Task $2$ CPS Vulnerability Instances

Cyber$-$physical systems link sensing devices attached to a physical process with control elements that transfer data and commands to and from computational devices. RTU, PLC and MTU combine sensing and control operations in a closed$-$loop cycle, whereas HMI provides the computational interface to moni$-$ toring personnel. Your task is to retrieve the vulnerability instances to cyber$-$ attacks for one of the above cyber$-$physical system assets.

You will shift your vulnerability analysis focus on reported instances relevant to one of the above cyber$-$physical system assets. Besides CVE$5$ and supporting CVE$-$Search$6$ you used earlier, you may also use NVD$7($referring to National Vulnerability Database$).$ NVD is a vulnerability database that is built upon and fully synchronized with CVE so that any updates to CVE appear immediately in NVD$.$ Thus, CVE feeds NVD$,$ which then builds upon the information included in CVE entries to provide enhanced information for each entry such as severity scores $($calculated based on CVSS$8$ standard$),$ and impact ratings. As part of its enhanced information, NVD also provides advanced searching features such as by OS; by vendor name, product name, and$/$or version number; and by vulnerability type and severity.

Task $2\mathrm{.}1$ In your CPS vulnerability report, you must provide a brief summary of retrieved vulnerabilities for one of the above CPS assets. This summary is expected to include the number of vulnerability instances in CVE and in NVD for your chosen CPS asset or product. Are the numbers consistent? If not, attempt an explanation.

Task $2\mathrm{.}2$ Choose three different but CPS$-$related vulnerability reports in CVE, and try to find relevant descriptive sections, followed by a short summary of the report. An illustration of extracted descriptors from a vulnerability report is shown in Figure $1.$

You should thus report on the following descriptors, along with a short sum$-$ mary:

$1.$ ID

$2.$ Component and version $($if any$))$

$3.$ Asset $($or product$)$ and version $($if any$))$

$4.$ Vendor $5.$ Vulnerability

$6.$ Threat

For some additional reference, you can check the reports in ICS$-$CERT$9$ for the vulnerability instance CVE$-2019-1353310$ to evaluate the additional set of analysis information provided by ICS$-$CERT based on a CVE ID report, as an illustration example. Task $2\mathrm{.}3$ Discuss the CVSS base score for the above vulnerability reports. An illustration of extracted descriptors is shown in Figure $2.$ This CVSS version$2$ base score can be found in NVD using CVE$-$ID of the vulnerability instance. In doing so$,$ explain the associated values for any of the reported CVSS base metrics, namely:

$1.$ Access Vector

$2.$ Access Complexity

$3.$ Authentication

$4.$ Confidentiality

$5.$ Integrity

$6.$ Availability