Defining ACLs in a CSP relies on software-defined networking. Software-defined networking (SDN) is a network architecture that decouples the control plane from the data plane, allowing for centralized and programmable network management. SDN can enable dynamic and flexible network configuration and optimization, as well as improved security and performance. In a CSP, SDN can be used to define ACLs that can apply to virtual networks, subnets, or interfaces, regardless of the physical infrastructure. SDN can also allow for granular and consistent ACL enforcement across different cloud services and regions. Verified References:
https://www.techtarget.com/searchsdn/definition/software-defined-networking-SDN
https://learn.microsoft.com/en-us/azure/architecture/guide/networking/network-security
https://www.techtarget.com/searchcloudcomputing/definition/cloud-networking

WPA3 SAE (Simultaneous Authentication of Equals) is the best option for this scenario. WPA3 is the latest version of the Wi-Fi security standard, and it provides a more secure form of encryption than WPA2 PSK and WEP 128 bit. WPA3 SAE is designed to protect against brute-force attacks and is the most secure choice for this particular situation.

Reviewing video from IP cameras within the facility would be the most likely process to expose an attacker who has compromised an air-gapped system. Since air-gapped systems are isolated from external networks, an attacker would need physical access to the system or use some covert channel to communicate with it. Video surveillance could reveal any unauthorized or suspicious activity within the facility that could be related to the attack. Verified Reference:
https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf
https://en.wikipedia.org/wiki/Air-Gap_Malware
https://www.techtarget.com/searchsecurity/essentialguide/How-air-gap-attacks-challenge-the-notion-of-secure-networks

A remote desktop gateway server is a solution that allows users to connect to remote desktops or applications over the internet using the Remote Desktop Protocol (RDP). A remote desktop gateway server can enforce MFA for RDP by integrating with Azure AD MFA using the Network Policy Server (NPS) extension. The NPS extension can send an OTP (one-time password) to the user's phone or mobile app as a second factor of authentication. A remote desktop gateway server can also enforce secure ciphers by configuring the SSL Cipher Suite Order Group Policy setting to specify the preferred order of cipher suites for TLS/SSL connections. Verified Reference:
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-access-from-anywhere
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-cipher-suite-order