Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2. The prior office actions are incorporated herein by reference. In particular, the observations with respect to claim language, and response to previously presented arguments. 
3. No claim has been cancelled.
4. Claims 1-4, 7-11, 14-18 and 21 have been amended. 
5. Claims 1- 21 are pending. 
Examiner’s Amendment
6.         An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Chris Parmelee on February 8, 2022 to amend claims 1-4, 7-11, 14-18 and 21.   
The application has been amended as follows:           
                         CLAIMS: 
               7.      Please replace claims 1-4, 7-11, 14-18 and 21 as follows: 
               1. (Currently amended) A system for threat impact characterization comprising:
at least one replica programmable logic controller (PLC) that corresponds to a production
PLC in a production system that includes a plurality of PLC controlled hardware
components, and which at least one replica PLC is configured to operate at an accelerated
processing speed that is at least two times faster than a processing speed of the
production PLC in the production system, at least one data processing system, including at least one hardware processor configured to: communicating with the at least one replica PLC when executing malware infected PLC firmware; generate a first simulation of the production system based on a virtual model of the production system operating at an accelerated processing speed that is at least two times faster than a processing speed of the physical production system, which first simulation includes accelerated simulation of the production PLC based on communication with the at least one replica PLC threat to at least one
hardware component of the production system caused by the production PLC executing the infected PLC firmware rather than a non-infected PLC firmware; and output data indicative of the at least one threat thorough at least one display device.

2. (currently amended) The system according to claim 1, wherein the at least one replica PLC includes a forensic firmware code injected into the at least one replica PLC, which forensic firmware code is configured to monitor and provide data to the at least one data processing system corresponding to at least one internal operation of the at least one replica PLC, without interfering with the operation of the infected PLC firmware, wherein the at least one hardware processor is configured to use the data provided by the forensic firmware code to determine the at least one threat, wherein the at least one internal operation for which the forensic firmware code provides data to the at least one data processing system includes at least one of scan cycle time, jitter or any combination thereof.

3. (currently amended) The system according to claim 1, wherein the at least one
 hardware processor is configured to determine and output data indicative thereof
through the at least one display device: a cyber-physical impact of the at least one 
threat on the production system; a timeline of the cyber-physical impact; one or more
consequences of the cyber-physical impact; or any combination thereof.

4. (currently amended) The system according to claim 1, wherein the at least one
hardware processor is configured to compare historical process data streams captured from the production system to the data process streams produced by the first simulation to determine differences between the process data streams that are indicative of the at least one threat. 

7. (currently amended) The system according to claim 1, wherein the at least one data processing system is configured to: communicate with the at least one replica PLC when executing non-infected PLC

processing speed that includes accelerated simulations of the production PLC based on
communication with the at least one replica PLC using the non-infected PLC firmware;
carry out at least one comparison including comparing the outputs from at least one of:
the first simulation to the second simulation; the at least one replica PLC when using the
infected PLC firmware and the non-infected PLC firmware; or a combination thereof;
determine at least one difference in which at least one of the simulated production
system, the at least one replica PLC, or a combination thereof operates between the first
and second simulations, based on the at least one comparison; and
determine that the at least one hardware component in the production system is
associated with possible damage caused by the infected PLC firmware, based on the
determined at least one difference, wherein the outputted data indicative of the at least
one threat specifies the at least one hardware component. 

8. (Currently amended) A method for threat impact characterization comprising:
through operation of at least one hardware processor of at least one data
processing system: communicating with at least one replica programmable logic controller (PLC) that corresponds to a production PLC in a production system that includes a plurality
of PLC controlled hardware components, when the at least one replica PLC is
executing malware infected PLC firmware while the at least one replica PLC is
operating at an accelerated processing speed that is at least two times faster than a
processing speed of the production PLC in the production system;
generating a first simulation of the production system based on a virtual model of
the production system operating at an accelerated processing speed that is at least
two times faster than a processing speed of the physical production system, which
first simulation includes accelerated simulation of the production PLC based on
communication with the at least one replica PLC using the malware infected PLC
firmware; monitoring outputs from the at least one replica PLC and the first simulation of
threat to at least one
hardware component of the production system caused by the production PLC
executing the infected PLC firmware rather than a non-infected PLC firmware;
and outputting data indicative of the at least one threat thorough at least
one display device. 

9. (currently amended) The method according to claim 8, further comprising:
injecting a forensic firmware code into the at least one replica PLC, which forensic
firmware code is configured to monitor and provide data to the at least one data
processing system corresponding to at least one internal operation of the at least one
replica PLC, without interfering with the operation of the infected PLC firmware,
wherein the at least one hardware processor uses the data provided by the
forensic firmware code to determine the at least one threat, wherein the at least one
internal operation for which the forensic firmware code provides data to the at least one
data processing system includes at least one of scan cycle time, jitter or any combination
thereof.

10. (currently amended) The method according to claim 8, further comprising:
extracting the infected PLC firmware from the production PLC;
loading the infected PLC firmware in the at least one replica PLC; and
determining and outputting data indicative thereof through the at least one display device:
a cyber-physical impact of the at least one threat on the production system;
a timeline of the cyber-physical impact; one or more consequences of the cyber-physical
impact; or any combination thereof.

11. (currently amended) The method according to claim 8, further comprising through operation of the at least one data processing system comparing historical process data streams captured from the threat. 


14. (currently amended) The method according to claim 8, further comprising through operation of the at least one data processing system:
communicating with the at least one replica PLC when executing non-infected PLC
firmware; generating a second simulation of the production system operating at the accelerated processing speed that includes accelerated simulations of the production PLC based on communication with the at least one replica PLC using the non-infected PLC firmware carrying out at least one comparison including comparing the outputs from at least one of: the first simulation to the second simulation; the at least one replica PLC when using
the infected PLC firmware and the non-infected PLC firmware; or a combination thereof;
determining at least one difference in which at least one of the simulated production
system, the at least one replica PLC, or a combination thereof operates between the first
and second simulations, based on the at least one comparison; and
determining that the at least one hardware component in the production system is
associated with 
determined at least one difference, wherein the outputted data indicative of the at least
one threat specifies the at least one hardware component.

15. (currently amended) A non-transitory computer readable medium encoded with executable instructions that when executed, cause at least one hardware processor to carry out a method for threat impact characterization comprising:
communicating with at least one replica programmable logic controller (PLC) that
corresponds to a production PLC in a production system that includes a plurality of PLC
controlled hardware components, when the at least one replica PLC is executing malware
infected PLC firmware while the at least one replica PLC is operating at an accelerated

PLC in the production system;
generating a first simulation of the production system based on a virtual model of the
production system operating at an accelerated processing speed that is at least two times
faster than a processing speed of the physical production system, which first simulation
includes accelerated simulation of the production PLC based on communication with the
at least one replica PLC using the malware infected PLC firmware;
monitoring outputs from the at least one replica PLC and the first simulation of the
production system to determine at least one threat to at least one hardware
component of the production system caused by the production PLC executing the infected
PLC firmware rather than a non-infected PLC firmware; and
outputting data indicative of the at least one threat thorough at least one
display device.

16. (Currently amended) The non-transitory computer readable medium according to claim 15, further comprising:
injecting a forensic firmware code into the at least one replica PLC, which forensic
firmware code is configured to monitor and provide data to the at least one data
processing system corresponding to at least one internal operation of the at least one
replica PLC, without interfering with the operation of the infected PLC firmware,
wherein the at least one hardware processor uses the data provided by the
forensic firmware code to determine the at least one threat, wherein the at least one
internal operation for which the forensic firmware code provides data to the at least one
data processing system includes at least one of scan cycle time, jitter or any combination
thereof.

17. (Currently amended) The non-transitory computer readable medium according to claim 15, further comprising:

loading the infected PLC firmware in the at least one replica PLC; and
determining and outputting data indicative thereof through the at least one display device:
a cyber-physical impact of the at least one threat on the production system;
a timeline of the cyber-physical impact; one or more consequences of the cyber-physical
impact; or any combination thereof.

18. (Currently amended) The non-transitory computer readable medium according to claim 15, further comprising comparing historical process data streams captured from the production system to the data process streams produced by the first simulation to determine differences between the process data streams that are indicative of the at least one threat.

21. (Currently amended) The non-transitory computer readable medium according to claims 15, further comprising: communicating with the at least one replica PLC when executing non-infected PLC firmware; generating a second simulation of the production system operating at the accelerated processing speed that includes accelerated simulations of the production PLC based on communication with the at least one replica PLC using the non-infected PLC firmware carrying out at least one comparison including comparing the outputs from at least one of: the first simulation to the second simulation; the at least one replica PLC when using the infected PLC firmware and the non-infected PLC firmware; or a combination thereof; determining at least one difference in which at least one of the simulated production system, the at least one replica PLC, or a combination thereof operates between the first and second simulations, based on the at least one comparison; and determining that the at least one hardware component in the production system is associated with 
one threat specifies the at least one hardware component.
            Allowable Subject Matter
8. Claims 1, 8 and 15 are allowed. The following is an examiner’s statement of reasons for allowance: Independent claims 1, 8, and 15 are allowed in view of the examiner’s amendment and 
Arnold (US pat. No US6981279) prior art of record teaches at least one replica programmable logic controller (PLC) that corresponds to a production PLC in a production system that includes a plurality of PLC controlled hardware components, and which at least one replica PLC is configured to operate at an accelerated processing speed that is at least two times faster than a processing speed of the
production PLC in the production system, at least one data processing system, including at least one hardware processor configured to:
The prior arts of record does not teach or suggest individually or in combination the limitation of amended independent claim 1 as similarly recited in independent claims 8 and 15:  
communicating with the at least one replica PLC when executing malware infected PLC firmware; generate a first simulation of the production system based on a virtual model of the production system operating at an accelerated processing speed that is at least two times faster than a processing speed of the physical production system, which first simulation includes accelerated simulation of the production PLC based on communication with the at least one replica PLC using the malware infected PLC
firmware; monitor outputs from the at least one replica PLC and the first simulation of the production system to determine at least one threat to at least one hardware component of the production system caused by the production PLC executing the infected PLC firmware rather than a non-infected PLC firmware; and output data indicative of the at least one threat thorough at least one display device. 
             None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed. 
             Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.” 
          Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Kapoor, US8694296, title “ Method and apparatus for integrated simulation”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476.  The examiner can normally be reached on M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.   

Date: 2/9/2022  

/JOSNEL JEUDY/Primary Examiner, Art Unit 2438