DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Claims 1-6, 8-15, and 17-20 as submitted via preliminary amendments on 12/16/19 were examined.  Claims 7 and 16 were cancelled.

Information Disclosure Statement
	The IDS’s submitted on 12/28/18 and 5/27/20 were considered.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 15 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
As per claim 15, “The building automation system of claim 18” as recited in line 1 should be “The computer-implemented method of claim 18” as claim 18 is a method claim, not a system claim.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-3 and 9-12 is/are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Hudson et al (US 2014/0373161).
Claims 1 and 10:
	As per claim 1, Hudson discloses a computer-implemented method for performing an electronic security assessment of a controller in a building automation system, the building automation system including a network of electronic devices connected in electronic communication (paragraphs 9, 21, and 56; A power plant having a network of computers protected by a security system is considered the claimed building.  Hudson’s invention implements network security requirements for one or more computers which run the power plant according to the NERC CIP standards.  The security system is considered the claimed controller
Initiating an electronic security scan of the controller (paragraphs 24-25 and 48-49; 
Electronically assessing, by the controller, security vulnerabilities of the controller, including identifying one or more of a validation of whether the controller is protected by a firewall or other network security device, identifying which communication ports are open, identifying and verifying an Ethernet and Wi-Fi configuration of the controller, determining whether any routers communicating with the controller are protected by the firewall or other network security device, determining whether the controller is running an up-to-date software or firmware version, determining a password policy, and determining a listing of software applications and versions installed on the controller (paragraphs 24, 54, and 57; A computing device or network of computing devices are scanned for vulnerabilities, such as firewall vulnerabilities, unnecessarily opened ports, and compliance with NERC CIP specified standards).
Determining a listing of recommendations for resolving security vulnerabilities of the controller based on the electronically assessing security vulnerabilities of the controller (paragraphs 22, 24, 27-28, 52, 54, and 61-62; A security vulnerability report is generated including identifying the necessity of various ports and services and relevant firewall rules.  Also included is a mitigation report which documents how risks can be mitigated).
Electronically assessing, by the controller, security vulnerabilities of the network of the electronic devices connected in electronic communication with the controller (paragraphs 22, 24, 27-28, 52, 54, and 61-62).

The rejection of claim 1 applies, mutatis mutandis, to claim 10.

Claims 2 and 11:
	As per claim 2, Hudson further discloses wherein the controller is a system control unit serving as a master controller for the building automation system (paragraphs 49 and 56; Security system for a computer on a network of the power plant).
The rejection of claim 2 applies, mutatis mutandis, to claim 11.

Claims 3 and 12:
	As per claim 3, Hudson further discloses wherein the controller is a unit controller in the building automation system (paragraphs 49 and 56; Security system for local computer of the power plant).
The rejection of claim 3 applies, mutatis mutandis, to claim 12.

Claim 9: 
	As per claim 9, Hudson further discloses wherein the method is scheduled to be performed on a periodic basis (paragraph 54; Period review of ports and services performed).

Claim Rejections - 35 USC § 103

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4-5 and 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Witter et al (US 9,941,007).

Claims 4 and 13:
	As per claim 4, Hudson further discloses wherein the controller is connected in electronic communication with a network-based service (paragraphs 49, 52, and 54).  Hudson does not disclose, but Witter discloses the network being a cloud and cloud-based services (col 4, lines 56-63).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Hudson’s invention using Witter’s teachings so that the network was a cloud network and the network-based service was a cloud-based service.  The rationale for why it would be obvious is that clouds are just another type of network and incorporating Witter’s teachings in the manner discussed such that a cloud network and cloud-based service were used in place of a generic network and generic network-based service is nothing more than simple substitution of one known element for another to obtain predicable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).
The rejection of claim 4 applies, mutatis mutandis, to claim 13.

Claims 5 and 14:
	As per claim 5, the limitation further recited is obvious over the teachings of Hudson and Witter.  Hudson further discloses sending one or more results from the electronic security assessment to the network-based service (paragraphs 49, 52, and 54).  The network-based service being cloud-based is obvious over the additional teachings of Witter (col 4, lines 56-63) as discussed in the rejection of claim 4 above.
The rejection of claim 5 applies, mutatis mutandis, to claim 14.


Claim 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161).
Claim 8:
	As per claim 8, Hudson does not disclose actively attempting to connect to the controller or one of the plurality of electronic devices by a brute force attack.  However, official notice is taken that prior to the effective filing date of applicant’s claimed invention, brute force attacks on a computer systems/networks/components were well known in the art.  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to attack Hudson’s invention by actively attempting to connect to the controller or one of the plurality of electronic devices by a brute force attack.  One of ordinary skill in the art would have been motivated to do as brute force attacks is still a common way of attacking a computer .

Claims 6, 17, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Al-Harbi et al (US 2012/0180133).
Claims 17 and 19:
	As per claim 17, Hudson does not disclose, but Al-Harbi discloses calculating a risk score based on the electronically assessing security vulnerabilities of the controller (paragraphs 10 and 12-13).
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Al-Harbi’s teachings with respect to risk score within Hudson’s invention when assessing security vulnerabilities.  One skilled would have been motivated to do so as it would allow one to determine the effect of known threats on vulnerabilities and determine the various costs associated with exploitation of such vulnerabilities by the known threats (Al-Harbi: paragraph 10).
The rejection of claim 17 applies, mutatis mutandis, to claim 19.

Claim 6:
	As per claim 6, Al-Harbi further discloses sending the risk score and the listing of recommendations for resolving security vulnerabilities of the controller to a computer for display on a display device of the computer (paragraphs 10, 12-13, 36, and 43; GUI interface shows risks assessed and scores assigned to those risks).


Claims 18 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Witter et al (US 9,241,007).
Claims 18 and 20:
	As per claim 18, Hudson does not disclose, but Witter discloses wherein the network of electronic devices are connected in electronic communication via a BACnet protocol (col 1, lines 39-60).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Witter’s teachings with within Hudson’s invention.  One skilled would have been motivated to do so because the BACnet protocol is a standard networking protocols and standards are meant to be used.  Further, using the BACnet protocol in Hudson’s network to connect the various electronic devices would be nothing more than simple substitution of one known element (i.e. generic network protocol) for another (i.e. BACnet protocol) to obtain predicable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).
The rejection of claim 18 applies, mutatis mutandis, to claim 20.

Claim 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Witter et al (US 9,241,007) in further view of Al-Harbi et al (US 2012/0180133).
Claim 15:
	As per claim 15, Hudson further disclose a computer in electronic communication with the controller (paragraph 28; Networked security system).  
GUI interface shows risks assessed and scores assigned to those risks).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Al-Harbi’s teachings with respect to risk scores and displaying the vulnerabilities and risk scores within Hudson’s invention when assessing security vulnerabilities.  One skilled would have been motivated to do so as it would allow one to determine the effect of known threats on vulnerabilities and determine the various costs associated with exploitation of such vulnerabilities by the known threats (Al-Harbi: paragraph 10).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495