 11, Subtitle 2 of this article, the Commission shall include on its staff at least one engineer who specializes in the storage of and the transportation of hazardous liquid materials by pipeline.

(3) THE COMMISSION SHALL INCLUDE ON ITS STAFF ONE OR MORE EMPLOYEES DEDICATED TO CYBERSECURITY POLICY, STRATEGY, AUDITING, AND REPORTING.

(4) The Commission may retain on a case by case basis additional experts as required for a particular matter.

[(4)] (5) The lawyers who represent the Commission staff in proceedings before the Commission shall be appointed by the Commission and shall be organized and operate independently of the office of General Counsel.

[(5)] (6) (i) As required, the Commission shall hire public utility law judges.

(ii) Public utility law judges are a separate organizational unit and shall report directly to the Commission.

[(6)] (7) The Commission shall hire personal staff members for each commissioner as required to provide advice, draft proposed orders and rulings, and perform other personal staff functions.

[(7)] (8) Subject to § 3–104 of this article, the Commission may delegate to a commissioner or personnel the authority to perform an administrative function necessary to carry out a duty of the Commission.

[(8)] (9) (i) Except as provided in subparagraph (ii) of this paragraph or otherwise by law, all personnel of the Commission are subject to the provisions of the State Personnel and Pensions Article.

(ii) The following are in the executive service, management service, or are special appointments in the State Personnel Management System:

1. each commissioner of the Commission;

2. the Executive Director;

3. the General Counsel and each assistant general counsel;

4. the Executive Secretary;

5. the commissioners’ personal staff members;

6. the chief public utility law judge; and

7. each license hearing officer.

2–113.

(a) (1) The Commission shall:

(i) supervise and regulate the public service companies subject to the jurisdiction of the Commission to:

1. ensure their operation in the interest of the public; and

2. promote adequate, economical, and efficient delivery of utility services in the State without unjust discrimination; and

(ii) enforce compliance with the requirements of law by public service companies, including requirements with respect to financial condition, capitalization, franchises, plant, manner of operation, rates, and service.

(2) In supervising and regulating public service companies, the Commission shall consider:

(i) the public safety;

(ii) the economy of the State;

(iii) the maintenance of fair and stable labor standards for affected workers;

(iv) the conservation of natural resources;

(v) the preservation of environmental quality, including protection of the global climate from continued short–term and long–term warming based on the best available scientific information recognized by the Intergovernmental Panel on Climate Change; [and]

(vi) the achievement of the State’s climate commitments for reducing statewide greenhouse gas emissions, including those specified in Title 2, Subtitle 12 of the Environment Article; AND

(V) THE CYBERSECURITY RISKS FACED BY PUBLIC SERVICE COMPANIES IN THE STATE.

2–203.

(f) The Office of People’s Counsel may retain as necessary for a particular matter or hire experts in the field of:

(1) utility regulation, including cost of capital experts, rate design experts, accountants, economists, engineers, transportation specialists, and lawyers; [and]

(2) climate change, including meteorologists, oceanographers, ecologists, foresters, geologists, seismologists, botanists, and experts in any other field of science that the People’s Counsel determines is necessary; AND

(3) CYBERSECURITY.

5–305.

(A) IN THIS SECTION, “ZERO TRUST” MEANS A CYBERSECURITY APPROACH:

(1) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND

(2) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED.

(B) THIS SECTION DOES NOT APPLY TO A PUBLIC SERVICE COMPANY THAT IS:

(1) A COMMON CARRIER; OR

(2) A TELEPHONE COMPANY.

(C) EACH PUBLIC SERVICE COMPANY SHALL:

(1) ADOPT CYBERSECURITY BEST PRACTICES, INCLUDING IMPLEMENTING ZERO TRUST PRINCIPLES;

(2) PROTECT PERSONALLY IDENTIFIABLE INFORMATION OF CUSTOMERS AND EMPLOYEES;

(3) INCLUDE IN CONTRACTS WITH THIRD–PARTY INFORMATION TECHNOLOGY OR OPERATIONAL TECHNOLOGY PROVIDERS PROVISIONS REQUIRING THE THIRD–PARTY PROVIDERS TO:

(I) COLLECT AND PRESERVE DATA FOR CYBERSECURITY ANALYSIS; AND

(II) SHARE THAT DATA AND REPORT ANY CYBERSECURITY BREACHES TO THE PUBLIC SERVICE COMPANY;

(4) ESTABLISH MINIMUM SECURITY STANDARDS FOR INFORMATION TECHNOLOGY AND OPERATIONAL TECHNOLOGY DEVICES; AND

(5) ENCRYPT AND CREATE MINIMUM SECURITY STANDARDS FOR DATA AND PERSONALLY IDENTIFIABLE INFORMATION HELD BY THE PUBLIC SERVICE COMPANY.

7–213.

(d) On or before July 1, 2012, the Commission shall adopt regulations that implement service quality and reliability standards relating to the delivery of electricity to retail customers by electric companies through their distribution systems, using:

(1) SAIFI;

(2) SAIDI; and

(3) any other performance measurement that the Commission determines to be reasonable.

(e) (1) The regulations adopted under subsection (d) of this section shall:

(i) include service quality and reliability standards, including standards relating to:

1. service interruption;

2. downed wire response;

3. customer communications;

4. vegetation management;

5. periodic equipment inspections;

6. annual reliability reporting; [and]

7. CYBER RESILIENCY; AND

8. any other standards established by the Commission;

(ii) account for major outages caused by events outside the control of an electric company; and

(iii) for an electric company that fails to meet the applicable service quality and reliability standards, require the electric company to file a corrective action plan that details specific actions the company will take to meet the standards.

SECTION 2. AND BE IT FURTHER ENACTED, That on or before June 31, 2023, the Public Service Commission shall update the regulations adopted under § 7–213(d) of the Public Utilities Article to include service quality and reliability standards for cyber resiliency.

SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect June 1, 2022.