85R2330 GRM-D
 
  By: Hall
  S.B. No. 83
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to protection of energy critical infrastructure from
  electromagnetic, geomagnetic, terrorist, and cyber-attack threats.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Chapter 418, Government Code, is amended by
  adding Subchapter I to read as follows:
  SUBCHAPTER I.  ELECTROMAGNETIC THREAT PREPAREDNESS
         Sec. 418.201.  ELECTROMAGNETIC THREAT PREPAREDNESS TASK
  FORCE. (a)  In this section, "energy critical infrastructure"
  means an electrical power-generating facility, substation,
  switching station, electrical control center, or electrical
  transmission or distribution facility and includes an associated
  electronic control center and other electronic infrastructure used
  in electric power delivery.
         (b)  The electromagnetic threat preparedness task force is
  created. The task force shall develop a comprehensive recovery
  plan.
         (c)  The task force consists of 10 members appointed by the
  chief described by Section 418.041. Each member must be a regional
  emergency management representative.
         (d)  The task force shall:
               (1)  identify and develop technical and electronic
  resources to assist the division in the division's functions;
               (2)  implement a program to educate owners and
  operators of energy critical infrastructure and vital utility
  facilities and emergency responders about electromagnetic,
  geomagnetic, and cyber-attack threats;
               (3)  evaluate emergency planning and response
  technologies related to electromagnetic, geomagnetic, and
  cyber-attack threats;
               (4)  develop a comprehensive threat protection and
  recovery plan for energy critical infrastructure and vital utility
  facilities of this state against electromagnetic, geomagnetic,
  terrorist, and cyber-attack threats; and
               (5)  identify and compile a comprehensive list of
  contractors capable of performing work to increase the security of
  the electric grid.
         (e)  Information collected by the task force related to the
  security of the electric grid is confidential and is not subject to
  disclosure under Chapter 552.
         (f)  Not later than September 1, 2018, the task force shall
  prepare and submit to the governor and the legislature a report of
  the task force's findings and recommendations.
         (g)  A member of the task force established under this
  section is not entitled to compensation. Members may be reimbursed
  for expenses as follows:
               (1)  a member is entitled to reimbursement for travel
  and other necessary expenses as provided in the General
  Appropriations Act; and
               (2)  a member appointed as a representative of a state
  agency is eligible for reimbursement for travel and other necessary
  expenses according to the applicable agency's policies.
         (h)  This section expires September 1, 2018.
         Sec. 418.202.  TECHNOLOGICAL HAZARDS. (a)  In this section,
  "energy critical infrastructure" means an electrical
  power-generating facility, substation, switching station,
  electrical control center, or electrical transmission or
  distribution facility and includes an associated electronic
  control center and other electronic infrastructure used in electric
  power delivery.
         (b)  The division shall implement the comprehensive threat
  protection and recovery plan developed by the electromagnetic
  threat preparedness task force for energy critical infrastructure
  and vital utility facilities of this state against electromagnetic,
  geomagnetic, terrorist, and cyber-attack threats.
         (c)  The governor may instruct an agency to take actions as
  are necessary to implement the comprehensive threat protection and
  recovery plan developed by the electromagnetic threat preparedness
  task force.
         (d)  Information collected by the division related to the
  security of the electric grid is confidential and is not subject to
  disclosure under Chapter 552.
         SECTION 2.  Chapter 39, Utilities Code, is amended by adding
  Subchapter M to read as follows:
  SUBCHAPTER M.  GRID SECURITY
         Sec. 39.601.  INFORMATION RELATED TO GRID SECURITY. The
  independent organization certified under Section 39.151 shall
  collect and compile information related to the security of the
  electric grid. The information is confidential and is not subject
  to disclosure under Chapter 552, Government Code.
         Sec. 39.602.  ELECTRIC GRID SECURITY PROGRAM. (a)  In this
  section:
               (1)  "Committee" means the Electric Grid Security
  Advisory Committee.
               (2)  "Energy critical infrastructure" has the meaning
  assigned by Section 418.202, Government Code.
         (b)  The commission shall establish a program to meet
  implementation deadlines and pay costs incurred to increase the
  security of the electric grid in ERCOT.  The program must be
  designed to pay for:
               (1)  an audit related to security of the electric grid
  and associated computer systems and networks conducted by:
                     (A)  an independent security expert for a
  transmission and distribution utility;
                     (B)  an independent organization certified by the
  commission under Section 39.151;
                     (C)  an electric cooperative;
                     (D)  a river authority; or
                     (E)  a municipally owned utility operating in
  ERCOT;
               (2)  reimbursement of an investment made or expense
  incurred to implement a measure recommended by the committee or
  implement a recommendation made in an audit conducted under
  Subdivision (1) by:
                     (A)  a transmission and distribution utility;
                     (B)  an independent organization certified by the
  commission under Section 39.151;
                     (C)  an electric cooperative;
                     (D)  a river authority; or
                     (E)  a municipally owned utility operating in
  ERCOT;
               (3)  an expense incurred by the committee related to
  the retention of a consultant or other necessary expert to assist
  the committee in performing a duty of the committee;
               (4)  reimbursement to a member of the committee for
  travel expenses; and
               (5)  reimbursement of a cost incurred by the commission
  in administering this section.
         (c)  Entities other than the commission seeking
  reimbursement from the program shall provide adequate
  documentation to the committee to demonstrate that the investment,
  expense, or cost is eligible for reimbursement under this section.  
  The commission shall authorize reimbursement of an eligible
  investment, expense, or cost on receipt of a certification from the
  committee that the item is eligible under this section not later
  than five business days after the date of the receipt of a valid
  certification.
         (d)  The commission shall report each quarter the total
  amount paid by the program for each of the categories listed in
  Subsection (b) to the governor, lieutenant governor, and speaker of
  the house of representatives.
         (e)  This section does not prevent recovery authorized by
  this title for a cost incurred through a reasonable and necessary
  expenditure related to an ongoing effort to secure electric
  facilities from physical and cybersecurity threats by:
               (1)  a transmission and distribution utility;
               (2)  an independent organization certified by the
  commission under Section 39.151;
               (3)  an electric cooperative;
               (4)  a river authority; or
               (5)  a municipally owned utility operating in ERCOT.
         (f)  The program may not pay for an audit described by
  Subsection (b)(1) that is conducted by an independent security
  expert unless the expert meets professional standards adopted by
  commission rule that are at least as stringent as those required for
  certification as a:
               (1)  certified information systems security
  professional (CISSP) by the International Information System
  Security Certification Consortium; or
               (2)  global industrial cyber security professional
  (GICSP) by the Global Information Assurance Certification.
         Sec. 39.603.  GRID SECURITY ADVISORY COMMITTEE.  (a)  The
  Electric Grid Security Advisory Committee is composed of the
  following members:
               (1)  two members appointed by the governor;
               (2)  two members appointed by the lieutenant governor;
  and
               (3)  two members appointed by the speaker of the house
  of representatives.
         (b)  The governor shall designate a member of the committee
  to serve as presiding officer.
         (c)  The committee shall convene at the call of the presiding
  officer.
         (d)  The committee shall study the Texas electric grid and
  the computer systems and networks related to the grid. The study
  must:
               (1)  evaluate and summarize the current state of the
  electric grid and associated computer systems and networks;
               (2)  research and consider potential security threats
  to the electric grid and to associated computer systems and
  networks;
               (3)  assess whether further efforts are needed to
  secure the electric grid and associated computer systems and
  networks against damage, including the threat of electromagnetic
  pulse or other attacks and natural threats, including solar flares;
               (4)  recommend measures to secure the electric grid and
  associated computer systems and networks against damage;
               (5)  recommend a program to develop technical expertise
  in the protection of the electric transmission and distribution
  system against electromagnetic, geomagnetic, and cyber-attack
  threats;
               (6)  determine energy critical infrastructure and
  vital utility facilities that are at risk from electromagnetic,
  geomagnetic, and cyber-attack threats;
               (7)  evaluate technologies available to improve the
  resiliency of energy critical infrastructure and vital utility
  facilities against electromagnetic, geomagnetic, or cyber-attack
  threats;
               (8)  evaluate the capabilities of energy critical
  infrastructure and vital utility facilities to recover from
  electromagnetic, geomagnetic, or cyber-attack threats; and
               (9)  develop a comprehensive plan to protect the energy
  critical infrastructure and vital utility facilities of this state
  against electromagnetic, geomagnetic, terrorist, and cyber-attack
  threats.
         (e)  The committee may share its findings with any state
  agency it considers important to the security of the electric grid
  or associated computer systems or networks. To the extent allowed
  by law, a state agency with which the committee shares information
  is encouraged to implement any recommendations that the agency
  determines will improve the security of the state's electric grid
  or associated computer systems or networks.
         (f)  ERCOT shall cooperate with the committee to provide any
  information and resources the committee considers important to the
  study.
         (g)  A member of the committee is not entitled to
  compensation but is entitled to reimbursement for the member's
  travel expenses as provided by Chapter 660, Government Code, and
  the General Appropriations Act.
         (h)  A vacancy on the committee shall be filled for the
  unexpired term in the same manner as the original appointment.
         (i)  The committee is not subject to Chapter 2110, Government
  Code.
         (j)  Not later than December 1, 2018, the committee shall
  prepare a report of its findings, including any recommendations for
  legislation resulting from the findings, and shall submit the
  report to the governor, the lieutenant governor, and the speaker of
  the house of representatives.
         (k)  The committee's work relates to sensitive matters of
  security. Notwithstanding any other law, the meetings, work, and
  findings of the committee are not subject to the requirements of
  Chapter 551 or 552, Government Code.
         Sec. 39.604.  GRID PROTECTION. (a) This section applies to:
               (1)  a transmission and distribution utility;
               (2)  an electric cooperative operating in ERCOT;
               (3)  a river authority operating in ERCOT; and
               (4)  a municipally owned utility operating in ERCOT.
         (b)  Not later than December 31, 2018, each entity to which
  this section applies shall assess and report to the technological
  hazards unit of the Texas Division of Emergency Management the
  vulnerabilities the equipment, facilities, and systems the utility
  uses to provide power have from the following:
               (1)  a high altitude electromagnetic pulse device;
               (2)  geomagnetic storms; and
               (3)  intentional electromagnetic interference.
         (c)  Not later than December 31, 2021, each entity to which
  this section applies shall complete enhancements to transformers,
  control centers, substations, and other equipment sufficient to
  comply with the following standards, as applicable to the equipment
  or facility:
               (1)  MIL-STD 188-125-1, "High-Altitude Electromagnetic
  Pulse (HEMP) Protection for Ground-Based C4I Facilities Performing
  Critical, Time-Urgent Missions, Part 1: Fixed Facilities," April 7,
  2005;
               (2)  Cigré TB 600, "Protection of High-Voltage Power
  Network Control Electronics Against Intentional Electromagnetic
  Interference (IEMI)," November 2014;
               (3)  IEEE Std 1642-2015, "IEEE Recommended Practice for
  Protecting Publicly Accessible Computer Systems from Intentional
  Electromagnetic Interference (IEMI)";
               (4)  IEC/TR 61000-1-3 Ed. 1.0 (2002-06):
  Electromagnetic compatibility (EMC) - Part 1-3: General - The
  effects of high-altitude EMP (HEMP) on civil equipment and systems;
               (5)  IEC/TR 61000-1-5 Ed. 1.0 (2004-11):
  Electromagnetic compatibility (EMC) - Part 1-5: General - High
  power electromagnetic (HPEM) effects on civil systems;
               (6)  IEC 61000-2-9 Ed. 1.0 (1996-02): Electromagnetic
  compatibility (EMC) - Part 2: Environment - Section 9: Description
  of HEMP environment - Radiated disturbance;
               (7)  IEC 61000-2-10 Ed. 1.0 (1998-11): Electromagnetic
  compatibility (EMC) - Part 2-10: Environment - Description of HEMP
  environment - Conducted disturbance;
               (8)  IEC 61000-2-11 Ed. 1.0 (1999-10): Electromagnetic
  compatibility (EMC) - Part 2-11: Environment - Classification of
  HEMP environments;
               (9)  IEC 61000-2-13 Ed. 1.0 (2005-03): Electromagnetic
  compatibility (EMC) - Part 2-13: Environment - High-power
  electromagnetic (HPEM) environments - Radiated and conducted;
               (10)  IEC 61000-4-23 Ed. 1.0 (2000-10):
  Electromagnetic compatibility (EMC) - Part 4-23: Testing and
  measurement techniques - Test methods for protective devices for
  HEMP and other radiated disturbances;
               (11)  IEC 61000-4-24 Ed. 1.0 (2011-15):
  Electromagnetic compatibility (EMC) - Part 4: Testing and
  measurement techniques - Section 24: Test methods for protective
  devices for HEMP conducted disturbance;
               (12)  IEC 61000-4-25 Ed. 1.1 (2012-05):
  Electromagnetic compatibility (EMC) - Part 4-25: Testing and
  measurement techniques - HEMP immunity test methods for equipment
  and systems;
               (13)  IEC 61000-4-36 Ed. 1.0 (2014-11):
  Electromagnetic compatibility (EMC) - Part 4-36: Testing and
  measurement techniques - IEMI immunity test methods for equipment
  and systems;
               (14)  IEC/TR 61000-5-3 Ed. 1.0 (1999-07):
  Electromagnetic compatibility (EMC) - Part 5-3: Installation and
  mitigation guidelines - HEMP protection concepts;
               (15)  IEC/TR 61000-5-6 Ed. 1.0 (2002-06):
  Electromagnetic compatibility (EMC) - Part 5-6: Installation and
  mitigation guidelines - Mitigation of external EM influences;
               (16)  IEC/TS 61000-5-8 Ed. 1.0 (2009-08):
  Electromagnetic compatibility (EMC) - Part 5-8: Installation and
  mitigation guidelines - HEMP protection methods for the distributed
  infrastructure;
               (17)  IEC/TS 61000-5-9 Ed. 1.0 (2009-07):
  Electromagnetic compatibility (EMC) - Part 5-9: Installation and
  mitigation guidelines - System-level susceptibility assessments
  for HEMP and HPEM; and
               (18)  IEC 61000-6-6 Ed. 1.0 (2003-04): Electromagnetic
  compatibility (EMC) - Part 6-6: Generic standards - HEMP immunity
  for indoor equipment.
         (d)  An entity to which this section applies that is required
  to complete enhancements under this section may recover costs
  incurred in completing the enhancements from the reimbursement
  program established under Section 39.602.
         SECTION 3.  The governor, the lieutenant governor, and the
  speaker of the house of representatives shall appoint members to
  the Electric Grid Security Advisory Committee, as required by this
  Act, as soon as practicable after the effective date of this Act,
  but not later than the 120th day after the effective date of this
  Act.
         SECTION 4.  This Act takes effect immediately if it receives
  a vote of two-thirds of all the members elected to each house, as
  provided by Section 39, Article III, Texas Constitution.  If this
  Act does not receive the vote necessary for immediate effect, this
  Act takes effect September 1, 2017.