BILL ANALYSIS
|
Senate Research Center |
S.B. 2013 |
|
|
By: Schwertner; King |
|
|
Business & Commerce |
|
|
6/14/2023 |
|
|
Enrolled |
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
In today's climate of cyber and physical attacks on electric grids, it is now more important than ever to ensure we are taking the necessary steps to protect our grid from hostile foreign powers. Currently, all critical grid equipment is not prohibited from having an external connection. This creates an environment in which there could be connections to hostile country-controlled businesses and unsecured communications. Inverters, converters, and similar sensitive equipment are often manufactured in hostile countries by companies with known connections to hostile intelligence services and are maintained remotely by hostile nation companies or their subsidiaries. Protective relays at substations are also vulnerable to remote manipulation which could cause a cascading grid failure. Additionally, there is no requirement for background checks for sensitive positions at ERCOT. S.B. 2013 hardens the security of the Texas power grid and puts in place necessary protections to prevent exposure from attacks on the electric grid.
(Original Author's/Sponsor's Statement of Intent)
S.B. 2013 amends current law relating to access to and the security of certain critical infrastructure.
RULEMAKING AUTHORITY
Rulemaking authority is expressly granted to the Public Utility Commission of Texas in SECTION 5 (Section 39.360, Utilities Code) of this bill.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Section 113.001, Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, by adding Subdivision (5) to define "affiliate."
�
SECTION 2. Amends Subchapter F, Chapter 411, Government Code, by adding Section 411.1183, as follows:
�
Sec. 411.1183. ACCESS TO CRIMINAL HISTORY RECORD INFORMATION: INDEPENDENT ORGANIZATION CERTIFIED UNDER UTILITIES CODE. (a) Entitles an independent organization certified under Section 39.151 (Essential Organizations), Utilities Code, for security reasons to obtain from the Department of Public Safety of the State of Texas (DPS) criminal history record information maintained by DPS that relates to a person who has or is seeking employment at or access to the independent organization's systems that affect the security of the electric grid or any other background information maintained by DPS that relates to the person that is considered necessary by the independent organization or required by the Public Utility Commission (PUC).
(b) Prohibits information obtained from DPS under this section from being released or disclosed except:
(1) as needed in protecting the security of the electric grid;
(2) as authorized by a court order or a federal or state law or order; or
(3) with the consent of the person who is the subject of the criminal history record information.
SECTION 3. Amends Section 2274.0101, Government Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, by amending Subdivision (5) and adding Subdivision (6) to redefine "governmental entity" and define "affiliate."
�
SECTION 4. Amends Section 39.151, Utilities Code, by adding Subsection (g-7), as follows:
�
(g-7) Requires an organization, to maintain certification as an independent organization under this section, to:
�
(1) identify all employee positions in the organization that are critical to the security of the electric grid; and
�
(2) before hiring a person for a position described by Subdivision (1), obtain from DPS or a private vendor criminal history record information relating to the prospective employee and any other background information considered necessary by the independent organization or required by the PUC.
�
SECTION 5. Amends Subchapter H, Chapter 39, Utilities Code, by adding Section 39.360, as follows:
�
Sec. 39.360. TRANSACTIONS WITH CERTAIN FOREIGN-OWNED COMPANIES IN CONNECTION WITH CRITICAL INFRASTRUCTURE. (a) Defines "company" and "critical infrastructure."
�
(b) Prohibits an independent organization certified under Section 39.151 from registering a business entity or maintaining the registration of a business entity to operate in the power region for which the independent organization is certified unless the business entity attests that the entity complies with Chapter 113 (Prohibition on Agreements With Certain Foreign-Owned Companies in Connection With Critical Infrastructure), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021.
(c) Requires an independent organization certified under Section 39.151 to require as a condition of operating in the power region for which the independent organization is certified that a business entity report to the independent organization the purchase of any critical electric grid equipment or service from a company described by Section 113.002(a)(2) (relating to prohibiting a business entity from entering into an agreement relating to critical infrastructure in this state with a company if the business entity knows that the company is owned or controlled by citizens of or is directly controlled by the government of China, Iran, North Korea, Russia, or a designated country), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021.
(d) Requires the business entity, for each purchase reported by a business entity under Subsection (c), to submit an attestation to the independent organization that the purchase will not result in access to or control of its critical electric grid equipment by a company described by Section 113.002(a)(2), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, excluding access specifically allowed by the business entity for product warranty and support purposes.
(e) Authorizes an independent organization certified under Section 39.151, notwithstanding any other law, to immediately suspend or terminate a company's registration or access to any of the independent organization's systems if the independent organization has a reasonable suspicion that the company meets any of the criteria described by Section 2274.0102(a)(2) (relating to prohibiting a governmental entity from entering into certain contracts including if the governmental entity knows that the company is owned by or the majority of stock or other ownership interest of the company is held or controlled by certain individuals), Government Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021.
�
(f) Provides that a contractual provision that limits or contradicts Subsection (e) is contrary to public policy and is unenforceable and void.
�
(g) Authorizes an independent organization certified under Section 39.151 to adopt guidelines or procedures relating to the requirements in this section, including the qualification of electric grid equipment or services as critical.
(h) Requires the PUC to adopt any rules necessary to administer this section or authorize an independent organization to carry out a duty imposed by this section.
(i) Authorizes the attorney general to conduct periodic audits of the attestations required by Subsection (d) and to prioritize the audits as necessary to protect critical infrastructure.
SECTION 6. Makes application of changes made by this Act to Chapter 113, Business and Commerce Code, and Chapter 2274, Government Code, prospective.
SECTION 7. (a) Requires a business entity operating in a power region on the effective date of this Act, for the purposes of Section 39.360(c), Utilities Code, as added by this Act, to report to the independent organization certified for that power region under Section 39.151, Utilities Code, any purchase made within the five years preceding the effective date of this Act.
(b) Requires the business entity, for any past purchase reported by a business entity as described by Subsection (a) of this section, to take reasonable and necessary actions to mitigate access to or control of its critical electric grid equipment by a company described by Section 113.002(a)(2), Business and Commerce Code, as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular Session, 2021, excluding access specifically allowed by the business entity for product warranty and support purposes, and to report those actions to the independent organization.
SECTION 8. Provides that it is intent of the 88th Legislature, Regular Session, 2023, that the amendments made by this Act be harmonized with another Act of the 88th Legislature, Regular Session, 2023, relating to nonsubstantive additions to and corrections in enacted codes.
SECTION 9. Effective date: upon passage or September 1, 2023.