Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detailed Action
The amendment filed on 11/18/2021 has been entered. Claims 1-4, 6-12 and 14-20 remain pending in the application. Claims 5 and 13 have been canceled. Claims 1-4 and 6-12 are amended. 1 and 12 are independent claims, claims 2-4, 6-11 are dependent on claim 1, and claims 14-20 are dependent on claim 12. 
 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/08/2021 is being considered by the examiner.

Priority
The application claims the benefit of 62/697,542 filed on 07/13/2018.


Specification
The disclosure is objected to because of the following informalities:
¶0067 states “The firewall's policies are made up of includes, conditions, and rules. An include is a reference to another policy to be included in the current policy and allows for breaking policies up into smaller modular units.” It is not clear what is meant by these statements.

Response to Arguments
Applicant’s amendments to the Drawings have overcome the objections previously set forth in the Non-Final Action of 08/31/2021. Applicant’s amendments to the claims have overcome the rejection of the claims under § 112 previously set forth in the Non-Final Action of 08/31/2021. 
On page 17 of Applicant’s response, applicant requests withdrawal of the objection to the specification because the specification has been amended. While most of the objections have been corrected by the amendments, there is still one objection that has not been addressed in paragraph [0067].
Examiner withdraws the rejection of claims 1-20 under 35 U.S.C. 101 as being directed to non-statutory subject matter because the claim invention is directed to an abstract idea. However, the rejection of claims 1-11 as being directed to non-statutory subject matter because the claimed invention is software per se is maintained. 
	Applicant argues that software is not an excluded category of subject matter. While software stored on a physical substrate or executed within a hardware processor is not an excluded category, software per se is non-statutory subject matter. See MPEP 2106.03 (“Non-limiting examples of claims that are not directed to any of the statutory categories include: … Products that do not have a physical or tangible form, such as … computer program per se (often referred to as ‘software per se’)”)
The addition of “process” and “processes” in the claims do not add structural recitation. Absence of any structural recitations serves to support implementation by software. As understood in light of the specification, the broadest reasonable per se which is not within one of the four statutory categories of invention (process, machine, manufacture or composition of matter.
Applicant’s arguments regarding Rayapeta have been fully considered but they are not persuasive.
On page 18-19 of Applicant’s response, applicant argues that the cited paragraphs of Rayapeta only relates to message handling and not a deep packet inspection. Applicant further argues that the cited paragraphs [0028] and [0031] do not disclose ICS protocol packets or meeting ICS protocol conditions. Examiner will deem that Applicant meant that the cited paragraphs are [0028] and [0034].
Paragraph [0028] of Rayapeta discloses “characteristics of the payload or data portion of the messages may also be used for filtering” which is deep packet inspection of messages. For further clarification, paragraphs [0010] and [0011] of Rayapeta discloses that the robustness agent or module of Fig. 1 defends against infected network nodes, i.e. nodes with malware or virus, by analyzing and filtering messages. Note also that while Rayapeta does not explicitly mention ICS protocol packets or meeting ICS protocol conditions, the robustness module is applicable to industrial control systems (Rayapeta paragraph [0001]) and message communications being filtered necessitates a protocol, thereby ICS protocol.
Additionally, Applicant argues that cited paragraphs [0034] and [0055] of Rayapeta does not disclose claim 1 recitation that “firewalls are operable to execute policy rules utilizing the deep packet inspection to validate a data value or value transition of a defined data item. Particularly, applicant argues that paragraph [0034] 
First, the cited paragraphs for the above claim 1 recitation are paragraphs [0034], [0028] and [0057] of Rayapeta. Paragraph [0028] discloses that an in-bound syntax filter 20 analyzes characteristics of the payload or data portion of messages for filtering, which is deep packet inspection of messages, a data value. Paragraph [0034] discloses that the rules used by the in-bound syntax filter module 20 is based on the configurable rule list 42, the Table 1 providing an example list of rules. Accordingly, the in-bound syntax filter 20 executes rules using deep packet inspection to validate a data value. Furthermore, with respect to the rule list 42 discussed in paragraph [0034], Table 1 describes rules, for example, “Discard all packets aimed at a specific port,” and “Discard all packets that have invalid lengths (e.g., … header is too short…).” These rules would require packet inspection to determine whether the message meets conditions such as a source port not being blacklisted and header being a valid length. Thus the in-bound syntax filter inspects and validates a message based on rule list 42 discussed on paragraph [0034]. 
Therefore, the rejection of the claims over Rayapeta is maintained.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claim 1 does not fall within at least one of the four categories of patent eligible subject matter because the broadest reasonable interpretation of “firewalls” and “policy engine” of claim 1 encompasses software per se. The instant specification ¶00106 states, referring to FIGS. 15A and 15B, that “any process flow is applicable to software, firmware, hardware, and hybrid implementations.” The further absence of any structural recitations serves to support implementation by software per se. As understood in light of the specification, the broadest reasonable interpretation of claim 1 encompasses software per se which is not within one of the four statutory categories of invention (process, machine, manufacture or composition of matter).
Claims 2-4 and 6-11 are rejected as being dependent on claim 1.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 6-8, 12 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Rayapeta et al. (US Patent Application Publication No 2016/0344754, hereinafter “Rayapeta”).

Regarding claim 1, Rayapeta discloses a system (¶0001 “industrial plant communications system”).
the system includes one or more Industrial Control System (ICS) firewalls (Fig. 1, ¶0027 filter modules 20, 22, 30, 32) in a data network, the ICS firewall processes operable to execute a deep packet inspection among a plurality of ICS systems or among components of an industrial system that use ICS protocols (Fig. 1, ¶0028 “filter module 20” analyzes messages bound for a network, wherein “payload or data portions of the message may also be examined and used for filtering”); and
a dynamic policy engine process (Fig. 1, ¶0027 “robustness module 10” excluding the filter modules 20, 22, 30, 32; note Fig. 2, ¶0038 discloses a robustness module 210 at each node of each network, thereby one or a combination of the robustness modules can be mapped to the dynamic policy engine) comprising a model of the ICS firewalls and of ICS component data (Fig. 1, ¶0034 robustness module 10 includes a “configurable rule list 42” that store rules for each of the filter modules 20, 22, 30 32; here, the rules in the configurable rule list 42, sometimes denoted rules database 42, can be mapped to the model; note ¶0056-¶0058 “rules database 42 may store any desired set of rules” including message metadata, traffic metadata and configuration information, the combination making the model), the dynamic policy engine process ¶0010 “robustness agent analyzes and filters messages coming from or going onto the network”);
wherein the dynamic policy engine process comprises cyber security policies that block the ICS protocol network traffic or transmit an alert when the ICS protocol network traffic traverses an ICS firewall network path that is not defined as a valid data item of a system component (Figs. 1 and 2, ¶0057 “any types of data may be obtained and analyzed for the messages at the robustness modules 10 and 210,” including “information about the message itself, e.g.,… addresses…; communication information,…; and spurious information;” and “any other types of message data or metadata may be obtained and used,” also, Fig. 1, ¶0031 when certain conditions are detected by the filter 22, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”)
wherein the dynamic policy engine process uploads ICS protocol-based policies to each ICS firewall network path item (Fig. 1, ¶0034 “configurable rule list 42” may store rules for filters wherein “the rules may be configurable via the rule builder module 44” and wherein the rule builder 44 enables “on-line or on-the fly configuration of the rules stored in the rule list 42”), wherein the ICS firewalls are operable to execute policy rules utilizing the deep packet inspection to validate a data value or value transition of a defined data (¶0028 discloses that an in-bound syntax filter 20 analyzes characteristics of the payload or data portion of messages for filtering, which is deep packet inspection of messages, a data value. ¶0034 discloses that the rules used by the in-bound syntax filter module 20 is based on the configurable rule list 42, the Table 1 providing an example list of rules. Accordingly, the in-bound syntax filter 20 executes rules using deep packet inspection to validate a data value. Furthermore, with respect to the rule list 42 discussed in ¶0034, Table 1 describes rules, for example, “Discard all packets aimed at a specific port,” and “Discard all packets that have invalid lengths (e.g., … header is too short…).” These rules would require packet inspection to determine whether the message meets conditions such as a source port not being blacklisted and header being a valid length. Thus the in-bound syntax filter inspects and validates a message based on rule list 42 discussed on ¶0034);
wherein the dynamic policy engine process monitors an output stream of the ICS firewalls (Fig. 1, ¶0054 “the rules stored in the rules databases 42 may be generated by collecting and analyzing message or traffic metadata from the nodes of the network”) to output alerts when the cyber security policies are violated and to output data item state information when policy logging rules are executed (Fig. 1, ¶0055 “the robustness module 10 may include an alert generator 46 which may generate one or more alerts… based on the results of the analyses performed by the modules 20, 22, 30, and 32;” Fig. 1, ¶0034 the rule builder 44 enables “on-line or on-the fly configuration of the rules stored in the rule list 42”); and
wherein the deep packet inspection comprises checking specific fields within data messaging traffic within ICS protocol packets and blocking ICS protocol packets that do not meet ICS protocol conditions and rules (Fig. 1, ¶0028 “filter module 20” analyzes messages bound for a network, wherein “payload or data portions of the message may also be examined and used for filtering;” ¶0057 “any types of data may be obtained and analyzed for the messages,” including “information about the message itself, e.g.,… addresses…; communication information,…; and spurious information;” and “any other types of message data or metadata may be obtained and used,” also, ¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”).
Regarding claim 2, Rayapeta discloses system of claim 1 wherein the ICS firewall processes comprise an application programming interface (API) for uploading firewall policies and attaching the firewall policies to the ICS firewall network path (Fig. 1, pp0027 filter modules 20 and 22 “coupled between the driver 14 and the network stack 16 to process messages being sent from the network link 12 to the network device,” note, processing messages being sent, i.e., communicated, between the network link 12 and the network device can be mapped to API). API is a well-known concept as a software interface, thus it would be within the basic knowledge to use API as a communication software for uploading and attaching firewall polices as claimed.
Regarding claim 3, Rayapeta discloses system of claim 1 wherein the ICS firewall processes are configured to function as a sensor and an effector protocols (Fig. 1, ¶0031 when certain conditions are detected , filter module 22 may block a message and may perform some further action such as “communicat[ing] with the alert generator 46 which may send an alert”); and wherein the ICS firewall processes employ a stateful policy enforcement that is specific to ICS operating constraints and ICS (Fig. 1, ¶0028 “filter module 20” analyzes messages bound for a network, wherein “payload or data portions of the message may also be examined and used for filtering”).
Regarding claim 4, Rayapeta discloses system of claim 1 wherein the dynamic policy engine process automates generation, deployment, and monitoring of the cyber robustness module is the security system wherein ¶0023 “security system” “is capable of being configured or updated with rules that regulate specific message traffic patterns on network” and “may automatically create rules to protect against dynamically discovered adverse traffic patterns”); and wherein the dynamic policy engine process is operable to whitelist capabilities of the ICS firewall processes (¶0006 discloses “white listing” to prevent unauthorized applications from running).
Regarding claim 6, Rayapeta discloses system of claim 1 wherein the ICS firewall processes execute policy rules which set and persist variables; wherein the variables comprise one or more of a literal value, a variable value, a value derived from the deep packet inspection, or a mathematical expression utilizing a mathematical operator such as addition, subtraction, division, multiplication, or modulo in combination with any of the literal value, the variable value, or the value derived from the deep packet inspection (Fig. 1, ¶0057 rules in the rules database 42 may pertain to the “message itself, e.g., payload type, length, sources… timing”; “communications information, e.g., message timing…, security errors…, message content” as well as “other types of message data or metadata”) .
Regarding claim 7, Rayapeta discloses system of claim 1 wherein the dynamic policy engine process generates policies which set ICS firewall variables as a state machine which instructs the ICS firewall processes to employ stateful policy enforcement protections that dynamically adjust upon sensing feedback of system state (Fig. 1, ¶0028 “filter module 20” analyzes messages bound for a network, wherein “payload or data portions of the message may also be examined and used for filtering;” robustness module is the security system wherein ¶0023 “security system” “is capable of being configured or updated with rules that regulate specific message traffic patterns on network” and “may automatically create rules to protect against dynamically discovered adverse traffic patterns”).
Regarding claim 8, Rayapeta discloses system of claim 1 wherein the dynamic policy engine process generates one or more ICS protocol specific policies to include submodules of policies with conditions to access different layers of data in the data network, and generates rules to perform actions based on the state of the ICS systems on the data network (robustness module is the security system wherein ¶0023 “security system” “is capable of being configured or updated with rules that regulate specific message traffic patterns on network” and “may automatically create rules to protect against dynamically discovered adverse traffic patterns;” Fig. 1, ¶0028 “filter module 20” analyzes messages to determine one or more characteristics of the messages wherein “the one or more message characteristics may generally be found in or determined from information in the header and/or the trailer or other encapsulation portion of the message”). It would be within the basic knowledge that packet inspection is based on headers of the network and/or transport layers.
Regarding claim 12, Rayapeta discloses a process for providing security for information technology (IT) and operational technology (OT) networks associated with an industrial control system (ICS) (¶0001 “This application relates generally to process or industrial plant communications system… to detecting intrusion into control and maintenance communications network”) comprising:
deploying an initial model for a particular IT and OT network (Fig. 1, ¶0034 rules for each of the filter modules 20, 22, 30 32; here, the rules can be mapped to the model wherein ¶0056-¶0058 “rules database 42 may store any desired set of rules” including message metadata, traffic metadata and configuration information, the combination making the model);
dynamically updating security policies as the particular IT and OT network are used, patched, and modified (¶0023 “security system” “capable of being configured or updated with rules that regulate specific message traffic patterns on network” and “may automatically create rules to protect against dynamically discovered adverse traffic patterns”);
utilizing a deep packet inspection to enforce ICS constraints and ICS behaviors defined by the initial model (¶0028 analyzing messages bound for a network, wherein “payload or data portions of the message may also be examined and used for filtering”); wherein the deep packet inspection comprises checking specific fields within data messaging traffic within ICS protocol packets and blocking ICS protocol packets that do not meet ICS protocol conditions and rules (Fig. 1, ¶0028 “filter module 20” analyzes messages bound for a network, wherein “payload or data portions of the message may also be examined and used for filtering;” ¶0057 “any types of data may be obtained and analyzed for the messages,” including “information about the message itself, e.g.,… addresses…; communication information,…; and spurious information;” and “any other types of message data or metadata may be obtained and used,” also, ¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”);
reporting a state of the deep packet inspection for situational awareness and debugging purposes (¶0033 “receiv[ing], analyz[ing] and track[ing] discarded messages” to create a log such that “the logging of discarded messages may be configured” and exported); and
transmitting an alert or blocking ICS protocol traffic when anomalies are detected when the ICS protocol traffic traverses ICS firewall network paths that execute ICS policies (¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”);
wherein the ICS communicates via ICS protocols. It would be within the basic knowledge for ICS to use ICS protocol to communicate.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 9-11, 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rayapeta et al. (US Patent Application Publication No 2016/0344754, hereinafter “Rayapeta”) in view of “Model-Driven design of Industrial Control Systems” by Marga Marcos et al., hereinafter “Marcos.”

Regarding claim 9, Rayapeta discloses system of claim 1 as stated above except for wherein the dynamic policy engine process converts XML models of the ICS systems and the components of the industrial system that uses ICS protocols; and wherein the dynamic policy engine models are associated with deployments of the ICS firewall processes between segments of the data network.
Rayapeta does not explicitly disclose the use of XML models in the Industrial Control Systems. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use XML to model ICS systems and components for use in the dynamic policy engine.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).
Rayapeta and Marcos are analogous art to the claimed invention because they are in the same field of Industrial Control System. It would have been obvious to someone of ordinary skilled in the art before the effective filing date of the claimed invention to use the teachings of Marcos in modeling the Industrial Control System using XML to allow “performing model coherency and consistency checks as well as for filtering, processing and formatting part of the information contained in the model.” (Marcos, Page-1256, Section IV).
Regarding claim 10, Rayapeta discloses system of claim 1 wherein the dynamic policy engine process monitors state information produced by logging rules in the ICS protocol-based policies and dynamically regenerates the ICS protocol-based policies and uploads the ICS protocol-based policies to the ICS firewall network path when defined in XML models to react to state transition triggers (defining in XML models will be taught later; Rayapeta: robustness module is the security system wherein ¶0023 “security system” “is capable of being configured or updated with rules that regulate specific message traffic patterns on network” and “may automatically create rules to protect against dynamically discovered adverse traffic patterns;” note also Fig. 1, ¶0034, the robustness module 10 includes a configurable rule list 42 to store rules used by filter modules, wherein the rules are configurable via the rule builder module 44”).
Rayapeta does not explicitly disclose the use of XML models, namely uploading the ICS protocol-based policies to the ICS firewall network path when defined in the XML models to react to state transition triggers. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use an XML based model in the industrial system.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).
Rayapeta and Marcos are analogous art to the claimed invention because they are in the same field of Industrial Control System. It would have been obvious to someone of ordinary skilled in the art before the effective filing date of the claimed invention to use the teachings of Marcos in modeling the Industrial Control System using XML to allow “performing model coherency and consistency checks as well as for 
Regarding claim 11, Rayapeta discloses system of claim 1 wherein the industrial system comprises a factory system, a power management system, or shipboard hull, mechanical, and electrical (HM&E) system (Rayapeta: ¶0002 discloses use of industrial control and maintenance system in power generation or other manufacturing processes).
Rayapeta does not explicitly disclose wherein the model of the ICS firewall processes comprises an XML-based model. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use an XML based model in the industrial system.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).
Rayapeta and Marcos are analogous art to the claimed invention because they are in the same field of Industrial Control System. It would have been obvious to someone of ordinary skilled in the art before the effective filing date of the claimed invention to use the teachings of Marcos in modeling the Industrial Control System using XML to allow “performing model coherency and consistency checks as well as for filtering, processing and formatting part of the information contained in the model.” (Marcos, Page-1256, Section IV).
Regarding claim 14, Rayapeta discloses process of claim 12 further comprising converting XML models of the ICS constraints and the ICS behaviors into ICS firewall policies comprised of rules and conditions to check and enforce the ICS constraints and use of XML models will be taught later); wherein policies associated with ICS protocol network paths are uploaded to ICS firewalls and are attached to the ICS firewall network paths; and comprising defining ICS component data, thereby reducing exposure and vulnerability of the ICS (Rayapeta: ¶0023 “security system” being “capable of configured or updated with rules that regulate specific message traffic patterns on network”).
Rayapeta does not explicitly disclose converting XML models of the ICS constraints and the ICS behaviors into ICS firewall policies comprised of rules and conditions to check and enforce the ICS constraints and the ICS behaviors of the XML models. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use XML to model ICS constraints and behaviors into firewall policies comprised of rules.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).
Rayapeta and Marcos are analogous art to the claimed invention because they are in the same field of Industrial Control System. It would have been obvious to someone of ordinary skilled in the art before the effective filing date of the claimed invention to use the teachings of Marcos in modeling the Industrial Control System using XML to allow “performing model coherency and consistency checks as well as for filtering, processing and formatting part of the information contained in the model.” (Marcos, Page-1256, Section IV).
Regarding claim 15, Rayapeta in view of Marcos discloses process of claim 14 further comprising generating cyber protection policies that instruct ICS firewalls to use of an XML model will be taught later) and to transmit an alert regarding the blocking (Rayapeta: ¶0057 “any types of data may be obtained and analyzed for the messages,” including “information about the message itself, e.g.,… addresses…; communication information,…; and spurious information;” and “any other types of message data or metadata may be obtained and used,” also, ¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”).
Rayapeta does not explicitly disclose the use of an XML model. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use XML model and to block an ICS operation if a message data such as addresses are not defined.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).
Rayapeta and Marcos are analogous art to the claimed invention because they are in the same field of Industrial Control System. It would have been obvious to someone of ordinary skilled in the art before the effective filing date of the claimed invention to use the teachings of Marcos in modeling the Industrial Control System using XML to allow “performing model coherency and consistency checks as well as for filtering, processing and formatting part of the information contained in the model.” (Marcos, Page-1256, Section IV).
Regarding claim 16, Rayapeta in view of Marcos discloses process of claim 14 further comprising generating cyber protection policies that instruct ICS firewalls to use of an XML model will be taught later) and to transmit an alert regarding the blocking (Rayapeta: ¶0057 “any types of data may be obtained and analyzed for the messages,” including “information about the message itself, e.g.,… addresses…; communication information,…; and spurious information;” and “any other types of message data or metadata may be obtained and used,” also, ¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”).
Rayapeta does not explicitly disclose the use of an XML model. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use XML model and to block an ICS operation if a message data such as addresses are not valid.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).
Rayapeta and Marcos are analogous art to the claimed invention because they are in the same field of Industrial Control System. It would have been obvious to someone of ordinary skilled in the art before the effective filing date of the claimed invention to use the teachings of Marcos in modeling the Industrial Control System using XML to allow “performing model coherency and consistency checks as well as for filtering, processing and formatting part of the information contained in the model.” (Marcos, Page-1256, Section IV).
Regarding claim 17, Rayapeta in view of Marcos discloses process of claim 14 further comprising wherein the vulnerability of the ICS is reduced by defining component (¶0057 “any types of data may be obtained and analyzed for the messages,” including “information about the message itself, e.g.,… addresses…; communication information,…; and spurious information;” and “any other types of message data or metadata may be obtained and used;” for example message timing such as the time of day can be defined such that an operation for a component would be blocked if the time of day is invalid).
Regarding claim 18, Rayapeta in view of Marcos discloses process of claim 14 further comprising generating cyber protection policies that instruct ICS firewalls to block an ICS protocol operation for a component that contains an invalid value and transmitting an alert regarding the blocking (¶0057 “any types of data may be obtained and analyzed for the messages,” for example message timing such as the time of day; here, an operation for a component would be blocked if the time of day is invalid; also, ¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”).
Regarding claim 19, Rayapeta in view of Marcos discloses process of claim 14 further comprising defining valid value transitions of a component of the ICS, thereby reducing exposure and vulnerability of the ICS (¶0057 “any types of data may be obtained and analyzed for the messages,” for example message timing such as the time of day). It would be within the basic knowledge to define valid time of day values to detect anomalies in the ICS traffic.
Regarding claim 20, Rayapeta in view of Marcos discloses process of claim 14 further comprising generating cyber protection policies that instruct ICS firewalls to block an ICS protocol operation of a component of the ICS with a valid value when the system state does not match a value transition criterium and transmitting an alert regarding the blocking (Rayapeta: ¶0057 “any types of data may be obtained and analyzed for the messages,” for example message timing such as the time of day; here, even a component with a valid value would be blocked if the time of day does not match; also, ¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”);
defining state machine elements in XML models of components of the ICS (use of XML models will be taught later), thereby reducing exposure and vulnerability of the ICS; and generating cyber protection policies that instruct the ICS firewalls to block or alert ICS protocol operations that do not meet criteria of a defined state machine (¶0031 when certain conditions are detected, blocking a message and performing some further action such as “communicat[ing] with the alert generator 46 which may send an alert”).
Rayapeta does not explicitly disclose the use of XML models. However, XML is a well-known format to describe data, thus it would be within the basic knowledge to use XML to model ICS components.
Particularly, Marcos teaches using XML standards for describing Industrial Control Systems. (Marcos, Page-1256, Section IV).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAE-HEE CHOI whose telephone number is (571)272-9794. The examiner can normally be reached Monday-Thursday 12:00pm-8:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, 





/JAE-HEE CHOI/Examiner, Art Unit 2432       

/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494