DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	The Office action is in response to the patent application filed on May 29, 2020. The application contains 20 claims. Claims 1-20 are directed to a method and a system for secure remote access to an industrial control system. Claims 1-20 are pending.

Claim Rejections - 35 USC § 101
3.	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

4.	Claims 1-10 are rejected under 35 U.S.C. 101 because:
Referring to claims 1-10:
	Claim 1 is directed to a system. However, the claim limitations do not specify any specific hardware components of the system. Therefore, Claim 1 is rejected as being directed to non-statutory subject matter.
	Claims 2-10 depend from Claim 1 and are therefore rejected based on the same rationale.

Claim Rejections - 35 USC § 102

5.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

6.	Claims 1-2, 4, and 11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhu et al. (U.S. 2018/0316663 A1), hereinafter “Zhu”.
Referring to claims 1, 11:
Zhu teaches:
	A system for secure remote access to an industrial control system using hardware based authentication, comprising (see Zhu, fig. 1, 116 ‘smart card’; [0016] ‘user 108 may gain remote access to those machines’):
	secure user authentication (see Zhu, [0037] ‘The multi-factor authentication data can include smart card data 272, PIN or password data 274, and it can include a wide variety of different or other data 276.’);
	secure interactive remote access or secure machine-to-machine remote access or communication (see Zhu, fig. 5, item 502 ‘cloud’, 102 ‘data center computing system’; [0060] ‘elements of data center 102 can disposed in cloud… hosted at a remote site by a service… provided as a service through a cloud’); and
	remote access services (see Zhu, fig. 5, item 502 ‘cloud’, 102 ‘data center computing system’; [0060] ‘elements of data center 102 can disposed in cloud… hosted at a remote site by a service… provided as a service through a cloud’).
Referring to claim 2:
	Zhu further discloses:
	wherein the secure user authentication comprises two-factor authentication (2FA) or three-factor authentication (3FA) based on smart cards (see Zhu, [0020] ‘multi-factor authentication... smart card’).
Referring to claim 4:
	Zhu further discloses:
	wherein the smart cards comprise secure element (SE) storing of credentials, cryptographic keys, and X.509 certificates (see Zhu, fig. 2, 116 ‘smart card’, 164 ‘digital certificate’, 166 ‘private key’, 168 ‘pin’).

Claim Rejections - 35 USC § 103

7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences 

8.	Claims 3, 5-7, 8-10, 12-14, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al. (U.S. 2018/0316663 A1), in view of Ford et al. (U.S. 2017/0041296 A1), hereinafter “Ford”.
Referring to claims 3, 12:
	Zhu discloses multi-factor authentication that includes a smart card and a PIN (see Zhu, [0037] ‘The multi-factor authentication data can include smart card data 272, PIN or password data 274, and it can include a wide variety of different or other data 276.’). However, Zhu does not explicitly disclose biometrics.
	Ford discloses biometric authentication (see Ford, [0131] ‘biometric authentication’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize biometric authentication. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “an identity facility, multi-factor authentication, dynamic access authorization, and various enhancements to a customizable exchange system.” (see Ford, [0005]).
Referring to claims 5, 14:
	Zhu and Ford further disclose:
	wherein the smart cards for an administrator, a supervisor, and an end-user have different capabilities (see Ford, [0208] ‘administrator’, ‘a manager’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize different roles, such as an administrator and a manager. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes 
Referring to claims 6, 13:
	Zhu and Ford further disclose:
	wherein the secure interactive remote access comprises a managed remote-access appliance (RAA), comprising a virtual machine and software (see Ford, [0265] ‘virtual machine’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize a virtual machine. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because virtual machines are well-known and popular in regard to embedded systems.
Referring to claim 7:
	Zhu and Ford further disclose:
	wherein the managed remote-access appliance (RAA) can only be used with a smart card credential (see Zhu, fig. 2, 104 ‘user machine’, 116 ‘smart card’, 168 ‘pin’).
Referring to claims 8, 16:
	Zhu and Ford further disclose:
	wherein the remote access services comprise technical cyber-security control services that automate security policy and processes for user and token lifecycle management, software configuration management, access control and authorization using layered security, and audit trails of remote access (see Ford, [0094] ‘configuration’; [0108] ‘policy’, ‘audit and access history’; [0250] ‘tokens’; [0553] ‘layered security environment’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system 
Referring to claim 9:
	Zhu and Ford further disclose:
	wherein the remote access services comprise management of users, smart card tokens, and remote-access appliance (RAA) state (see Zhu, [0037] ‘smart card’; and Ford, [0074] ‘maintaining state and system status’; [0189] ‘management of users and groups’; [0250] ‘tokens’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize state and management of users. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.
Referring to claim 10:
	Zhu and Ford further disclose:
	wherein the remote access services comprise management of remote access authorizations and policy, and layered-security controls (see Ford, [0071] ‘authorization’; [0108] ‘policy’; [0553] ‘layered security environment’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize authorization, policy, and layered security. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance 
Referring to claim 18:
	Zhu and Ford further disclose:
	wherein the step of providing remote access services comprises sending system use notifications to a supervisor informing the supervisor of end-user login, logout and workstation access of the end-user (see Ford, [0075] ‘create a notification’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize notifications. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.
Referring to claims 19-20:
	Zhu and Ford further disclose:
	wherein the step of providing remote access services comprises requiring a supervisor to authorize user access to a workstation (see Ford, [0241] ‘a manager’; [0249] ‘a user authorization facility’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Ford to the system of Zhu to utilize authorization. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Ford’s teaching could enhance the system of Zhu, because Ford teaches “improved secure exchange system features” (see Ford, abstract), which could be utilized by Zhu’s system to enhance security.

Claims 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al. (U.S. 2018/0316663 A1), in view of Ford et al. (U.S. 2017/0041296 A1), further in view of Lamb (U.S. 2012/0060030 A1).
Referring to claim 15:
	Zhu and Ford do not disclose an RSA cryptosystem digital signature scheme.
	Lamb discloses the RSA cryptosystem digital signature scheme (see Lamb, [0188] ‘RSA Secure ID’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Lamb to the system of Zhu to utilize RSA digital signatures. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Lamb’s teaching could enhance the system of Zhu, because RSA digital signatures provide authentication and data integrity.
Referring to claim 17:
	Zhu, Ford, and Lamb further disclose:
	wherein the step of providing remote access services comprises limiting the number of incorrect PIN entries (see Lamb, [0062] ‘PIN’; [0092] ‘upon failure, to retry the biometric scan 822 a predefined number of times based upon the service provider's policy’).
	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Lamb to the system of Zhu to set a limit on PIN entry retries. Zhu teaches "A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information.” (see Zhu, [0006]). Therefore, Lamb’s teaching could enhance the system of Zhu, because setting a limit on failed PIN entries could prevent tampering with the system.

Conclusion


(a)	Agrawal; Sunil (US 20210119991 A1) discloses a system and method for selecting authentication methods for secure transport layer communication;
(b)	Drake; Christopher Nathan Tyrwhitt (US 20170346851 A1) discloses a mutual authentication security system with detection and mitigation of active man-in-the-middle browser attacks, phishing, and malware and other security improvements;
(c)	Stevenson; John (US 9462010 B1) discloses threat assessment level determination and remediation for a cloud-based multi-layer security architecture;
(d)	Clark; Peter E. et al. (US 20110138175 A1) disclose a managed virtual point to point communication service having verified directory, secure transmission and controlled delivery;
(e)	Constable; Colin (US 20080189776 A1) discloses a method and system for dynamically controlling access to a network;
(f)	Spoonamore; Stephen (US 20080047016 A1) discloses CCLIF: a quantified methodology system to assess risk of IT architectures and cyber operations;
(g)	Swartz; Alon R. et al. (US 20070180509 A1) disclose a practical platform for high risk applications.

11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987. The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 


/PEILIANG PAN/
Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492