These standards would be applied to the state’s public transportation, water and wastewater treatment facilities, public utilities, public buildings, hospitals, public health facilities and select financial services organizations.
Other areas, such as automation and control system components, including hardware, software and policies involved in the operation of critical infrastructure, would also have to comply with these new standards.
“This is something I’ve been wanting to do for quite some time,” the bill’s sponsor, Sen. Kevin Thomas, D-6, said. “There have been an increased amount of cyber attacks where hackers are just holding people hostage.”
“The bill looks to address this by updating systems to match international standards so that the state’s critical infrastructure is protected as much as possible,” Thomas said.
One of these is the ISA/IEC 62443 series of standards, created by the International Society of Automation.
According to the ISA website, these standards include a framework to address and mitigate current and future security vulnerabilities in industrial automation, and to identify and apply security countermeasures that reduce risk to tolerable levels.
To achieve this in the state, the governor’s office, with input from the state’s Division of Homeland Security and Emergency Services and the superintendent of financial services, will decide which critical infrastructure systems are considered vital and vulnerable to cybersecurity attacks and how to address these issues.
“There needs to be more vigilance. We need to know whether these critical infrastructure systems can be compromised and how to upgrade them to prevent them from being compromised,” Thomas said. “This bill is one way of doing that.”
The state’s Division of Homeland Security and Emergency Services declined to comment on the pending legislation.