Maryland 2024 Regular Session

Maryland House Bill HB1420 Engrossed / Bill

Filed 03/18/2024

                     
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.
Underlining indicates amendments to bill.
Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment.

HOUSE BILL 1420 
S2, C5   	4lr3277 
      
By: Delegate Kaiser 
Introduced and read first time: February 9, 2024 
Assigned to: Health and Government Operations 
Reassigned: Economic Matters and Health and Government Operations, February 15, 2024 
Committee Report: Favorable with amendments 
House action: Adopted 
Read second time: March 9, 2024 
 
CHAPTER ______ 
 
AN ACT concerning

Cybersecurity – Office of People’s Counsel, Public Service Companies, Public Service Commission, and Maryland Cybersecurity Council

FOR the purpose of requiring authorizing the Office of People’s Counsel to retain or hire at least a certain number of assistant people’s counsel with cybersecurity expertise to perform certain duties experts in the field of cybersecurity; requiring certain public service companies to engage with a third party to conduct an assessment that analyzes certain critical software; requiring a certain certification to be submitted to the Office of People’s Counsel; requiring certain regulations adopted by the Public Service Commission to include cyber resilience; defining “critical infrastructure” for certain provisions relating to the Maryland Cybersecurity Council; and generally relating to cybersecurity.

BY repealing and reenacting, with amendments,
 Article – Public Utilities
 Section 2–203(f), 5–306, and 7–213(a) and (e)(1)
 Annotated Code of Maryland
 (2020 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, without amendments,
 Article – Public Utilities
 Section 2–203(a)(1) and 7–213(d)
 Annotated Code of Maryland
 (2020 Replacement Volume and 2023 Supplement)
 
 
 
BY repealing and reenacting, with amendments,
 Article – Public Utilities
 Section 2–203(a)(2), 5–306, and 7–213(a) and (e)(1)
 Annotated Code of Maryland
 (2020 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, with amendments,
 Article – State Government
 Section 9–2901(a)
 Annotated Code of Maryland
 (2021 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, without amendments,
 Article – State Government
 Section 9–2901(b) and (j)
 Annotated Code of Maryland
 (2021 Replacement Volume and 2023 Supplement)

 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:
 
Article – Public Utilities

2–203.

 (f) The Office of People’s Counsel may retain as necessary for a particular matter or hire experts in the field of:

 (1) utility regulation, including cost of capital experts, rate design experts, accountants, economists, engineers, transportation specialists, and lawyers; [and]

 (2) climate change, including meteorologists, oceanographers, ecologists, foresters, geologists, seismologists, botanists, and experts in any other field of science that the People’s Counsel determines is necessary; AND

 (3) CYBERSECURITY.

 (a) (1) The State budget shall provide sufficient money for the Office of People’s Counsel to hire necessary staff in addition to the staff assistance that is provided under § 2–205(c)(2) of this subtitle.

 (2) The Office of People’s Counsel shall hire:

 (I) at least one assistant people’s counsel who will focus on environmental issues; AND
 
 
 
 (II) AT LEAST ONE ASSISTANT PEOPLE’S COUNSEL WITH CYBERSECURITY EXPERTISE TO:

 1. ADVISE THE PEOPLE’S COUNSEL ON MEASURES TO IMPROVE OVERSIGHT OF THE CYBERSECURITY PRACTICES OF PUBLIC SERVICE COMPANIES;

 2. CONSULT WITH THE OFFICE OF SECURITY MANAGEMENT ON CYBERSECURITY ISSUES RELATED TO UTILITY REGULATION;

 3. ASSIST THE OFFICE OF PEOPLE’S COUNSEL IN MONITORING THE MINIMUM SECURITY STANDARDS DEVELOPED UNDER § 5–306 OF THIS ARTICLE;

 4. PARTICIPATE IN BRIEFINGS TO DISCUSS CYBERSECURITY PRACTICES BASED ON:

 A. APPLICABLE NATIONAL ASSOCIATION OF REGULATORY UTILITY COMMISSIONERS GUIDANCE; AND

 B. IMPROVEMENTS TO CYBERSECURITY PRACTICES RECOMMENDED IN THE CYBERSECURITY ASSESSMENTS REQUIRED UNDER § 5–306 OF THIS ARTICLE; AND

 5. SUPPORT PUBLIC SERVICE COMPANIES THAT DO NOT MEET MINIMUM SECURITY STANDARDS WITH REMEDIATING VULNERABILITIES OR ADDRESSING CYBERSECURITY ASSESSMENT FINDINGS.

5–306.

 (a) (1) In this section[, “zero–trust” means a cybersecurity approach:

 (1) focused on cybersecurity resource protection; and

 (2) based on the premise that trust is never granted implicitly but must be continually evaluated.] THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

 (2) “CRITICAL SOFTWARE” MEANS ANY SOFTWARE THAT HAS, OR HAS DIRECT SOFTWARE DEPENDENCIES ON, ONE OR MORE COMPONENTS WITH AT LEAST ONE OF THE FOLLOWING ATTRIBUTES:

 (I) THE ABILITY TO RUN WITH ELEVATED PRIVILEGE OR TO MANAGE PRIVILEGES;
 
 
 (II) DIRECT OR PRIVILEGED ACCESS TO NETWORKING OR COMPUTING RESOURCES;

 (III) THE ABILITY TO CONTROL ACCESS TO DATA OR OPERATIONAL TECHNOLOGY;

 (IV) THE ABILITY TO PERFORM A FUNCTION CRITICAL TO TRUST; OR

 (V) THE ABILITY TO OPERATE OUTSIDE NORMAL TRUST BOUNDARIES WITH PRIVILEGED ACCESS.

 (3) “SUPPLY CHAIN RISK” MEANS A RISK THAT AN ADVERSARY MAY SABOTAGE, MALICIOUSLY INTRODUCE UNWANTED FUNCTION TO, EXTRACT DATA FROM, OR OTHERWISE SUBVERT THE DESIGN, INTEGRITY, MANUFACTURING, PRODUCTION, DISTRIBUTION, INSTALLATION, OPERATION, MAINTENANCE, DISPOSITION, OR RETIREMENT OF A SYSTEM OR ITEM OF SUPPLY SO AS TO SURVEIL, DENY, DISRUPT, OR OTHERWISE MANIPULATE THE FUNCTION, USE, OR OPERATION OF THE SYSTEM OR ITEM OF SUPPLY OR INFORMATION STORED OR TRANSMITTED BY OR THROUGH THE SYSTEM OR ITEM OF SUPPLY.

 (4) “ZERO–TRUST” MEANS A CYBERSECURITY APPROACH:

 (I) FOCUSED ON CYBERSECURITY RESOURCE PROTECTION; AND

 (II) BASED ON THE PREMISE THAT TRUST IS NEVER GRANTED IMPLICITLY BUT MUST BE CONTINUALLY EVALUATED.

 (b) This section does not apply to a public service company that is:

 (1) a common carrier; or

 (2) a telephone company.

 (c) A public service company shall:

 (1) adopt and implement cybersecurity standards that are equal to or exceed standards adopted by the Commission;

 (2) adopt a zero–trust cybersecurity approach for on–premises services and cloud–based services;
 
 
 (3) establish minimum security standards for each operational technology and information technology device based on the level of security risk for each device, including [security risks associated with supply chains] SUPPLY CHAIN RISKS; and

 (4) (i) on or before July 1, 2024, and on or before July 1 every other year thereafter, engage a third party to conduct an assessment of operational technology and information technology devices THAT:

 1. IS based on:

 [1.] A. the Cybersecurity and Infrastructure Security Agency’s Cross–Sector Cybersecurity Performance Goals; or

 [2.] B. a more stringent standard that is based on the National Institute of Standards and Technology security frameworks; and

 2. ANALYZES CRITICAL SOFTWARE USED IN THE OPERATIONAL TECHNOLOGY AND INFORMATION TECHNOLOGY DEVICES; AND

 (ii) submit to the Commission AND THE OFFICE OF PEOPLE’S COUNSEL certification of the public service company’s compliance with standards used in the assessments under item (i) of this item.

 (d) (1) Each public service company shall report, in accordance with the process established under paragraph (2) of this subsection, a cybersecurity incident, including an attack on a system being used by the public service company, to the State Security Operations Center in the Department of Information Technology.

 (2) The State Chief Information Security Officer, in consultation with the Commission, shall establish a process for a public service company to report cybersecurity incidents under paragraph (1) of this subsection, including establishing:

 (i) the criteria for determining the circumstances under which a cybersecurity incident must be reported;

 (ii) the manner in which a cybersecurity incident must be reported; and

 (iii) the time period within which a cybersecurity incident must be reported.

 (3) The State Security Operations Center shall immediately notify appropriate State and local agencies of a cybersecurity incident reported under this subsection.

7–213.
 
 
 
 (a) (1) In this section the following words have the meanings indicated.

 (2) “CYBER RESILIENCE” MEANS THE ABILITY TO ANTICIPATE, WITHSTAND, RECOVER FROM, AND ADAPT TO ADVERSE CONDITIONS, STRESSES, ATTACKS, OR COMPROMISES ON SYSTEMS THAT USE OR ARE ENABLED BY CYBER RESOURCES.

 [(2)] (3) (i) “Eligible reliability measure” means a replacement of or an improvement in existing infrastructure of an electric company that:

 1. is made on or after June 1, 2014;

 2. is designed to improve public safety or infrastructure reliability;

 3. does not increase the revenue of an electric company by connecting an improvement directly to new customers; and

 4. is not included in the current rate base of the electric company as determined in the electric company’s most recent base rate proceeding.

 (ii) “Eligible reliability measure” includes vegetation management measures that are necessary to meet applicable service quality and reliability standards under this section.

 [(3)] (4) “Fund” means the Electric Reliability Remediation Fund established under subsection (j) of this section.

 [(4)] (5) “System–average interruption duration index” or “SAIDI” means the sum of the customer interruption hours divided by the total number of customers served.

 [(5)] (6) “System–average interruption frequency index” or “SAIFI” means the sum of the number of customer interruptions divided by the total number of customers served.

 (d) On or before July 1, 2012, the Commission shall adopt regulations that implement service quality and reliability standards relating to the delivery of electricity to retail customers by electric companies through their distribution systems, using:

 (1) SAIFI;

 (2) SAIDI; and
 
 
 (3) any other performance measurement that the Commission determines to be reasonable.

 (e) (1) The regulations adopted under subsection (d) of this section shall:

 (i) include service quality and reliability standards, including standards relating to:

 1. service interruption;

 2. downed wire response;

 3. customer communications;

 4. vegetation management;

 5. periodic equipment inspections;

 6. annual reliability reporting; [and]

 7. CYBER RESILIENCE; AND

 [7.] 8. any other standards established by the Commission;

 (ii) account for major outages caused by events outside the control of an electric company; and

 (iii) for an electric company that fails to meet the applicable service quality and reliability standards, require the electric company to file a corrective action plan that details specific actions the company will take to meet the standards.

Article – State Government

9–2901.

 (a) (1) In this subtitle the following words have the meanings indicated.

 (2) “Council” means the Maryland Cybersecurity Council.

 (3) “CRITICAL INFRASTRUCTURE” MEANS SYSTEMS AND ASSETS, WHETHER PHYSICAL OR VIRTUAL, SO VITAL TO THE STATE THAT THE INCAPACITY OR DESTRUCTION OF SUCH SYSTEMS AND ASSETS WOULD HAVE A DEBILITATING IMPACT ON SECURITY, ECONOMIC SECURITY, PUBLIC HEALTH OR SAFETY, OR ANY COMBINATION OF THOSE MATTERS.
 
 
 [(3)] (4) “Executive Order” means Executive Order 13636 of the President of the United States.

 (b) There is a Maryland Cybersecurity Council.

 (j) The Council shall work with the National Institute of Standards and Technology and other federal agencies, private sector businesses, and private cybersecurity experts to:

 (1) for critical infrastructure not covered by federal law or the Executive Order, review and conduct risk assessments to determine which local infrastructure sectors are at the greatest risk of cyber attacks and need the most enhanced cybersecurity measures;

 (2) use federal guidance to identify categories of critical infrastructure as critical cyber infrastructure if cyber damage or unauthorized cyber access to the infrastructure could reasonably result in catastrophic consequences, including:

 (i) interruption in the provision of energy, water, transportation, emergency services, food, or other life–sustaining services sufficient to cause a mass casualty event or mass evacuations;

 (ii) catastrophic economic damage; or

 (iii) severe degradation of State or national security;

 (3) assist infrastructure entities that are not covered by the Executive Order in complying with federal cybersecurity guidance;

 (4) assist private sector cybersecurity businesses in adopting, adapting, and implementing the National Institute of Standards and Technology cybersecurity framework of standards and practices;

 (5) examine inconsistencies between State and federal laws regarding cybersecurity;

 (6) recommend a comprehensive State strategic plan to ensure a coordinated and adaptable response to and recovery from cybersecurity attacks; and

 (7) recommend any legislative changes considered necessary by the Council to address cybersecurity issues.

 SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2024.