Michigan Proposes Mandatory Cybersecurity Plans for Solar Power Projects

Key Takeaways

  • Michigan House Bill 6011 would require operators of qualifying solar farms to establish and maintain a risk‑based cybersecurity and resilience program.
  • The program must align with NIST or CISA standards and include risk identification, access controls, network segmentation, supply‑chain risk management, and periodic testing.
  • Operators must keep an incident‑response plan that coordinates with emergency responders, but the bill does not create new duties or liabilities for those responders.
  • For a “material cybersecurity incident,” notification to the Michigan State Police and local emergency‑management coordinator is required within 24 hours (when practicable), followed by a written high‑level summary within 72 hours that omits sensitive details.
  • The Attorney General may request documentation only in connection with a specific incident or complaint; routine or programmatic audits are expressly prohibited.
  • Violations can incur civil fines of up to $25,000 per day per violation, after the Attorney General provides notice and up to 30 days to cure the deficiency.
  • The bill was introduced by Rep. Reggie Miller (D‑District 31) and has four Democratic co‑sponsors; it has been referred to the House Committee on Communications and Technology.

Introduction to the Proposed Legislation

Michigan House Bill 6011, introduced last Thursday by Representative Reggie Miller (D‑District 31) and co‑sponsored by four other Democrats, seeks to bolster the cybersecurity posture of solar energy facilities operating within the state. The bill has been referred to the Committee on Communications and Technology for further review. Its core purpose is to mandate that operators of qualifying solar farms adopt reasonable security measures designed to protect safety‑critical systems from cyber threats that could impair safe operations. By establishing clear expectations, the legislation aims to reduce the likelihood of successful cyberattacks that could disrupt power generation, jeopardize grid reliability, or pose risks to public safety.


Scope and Definition of Qualifying Facilities

The bill defines “qualifying solar facilities” as those solar energy installations whose operation involves safety‑critical systems—such as supervisory control and data acquisition (SCADA) networks, inverters with grid‑support functions, or any component whose compromise could lead to unsafe conditions. This targeted scope ensures that the cybersecurity requirements apply to installations where a cyber incident could have tangible physical consequences, rather than to smaller, purely commercial arrays that lack such critical infrastructure. By focusing on safety‑critical systems, the legislature attempts to balance regulatory burden with the need to protect essential energy assets.


Core Cybersecurity Program Requirements

Operators would be required to create and implement a risk‑based cybersecurity and resilience program aligned with recognized standards, specifically referencing guidance from the National Institute of Standards and Technology (NIST) or the Cybersecurity and Infrastructure Security Agency (CISA). The program must encompass several key elements: systematic cyber risk identification, robust access‑control mechanisms, network or system segmentation to limit lateral movement, supply‑chain risk management practices, and periodic review and testing of security controls. These components collectively aim to create a defense‑in‑depth posture that can detect, prevent, and respond to cyber threats effectively.


Incident‑Response Planning and Coordination

In addition to preventive measures, the bill mandates that each operator maintain an incident‑response plan that coordinates with local emergency responders. The plan must outline procedures for detecting, reporting, and mitigating cybersecurity incidents, ensuring that relevant authorities are informed promptly. Importantly, the legislation explicitly states that these notification requirements do not impose new duties or liabilities on emergency responders, preserving their existing statutory obligations while enhancing situational awareness during a cyber event.


Notification Timelines for Material Incidents

For a “material cybersecurity incident”—defined as an event that could significantly affect the safe operation of the facility—operators must notify the Michigan State Police and the local emergency‑management coordinator within 24 hours of discovery, when practicable. Within 72 hours, they must submit a written high‑level summary of the incident that avoids disclosing sensitive security details. This staggered approach allows operators to contain the threat initially while still providing timely information to state and local officials for situational awareness and potential mutual‑aid assistance.


Attorney General’s Oversight and Enforcement

The Attorney General’s role under the bill is limited to requesting documentation only when tied to a specific incident or complaint; routine or programmatic audits are expressly prohibited. This restriction aims to prevent overly burdensome oversight while still enabling the AG to investigate alleged violations. If a violation is found to be knowing or reckless, the Attorney General may pursue civil penalties after providing the operator with notice and up to 30 days to cure the deficiency. The fine structure allows for civil penalties of up to $25,000 per day per violation, creating a strong financial incentive for compliance.


Legislative Sponsorship and Committee Referral

Representative Reggie Miller, a Democrat from District 31, introduced HB 6011 alongside four fellow Democratic co‑sponsors. The bill’s referral to the House Committee on Communications and Technology indicates that legislators intend to examine its technical feasibility, potential impact on the solar industry, and any necessary amendments before it proceeds to a full House vote. The committee’s deliberations will likely involve input from industry stakeholders, cybersecurity experts, and utility regulators to refine the bill’s language and implementation timelines.


Potential Impacts on the Solar Industry

If enacted, HB 6011 would impose new operational costs on solar farm operators, particularly those that have not yet adopted mature cybersecurity programs. Expenses could include hiring or training personnel, acquiring security‑technology solutions, conducting risk assessments, and performing regular testing and audits. However, proponents argue that these investments are justified by the reduced risk of costly downtime, equipment damage, or liability stemming from a successful cyberattack. Moreover, aligning with NIST or CISA frameworks may improve operators’ eligibility for federal grants or incentives aimed at bolstering critical‑infrastructure resilience.


Considerations for Emergency Responders

While the bill enhances communication between solar operators and public‑safety agencies, it deliberately avoids creating new legal obligations for emergency responders. By clarifying that notification requirements do not translate into additional duties or liabilities, the legislation seeks to encourage cooperation without overburdening first‑responder agencies. This approach acknowledges that emergency responders already operate under established protocols for incident management and that the primary responsibility for cybersecurity preparedness remains with the facility operators.


Conclusion and Outlook

Michigan House Bill 6011 represents a targeted effort to strengthen the cybersecurity resilience of the state’s growing solar energy sector. By establishing clear, standards‑based requirements for risk management, incident response, and state‑level reporting—while limiting oversight to incident‑specific inquiries—the bill attempts to strike a balance between regulatory rigor and industry flexibility. As the proposal moves through the Committee on Communications and Technology, stakeholders will have the opportunity to shape its final form, potentially influencing how Michigan integrates renewable energy expansion with robust cybersecurity protections. If passed, the bill could serve as a model for other states seeking to safeguard critical clean‑infrastructure assets against evolving cyber threats.
