A major challenge for the US is that the utilities that we depend on are private entities. The government can recommend policies and procedures, but it can't mandate those. The most recent case-in-point is the Colonial Pipeline ransomware attack (which doesn't even seem to have been aimed at the pipeline per. se.) If you look at STUXNET (NASA/Israel designed attack aimed at Iran's uranium centrifuges), that was specifically designed to infect USB drives that might be eventually inserted in 'air-gapped' computers and so cross that gap.

As bad as things are now, it's about to get worse. There are a myriad of internet-connected devices coming (IoT) and for those, by and large, the design emphasis is on low manufacturing cost, not security. For convenience, nearly all of them connect to off-premises servers - and those servers are not necessarily within US borders and could end up under the control of those national actors. It's an issue for home automation, but even more so for office environments that might be inside a firewall that's also protecting an industrial system.