Traditionally they might have been air gapped but from the description of anyone being able to use any station that would not longer possible. They might run on isolated servers, almost definitely since the Armed forces are religious about separation of classified and non-classified systems and data. (This is one reason why sites hosting the Wikileaks and Snowden documents are banned from networks. If classified data, which the leaks still are despite being leaked, appears on an unclassified system there's hell to pay.)

As for the attack surface incoming communication is encrypted a lot these days which severely limits an attackers ability to even get a hook in the system to start with. They also probably isolate the communication systems from an other systems requiring users to input any order, eg vm000123 is running on the gun controllers station relaying firing authorization and targeting which is entered into vm0002020 which manages the gun systems.

From the article, it sounded like each of the systems was running on a stripped down Linux VM, so each of the stations would be logically isolated from each other, running in the same "data center".

"designed for stealth, survivability, and firepower"

I imagine that would take a bit. I also imagine there is a LOT of redundancy.