HB1728 (2026) Compare Changes


1 Statement of Findings. The general court hereby finds that:

I. New Hampshire recognizes a duty to exercise reasonable care under all circumstances to prevent foreseeable harms.

II. Certain operational technology systems, if configured or maintained without due care, create foreseeable and unreasonable risks, not only to operators, but to entire communities and our national defense.

III. Public health, safety, and welfare requires heightened attention where failures to certain operational technology systems could cause material disruptions or harms to large numbers of people.

2 New Chapter; Critical Infrastructure Technology Practices. Amend RSA by inserting after chapter 546-C the following new chapter:

CHAPTER 546-D

CRITICAL INFRASTRUCTURE TECHNOLOGY PRACTICES

546-D:1 Definitions.

I. As used in this chapter, "critical infrastructure operational technology" means the control systems, central operator-machine interfaces, and related components that directly support the provision of essential services, including drinking water supply, treatment and distribution systems, wastewater collection and treatment systems, electric power generation, transmission and distribution systems, natural gas transmission and distribution systems, communications systems, emergency response systems, and public transportation systems.

II. For purposes of this chapter, the use of Internet or cloud services solely for logging, telemetry or archival functions, including cybersecurity detection and analysis, shall not constitute "continued safe operation."

546-D:2 Standard of Care.

I. Operators of critical infrastructure operational technology systems serving more than 10,000 people or 3,300 households within this state shall exercise reasonable care under all the circumstances to secure such systems against foreseeable risks, including those arising from:

(a) Direct exposure of controls, interfaces, or human-machine interfaces to the public Internet or other public networks without the interposition of firewall technologies which enforce inbound and outbound access permissions, allowing only specific access for documented reasons and denying all other access by default;

(b) Indirect exposure through remote access solutions, including but not limited to dial-up, cellular modem, and Internet virtual private networks, that do not enforce phishing-resistant multi-factor authentication controls;

(c) Lack of methods to temporarily terminate and disable remote access sessions and capabilities, including interactive and system-to-system remote access;

(d) Failure to reasonably maintain and patch firewalls and remote access systems;

(e) Lack of a cybersecurity incident response and recovery plan; and

(f) Dependence upon uninterrupted access to Internet or cloud services for continued safe operation and function of the supported critical infrastructure service.

II. An operator who fails to exercise reasonable care under this section shall be liable for harms proximately caused by such failure. In determining liability, the magnitude of risk to public health and safety, the burden of taking precautions, and the degree to which the hazard was reasonably foreseeable shall be considered.

3 Effective Date. This act shall take effect January 1, 2027.
