NIST (the US National Institute of Standards and Technology) has now released the final version of its Cybersecurity Framework for critical infrastructure (formally, the "Framework for Improving Critical Infrastructure Cybersecurity"). As was requested of NIST, this is neither a set of new regulations nor a fundamentally new security concept, but, to quote my colleague Prof. Dr. Sachar Paulus, a "well-written summary document incorporating different approaches (lifecycle views, maturity views, communication aspects, risk posture analysis...) that helps in getting an operational grasp on the necessary activities, and is therefore well-suited as a guideline or education piece for technicians / practitioners. It is by no means sufficient (nor meant) to replace an ISMS (Information Security Management System). So: good that it exists, but in essence nothing new."
However, it is very likely that the framework will, in consequence, lead to new regulations. The Executive Order behind it obliges the sector-specific agencies to engage in a consultative process with other governmental agencies to determine whether current regulations are sufficient for their critical infrastructure sectors, and a review of that kind rarely ends with the conclusion that nothing needs to change.
When looking at the framework and its Appendix A (the Framework Core, which maps every category and subcategory to informative references such as ISO/IEC 27001:2013, COBIT 5, ISA 62443, the CCS Critical Security Controls and NIST SP 800-53), it becomes obvious that there is nothing really new in it. That leads to a simple piece of advice: follow established good practices and standards such as ISO/IEC 27001:2013 and COBIT 5. If new regulations turn out to be needed in future, it will be because too many organizations in critical infrastructure do not follow the good practices that already exist.