| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| 1 | AN ACT concerning regulation. | |||||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois, | |||||||||||||||||||||
| 3 | represented in the General Assembly: | |||||||||||||||||||||
| 4 | Section 5. The Public Utilities Act is amended by changing | |||||||||||||||||||||
| 5 | Section 4-101 and by adding Section 4-102 as follows: | |||||||||||||||||||||
| 6 | (220 ILCS 5/4-101) (from Ch. 111 2/3, par. 4-101) | |||||||||||||||||||||
| 7 | Sec. 4-101. The Commerce Commission shall have general | |||||||||||||||||||||
| 8 | supervision of all public utilities, except as otherwise | |||||||||||||||||||||
| 9 | provided in this Act, shall inquire into the management of the | |||||||||||||||||||||
| 10 | business thereof and shall keep itself informed as to the | |||||||||||||||||||||
| 11 | manner and method in which the business is conducted. It shall | |||||||||||||||||||||
| 12 | examine those public utilities and keep informed as to their | |||||||||||||||||||||
| 13 | general condition, their franchises, capitalization, rates and | |||||||||||||||||||||
| 14 | other charges, and the manner in which their plants, equipment | |||||||||||||||||||||
| 15 | and other property owned, leased, controlled or operated are | |||||||||||||||||||||
| 16 | managed, conducted and operated, not only with respect to the | |||||||||||||||||||||
| 17 | adequacy, security and accommodation afforded by their service | |||||||||||||||||||||
| 18 | but also with respect to their compliance with this Act and any | |||||||||||||||||||||
| 19 | other law, with the orders of the Commission and with the | |||||||||||||||||||||
| 20 | charter and franchise requirements. | |||||||||||||||||||||
| 21 | Whenever the Commission is authorized or required by law | |||||||||||||||||||||
| 22 | to consider some aspect of criminal history record information | |||||||||||||||||||||
| 23 | for the purpose of carrying out its statutory powers and | |||||||||||||||||||||
| |||||||
| |||||||
| 1 | responsibilities, then, upon request and payment of fees in | ||||||
| 2 | conformance with the requirements of Section 2605-400 of the | ||||||
| 3 | Illinois State Police Law, the Illinois State Police is | ||||||
| 4 | authorized to furnish, pursuant to positive identification, | ||||||
| 5 | such information contained in State files as is necessary to | ||||||
| 6 | fulfill the request. | ||||||
| 7 | The Commission shall require all public utilities to | ||||||
| 8 | establish a security policy that includes on-site safeguards | ||||||
| 9 | to restrict physical or electronic access to critical | ||||||
| 10 | infrastructure and computerized control and data systems. The | ||||||
| 11 | Commission shall maintain a record of and each regulated | ||||||
| 12 | entity shall provide to the Commission an annual affidavit | ||||||
| 13 | signed by a representative of the regulated entity that | ||||||
| 14 | states: | ||||||
| 15 | (1) that the entity has a security policy in place; | ||||||
| 16 | (2) that the entity has conducted at least one | ||||||
| 17 | practice exercise based on the security policy within the | ||||||
| 18 | 12 months immediately preceding the date of the affidavit; | ||||||
| 19 | and | ||||||
| 20 | (3) with respect to any entity that is an electric | ||||||
| 21 | public utility, that the entity follows, at a minimum, the | ||||||
| 22 | most current security standards set forth by the North | ||||||
| 23 | American Electric Reliability Council. | ||||||
| 24 | A water public utility's security policy shall also meet | ||||||
| 25 | the requirements set forth in Section 4-102. | ||||||
| 26 | (Source: P.A. 102-538, eff. 8-20-21.) | ||||||
| |||||||
| |||||||
| 1 | (220 ILCS 5/4-102 new) | ||||||
| 2 | Sec. 4-102. Cybersecurity policy for water purveyors. | ||||||
| 3 | (a) As used in this Section: | ||||||
| 4 | "Cybersecurity incident" means an event occurring on or | ||||||
| 5 | conducted through a computer network that jeopardizes the | ||||||
| 6 | integrity, confidentiality, or availability of computers, | ||||||
| 7 | information systems, communications systems, networks, | ||||||
| 8 | physical or virtual infrastructure controlled by computers or | ||||||
| 9 | information systems, or information residing on such computers | ||||||
| 10 | or information systems. | ||||||
| 11 | "Cybersecurity insurance policy" means an insurance policy | ||||||
| 12 | designed to mitigate losses from cybersecurity incidents, | ||||||
| 13 | including, but not limited to, data breaches, business | ||||||
| 14 | interruption, and network damage. | ||||||
| 15 | "Department" means the Department of Natural Resources. | ||||||
| 16 | "Industrial control system" means an information system | ||||||
| 17 | used to control industrial processes such as manufacturing, | ||||||
| 18 | product handling, production, or distribution. | ||||||
| 19 | "Industrial control system" includes supervisory control | ||||||
| 20 | and data acquisition systems used to control geographically | ||||||
| 21 | dispersed assets, and distributed control systems and smaller | ||||||
| 22 | control systems using programmable logic controllers to | ||||||
| 23 | control localized processes. | ||||||
| 24 | "Information resource" means information and related | ||||||
| 25 | resources, such as personnel, equipment, funds, and | ||||||
| |||||||
| |||||||
| 1 | information technology. | ||||||
| 2 | "Information system" means a discrete set of information | ||||||
| 3 | resources organized for the collection, processing, | ||||||
| 4 | maintenance, use, sharing, dissemination, or disposition of | ||||||
| 5 | information. | ||||||
| 6 | "Public community water system" means a public water | ||||||
| 7 | system which serves at least 15 service connections used by | ||||||
| 8 | year-round residents or regularly serves at least 25 | ||||||
| 9 | year-round residents. | ||||||
| 10 | "Public water system" means a system for the provision to | ||||||
| 11 | the public of water for human consumption through pipes or | ||||||
| 12 | other constructed conveyances, if such system has at least 15 | ||||||
| 13 | service connections or regularly serves an average of at least | ||||||
| 14 | 25 individuals daily at least 60 days out of the year. "Public | ||||||
| 15 | water system" includes (i) any collection, treatment, storage | ||||||
| 16 | and distribution facilities under control of the operator of | ||||||
| 17 | such system and used primarily in connection with such system, | ||||||
| 18 | and (ii) any collection or pre-treatment storage facilities | ||||||
| 19 | not under such control which are used primarily in connection | ||||||
| 20 | with such system. | ||||||
| 21 | "Water purveyor" means any person that owns a public | ||||||
| 22 | community water system with more than 500 service connections. | ||||||
| 23 | (b) Within 120 days after the effective date of this | ||||||
| 24 | amendatory Act of the 104th General Assembly, each water | ||||||
| 25 | purveyor shall develop a cybersecurity program that defines | ||||||
| 26 | and implements organizational accountabilities and | ||||||
| |||||||
| |||||||
| 1 | responsibilities for cyber risk management activities, and | ||||||
| 2 | establishes policies, plans, processes, and procedures for | ||||||
| 3 | identifying and mitigating cyber risk to the water purveyor's | ||||||
| 4 | public community water system. As part of the cybersecurity | ||||||
| 5 | program, a water purveyor shall do the following: | ||||||
| 6 | (1) identify the individual directly responsible for | ||||||
| 7 | ensuring that the policies, plans, processes, and | ||||||
| 8 | procedures established pursuant to this Section are | ||||||
| 9 | executed in a timely manner; | ||||||
| 10 | (2) conduct risk assessments and implement appropriate | ||||||
| 11 | controls to mitigate identified risks to the public | ||||||
| 12 | community water system; | ||||||
| 13 | (3) maintain situational awareness of cyber threats | ||||||
| 14 | and vulnerabilities to the public community water system; | ||||||
| 15 | and | ||||||
| 16 | (4) create and exercise incident response and recovery | ||||||
| 17 | plans. | ||||||
| 18 | A water purveyor shall submit a copy of the cybersecurity | ||||||
| 19 | program developed pursuant to this subsection (b) to the | ||||||
| 20 | Commission in a form and manner as determined by the | ||||||
| 21 | Commission. | ||||||
| 22 | (c) Within 60 days after developing the cybersecurity | ||||||
| 23 | program required pursuant to subsection (b) of this Section, | ||||||
| 24 | each water purveyor shall create a cybersecurity incident | ||||||
| 25 | reporting process. | ||||||
| 26 | (d) No later than 180 days after the effective date of this | ||||||
| |||||||
| |||||||
| 1 | amendatory Act of the 104th General Assembly, each water | ||||||
| 2 | purveyor shall obtain a cybersecurity insurance policy that | ||||||
| 3 | meets any applicable standards adopted by the Commission. | ||||||
| 4 | (e) No later than 180 days after the effective date of this | ||||||
| 5 | amendatory Act of the 104th General Assembly, each water | ||||||
| 6 | purveyor shall update its cybersecurity program developed | ||||||
| 7 | pursuant to this Section to apply to all of the public | ||||||
| 8 | community water system's industrial control systems and to | ||||||
| 9 | reasonably conform to the most recent version of one or more of | ||||||
| 10 | the following industry-recognized cybersecurity frameworks: | ||||||
| 11 | (1) the Framework for Improving Critical | ||||||
| 12 | Infrastructure Cybersecurity developed by the National | ||||||
| 13 | Institute of Standards and Technology; | ||||||
| 14 | (2) the Center for Internet Security Critical Security | ||||||
| 15 | Controls for Effective Cyber Defense; or | ||||||
| 16 | (3) the International Organization for Standardization | ||||||
| 17 | and International Electrotechnical Commission 27000 family | ||||||
| 18 | of standards for an information security management | ||||||
| 19 | system. | ||||||
| 20 | Whenever a final revision to one or more of the frameworks | ||||||
| 21 | listed in this subsection (e) is published, a water purveyor | ||||||
| 22 | whose cybersecurity program conformed to that framework shall | ||||||
| 23 | revise its cybersecurity program to reasonably conform to the | ||||||
| 24 | revised framework, and submit a copy of the revised | ||||||
| 25 | cybersecurity program to the Commission, no later than 180 | ||||||
| 26 | days after publication of the revised framework. | ||||||
| |||||||
| |||||||
| 1 | (f) No later than one year after the effective date of this | ||||||
| 2 | amendatory Act of the 104th General Assembly, and each year | ||||||
| 3 | thereafter, each water purveyor shall submit to the Department | ||||||
| 4 | and the Commission a certification demonstrating that the | ||||||
| 5 | water purveyor is in compliance with the requirements of this | ||||||
| 6 | Section. The certification shall be made in a form and manner | ||||||
| 7 | as determined by the Department, in consultation with the | ||||||
| 8 | Commission. The certification shall be signed by a senior | ||||||
| 9 | executive responsible for security of the regulated entity. | ||||||
| 10 | (g) The Commission shall cause to be audited any public | ||||||
| 11 | community water system that fails to submit a cybersecurity | ||||||
| 12 | program, a revision, or a certification pursuant to this | ||||||
| 13 | Section. Any audit shall be conducted by a qualified and | ||||||
| 14 | independent cybersecurity company, at the water purveyor's | ||||||
| 15 | expense. Following the audit, the water purveyor shall submit | ||||||
| 16 | the audit and any corrective action plans derived from the | ||||||
| 17 | audit to the Commission. | ||||||
| 18 | (h) A water purveyor shall, upon the request of the | ||||||
| 19 | Department or the Commission, provide proof of compliance with | ||||||
| 20 | the requirements of this Section, in a form and manner as | ||||||
| 21 | determined by the Department or by the Commission. | ||||||
| 22 | (i) On and after 90 days after the effective date of this | ||||||
| 23 | amendatory Act of the 104th General Assembly, a water purveyor | ||||||
| 24 | shall inform the Commission, in a written or oral report, | ||||||
| 25 | within 48 hours or as soon as practicable after the discovery | ||||||
| 26 | or occurrence of any notable, unusual, or significant | ||||||
| |||||||
| |||||||
| 1 | cybersecurity incident or any cybersecurity incident that must | ||||||
| 2 | be reported to another regulatory agency, including the | ||||||
| 3 | following: | ||||||
| 4 | (1) any cybersecurity incident that results in the | ||||||
| 5 | compromise of the confidentiality, integrity, | ||||||
| 6 | availability, or privacy of the water purveyor's utility | ||||||
| 7 | billing, communications, data management, or business | ||||||
| 8 | information systems, or the information on such systems; | ||||||
| 9 | and | ||||||
| 10 | (2) any cybersecurity incident against the water | ||||||
| 11 | purveyor's industrial control systems, including | ||||||
| 12 | monitoring, operations, and centralized control systems, | ||||||
| 13 | that adversely impacts, disables, or manipulates | ||||||
| 14 | infrastructure, resulting in loss of service, | ||||||
| 15 | contamination of finished water, or damage to | ||||||
| 16 | infrastructure. | ||||||
| 17 | (j) No later than 30 days after receiving a report of a | ||||||
| 18 | cybersecurity incident from a water purveyor pursuant to | ||||||
| 19 | subsection (i), the Commission shall cause to be audited the | ||||||
| 20 | water purveyor's cybersecurity program and any actions the | ||||||
| 21 | water purveyor took in response to the cybersecurity incident. | ||||||
| 22 | The audit shall identify cyber threats and vulnerabilities to | ||||||
| 23 | the public community water system, weaknesses in the public | ||||||
| 24 | community water system's cybersecurity program, and strategies | ||||||
| 25 | to address those weaknesses so as to protect the public | ||||||
| 26 | community water system from the threat of future cybersecurity | ||||||
| |||||||
| |||||||
| 1 | incidents. Any audit shall be conducted by a qualified and | ||||||
| 2 | independent cybersecurity company at the water purveyor's | ||||||
| 3 | expense. After the completion of the audit, the water purveyor | ||||||
| 4 | shall submit the audit and any corrective action plans derived | ||||||
| 5 | from the audit to the Commission. | ||||||
| 6 | (k) By July 31 of each year, a water purveyor shall provide | ||||||
| 7 | to the Commission a report that identifies the following: | ||||||
| 8 | (1) an overview of the water purveyor's approach to | ||||||
| 9 | cybersecurity awareness and protection; | ||||||
| 10 | (2) a description of cybersecurity awareness training | ||||||
| 11 | efforts for the water purveyor's staff members, | ||||||
| 12 | specialized cybersecurity training for cybersecurity | ||||||
| 13 | personnel, and participation by the water purveyor's | ||||||
| 14 | cybersecurity staff in emergency preparedness exercises in | ||||||
| 15 | the previous calendar year; | ||||||
| 16 | (3) an organizational diagram of the water purveyor's | ||||||
| 17 | cybersecurity organization, including positions and | ||||||
| 18 | contact information for primary and secondary | ||||||
| 19 | cybersecurity emergency contacts; | ||||||
| 20 | (4) a description of the water purveyor's internal and | ||||||
| 21 | external communications plan regarding unauthorized | ||||||
| 22 | actions that result in interruption, degradation of | ||||||
| 23 | service, financial harm, or breach of sensitive business | ||||||
| 24 | or customer data, including the water purveyor's plan for | ||||||
| 25 | notifying the Commission and customers; | ||||||
| 26 | (5) a redacted summary of any unauthorized actions | ||||||
| |||||||
| |||||||
| 1 | that resulted in material interruption, financial harm, or | ||||||
| 2 | breach of sensitive business or customer data, including | ||||||
| 3 | the parties that were notified of the unauthorized action | ||||||
| 4 | and any remedial actions undertaken; | ||||||
| 5 | (6) key performance indicators and other metrics | ||||||
| 6 | related to physical security and cybersecurity; | ||||||
| 7 | (7) any notable cybersecurity information not included | ||||||
| 8 | in paragraphs (1) through (6); and | ||||||
| 9 | (8) any other information as directed by the | ||||||
| 10 | Commission. | ||||||
| 11 | (l) The Department or the Commission shall create a | ||||||
| 12 | centralized portal allowing for electronic submittal of the | ||||||
| 13 | report required under this Section. The lack of a centralized | ||||||
| 14 | portal pursuant to this subsection (l) shall not negate the | ||||||
| 15 | requirement for a water purveyor to submit a report. | ||||||
| 16 | (m) Any person who violates the provisions of this | ||||||
| 17 | Section, or any rule or regulation adopted pursuant thereto, | ||||||
| 18 | shall be subject to the penalties and other remedies set forth | ||||||
| 19 | in Sections 4-202 and Section 4-203. No later than 18 months | ||||||
| 20 | after the effective date of this amendatory Act of the 104th | ||||||
| 21 | General Assembly, the Department shall adopt a schedule of | ||||||
| 22 | civil administrative penalties for specific violations of this | ||||||
| 23 | Section. | ||||||
| 24 | (n) Reports and other submissions made under this Section | ||||||
| 25 | shall not be open to public inspection unless otherwise | ||||||
| 26 | ordered by the Commission. Regulated entities shall not report | ||||||
| |||||||
| |||||||
| 1 | information otherwise required under this Section if | ||||||
| 2 | prohibited by law or court order or instructed otherwise by | ||||||
| 3 | law enforcement personnel. | ||||||
| 4 | (o) The Department or the Commission may adopt rules to | ||||||
| 5 | implement this Section. | ||||||