Draft
Critical Infrastructure Security Act
Section 1. Short Title
This Act may be cited as the “Critical Infrastructure Protection and Security Act.”
Section 2. Legislative Findings And Purpose
The Legislature finds that:
- critical infrastructure provides energy, water, communications, transportation, public health, food, and other services essential to public safety, economic activity, and the continuity of government;
- physical intrusion, theft, vandalism, sabotage, unauthorized unmanned aircraft activity, and malicious interference with computer and operational-technology systems can endanger human life, disrupt essential services, damage the environment, and impose substantial costs on the public and private sectors;
- modern critical infrastructure depends upon integrated physical, digital, and operational systems, and state law should therefore protect both tangible facilities and the electronic systems used to operate, monitor, secure, and control them;
- existing generally applicable trespass, theft, property-damage, and computer-crime laws may not fully account for the heightened public danger created when those offenses target critical infrastructure;
- lawful labor activity, peaceful advocacy, journalism, emergency response, authorized security research, and other constitutionally protected conduct should not be criminalized merely because they occur near critical infrastructure; and
- state protections should complement, and not conflict with, federal authority over aviation safety, interstate pipeline safety, nuclear safety and security, interstate transmission, telecommunications, and other matters committed to exclusive federal jurisdiction.
Section 3. Definitions
- (a) As used in this Act:
- “Authorized person” means a person acting with the express or implied consent of the owner or operator of critical infrastructure, under lawful governmental authority, or pursuant to a contract, license, easement, permit, court order, or other legal right.
- “Computer” means an electronic, magnetic, optical, electrochemical, or other high-speed data-processing device or system that performs logical, arithmetic, storage, communication, control, or related functions, including any data-storage or communications facility directly related to or operating in conjunction with the device or system.
- “Critical infrastructure” means any facility, system, site, structure, equipment, network, asset, or property, whether physical or virtual, so vital to this State or the United States that its incapacity, destruction, or material disruption would have a debilitating impact on public health or safety, economic security, national security, or the continuity of essential services. The term includes the property identified in subsection (b).
- “Critical infrastructure information” means information not customarily in the public domain concerning the security, vulnerability, configuration, location, operation, or control of critical infrastructure, including credentials, access codes, schematics, network architecture, security plans, and operational-technology data.
- “Essential service” means electricity, natural gas, petroleum, water, wastewater, communications, emergency services, health care, transportation, food distribution, government operations, or another service necessary to protect life, health, safety, or substantial economic activity.
- “Industrial control system” means a supervisory control and data acquisition system, distributed control system, programmable logic controller, remote terminal unit, safety instrumented system, or related hardware, software, firmware, or network used to monitor or control an industrial process.
- “Maliciously” means with the intent to cause harm, obtain an unlawful benefit, conceal another offense, intimidate or coerce a person or government, or materially interfere with the lawful operation or security of critical infrastructure.
- “Operational technology system” means hardware, software, firmware, communications links, or networks that detect or cause a change through the direct monitoring or control of physical devices, processes, or events.
- “Owner or operator” means a public or private person or governmental entity that owns, leases, manages, controls, maintains, or operates critical infrastructure.
- “Restricted area” means an area of critical infrastructure that is not open to the general public and is identified by fencing, barriers, signage, access-control devices, posted notice, or other measures reasonably calculated to communicate that entry is limited or prohibited.
- “Substantial interruption” means a disruption, degradation, or loss of an essential service that creates a substantial risk to public health or safety, affects a significant number of persons, or causes economic loss exceeding [$AMOUNT].
- “Unmanned aircraft system” means an unmanned aircraft and its associated elements, including communication links and components that control the unmanned aircraft, as defined by applicable federal law.
- “Without authority” means without permission, privilege, license, legal right, or other authorization, or in excess of a person’s authorized access in a manner the person knows is prohibited.
- (b) “Critical infrastructure” includes, without limitation:
- electric generation facilities, substations, switching stations, transmission and distribution facilities, control centers, energy-storage facilities, and associated equipment;
- oil and natural-gas wells, fields, drilling and completion sites, gathering systems, processing facilities, refineries, terminals, compressor stations, pipelines, storage facilities, liquefied-natural-gas facilities, petroleum-product facilities, and equipment, roads, yards, and mobile assets primarily used in such operations;
- nuclear power facilities and nuclear-fuel facilities, subject to Section 14 of this Act;
- water-intake structures, public drinking-water systems, wells, reservoirs, dams, storage structures, pump stations, treatment facilities, transmission lines, wastewater systems, sewer-treatment facilities, and related control systems;
- communications networks, cable landing stations, data centers, internet exchange points, emergency communications systems, broadcast facilities, and telecommunications switching or routing facilities;
- airports, ports, rail facilities, bridges, tunnels, mass-transit systems, freight terminals, and traffic-control systems;
- hospitals, emergency medical facilities, public-health laboratories, blood centers, and facilities used to manufacture, store, or distribute essential medicines or medical supplies;
- food-processing, cold-storage, agricultural, fertilizer, and distribution facilities whose disruption could materially affect the food supply;
- government facilities, emergency-operations centers, law-enforcement facilities, correctional facilities, military installations under state jurisdiction, and facilities essential to the continuity of government; and
- any additional class of facility designated by statute or by rule of the [DESIGNATED STATE AGENCY], provided that the designation is supported by written findings and does not extend beyond the purposes of this Act.
Section 4. Unauthorized Entry Of Critical Infrastructure
- (a) A person commits unauthorized entry of critical infrastructure if the person knowingly and without authority:
- enters or remains in a critical infrastructure facility or upon critical infrastructure premises that are completely enclosed or surrounded by a physical barrier;
- enters or remains in a restricted area of critical infrastructure;
- bypasses, defeats, damages, alters, or circumvents a lock, gate, fence, credential, access-control device, alarm, or other security measure for the purpose of entering or facilitating entry; or
- uses false identification, a false pretense, stolen credentials, impersonation, or material misrepresentation to obtain physical access.
- (b) Unauthorized entry under subsection (a) is a [CLASS ___ MISDEMEANOR].
- (c) Unauthorized entry is a [CLASS ___ FELONY] if the person:
- enters with intent to commit theft, damage, sabotage, surveillance of nonpublic security measures, or another felony;
- possesses a dangerous weapon, destructive device, incendiary device, or instrument adapted for damaging or disabling infrastructure;
- causes bodily injury, a substantial interruption of an essential service, or pecuniary loss exceeding [$AMOUNT]; or
- has previously been convicted of an offense under this Act.
Section 5. Prohibited Use Of An Unmanned Aircraft System
- (a) A person commits prohibited use of an unmanned aircraft system if the person knowingly and without authority operates an unmanned aircraft system for the purpose of:
- entering a physically enclosed or clearly marked restricted area of critical infrastructure;
- conducting surveillance of nonpublic security measures, access points, credentials, industrial processes, or operational systems;
- delivering, dropping, attaching, placing, or retrieving an object or substance within a restricted area;
- interfering with operations, communications, emergency response, security activity, or the movement of personnel or equipment;
- damaging, disabling, or manipulating equipment or systems; or
- facilitating the commission of another offense under this Act.
- (b) A violation of subsection (a) is a [CLASS ___ MISDEMEANOR].
- (c) A violation is a [CLASS ___ FELONY] if the conduct creates a substantial risk of death or serious bodily injury, causes a substantial interruption, causes pecuniary loss exceeding [$AMOUNT], or is committed in furtherance of another felony.
- (d) This section regulates harmful conduct and property-related intrusion. It shall not be construed to regulate aircraft design, pilot certification, flight altitude, flight paths, navigable airspace, or aviation safety, or to authorize any person to detect, track, intercept, disable, destroy, or seize an unmanned aircraft system except as permitted by federal law.
Section 6. Technological Interference With Critical Infrastructure
- (a) A person commits technological interference with critical infrastructure if the person intentionally and maliciously, and without authority, uses electronic, digital, electromagnetic, radio-frequency, or other technological means to access, acquire data from, control, disrupt, disable, degrade, manipulate, damage, encrypt, alter, or materially interfere with:
- a camera, alarm, credentialing, access-control, communications, or physical-security system;
- a computer, computer system, computer network, data-storage system, or cloud service;
- an industrial control system or operational-technology system;
- a sensor, actuator, safety system, programmable device, remote terminal, or electronically controlled equipment; or
- critical infrastructure information or credentials used to operate, monitor, secure, or control critical infrastructure.
- (b) A violation of subsection (a) is a [CLASS ___ FELONY].
- (c) The offense is a [HIGHER CLASS ___ FELONY] if the conduct:
- causes or attempts to cause death or serious bodily injury;
- causes a substantial interruption of an essential service;
- creates a substantial risk of an environmental release or public-health emergency;
- causes pecuniary loss exceeding [$AMOUNT];
- involves ransomware, extortion, destructive malware, credential theft, or concealment of persistent unauthorized access; or
- is committed on behalf of, at the direction of, or in material coordination with a foreign government, foreign terrorist organization, or other hostile foreign actor, as proved beyond a reasonable doubt.
Section 7. Theft Of Critical Infrastructure Property Or Information
- (a) A person commits theft of critical infrastructure if the person knowingly obtains, exerts unauthorized control over, possesses, receives, conceals, transports, or disposes of critical infrastructure property or critical infrastructure information with intent to deprive the owner or operator of its use or benefit, or knowing or having reason to believe the property was stolen.
- (b) For purposes of grading the offense, value includes the market value of the property, reasonable replacement and restoration costs, labor and emergency-response costs, lost service, environmental remediation, and other reasonably foreseeable consequential losses directly caused by the offense.
- (c) Theft under this section is punishable as follows:
- if the value is less than [$25,000], the offense is a [CLASS ___ FELONY], punishable by imprisonment not exceeding [15] years, a fine not exceeding [$10,000], or both;
- if the value is [$25,000] or more, the offense is a [HIGHER CLASS ___ FELONY], punishable by imprisonment not exceeding [20] years, a fine not exceeding [$50,000], or both; and
- regardless of value, if it is reasonably foreseeable that the theft will threaten human life or cause a substantial interruption of an essential service, the offense is a [HIGHER CLASS ___ FELONY], punishable by imprisonment not exceeding [20] years, a fine not exceeding [$50,000], or both.
- (d) Amounts and conduct arising from a common scheme or course of conduct may be aggregated for purposes of charging and grading the offense.
Section 8. Damage To Or Sabotage Of Critical Infrastructure
- (a) A person commits damage to critical infrastructure if the person knowingly and without authority damages, destroys, defaces, contaminates, alters, disables, removes, or materially impairs critical infrastructure property.
- (b) A person commits sabotage of critical infrastructure if, with intent to impair, obstruct, disrupt, or defeat the operation, security, or availability of critical infrastructure, the person:
- commits or attempts conduct described in subsection (a);
- introduces or attempts to introduce a contaminant, destructive device, malicious code, false command, counterfeit component, or materially defective item;
- conceals a material defect, vulnerability, unauthorized access mechanism, or compromise;
- interferes with repair, restoration, emergency response, or security operations; or
- provides material assistance to another person knowing that the assistance will be used to commit sabotage.
- (c) Damage to critical infrastructure is a [CLASS ___ FELONY]. Sabotage is a [HIGHER CLASS ___ FELONY].
- (d) In imposing sentence, the court shall consider the risk to human life, duration and geographic scope of service interruption, environmental harm, restoration cost, intent, and degree of planning.
Section 9. Aggravated Offenses And Terrorist Intent
- (a) An offense under Sections 4 through 8 is aggravated if the conduct:
- causes death or serious bodily injury;
- creates a substantial and foreseeable risk of death or serious bodily injury;
- causes a substantial interruption of an essential service;
- causes an environmental release or public-health emergency;
- is committed during a declared emergency or disaster; or
- is committed on behalf of, at the direction of, or in material coordination with a foreign government, foreign terrorist organization, or other hostile foreign actor.
- (b) An aggravated offense is punishable as a [HIGHER CLASS ___ FELONY], unless another provision of law provides a greater penalty.
- (c) An offense under Sections 4 through 8 involves terrorist intent when the prosecution proves beyond a reasonable doubt that the person committed the offense with the specific intent to:
- intimidate or coerce a civilian population;
- influence the policy of a unit of government by intimidation or coercion; or
- affect the conduct of a unit of government by mass destruction, assassination, kidnapping, intimidation, or coercion.
- (d) An offense involving terrorist intent is punishable as provided by the State’s terrorism statute or, if no applicable penalty exists, by imprisonment for not less than [5] years and not more than [20] years, in addition to any fine authorized by law.
- (e) Advocacy, protest, civil disobedience, labor activity, reporting, or other expressive conduct does not establish terrorist intent without proof of the specific intent and prohibited conduct required by this section.
Section 10. Attempt, Conspiracy, Facilitation, And Organizational Liability
- (a) Attempt and conspiracy to commit an offense under this Act are punishable under otherwise applicable state law.
- (b) A person is not criminally liable merely because the person provides lawful legal services, medical assistance, news coverage, lodging, transportation, communications services, financial services, or other ordinary goods or services without knowledge that the assistance will be used to commit an offense under this Act.
- (c) Organizational liability shall be governed by otherwise applicable state law and shall require proof that an agent acting within the scope of authority committed the offense for the benefit of the organization, or that a high managerial agent authorized, requested, commanded, ratified, or recklessly tolerated the conduct.
Section 11. Severability
If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications that can be given effect without the invalid provision or application, and to that end the provisions of this Act are severable.
Section 12. Effective Date
This Act takes effect on [DATE].