Did a USB drive disrupt a nuclear program? A Defense in Depth (DiD) teaching case

Abstract

Defense in Depth (DiD) has become an industry buzzword. But practicing DiD is easier said than done. While cybersecurity researchers have predominantly focused on securing corporate networks, there remains a serious gap in endpoint-threat awareness. Yet endpoint threats were the progenitor of 68% of breaches and hacks in 2019 (Computers Nationwide, 2022), a vulnerability that increased during the COVID-19 lockdown with relaxed BYOD (Bring Your Own Device) policies, more IoTs, and cheaper and larger USB flash drives. This teaching case uses the 2009 Stuxnet attack on Iran’s nuclear facilities to exemplify how a single USB drive was used as an endpoint threat to disrupt a nuclear infrastructure, drawing attention to the need for and how to practice DiD to counter towering complexities ushered in burgeoning endpoints cyberattacks, from hacks to ransomware. The case shows the need for DiD to simultaneously pay heed toward physical, technical, and processual (administrative) measures to prevent, defend, and mitigate cyberattacks, from hacks to ransomware. The case and its teaching notes highlight the opportunities and challenges of practicing DiD for endpoints, from flash drives to IoTs.