There may be instances where additional direct regulation of an industry that is already highly regulated (nuclear power, electricity, chemical plants, water treatment) may be warranted. Congress should consider carefully targeted directives for limited regulation of particular critical infrastructures to advance the protection of cybersecurity at these facilities using existing regulators. Any additional regulation should consider the burden on the private sector by requiring agencies to conduct a thorough cost/benefit analysis. .