Other analysts raised concerns. The rules are vague in some areas, they said. In other areas, they’re overly prescriptive, like calling for patching vulnerabilities, according to Dragos CEO Robert M. Lee. And requiring anti-virus scans makes sense on business systems, but they can delete critical files or cause system outages on machines that run the pipes, some experts said.