Trump ran in the idea of limiting government regulation that was burdensome. I'm not trying to make this his fault, because I don't think even before him it was under regulation to that degree. But he ran on that because regulations can be expensive, and doing cybersecurity right is very expensive. Whether there are existing requirements in place to let the government endure standards on them is another question.
At a bare minimum you are probably looking at half a million per year for something like the pipeline (I don't know enough about what they actually have to get specific, but they will need a few people, some with specific knowledge of ICS or cyber). They may be able to cut that in half after the first few years after they get people trained up and a program in place, but that's before they identify any issues that need resources to fix.
Right now, with cleanup, probably a couple of million for a rush job of figuring out what all they even need to fix. Or more... It really depends.
They probably lack in house expertise and will subcontract it. I bet right now that seems cheap to them, but before they were hacked? They would have pushed back on needles overhead. "The stupid inefficient government just trying to make things harder for business."
Now if they enforced it, they would likely use NIST 800-82. https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
Caption this Meme
