When the Sun Goes Dark: Why Michigan's Solar Farm Cybersecurity Bill Matters for Everyone
Solar panels generate electricity. They also generate data, run on software, and connect to networks. That makes them a target. Michigan just decided to do something about it.
The Grid Is No Longer Just Wires
There was a time when taking down a power grid required physical sabotage — cutting lines, blowing transformers, sending people into substations. That time is over.
Today, a significant portion of America's energy infrastructure is internet-connected, software-managed, and remotely accessible. Solar farms — increasingly the backbone of state-level clean energy transitions — are no exception. The inverters that convert solar energy into grid-compatible electricity, the SCADA systems that monitor and control operations, the remote management interfaces that allow operators to adjust output from hundreds of miles away: all of these are digital systems. All of them can, in principle, be compromised.
Michigan's House Bill 6011, introduced in the state legislature last week, represents one of the first serious state-level attempts in the United States to address this reality head-on. The bill would require operators of qualifying solar facilities to implement formal cybersecurity programs, maintain incident response plans, and report significant breaches to state authorities within defined timeframes.
It is, in many ways, an overdue conversation.
What the Bill Actually Does
Michigan HB 6011, introduced by Representative Reggie Miller (D-District 31) and co-sponsored by four fellow Democrats, is targeted and technically specific in ways that distinguish it from vague "cybersecurity requirements" that sometimes pass for legislation.
At its core, the bill requires solar facility operators to maintain what it calls "reasonable security measures" to protect "safety-critical systems" — the operational technology that, if compromised, could impair safe functioning of the facility or its connection to the grid.
The security program must be risk-based and aligned with recognised standards. The bill specifically names two frameworks: the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and guidance from the Cybersecurity and Infrastructure Security Agency (CISA). Both are well-established, widely used benchmarks in critical infrastructure security. Naming them explicitly is significant — it means operators cannot claim compliance while following an in-house standard that doesn't meet professional norms.
The specific security measures the program may include are worth examining in detail:
Cyber risk identification — mapping the attack surface: what systems exist, where they connect, what data they handle, and what the consequences of their failure would be. This is the baseline from which everything else follows.
Access controls — ensuring that only authorised personnel can access operational systems, through mechanisms like multi-factor authentication, role-based permissions, and privileged access management. This addresses the most common vector of industrial control system compromise: credential theft.
Network and system segmentation — separating operational technology (OT) networks from information technology (IT) networks and from the public internet. An inverter control system should not share a network with an employee's email. Segmentation limits the blast radius of a breach.
Supply-chain risk management — scrutinising the software, hardware, and services that vendors provide, since compromises often enter through third-party components rather than direct attack. This is particularly significant for solar, where a substantial proportion of inverter hardware comes from Chinese manufacturers operating under Chinese national security laws.
Periodic review and testing — because a cybersecurity program that was adequate two years ago may not be adequate today. Threat landscapes evolve. The bill's insistence on ongoing review rather than one-time compliance is a meaningful distinction.
On the incident response side, the bill requires operators to maintain plans that coordinate with emergency responders — acknowledging that a cyber incident at a solar facility is not just an IT problem but potentially a public safety event. The bill carefully notes that these coordination requirements do not create new duties or liabilities for the emergency responders themselves.
The Reporting Timeline: 24 Hours and 72 Hours
One of the most practically significant elements of the bill is its mandatory reporting timeline for material cybersecurity incidents.
Within 24 hours of discovering a significant incident, operators must, when practicable, notify the Michigan State Police and the local emergency management coordinator. The "when practicable" qualifier acknowledges real-world constraints — a breach discovered at 2am during a weekend may not trigger an immediate call — without creating an indefinite loophole.
Within 72 hours, operators must provide a written high-level summary of the incident. The bill explicitly requires that this summary avoid disclosing sensitive security details — a sensible provision that prevents the reporting requirement from itself creating a vulnerability by forcing operators to document and share the specific nature of a breach.
These timelines mirror those established in comparable frameworks: the EU's NIS2 Directive requires 24-hour early warning and 72-hour formal notification for critical infrastructure incidents. The SEC's cybersecurity disclosure rules for public companies require 4-day reporting of material incidents. Michigan's proposed timeline is consistent with the emerging international norm for critical infrastructure.
The Enforcement Architecture
The bill's enforcement provisions are worth examining because they reflect a specific legislative philosophy: create accountability without creating a compliance nightmare that stifles smaller operators.
Civil fines of up to $25,000 per day per violation are significant. For a large utility-scale solar operator, they are manageable. For a smaller independent power producer running a few megawatts of solar, sustained violations at that rate could be serious. The penalty structure is designed to compel compliance without being disproportionate.
Critically, the Attorney General must provide notice and allow up to 30 days to cure violations before seeking penalties. This grace period is a recognition that cybersecurity compliance is complex and that the goal is improved security, not revenue generation through fines.
The restriction on the Attorney General's access to documentation — limited to specific incidents or complaints, with routine programmatic audits explicitly forbidden — is a provision that larger operators will welcome. It prevents the bill from becoming a vehicle for ongoing regulatory fishing expeditions while preserving meaningful accountability when something actually goes wrong.
Why Solar Specifically? The Threat Landscape
To understand why Michigan's bill focuses on solar, it helps to understand what makes solar infrastructure a distinctive cybersecurity risk.
Solar farms are, at their operational core, collections of inverters — devices that convert direct current from panels into alternating current compatible with the grid. Modern inverters are sophisticated, networked devices. They communicate with grid management systems, respond to remote commands, and in many cases are managed through cloud platforms provided by the inverter manufacturer. That last point is crucial: when a solar operator uses a manufacturer's cloud management system, they are trusting that manufacturer's cybersecurity posture with access to their operational technology.
In 2024, CISA and the Department of Energy issued joint advisories about vulnerabilities in solar inverter management systems from multiple manufacturers. Researchers have demonstrated remote exploitation of inverter systems that could, in theory, allow an attacker to manipulate power output — either suddenly curtailing generation or causing equipment damage through abnormal operating modes. At sufficient scale, coordinated manipulation of solar generation could destabilise grid frequency, with cascading consequences across the interconnected network.
The supply chain dimension adds another layer of risk. A substantial proportion of solar inverters sold in the United States are manufactured by Chinese companies — Huawei, Sungrow, and GROWATT among the most prominent. These companies operate under Chinese national security laws that, in principle, require them to cooperate with Chinese intelligence services. The US has responded with restrictions on federal procurement, but utility-scale and distributed solar installations across the country continue to use Chinese-manufactured equipment. Michigan's bill, by mandating supply-chain risk management, at least requires operators to think about this risk — even if it cannot resolve the underlying policy question.
The Broader Context: A Gap in Critical Infrastructure Protection
Federal critical infrastructure cybersecurity law in the United States has developed unevenly. The electric utility sector — regulated through NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) standards — has had mandatory cybersecurity requirements since 2008. But NERC CIP has historically applied most rigorously to bulk power system assets: large generation units, transmission infrastructure, and high-voltage substations.
Distributed and utility-scale solar has often fallen into regulatory gaps. A solar farm that connects at the distribution level rather than the bulk transmission level may not meet the thresholds that trigger NERC CIP applicability. A microgrid serving a commercial or industrial customer may be entirely outside federal requirements. State-level legislation like Michigan's HB 6011 is, in part, an attempt to close these gaps while federal regulation catches up.
Several other states have moved in similar directions. Texas, California, and New York have all introduced or passed legislation touching on renewable energy cybersecurity, though the specifics vary considerably. The lack of a uniform national standard means that the cyber resilience of America's solar fleet is patchwork — potentially strong in some states, minimal in others, and the weakest links in that patchwork are where sophisticated adversaries will probe.
The Geopolitical Subtext
Any serious discussion of solar farm cybersecurity in 2025 has to acknowledge the geopolitical context in which it sits.
The US intelligence community has documented, in increasingly explicit terms, the activities of Chinese state-sponsored hacking groups — particularly the group tracked as Volt Typhoon — in penetrating US critical infrastructure and positioning for potential disruption in the event of a military conflict, most plausibly over Taiwan. CISA Director Jen Easterly stated publicly in 2024 that Volt Typhoon had accessed infrastructure in multiple sectors, including energy, and had been present in some systems for years before detection.
Energy infrastructure — including renewable generation — is an explicit target. The combination of Chinese-manufactured hardware with known vulnerabilities, remote management interfaces with uneven security, and regulatory gaps creates an attack surface that state-level adversaries are actively mapping.
Michigan's bill does not name China, and it would be inappropriate for a state-level piece of legislation to do so. But the CISA framework it endorses, and the supply-chain risk management requirements it imposes, are directly responsive to the threat landscape that CISA itself has publicly described.
What the Bill Gets Right — and Where Questions Remain
HB 6011 is a thoughtful piece of legislation in several respects. It references established frameworks rather than inventing new ones. It includes proportionate enforcement with cure periods. It protects sensitive security information from unnecessary disclosure. It acknowledges the limits of what state law can impose on emergency responders. For a bill at this stage of the legislative process, the technical specificity is commendable.
Some questions remain worth watching as it moves through committee:
What qualifies as a "qualifying facility"? The bill's scope — which solar facilities are covered, by size threshold or connection type — will determine how much of Michigan's solar fleet is actually subject to these requirements. If the threshold is set too high, large numbers of smaller facilities escape; too low, and compliance costs fall on operators for whom a formal cybersecurity program is a genuine burden.
How will "reasonable security measures" be interpreted? The reasonableness standard is common in law and flexible in practice. How Michigan regulators interpret it — and whether they provide safe harbour guidance for operators who implement NIST or CISA frameworks — will determine how effectively the bill drives actual security improvement versus paperwork compliance.
What happens to incident notifications? The bill requires notification to Michigan State Police and local emergency management. It is less clear what happens with that information — how it is analysed, aggregated, and fed back into the broader threat intelligence ecosystem. Notification that goes into a drawer is not the same as notification that improves the security of other operators.
Does it address legacy systems? Many operational solar facilities were built without cybersecurity in mind. Retrofitting security onto legacy inverter systems and SCADA infrastructure is technically complex and expensive. The bill does not appear to address how existing facilities transition to compliance.
Why This Bill Matters Beyond Michigan
Michigan is not the largest solar market in the United States. But legislation has a way of travelling, and a well-designed state law often becomes the template for neighbouring states and eventually federal action.
The principle at stake here is significant: clean energy infrastructure is critical infrastructure, and critical infrastructure requires mandatory, verifiable cybersecurity standards. The energy transition that is underway across the United States — and globally — is adding millions of networked devices to grids that were not designed with those devices in mind. Every solar panel connected to a managed inverter, every wind farm with a SCADA system, every battery storage installation with a remote management interface is a potential point of entry.
The choice is not between renewable energy and security. It is between renewable energy with security built in and renewable energy with security as an afterthought. The second option is an invitation — not eventually, but now, given documented adversary interest — to attacks that could do what no physical sabotage campaign could easily achieve: simultaneously impair generation across a geographically distributed fleet.
Michigan's bill asks solar operators to take that threat seriously. Given everything that is known about the threat landscape, that seems like the very least we should be asking.
The Bottom Line
Michigan House Bill 6011 is not perfect legislation. It is early-stage, one chamber, one state. It will be amended in committee, challenged by industry lobbyists, and possibly reshaped before it becomes law — if it becomes law at all.
But it represents something important: the recognition, in a state legislature, that clean energy infrastructure is not immune from the cyber threats that face every other category of critical infrastructure, and that voluntary security measures are not sufficient when the consequence of failure is a darkened grid.
The sun can power a state. The question Michigan is beginning to ask — the question every state with solar ambitions should be asking — is whether the systems that catch and deliver that power are secure enough to be trusted.
The answer, right now, is: not always. HB 6011 is one step toward changing that.
Michigan House Bill 6011 was introduced on May 22, 2025 by Representative Reggie Miller (D-District 31) and referred to the Committee on Communications and Technology. The bill is in early legislative stages and has not yet been voted on.