BILL ANALYSIS

 

 

 

C.S.S.B. 2013

By: Schwertner

State Affairs

Committee Report (Substituted)

 

 

 

BACKGROUND AND PURPOSE

 

In today's climate of cyber and physical attacks on electric grids, it is more important than ever to ensure the state takes the necessary steps to protect the electric grid from hostile foreign actors. Currently, critical grid equipment is not prohibited from having an external connection. Inverters, converters, and similar sensitive equipment are manufactured in other nations around the world, including in nations hostile to the United States' interests and by companies with known connections to hostile intelligence services. Protective relays at substations are also vulnerable to remote manipulation which could cause a cascading grid failure. Additionally, there is no requirement for employment background checks for sensitive positions at ERCOT.

 

C.S.S.B. 2013 seeks to harden the security of the state's power grid and put in place necessary protections to prevent exposure from attacks on the electric grid.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that rulemaking authority is expressly granted to the Public Utility Commission of Texas in SECTION 5 of this bill.

 

ANALYSIS

 

C.S.S.B. 2013 amends the Utilities Code to prohibit ERCOT from registering a business entity or maintaining the registration of a business entity to operate in the ERCOT power region unless the business entity attests that it complies with Business & Commerce Code provisions prohibiting a business entity from entering into an agreement with certain foreign-owned companies in connection with critical infrastructure. The bill requires ERCOT to require as a condition of operating in the ERCOT power region that a business entity report to ERCOT the purchase of any critical electric grid equipment or service from a company that is headquartered in China, Iran, North Korea, Russia, or a country designated by the governor as a threat to critical infrastructure or that is owned by or the majority of stock or other ownership interest of the company is held or controlled by:

·         individuals who are citizens of China, Iran, North Korea, Russia, or a designated country; or

·         a company or other entity, including a governmental entity, that is owned or controlled by citizens of or is directly controlled by the government of China, Iran, North Korea, Russia, or a designated country.

The bill requires a business entity operating in the ERCOT power region on the bill's effective date to report to ERCOT any applicable purchase made within the five years preceding the bill's effective date. For any past purchase reported to ERCOT, the business entity must take reasonable and necessary actions to mitigate access to or control of its critical electric grid equipment by an applicable foreign-owned company, excluding access specifically allowed by the business entity for product warranty and support purposes, and must report those actions to ERCOT.

 

C.S.S.B. 2013 requires a business entity, for each purchase reported to ERCOT, to submit an attestation to ERCOT that the purchase will not result in access to or control of its critical electric grid equipment by a company meeting that criteria relating to prohibited foreign-ownership, excluding access specifically allowed by the business entity for product warranty and support purposes. The bill authorizes the attorney general to conduct periodic audits of the required attestations. The attorney general may prioritize the audits as necessary to protect critical infrastructure.

 

C.S.S.B. 2013 authorizes ERCOT to immediately suspend or terminate a company's registration or access to any of ERCOT's systems if ERCOT has a reasonable suspicion that the company meets any of the criteria relating to prohibited foreign-ownership. The bill classifies a contractual provision that limits or contradicts that authorization as contrary to public policy and renders the provision unenforceable and void.

 

C.S.S.B. 2013 authorizes ERCOT to adopt guidelines or procedures relating to the requirements for transactions with certain foreign-owned companies in connection with critical infrastructure, including the qualification of electric grid equipment or services as critical. The bill requires the PUC to adopt any rules necessary to administer those provisions or authorize ERCOT to carry out a duty imposed under those provisions.

 

C.S.S.B. 2013 requires ERCOT, in order to maintain its certification from the Public Utility Commission of Texas (PUC), to identify all employee positions in ERCOT that are critical to the security of the electric grid and, before hiring a person for such a position, obtain from the Department of Public Safety (DPS) or a private vendor criminal history record information relating to the prospective employee and any other background information considered necessary by ERCOT or required by the PUC.

 

C.S.S.B. 2013 amends the Government Code to entitle ERCOT, for security reasons, to obtain from DPS criminal history record information maintained by DPS that relates to a person who has or is seeking employment at or access to ERCOT's systems that affect the security of the electric grid or any other background information maintained by DPS that relates to the person that is considered necessary by ERCOT or required by the PUC. The bill prohibits the information obtained from DPS from being released or disclosed except as needed in protecting the security of the electric grid, as authorized by a court order or a federal or state law or order, or with the consent of the person who is the subject of the criminal history record information.

 

C.S.S.B. 2013 revises statutory provisions prohibiting governmental entities from contracting with certain foreign-owned companies in connection with critical infrastructure to do the following:

·         classify ERCOT as a "governmental entity"; and

·         establish that the term "affiliate," with respect to a company entering into an agreement in which the critical infrastructure is electric grid equipment, has the meaning assigned by ERCOT protocols.

These changes apply only to a contract entered into on or after the bill's effective date.

 

C.S.S.B. 2013 amends the Business & Commerce Code provisions prohibiting a business entity from entering into an agreement with certain foreign-owned companies in connection with critical infrastructure to establish that the term "affiliate," with respect to a company entering into an agreement in which the critical infrastructure is electric grid equipment, has the meaning assigned by ERCOT protocols. This change applies only to an agreement entered into on or after the bill's effective date.

 

EFFECTIVE DATE

 

On passage, or, if the bill does not receive the necessary vote, September 1, 2023.

 

COMPARISON OF SENATE ENGROSSED AND SUBSTITUTE

 

While C.S.S.B. 2013 may differ from the engrossed in minor or nonsubstantive ways, the following summarizes the substantial differences between the engrossed and committee substitute versions of the bill.

 

The engrossed and substitute both entitle ERCOT to obtain criminal history record information maintained by DPS that relates to a person who has or is seeking employment at or access to ERCOT's systems that affect the security of the electric grid, but the substitute also entitles ERCOT to obtain from DPS any other background information maintained by DPS that relates to the person that is considered necessary by ERCOT or required by the PUC.

 

While both the engrossed and the substitute require a business entity, for each purchase reported by ERCOT under the bill, to submit an attestation to ERCOT that the purchase will not result in access to or control of its critical electric grid equipment by an applicable foreign-owned company, the substitute includes language not in the engrossed allowing for access specifically for product warranty and support purposes. The substitute makes the same change to the provision it shares with the engrossed requiring a business entity reporting past purchases to ERCOT to take reasonable and necessary actions to mitigate access to or control of its critical electric grid equipment by an applicable foreign-owned company. The substitute includes a provision absent from the engrossed authorizing the attorney general to conduct periodic audits of the required attestations and to prioritize the audits as necessary to protect critical infrastructure.