EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.

HOUSE BILL 1420
S2, C5 4lr3277
By: Delegate Kaiser
Introduced and read first time: February 9, 2024
Assigned to: Health and Government Operations

A BILL ENTITLED

AN ACT concerning

Cybersecurity – Office of People’s Counsel, Public Service Companies, Public Service Commission, and Maryland Cybersecurity Council

FOR the purpose of requiring the Office of People’s Counsel to hire at least a certain number of assistant people’s counsel with cybersecurity expertise to perform certain duties; requiring certain public service companies to engage with a third party to conduct an assessment that analyzes certain critical software; requiring a certain certification to be submitted to the Office of People’s Counsel; requiring certain regulations adopted by the Public Service Commission to include cyber resilience; defining “critical infrastructure” for certain provisions relating to the Maryland Cybersecurity Council; and generally relating to cybersecurity.

BY repealing and reenacting, without amendments,
    Article – Public Utilities
    Section 2–203(a)(1) and 7–213(d)
    Annotated Code of Maryland
    (2020 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, with amendments,
    Article – Public Utilities
    Section 2–203(a)(2), 5–306, and 7–213(a) and (e)(1)
    Annotated Code of Maryland
    (2020 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, with amendments,
    Article – State Government
    Section 9–2901(a)
    Annotated Code of Maryland
    (2021 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, without amendments,
    Article – State Government
    Section 9–2901(b) and (j)
    Annotated Code of Maryland
    (2021 Replacement Volume and 2023 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Public Utilities

2–203.

(a) (1) The State budget shall provide sufficient money for the Office of People’s Counsel to hire necessary staff in addition to the staff assistance that is provided under § 2–205(c)(2) of this subtitle.

    (2) The Office of People’s Counsel shall hire:

        (I) at least one assistant people’s counsel who will focus on environmental issues; AND

        (II) AT LEAST ONE ASSISTANT PEOPLE’S COUNSEL WITH CYBERSECURITY EXPERTISE TO:

            1. ADVISE THE PEOPLE’S COUNSEL ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES;

            2. CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION;

            3. ASSIST THE OFFICE OF PEOPLE’S COUNSEL IN MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE;

            4. PARTICIPATE IN BRIEFINGS TO DISCUSS CYBERSECURITY PRACTICES BASED ON:

                A. APPLICABLE NATIONAL ASSOCIATION OF REGULATORY UTILITY COMMISSIONERS GUIDANCE; AND

                B. IMPROVEMENTS TO CYBERSECURITY PRACTICES RECOMMENDED IN THE CYBERSECURITY ASSESSMENTS REQUIRED UNDER § 5–306 OF THIS ARTICLE; AND

            5. SUPPORT PUBLIC SERVICE COMPANIES THAT DO NOT MEET MINIMUM SECURITY STANDARDS WITH REMEDIATING VULNERABILITIES OR ADDRESSING CYBERSECURITY ASSESSMENT FINDINGS.

5–306.

(a) (1) In this section[, “zero–trust” means a cybersecurity approach:

    (1) focused on cybersecurity resource protection; and

    (2) based on the premise that trust is never granted implicitly but must be continually evaluated.] THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

    (2) “CRITICAL SOFTWARE” MEANS ANY SOFTWARE THAT HAS, OR HAS DIRECT SOFTWARE DEPENDENCIES ON, ONE OR MORE COMPONENTS WITH AT LEAST ONE OF THE FOLLOWING ATTRIBUTES:

        (I) THE ABILITY TO RUN WITH ELEVATED PRIVILEGE OR TO MANAGE PRIVILEGES;

        (II) DIRECT OR PRIVILEGED ACCESS TO NETWORKING OR COMPUTING RESOURCES;

        (III) THE ABILITY TO CONTROL ACCESS TO DATA OR OPERATIONAL TECHNOLOGY;

        (IV) THE ABILITY TO PERFORM A FUNCTION CRITICAL TO TRUST; OR

        (V) THE ABILITY TO OPERATE OUTSIDE NORMAL TRUST BOUNDARIES WITH PRIVILEGED ACCESS.

    (3) “SUPPLY CHAIN RISK” MEANS A RISK THAT AN ADVERSARY MAY SABOTAGE, MALICIOUSLY INTRODUCE UNWANTED FUNCTION TO, EXTRACT DATA FROM, OR OTHERWISE SUBVERT THE DESIGN, INTEGRITY, MANUFACTURING, PRODUCTION, DISTRIBUTION, INSTALLATION, OPERATION, MAINTENANCE, DISPOSITION, OR RETIREMENT OF A SYSTEM OR ITEM OF SUPPLY SO AS TO SURVEIL, DENY, DISRUPT, OR OTHERWISE MANIPULATE THE FUNCTION, USE, OR OPERATION OF THE SYSTEM OR ITEM OF SUPPLY OR INFORMATION STORED OR TRANSMITTED BY OR THROUGH THE SYSTEM OR ITEM OF SUPPLY.

    (4) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:

        (I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND

        (II) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED.

(b) This section does not apply to a public service company that is:

    (1) a common carrier; or

    (2) a telephone company.

(c) A public service company shall:

    (1) adopt and implement cybersecurity standards that are equal to or exceed standards adopted by the Commission;

    (2) adopt a zero–trust cybersecurity approach for on–premises services and cloud–based services;

    (3) establish minimum security standards for each operational technology and information technology device based on the level of security risk for each device, including [security risks associated with supply chains] SUPPLY CHAIN RISKS; and

    (4) (i) on or before July 1, 2024, and on or before July 1 every other year thereafter, engage a third party to conduct an assessment of operational technology and information technology devices THAT:

            1. IS based on:

                [1.] A. the Cybersecurity and Infrastructure Security Agency’s Cross–Sector Cybersecurity Performance Goals; or

                [2.] B. a more stringent standard that is based on the National Institute of Standards and Technology security frameworks; and

            2. ANALYZES CRITICAL SOFTWARE USED IN THE OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES; AND

        (ii) submit to the Commission AND THE OFFICE OF PEOPLE’S COUNSEL certification of the public service company’s compliance with standards used in the assessments under item (i) of this item.

(d) (1) Each public service company shall report, in accordance with the process established under paragraph (2) of this subsection, a cybersecurity incident, including an attack on a system being used by the public service company, to the State Security Operations Center in the Department of Information Technology.

    (2) The State Chief Information Security Officer, in consultation with the Commission, shall establish a process for a public service company to report cybersecurity incidents under paragraph (1) of this subsection, including establishing:

        (i) the criteria for determining the circumstances under which a cybersecurity incident must be reported;

        (ii) the manner in which a cybersecurity incident must be reported; and

        (iii) the time period within which a cybersecurity incident must be reported.

    (3) The State Security Operations Center shall immediately notify appropriate State and local agencies of a cybersecurity incident reported under this subsection.

7–213.

(a) (1) In this section the following words have the meanings indicated.

    (2) “CYBER RESILIENCE” MEANS THE ABILITY TO ANTICIPATE, WITHSTAND, RECOVER FROM, AND ADAPT TO ADVERSE CONDITIONS, STRESSES, ATTACKS, OR COMPROMISES ON SYSTEMS THAT USE OR ARE ENABLED BY CYBER RESOURCES.

    [(2)] (3) (i) “Eligible reliability measure” means a replacement of or an improvement in existing infrastructure of an electric company that:

            1. is made on or after June 1, 2014;

            2. is designed to improve public safety or infrastructure reliability;

            3. does not increase the revenue of an electric company by connecting an improvement directly to new customers; and

            4. is not included in the current rate base of the electric company as determined in the electric company’s most recent base rate proceeding.

        (ii) “Eligible reliability measure” includes vegetation management measures that are necessary to meet applicable service quality and reliability standards under this section.

    [(3)] (4) “Fund” means the Electric Reliability Remediation Fund established under subsection (j) of this section.

    [(4)] (5) “System–average interruption duration index” or “SAIDI” means the sum of the customer interruption hours divided by the total number of customers served.

    [(5)] (6) “System–average interruption frequency index” or “SAIFI” means the sum of the number of customer interruptions divided by the total number of customers served.

(d) On or before July 1, 2012, the Commission shall adopt regulations that implement service quality and reliability standards relating to the delivery of electricity to retail customers by electric companies through their distribution systems, using:

    (1) SAIFI;

    (2) SAIDI; and

    (3) any other performance measurement that the Commission determines to be reasonable.

(e) (1) The regulations adopted under subsection (d) of this section shall:

        (i) include service quality and reliability standards, including standards relating to:

            1. service interruption;

            2. downed wire response;

            3. customer communications;

            4. vegetation management;

            5. periodic equipment inspections;

            6. annual reliability reporting; [and]

            7. CYBER RESILIENCE; AND

            [7.] 8. any other standards established by the Commission;

        (ii) account for major outages caused by events outside the control of an electric company; and

        (iii) for an electric company that fails to meet the applicable service quality and reliability standards, require the electric company to file a corrective action plan that details specific actions the company will take to meet the standards.

Article – State Government

9–2901.

(a) (1) In this subtitle the following words have the meanings indicated.

    (2) “Council” means the Maryland Cybersecurity Council.

    (3) “CRITICAL INFRASTRUCTURE” MEANS SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL TO THE STATE THAT THE INCAPACITY OR DESTRUCTION OF SUCH SYSTEMS AND ASSETS WOULD HAVE A DEBILITATING IMPACT ON SECURITY, ECONOMIC SECURITY, PUBLIC HEALTH OR SAFETY, OR ANY COMBINATION OF THOSE MATTERS.

    [(3)] (4) “Executive Order” means Executive Order 13636 of the President of the United States.

(b) There is a Maryland Cybersecurity Council.

(j) The Council shall work with the National Institute of Standards and Technology and other federal agencies, private sector businesses, and private cybersecurity experts to:

    (1) for critical infrastructure not covered by federal law or the Executive Order, review and conduct risk assessments to determine which local infrastructure sectors are at the greatest risk of cyber attacks and need the most enhanced cybersecurity measures;

    (2) use federal guidance to identify categories of critical infrastructure as critical cyber infrastructure if cyber damage or unauthorized cyber access to the infrastructure could reasonably result in catastrophic consequences, including:

        (i) interruption in the provision of energy, water, transportation, emergency services, food, or other life–sustaining services sufficient to cause a mass casualty event or mass evacuations;

        (ii) catastrophic economic damage; or

        (iii) severe degradation of State or national security;

    (3) assist infrastructure entities that are not covered by the Executive Order in complying with federal cybersecurity guidance;

    (4) assist private sector cybersecurity businesses in adopting, adapting, and implementing the National Institute of Standards and Technology cybersecurity framework of standards and practices;

    (5) examine inconsistencies between State and federal laws regarding cybersecurity;

    (6) recommend a comprehensive State strategic plan to ensure a coordinated and adaptable response to and recovery from cybersecurity attacks; and

    (7) recommend any legislative changes considered necessary by the Council to address cybersecurity issues.

SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2024.