The bill amends the Clean and Renewable Energy and Energy Waste Reduction Act by adding a new section, 112a, which addresses the unique cyber-physical safety risks associated with large-scale solar energy facilities. It establishes reasonable, scalable, risk-based cybersecurity and resilience obligations specifically for operators of these facilities, without mandating specific technologies or compliance frameworks. The bill clarifies that it does not regulate cybersecurity in general, nor does it create a new regulatory program or expand the oversight authority of state agencies. Operators are required to maintain security measures, implement a risk-based cybersecurity program aligned with national standards, and maintain an incident response plan.

Additionally, the bill outlines the requirements for notifying authorities in the event of a material cybersecurity incident, including timelines for reporting to the Michigan state police and local emergency management. It also specifies that records related to security measures are exempt from public disclosure under the Freedom of Information Act. Violations of the section can result in civil fines, and the bill clarifies that ordinary mechanical failures or weather-related damages do not constitute cybersecurity incidents unless they involve unauthorized access to safety-critical systems. Overall, the bill aims to enhance the safety and security of large-scale solar energy operations while ensuring that local governments and workforce structures are not adversely affected.

Statutes affected:
House Introduced Bill: 460.1001, 460.1232