The water treatment plant instances recently are more worrisome than this pipeline, but NERC CIP (or at least its goals) is going to apply to a lot more things pretty soon.
I'll be interested to see how well the regulations are deployed. I can see companies doing enough to pass audits and then essentially doing no more. That is until something like this happens. The sysadmin reddit has some interesting posts when ransomware incidents pop up. There's one about the purchase of a pipeline, and the security that was set up by the original owner was comical at best.
Banks, accountants, etc. have some regs on how they can electronically send and receive financial or personal info. Why can't we impose security regulations in a similar manner for certain industries that are super important for the basic function of society? This is what we should do.
This wouldn't be all biz, it would be water, power, gas, etc.
My assumption when the dust settles is that someone opened an email that pulled down an executable. That executable probably just inventoried all the installed applications on that computer and any machine that user had access to. Sent a diagnostic to the hackers. Once they knew what exploits were available they had a fair amount of access to start causing chaos. (This is just 1 theory out there, could be someone with a lot of access opened a link they shouldn't have and that's all it took).
And that's where the real concerns come from, employees not being diligent on what they open in emails on company machines. And then third party applications like Chrome. You have to keep these updated at a ridiculous pace. And when it's a mission critical app/device they get pushed for as long as humanly possible.
Dax's point about bringing up a 3rd party DC is valid, but if you have a tunnel replicating data to it, you better be damn quick about shutting it off so you don't destroy all the data in the DR. I highly doubt that this would be the case if the hackers were able to download/retrieve 100 GB of data and nothing sounded alarm bells when that amount of data was leaving the network.
I wouldn't expect the govt to put in stringent regulations on this, and if they do it'll probably have leniency for a decade.