DETAILED ACTION
1.	Notice of Pre-AIA or AIA Status: The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


2.	Claims 1-4, 6-11, 13-18 and 20 are presented for allowance. 

3.	Claims 5, 12 and 19 have been canceled, and claims 1, 8, and 15 have been amended.

4.	This allowance of application 16/313459 is in response to Applicant’s claim amendments emailed to USPTO on June 1, 2021.

5.	Application 16/313459 has benefit from provisional 62/353256 filed on June 22, 2016.

Examiner’s Amendment
6.	An Examiner’s Amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR § 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the Issue Fee.



8.	The claims have been amended as follows:

1.	(Currently Amended) A network-attack-resilient, intrusion-tolerant electronic
supervisory control and data acquisition (SCADA) system comprising:
at least three centers comprising at least two control centers, the at least three centers situated at different geographic locations, 
wherein the at least three centers comprise at least three SCADA centers, and 
wherein the at least two control centers comprise at least two SCADA control centers;
a plurality of servers situated at the at least three centers, 
wherein the at least three centers each comprise at least two servers of the plurality of servers;
wherein the plurality of servers are communicatively coupled over a computer network to each-other and to at least one remote unit;
wherein the plurality of servers are configured to participate in a replication protocol;
wherein, when servers of the plurality of servers at one center of a plurality of centers are disconnected from the computer network by a network attack that causes isolation of the one center, and when one server of the plurality of servers at another center of the plurality of centers is compromised by the attack that comprises an intrusion of the one server, the system performs the replication protocol to reach consensus among connected operational servers of the plurality of servers for system updates and to issue instructions to the remote unit.

2.	(Original) The system of claim 1, wherein the replication protocol comprises a
Byzantine replication protocol.

3.	(Currently Amended) The system of claim 1, wherein:
one of the centers of the plurality of centers is disconnected from the computer network and the one server of the plurality of servers at the another center of the plurality of centers is compromised;
wherein the system uses the replication protocol to reach the consensus among the operational servers of the plurality of servers to issue a command to the remote unit; and
wherein the remote unit executes the command within one second of a time of issuance of the command.

4.	(Currently Amended) The system of claim 1,
wherein the at least two control centers comprise the servers of the plurality of servers configured to issue the instructions to the at least one remote unit, and
the servers of the plurality of servers not configured to issue the instructions to the at least one remote unit.

5.	(Currently Amended) The system of claim 4, further comprising a second data center in a second different geographic location than locations of the at least two control centers and the first data center, the second data center comprising at least two servers of the plurality of servers communicatively coupled to the at least one remote unit and not configured to issue the instructions to the at least one remote unit.

6.	(Currently Amended) The system of claim 5, further comprising
a third data center in a third different geographic location than locations of the at least two control centers, the first data center, and the second data center;
wherein the third data center comprises the at least two servers of the plurality of servers communicatively coupled to the at least one remote unit and not configured to issue the instructions to the at least one remote unit;
wherein each of the at least two control centers each comprise at least three servers of the plurality of servers.

7.	(Currently Amended) The system of claim 4, wherein:
each of the at least two control centers comprises at least four servers of the plurality of servers communicatively coupled to the at least one remote unit and configured to issue the instructions to the at least one remote unit; and
wherein the first data center comprises the at least four servers of the plurality of servers.

8.	(Currently Amended) The system of claims 5, 6, or 7, wherein, during a time of a fault of a first at most one of the plurality of servers and an ongoing proactive recovery of a second at most one of the plurality of servers, the system uses the replication protocol to reach the consensus among the connected operational servers of the plurality of servers for system updates and to issue the instructions to the at least one remote unit, whereby the at least one remote unit executes any instruction sent by the server of the plurality of servers within one second of a time of issuance of the command.

9.	(Original) The system of claim 1, wherein the at least one remote unit comprises the at least one remote unit selected from the group consisting of: remote terminal unit (RTU) and programmable logic controller (PLC).

10.	(Original) The system of claim 1, wherein the plurality of servers are configured to undergo proactive recovery on a periodic basis.


accessing at least three centers comprising at least two control centers, the at least three centers situated at different geographic locations, 
wherein the at least three centers comprise at least three SCADA centers, and
wherein the at least two control centers comprise at least two SCADA control centers;
configuring a plurality of servers situated at the at least three centers, 
wherein the at least three centers each comprise at least two servers of the plurality of servers,
wherein the plurality of servers are communicatively coupled over a computer network to each-other and to at least one remote unit, 
wherein the configuring comprises configuring the plurality of servers to participate in a replication protocol;
wherein, when servers of the plurality of servers of one center of a plurality of centers are disconnected from the computer network by a network attack that causes isolation of the one center, and when one server of the plurality of servers at another center of the plurality of centers is compromised by the attack that comprises an intrusion of the one server, the plurality of servers perform the replication protocol to reach consensus among connected operational servers of the plurality of servers for system updates and to issue instructions to the remote unit.

12.	(Original) The method of claim 11, wherein the replication protocol comprises a
Byzantine replication protocol.

13.	(Currently Amended) The method of claim 11, wherein the one center of the plurality of centers is disconnected from the computer network and the one server of the plurality of servers at the another center of the plurality of centers is compromised, the method further comprising:
using the replication protocol to reach the consensus among the operational servers of the plurality of servers to issue a command to the remote unit,
whereby the remote unit executes the command within one second of a time of issuance of the command.

14.	(Currently Amended) The method of claim 11, 
wherein the at least two control centers comprise servers of the plurality of servers configured to issue the instructions to the at least one remote unit, and 
wherein the plurality of centers further comprise at least a first data center comprising the at least two servers of the plurality of servers not configured to issue the instructions to the at least one remote unit.

15.	(Currently Amended) The method of claim 14, further comprising:
accessing a second data center in a second different geographic location than locations of the at least two control centers and the first data center; and
configuring at least two servers of the plurality of servers at the second data center and communicatively coupled to the at least one remote unit to not issue the instructions to the at least one remote unit.

16.	(Currently Amended) The method of claim 15, further comprising:
accessing a third data center in a third different geographic location than locations of the at least two control centers, the first data center, and the second data center;
configuring at least two servers of the plurality of servers at the third data center communicatively coupled to the at least one remote unit to not issue the instructions to the at least one remote unit;
wherein the first control center comprises a first set of at least three servers of the plurality of servers; and
wherein the second control center comprises a second set of at least three servers of the plurality of servers.

17.	(Currently Amended) The method of claim 14, wherein: 
each of the at least two control centers comprise at least four servers of the plurality of servers communicatively coupled to the at least one remote unit, and
the first data center comprises at least four servers of the plurality of servers; 

configuring the at least four servers of the plurality of servers at each of the at least two control centers to issue the instructions to the at least one remote unit; and
configuring the at least four servers of the plurality of servers at the first data center to not issue the instructions to the at least one remote unit.
18.	(Currently Amended) The method of claims 13, 14, or 15, further comprising, during a time of a fault of at most one of the plurality of servers and an ongoing proactive recovery of the at most one of the plurality of servers, using the replication protocol to reach the consensus among the connected operational servers of the plurality of servers for system updates and to issue the instructions to the remote unit, whereby the remote unit executes any instruction sent by the server of the plurality of servers.

19.	(Currently Amended) The method of claim 11, wherein the at least one remote unit comprises the at least one remote unit selected from the group consisting of:
remote terminal unit (RTU) and programmable logic controller (PLC).

20.	(Original) The method of claim 11, wherein the plurality of servers are further
configured to undergo proactive recovery on a periodic basis.


at least two of the at least two control centers each comprise at least three servers of the plurality of servers;
the first data center comprises a first set of the at least three servers of the plurality of servers; and
the second data center comprises a second set of the at least three servers of the plurality of servers.
22.	(Currently Amended) The method of claim 14, wherein:
each of the at least two control centers each comprise at least six servers of the plurality of servers communicatively coupled to the at least one remote unit;
the first data center comprises a first set of the at least six servers of the plurality of servers; 
the method further comprising:
configuring the at least six servers of the plurality of servers at each of the at least two control centers to issue the instructions to the at least one remote unit; and
configuring the first set of the at least six servers of the plurality of servers at the first data center to not issue the instructions to the at least one remote unit.



Reason for Allowance

9.	Claims 1 and 11 of the present invention are directed towards a network-attack-resilient, intrusion-tolerant electronic Supervisory Control and Data Acquisition (SCADA) system.  The SCADA system comprises at least 3 centers comprising at least 2 Control Centers (CCs).  The at least 3 centers are situated at different geographic locations.  A Plurality of Servers (PoSs) are situated at the at least 3 centers.  The at least 3 centers comprise at least 3 SCADA centers.  The at least 2 CCs comprise at least 2 SCADA CCs.  The at least 3 centers each comprise at least 2 servers of the PoSs.  The PoSs are communicatively coupled over a Computer Network (CN) to each other and to a Remote Unit(s) (RU(s)).  The PoSs are configured to participate in a Replication Protocol (RP).  When servers of the PoSs at 1 center of a Plurality of Centers (PoCs) are disconnected from the CN, and when 1 server of the PoSs at another center of the PoCs is compromised, the system performs the RP to reach consensus among connected Operational Servers (OSs) of the PoSs for system updates and to issue instructions to the RU.  Independent claims 1 and 11 each identify the uniquely distinct combination of features:
a network-attack-resilient, intrusion-tolerant electronic Supervisory Control and Data Acquisition (SCADA) system
at least three centers comprising at least two control centers, the at least three centers situated at different geographic locations
wherein the at least three centers comprise at least three SCADA centers
wherein the at least two control centers comprise at least two SCADA control centers
a plurality of servers situated at the at least three centers 
wherein the at least three centers each comprise at least two servers of the plurality of servers
wherein the plurality of servers are communicatively coupled over a computer network to each-other and to at least one remote unit
wherein the plurality of servers are configured to participate in a replication protocol
wherein, when servers of the plurality of servers at one center of a plurality of centers are disconnected from the computer network by a network attack that causes isolation of the one center
when one server of the plurality of servers at another center of the plurality of centers is compromised by the attack that comprises an intrusion of the one server, the system performs the replication protocol to reach consensus among connected operational servers of the plurality of servers for system updates and to issue instructions to the remote unit.
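As an added illustration of why the dependent claims size the centers as they do (this is not code from the application or from any cited reference), the following Python checks whether a given placement of servers across centers keeps a live consensus quorum in the scenarios the claims distinguish: one center isolated plus one server compromised elsewhere, and one fault plus one concurrent proactive recovery. It assumes a Byzantine replication protocol with the standard quorum rule 2q - n ≥ f + 1 (which yields n = 3f + 2k + 1 servers and quorum q = 2f + k + 1 for a single site); the center labels are ours, and the server counts are taken from claims 1, 6, 7 and 22.

```python
"""Quorum-survivability check for a multi-site, intrusion-tolerant SCADA
deployment of the kind claimed above.  Added illustration only, not code from
the application or from any cited reference.

Assumed model (not stated on the page): a Byzantine replication protocol whose
quorum is the smallest q with 2q - n >= f + 1, so any two quorums share at
least one correct server, and which makes progress only when q correct,
connected, non-recovering servers respond.  For a single site this gives the
familiar n = 3f + 2k + 1 servers with quorum q = 2f + k + 1."""
from typing import Dict


def quorum_size(n: int, f: int) -> int:
    """Smallest q such that 2q - n >= f + 1."""
    return (n + f) // 2 + 1


def survives(sites: Dict[str, int], f: int, k: int, isolate_a_center: bool) -> bool:
    """True if a live quorum remains under the worst-case adversary placement.

    sites: servers per geographic center (control centers and data centers
           count alike for quorum purposes; the names are only labels).
    f:     servers compromised at the same time.
    k:     servers undergoing proactive recovery at the same time.
    isolate_a_center: whether a network attack also cuts off one whole center.
    Worst case: the largest center is the one isolated, and all f intrusions
    and k recoveries fall on servers that are still connected."""
    n = sum(sites.values())
    q = quorum_size(n, f)
    connected = n - (max(sites.values()) if isolate_a_center else 0)
    usable = connected - f - k
    return usable >= q


def assess(sites: Dict[str, int], f: int = 1, k: int = 1) -> Dict[str, bool]:
    """Evaluate the scenarios the claims distinguish (f = k = 1 by default)."""
    return {
        "isolation+intrusion": survives(sites, f, 0, True),  # claims 1, 3, 13
        "fault+recovery": survives(sites, f, k, False),       # claims 8, 18
        "all_three": survives(sites, f, k, True),             # both at once
    }


# Server placements taken from the claim listing (center labels are ours).
CLAIM_1_MINIMUM = {"CC1": 2, "CC2": 2, "DC1": 2}                  # claim 1 floor
CLAIM_6 = {"CC1": 3, "CC2": 3, "DC1": 2, "DC2": 2, "DC3": 2}      # claim 6
CLAIM_7 = {"CC1": 4, "CC2": 4, "DC1": 4}                          # claim 7
CLAIM_22 = {"CC1": 6, "CC2": 6, "DC1": 6}                         # claim 22

if __name__ == "__main__":
    for name, cfg in [("claim 1 minimum", CLAIM_1_MINIMUM), ("claim 6", CLAIM_6),
                      ("claim 7", CLAIM_7), ("claim 22", CLAIM_22)]:
        n = sum(cfg.values())
        print(f"{name}: n={n}, quorum={quorum_size(n, 1)}, {assess(cfg)}")
```

Under this rule the bare two-servers-per-center floor of claim 1 does not keep a quorum once a center is isolated and a server elsewhere is compromised, while the placements in claims 6, 7 and 22 do; the claim 6 and claim 22 placements also survive isolation, intrusion and a concurrent recovery together.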

10.	Regarding allowed claims 1 and 11 presented above, the following is an examiner’s statement of reasons for allowance.  The following are the best/closest prior art:



Defago et al. (“Specification of Replication Techniques, Semi-Passive Replication, and Lazy Consensus”, 2001) teach that a major problem inherent to distributed systems is their potential vulnerability to failures.  Redundancy is usually introduced by the replication of components or services.  Replicating a service in a distributed system requires that each replica of the service keeps a consistent state, which is ensured by a specific replication protocol.  There exist two major classes of replication techniques to ensure this consistency: active and passive replication.  With active replication, each request is processed by all replicas.  This technique ensures a fast reaction to failures, and sometimes makes it easier to replicate legacy systems.  With passive replication (also called primary-backup), only one replica (the primary) processes the request, and sends update messages to the other replicas (the backups).

Goose et al. (US Pub 20130053986) teach a system for automatically monitoring and controlling an infrastructure process that includes a plurality of remote 

Zhou et al. (US Pub 20020116611) teach a fault-tolerant and secure on-line Certification Authority (CA) that has applicability both in a Local Area Network (LAN) and in Wide Area Networks (WANs) like the Internet.  Replication is used to achieve availability.  An on-line CA is implemented 

Malkhi et al. (“Survivable Consensus Objects”, 1998) teach that reaching consensus among multiple processes in a Distributed System (DS) is fundamental to 

Karame et al. (US Pub 20190386829) teach distributed consensus systems that provide strong consistency guarantees.  Financial institutions have begun to investigate the traditional Byzantine Fault Tolerant (BFT) protocols 

Bortnikov et al. (US Pub 20150186229) teach a fault-tolerant Consensus Protocol (CP) and, more specifically, but not exclusively, a leader re-selection process in a fault-tolerant CP.  Systems are provided for efficiently replacing a node set for handling client commands in a Paxos-like protocol, called a leader, by a new leader upon failover.  Paxos is a fault-tolerant CP for solving consensus in a network of unreliable nodes.  In regular Paxos, a configuration is defined where a group of nodes are defined as proposers and one of them is defined as leader and is responsible for handling client requests and commands.  One of the other processors in the group may suspect that the leader is faulty, for example, after no response is received from the leader for a certain period of time indicating a communication failure, or when receiving a message indicating a failure of the leader process.  The suspecting node waits a period before concluding that the leader is faulty and defining a new configuration with itself as leader.  When the suspicion proves to be false (i.e., the leader is not faulty and responds during the wait time), the suggested configuration is abandoned and the execution of the protocol resumes under the existing configuration.



MacCormick et al. (US Pub 20060155781) teach Data Servers (DSs) may be responsible for data replication functions and no longer perform re-configuration functions.  The DSs may perform simpler Data Replication Protocols (DRPs) (e.g., two-phase commit protocol) because configuration is no longer wrapped in the replication function.  The DRP may apply updates on all DSs, and if a DS is unavailable (e.g., due to failure), the consensus service may be invoked to remove the unavailable server from the configuration of the replication group.  The infrastructure not only may optimize system performance but also may provide a clean separation between scalability and fault tolerance.  In this way, the consensus function does not grow unnecessarily with the size of the system when scaling out.  Each data object is desirably replicated on multiple servers and a DRP can be used to replicate data.  Data may be read by reference to only one replica of the data without performing any DRP.  In embodiments, if a service is implemented by a single server, failure of that server may cause the service to fail.  A standard approach to achieve fault tolerance is the replicated state machine approach, where the service is implemented by a set of servers, each implementing the same deterministic state machine.  As long as the set of servers executes the same sequence of commands in the same order, the servers may 

Skare (US Pub 20110039237) teaches a system for Cyber Security Management (CSM) of Supervisory Control and Data Acquisition (SCADA) systems, provided to enhance situational awareness and CSM for industrial control systems.  A Control Center Model includes a replica of the control functions in use in the SCADA.  Replication means that the features in the User Interface have functions which are identical in the SCADA and in the Operator Training Simulator (OTS), as seen by a trainee at his console.

11.	In summary, nowhere does the prior art disclose the unique combination of steps/elements listed above.  The teachings of each best prior art are highlighted 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal, whose telephone number is 571-270-3992.  The examiner can normally be reached from 8:30am to 5:00pm EST, Monday through Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452
	June 2, 2021