They have multiple networks. One of them is definitely airgapped (red for RD). The medium security one is protected by annoyingly strict network ACLs (yellow for ITAR). Then there's a low security one for stuff like sharepoint (green).
The standard you linked literally talks about: "High Impact BES Cyber Systems with External Routable Connectivity" and "Remote Access Management" for "High Impact BES Cyber Systems". That explicitly indicates non-airgapped critical systems. Furthermore, the proscribed auditing specifically spells out "network diagrams or architecture documents" as good evidence. Obviously, that is a high level document, but I see nothing to indicate robustness against state-level actors which are a expected threat.
Veserv|4 months ago