TX SB1034

Retail public utilities providing water or sewer service are prohibited from connecting their supervisory control and data acquisition (SCADA) systems or equivalent operational technology infrastructure to the Internet, though site-to-site virtual private networks are permitted

The Texas Commission on Environmental Quality must adopt cybersecurity rules requiring employee identity authentication before granting access to utility networks, with mandatory biennial review of these requirements in consultation with the Department of Information Resources and the UTSA Cyber Center for Security and Analytics

Retail public utilities must annually identify employees with computer system access and require them to complete certified cybersecurity training programs

Utilities may be required to conduct security assessments of their information systems, networks, and data storage, with results reported within 90 days to TCEQ, the Public Utility Commission, and the Department of Information Resources; assessment reports are confidential

Utilities must notify regulators within 48 hours of security incidents involving unauthorized data acquisition, ransomware attacks, or system disruptions; compliance with SCADA disconnection requirements is due by September 1, 2027