NY A03904

Defines "critical energy infrastructure" as systems vital to the state whose disruption could jeopardize health, safety, energy reliability, or security, including industrial control systems and customer data.

Requires the Public Service Commission to conduct annual cyber-security audits of gas and electric corporations relating to their policies, protocols, and protections for critical energy infrastructure and customer privacy.

Directs utilities to develop and implement tools to monitor operational control networks and detect unauthorized behavior related to industrial control systems, with compliance reports due to the governor and legislature by December 31, 2023 and every five years thereafter.

Adds "cyber attack" as a consideration in utility emergency response plans and vulnerability assessments of critical infrastructure conducted by state agencies.

Requires advanced metering infrastructure installations to use communications networks shared by at least two meter providers operating in the United States, if cost-effective.