The Obama executive order says that the "critical infrastructure" of concern is "where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." OK, you got me at "catastrophic ... effects." According to the dictionary that came with my Mac, "catastrophic" means "involving or causing sudden great damage or suffering." The type of things that Joel Brenner wrote about in his book "America the Vulnerable." Lots of people dying, the economy collapsing -- fun things like that.
Right now there is no actual legal requirement that the controls for a power company's plants be secure from hacking. There is also no personal liability for anyone working at the power company if they do not exercise common sense to try to protect against vendor stupidity that builds in security vulnerabilities. Nor is there any liability for a vendor that purposefully decides to make its products insecure and fails to tell customers.
There are regulations that require hospitals to protect medical records and universities to protect student educational records, but there are none that require a power company to protect its generating capacity or a hospital to protect its physical plant -- which is just as important to patient care as are the records. Imagine, if you will, what might happen to critically ill patients in a hospital in Dallas if the AC were turned off in mid-August. In this case the hacker went to jail, but what about the hospital engineers who installed the AC controllers in such a way that they were accessible over the Internet? In my opinion, they should share the blame.
The Obama effort bows to those in Congress who care less about protecting our health and safety than they do about protecting the pocketbooks of their campaign donors. That is not only sad, but it is a clear and present danger to us all. Prediction: Real requirements and liability will be established in law only after a major example of why it has been needed for years -- i.e., the Federal Aviation Administration style of fatality-based regulating.