Honestly, system user education/awareness goes even further. Iran's nuclear facilities used an air gap, but it was social engineering that was the weakest attack vector for Stuxnet to exploit. Same with the South Korean Winter Olympics; a phishing email with a macro-embedded Word doc got them in there.
A great book on a Russian, state-backed hacking group was by a senior Wired writer, Andy Greenberg, called "Sandworm" [0]
[0] https://www.amazon.com/Sandworm-Cyberwar-Kremlins-Dangerous-...