ATC systems are usually air-gapped.
Financial systems aren’t as susceptible as people think.
However, you’re spot on with the electrical grid. Also vulnerable are water treatment plants, manufacturing plants, and transportation, specifically rail. It’s not if, it’s when.
We discuss the “assume breach” mentality with organizations across the country, and it’s troubling how few take it seriously.
Hacking doesn’t necessarily mean someone in China with a laptop, human engineering is the way to get someone on the side to help take it down same for the financial system, I’ve worked for a couple of companies with worldwide networks where I had full administrative access to every device in the network.
We had a guy one time who nearly got fired for opening a company email with a virus attached which would have given someone access to the network, the company had a worldwide network which would have created real panic if it went offline for an extended period of time
Did you ever read about the Stuxnet virus that supposedly was jointly developed by Israel and the USA to penetrate the Iranian nuclear industry, everything was air gapped and the virus was released in the areas that were suspected of actively by infecting Iranian scientists on their home computers and have them carry the virus to the inside air gapped network