What happens when the military believes an attack is coming from a private citizen? Can they spy on or take action against that person? Can that alleged attacker's computer be seized? On what evidence? What if the military determines that effective security means surveilling a wide area before an attack, or collecting all citizen data to have a source to search for clues in case of an attack? What if they determine, as some already argue, that the best defense is a good offense?
I'm of a mind that security should be a regulation, and the infrastructure operators have to meet it. NIST can develop standards and techniques, but the safety of infrastructure is part of the cost of doing business. Your plant can't be a menace to the community due to risk of explosion, pollution, etc. - it seems no different. The operators have gotten away with buying cheap, crappy IT for years. It's time to invest seriously in rigorous, quality engineering.