BILL ANALYSIS
Senate Research Center |
S.B. 2013 |
88R9921 JXC-F |
By: Schwertner; King |
|
Business & Commerce |
|
3/16/2023 |
|
As Filed |
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
In today�s climate of cyber and physical attacks on electric grids, it is now more important than ever to ensure we are taking the necessary steps to protect our grid from hostile foreign powers. Currently, all critical grid equipment is not prohibited from having an external connection. This creates an environment in which there could be connections to hostile country-controlled businesses and unsecured communications. Inverters, converters, and similar sensitive equipment are often manufactured in hostile countries by companies with known connections to hostile intelligence services and are maintained remotely by hostile nation companies or their subsidiaries. Protective relays at substations are also vulnerable to remote manipulation which could cause a cascading grid failure. Additionally, there is no requirement for background checks for sensitive positions at ERCOT. S.B. 2013 hardens the security of the Texas power grid and puts in place necessary protections to prevent exposure from attacks on the electric grid.
As proposed, S.B. 2013 amends current law relating to access to and the security of certain critical infrastructure.
RULEMAKING AUTHORITY
Rulemaking authority is expressly granted to the Public Utility Commission of Texas in SECTION 6 (Section 39.360, Utilities Code) of this bill.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Section 113.001, Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, by adding Subdivision (5) to define "affiliate."
SECTION 2. Amends Section 113.002, Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, by adding Subsection (c), as follows:
(c) Authorizes a business entity to enter into an agreement described by Subsection (a)(1) (relating to prohibiting certain agreements with a company that would be granted direct or remote access to or control of critical infrastructure in this state) in which the critical infrastructure is electric grid equipment if the business entity takes reasonable and necessary actions to ensure that remote access or control by the company is mitigated, notwithstanding Subsection (a) (relating to prohibiting a business from entering into an agreement relating to critical infrastructure in this state under certain circumstances).
SECTION 3. Amends Subchapter F, Chapter 411, Government Code, by adding Section 411.1183, as follows:
Sec. 411.1183. ACCESS TO CRIMINAL HISTORY RECORD INFORMATION: INDEPENDENT ORGANIZATION CERTIFIED UNDER UTILITIES CODE. (a) Entitles an independent organization certified under Section 39.151 (Essential Organizations), Utilities Code, for security reasons to obtain from the Department of Public Safety of the State of Texas (DPS) criminal history record information maintained by DPS that relates to a person who has or is seeking employment at or access to the independent organization's systems that affect the security of the electric grid.
(b) Prohibits criminal history information obtained from DPS from being released or disclosed except:
(1) as needed in protecting the security of the electric grid;
(2) as authorized by a court order or a federal or state law or order; or
(3) with the consent of the person who is the subject of the criminal history record information.
SECTION 4. Amends Section 2274.0101, Government Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, by amending Subdivision (5) and adding Subdivision (6), to redefine "governmental entity" and define "affiliate."
SECTION 5. Amends Section 39.151, Utilities Code, by adding Subsection (g-7), as follows:
(g-7) Requires the organization, to maintain certification as an independent organization under this section, to:
(1) identify all employee positions in the organization that are critical to the security of the electric grid; and
(2) before hiring a person for a position described by Subdivision (1), obtain from DPS or a private vendor all criminal history record information relating to the prospective employee.
SECTION 6. Amends Subchapter H, Chapter 39, Utilities Code, by adding Section 39.360, as follows:
Sec. 39.360. TRANSACTIONS WITH CERTAIN FOREIGN-OWNED COMPANIES IN CONNECTION WITH CRITICAL INFRASTRUCTURE. (a) Defines "company" and "critical infrastructure."
(b) Prohibits an independent organization certified under Section 39.151 from registering a business entity to operate in the power region for which the independent organization is certified unless the business entity:
(1) attests that the entity complies with Chapter 113 (Prohibition on Agreements With Certain Foreign-Owned Companies in Connection With Critical Infrastructure), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, including by taking reasonable and necessary actions to mitigate remote access to or control of the entity's electric grid equipment by a company described by Section 113.002(a)(2) (relating to prohibiting a business entity from entering into an agreement relating to critical infrastructure in this state with a company if the business entity knows that the company is owned or controlled by citizens of or is directly controlled by the government of China, Iran, North Korea, Russia, or a designated country), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021;
(2)� takes reasonable and necessary actions to mitigate remote access to or control of the entity's electric grid equipment by a country designated under Section 113.003 (Designation of Country as Threat to Critical Infrastructure), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021; and
(3)� attests that the entity complies with Subdivision (2).
(c) Requires an independent organization certified under Section 39.151 to require as a condition of operating in the region that a business entity:
(1) report to the independent organization the purchase of any critical electric grid equipment from a company described by Section 113.002(a)(2), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021; and
(2) take reasonable and necessary actions to mitigate access to or control of the purchased critical electric grid equipment by a company described by Section 113.002(a)(2), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021.
(d) Authorizes an independent organization certified under Section 39.151, notwithstanding any other law, to immediately suspend or terminate a company's registration or access to any of the independent organization's systems if the independent organization has a reasonable suspicion that the company meets any of the criteria described by Section 2274.0102(a)(2) (relating to prohibiting a governmental entity from entering into certain contracts including if the governmental entity knows that the company is owned by or the majority of stock or other ownership interest of the company is held or controlled by certain individuals), Government Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021.
(e) Provides that a contractual provision that limits or contradicts Subsection (d) is contrary to public policy and is unenforceable and void.
(f) Authorizes an independent organization certified under Section 39.151 to adopt guidelines or procedures relating to the suspension or termination of a company's registration or access to any of the independent organization's systems.
(g) Requires the Public Utility Commission of Texas (PUC) to:
(1) adopt any rules necessary to administer this section or authorize an independent organization to carry out a duty imposed by this section; and
(2) by rule establish a process to allow a company that has been adversely affected by a suspension or termination under Subsection (d) to request that the PUC review and approve or deny the suspension or termination.
SECTION 7. Makes application of changes made to Chapter 113, Business and Commerce Code, and Chapter 2274, Government Code, prospective.
SECTION 8. Provides that it is intent of the 88th Legislature, Regular Session, 2023, that the amendments made by this Act be harmonized with another Act of the 88th Legislature, Regular Session, 2023, relating to nonsubstantive additions to and corrections in enacted codes.
SECTION 9. Effective date: upon passage or September 1, 2023.