Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the Amendment filed on 17/001,896 filed on 08/25/2020. Claims 1, 11, and 17 are independent claims. Claims 1-20 have been examined and are pending. This Action is made non-FINAL.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 02/10/2021, is being considered by the examiner.

Drawings
The drawings were received on 08/25/2020. These drawings are reviewed and accepted by the Examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 8-11, and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Michelle D. Coyle (“Coyle,” US 2021/0067329, filed Nov. 28, 2018) in view of Gavraskar et al. (“Gavraskar,” US 2021/0297416, filed Mar. 19, 2020).
Regarding claim 1, Coyle teaches a system, comprising: 
an intelligent electronic device (IED) configured to perform operations comprising receiving a first user input and deriving a first connectivity association key (CAK) based on the first user input (Coyle: fig. 1, 102a [i.e. an intelligent  electronic device (IED)]; par. 0027,  Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 1st CAK] from authentication exchange [user credential, user input], deriving the Connectivity Association Key Name (CKN) tuples from PAE results, maintaining pre-shared keys (PSKs), and for managing MKA instances; See also figs. 2, 3; pars. 0022, 0025, 0038; an authentication exchange [i.e. user input] where device A is operating in the authenticator mode); and 
a gateway (Coyle: fig. 1, pars. 0021-0022, a key server 110 [i.e. a gateway], par. 0021 one of dual-mode peer devices 102a-102N also operate as a key server 110.) configured to perform operations comprising: 
receiving a second user input (Coyle: fig.1, par. 0027, Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials); 
 deriving a second CAK based on the second user input (Coyle: fig.1, par. 0027, Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 2nd CAK] from authentication exchange [user credential, user input]; pars. 0021-0022, a key server 110 [i.e. a gateway], par. 0021 one of dual-mode peer devices 102a-102N also operate as a key server 110; See also figs. 2, 3; pars. 0022, 0025, 0038; an authentication exchange [i.e. user input] where device A is operating in the authenticator mode); 
identifying the first CAK of the IED (Coyle: par. 0027,  Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 1st CAK] from authentication exchange [user credential, user input]; See also figs. 2, 3; pars. 0022, 0025, 0038; an authentication exchange [i.e. user input] where device A is operating in the authenticator mode);
generating a third CAK (Coyle: par. 0022, the key server 110 is constructed as a hardware controller and is configured to derive the SAK 111 [i.e. 3rd CAK] from a Connectivity Association Key (CAK) 112); and 
distributing a copy of the third CAK to the IED via the adoption link to establish a Media Access Control security key agreement (MKA) connectivity association with the IED (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, by communication link [i.e. adoption link]] operating in the group CA 106; par. 0025, To establish the group CA 106, the participating dual-mode peer devices 102a-102N agree to select a dual-mode peer device, e.g., peer device 102b, to operate as a key server peer device [i.e. gateway]. The selected key server peer device 102b is then responsible for generating the CAK 112 and distributing the SAK 111. If a CAK 112 is pair wise and derived directly from an Extensible Authentication Protocol (EAP), the key server peer device 102b will be the MACsec Key Agreement (MKA) participant for the Port Access Entity (PAE) that was the EAP authenticator; par. 0027, managing MKA instances).
Coyle does not explicitly disclose establishing an adoption link with the IED based on a match between the first CAK and the second CAK.
However, in an analogous art, Gavraskar discloses establishing an adoption link with the IED based on a match between the first CAK and the second CAK (Gavraskar: par. 0018, … If the pre-shared keys match (e.g., network device A verifies the pre-shared keys received from network device B and/or network device B verifies the pre-shared keys received from network device A), then the MKA session is established …).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gavraskar with the method and system of Coyle to include “establishing an adoption link with the IED based on a match”. One would have been motivated to improve security of network device, conserve computing resources and/or network resources, and to provide data confidentiality, data integrity, and data origin authentication (Gavraskar: pars. 0019, 0001).
Regarding claim 2, the combination of Coyle and Gavraskar teaches the system of claim 1. Coyle further teaches wherein the gateway is configured to perform operations comprising: 
generating a secure association key (SAK) (Coyle: par. 0022, the key server 110 is constructed as a hardware controller and is configured to derive the SAK 111 [i.e. 3rd CAK] from a Connectivity Association Key (CAK) 112); 
distributing a copy of the SAK to the IED via the MKA connectivity association to establish a MACsec communication link (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, by communication link [i.e. adoption link]] operating in the group CA 106; par. 0025, … the MACsec Key Agreement (MKA) …; par. 0021, … that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]);
encrypting data via the SAK (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices in the group CA; par. 0006); and 
transmitting the encrypted data to the IED via the MACsec communication link (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges  the encrypted data with peer devices [i.e. IED] in the group CA; par. 0006; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]).
Regarding claim 3, the combination of Coyle and Gavraskar teaches the system of claim 2. Coyle further teaches wherein the IED is configured to perform operations comprising:
receiving the copy of the SAK from the gateway (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, is received SAK from Gateway [i.e. server];  par. 0025,  … the MACsec Key Agreement (MKA)…; par. 0021, .. that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]);
receiving the encrypted data from the gateway (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices [i.e. IED] in the group CA); and
decrypting the encrypted data via the copy of the SAK received from the gateway (Coyle: abstract; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]).
Regarding claim 4, the combination of Coyle and Gavraskar teaches the system of claim 1, wherein:
the gateway is configured to perform operations comprising transmitting a request to establish the adoption link with the IED based on the match between the first CAK and the second CAK (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges the encrypted data with peer devices [i.e. IED] in the group CA; par. 0006; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]; Gavraskar: par. 0018, … If the pre-shared keys match (e.g., network device A verifies the pre-shared keys received from network device B and/or network device B verifies the pre-shared keys received from network device A), then the MKA session is established …);
the IED is configured to perform operations comprising receiving the request to establish the adoption link and receiving a third user input to verify establishment of the adoption link between the gateway and the IED (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, is received SAK from Gateway [i.e. server];  par. 0025,  … the MACsec Key Agreement (MKA)…; par. 0021, .. that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]); and
the gateway is configured to perform operations comprising establishing the adoption link based on the IED receiving the third user input (Coyle:  par. 0025, To establish the group CA 106, the participating dual-mode peer devices 102a-102N agree to select a dual-mode peer device, e.g., peer device 102b, to operate as a key server peer device [i.e. gateway]. The selected key server peer device 102b is then responsible for generating the CAK 112 and distributing the SAK 111. If a CAK 112 is pair wise and derived directly from an Extensible Authentication Protocol (EAP), the key server peer device 102b will be the MACsec Key Agreement (MKA) participant for the Port Access Entity (PAE) that was the EAP authenticator; par. 0027, managing MKA instances).
Regarding claim 8, the combination of Coyle and Gavraskar teaches the system of claim 1. Coyle further discloses wherein the IED comprises a relay, a controller, a meter, a computing platform, an input and output module, or any combination thereof (Coyle: fig. 1, 102a-102N [i.e. input and output module of IED]).
Regarding claim 9, the combination of Coyle and Gavraskar teaches the system of claim 1. Coyle further discloses wherein the gateway is communicatively coupled to a computing device (Coyle: fig. 1, pars. 0021-0022, a key server 110 [i.e. a gateway]; device 102a-102N [i.e. 102a computing device]), and the gateway is configured to perform operations comprising receiving the second user input from the computing device (Coyle: fig. 1, par. 0027, Authentication of the peer devices 102a-102N [i.e. 102 (a computing device), 102b (1st IED)] and/or 103 can include a logon process to manage the use of authentication credentials [i.e. gateway is coupled to a computing device 102a]; pars. 0021-0022, a key server 110 [i.e. a gateway], par. 0021 one of dual-mode peer devices 102a-102N also operate as a key server 110).
Regarding claim 10, the combination of Coyle and Gavraskar teaches the system of claim 19. Coyle further discloses wherein the computing device comprises a first computing device. Coyle further discloses the IED is communicatively coupled to a second computing device, and the IED is configured to perform operations comprising receiving the first user input from the second computing device (Coyle: fig. 1, par. 0027, Authentication of the peer devices 102a-102N [i.e. 102a (1st computing device), 102c (2nd computing), 102b (1st IED)] and/or 103 can include a logon process to manage the use of authentication credentials [i.e. gateway is coupled to a computing device 102a]; pars. 0021-0022, a key server 110 [i.e. a gateway], par. 0021 one of dual-mode peer devices 102a-102N also operate as a key server 110).
Regarding claim 11, Coyle teaches a controller of a gateway for an electric power distribution system, the controller comprising a non-transitory computer readable medium comprising instructions that, when executed by processing circuitry, are configured to cause the processing circuitry to perform operations comprising:
deriving a first connectivity association key (CAK) based on the first user input (Coyle: fig. 1, 102a [i.e. an intelligent electronic device (IED)]; par. 0027, Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 1st CAK] from authentication exchange [user credential, user input]; See also figs. 2, 3; pars. 0022, 0025, 0038; an authentication exchange [i.e. user input] where device A is operating in the authenticator mode);
 deriving a second CAK based on the second user input (Coyle: fig.1, par. 0027, Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 2nd CAK] from authentication exchange [user credential, user input]; pars. 0021-0022, a key server 110 [i.e. a gateway]; See also figs. 2, 3; pars. 0022, 0025, 0038; an authentication exchange [i.e. user input] where device A is operating in the authenticator mode); 
(Coyle: par. 0022, the key server 110 is constructed as a hardware controller and is configured to derive the SAK 111 [i.e. 3rd CAK] from a Connectivity Association Key (CAK) 112);
distributing a copy of the third CAK to the IED via the adoption link (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, by communication link [i.e. adoption link]] operating in the group CA 106; par. 0025, To establish the group CA 106, the participating dual-mode peer devices 102a-102N agree to select a dual-mode peer device, e.g., peer device 102b, to operate as a key server peer device [i.e. gateway]. The selected key server peer device 102b is then responsible for generating the CAK 112 and distributing the SAK 111. If a CAK 112 is pair wise and derived directly from an Extensible Authentication Protocol (EAP), the key server peer device 102b will be the MACsec Key Agreement (MKA) participant for the Port Access Entity (PAE) that was the EAP authenticator; par. 0027, managing MKA instances); and
Coyle does not explicitly disclose comparing a first connectivity association key (CAK) with a second CAK of an intelligent electronic device (IED) of the electric power distribution system;
 establishing an adoption link with the IED based on a match between the first CAK and the second CAK;
 establishing a Media Access Control security key agreement (MKA) connectivity association with the IED based on the IED possessing the copy of the third CAK.
(Gavraskar: par. 0018, … If the pre-shared keys match (e.g., network device A verifies the pre-shared keys received from network device B and/or network device B verifies the pre-shared keys received from network device A), then the MKA session is established …);
establishing an adoption link with the IED based on a match between the first CAK and the second CAK (Gavraskar: par. 0018, … If the pre-shared keys match (e.g., network device A verifies the pre-shared keys received from network device B and/or network device B verifies the pre-shared keys received from network device A), then the MKA session is established …);
establishing a Media Access Control security key agreement (MKA) connectivity association with the IED based on the IED possessing the copy of the third CAK (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, by communication link [i.e. adoption link]] operating in the group CA 106; par. 0025, … the MACsec Key Agreement (MKA) …; par. 0021, … that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]; See also, abstract, pars. 0006, 0021).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gavraskar with the method and system of Coyle to include “comparing a first connectivity association key (CAK) ..”,  “establishing an adoption link with the IED based on a match ..” and  (Gavraskar: par. 0001).
Regarding claim 14, the combination of Coyle and Gavraskar teaches the controller of claim 11. The combination of Coyle and Gavraskar further discloses, wherein the instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations comprising:
generating a secure association key (SAK) (Coyle: par. 0022, the key server 110 is constructed as a hardware controller and is configured to derive the SAK 111 [i.e. 3rd CAK] from a Connectivity Association Key (CAK) 112); 
receiving first encrypted data from the IED (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges the encrypted data with peer devices [i.e. IED] in the group CA); and 
decrypting the first encrypted data via the SAK (Coyle: abstract; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]).
Regarding claim 15, the combination of Coyle and Gavraskar teaches the controller of claim 14. Coyle further discloses, wherein the instructions, when executed by
receiving data from a computing device communicatively coupled to the controller (Coyle: fig. 1; Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices in the group CA; par. 0006);
encrypting, via the SAK, the data received from the computing device (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices in the group CA; par. 0006); and
transmitting the data to the IED (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices [i.e. IED] in the group CA; par. 0006; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]).
Regarding claim 16, the combination of Coyle and Gavraskar teaches the controller of claim 14. The combination of Coyle and Gavraskar further discloses
wherein the SAK comprises a first SAK, and the instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations comprising:
(Coyle: par. 0022, the key server 110 is constructed as a hardware controller and is configured to derive the SAK 111 [i.e. 3rd CAK] from a Connectivity Association Key (CAK) 112);  
distributing a copy of the first SAK to the IED via the MKA connectivity association to establish a MACsec communication link (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, by communication link [i.e. adoption link]] operating in the group CA 106; par. 0025, … the MACsec Key Agreement (MKA) …; par. 0021, … that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]);
encrypting second encrypted data via the first SAK (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges  the encrypted data with peer devices in the group CA; par. 0006); 
transmitting the second encrypted data to the IED via the MACsec  communication link (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices [i.e. IED] in the group CA; par. 0006; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]); 
Although Coyle and Gavraskar do not explicitly disclose generating a second SAK at a second time; distributing a copy of the second SAK to the IED via the MKA 
However, these additional features can be easily conceived from the features of the combination of Coyle and Gavraskar. It is also obvious to one of ordinary skill in the art because the controller of Coyle is capable of generating a second SAK, distributing a copy of the second SAK, encrypting third encrypted data, and transmitting the third encrypted data to the IED more than one time.
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Michelle D. Coyle (“Coyle,” US 2021/0067329, filed Nov. 28, 2018) in view of Gavraskar et al. (“Gavraskar,” US 2021/0297416, filed Mar. 19, 2020), further in view of Day et al. (“Day,” US 2014/0280672, published Sept. 18, 2014).
Regarding claim 5, the combination of Coyle and Gavraskar teaches the system of claim 4. Coyle further discloses wherein the third user input comprises a physical interaction with an interface of the IED (Coyle: abstract: plurality of dual-mode peer devices in signal communication with one another so as to establish a group connectivity association (CA), fig. 1; par. 0027, Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials [i.e. receiving a user input]) but does not explicitly disclose that the interface comprises a button, a touchscreen, a dial, a switch, or any combination thereof.
However, in an analogous art, Day discloses the interface comprising a button, a touchscreen, a dial, a switch, or any combination thereof (Day: par. 0026, the IEDs 126-138 and other network devices (e.g., one or more communication switches or the like) may be communicatively coupled to the communications network through a network communications interface).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gavraskar with the method and system of Coyle and Gavraskar to include “the interface comprising a button, a touchscreen, a dial, a switch, or any combination thereof.”  One would have been motivated to control data or real time samples used in monitoring, controlling, automating, and/or protecting an electric power generation and delivery system or its components may be particularly valuable for a certain period of time (Day: par. 0017).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Michelle D. Coyle (“Coyle,” US 2021/0067329, filed Nov. 28, 2018) in view of Gavraskar et al. (“Gavraskar,” US 2021/0297416, filed Mar. 19, 2020), further in view of Ye et al. (“Ye,” US 2019/0068361, published Feb. 28, 2019).
Regarding claim 6, the combination of Coyle and Gavraskar teaches the system of claim 1, wherein the gateway is configured to perform operations comprising generating the third CAK, but does not explicitly disclose doing so via a random number generator or a pseudorandom number generator.
However, in an analogous art, Ye discloses a gateway generating key via a random number generator or a pseudorandom number generator (Ye: abstract, The gateway is programmed to distribute keys generated using the random number generator to a plurality of electronic control units (ECUs)..; par. 0003, 0025).
(Ye: abstract, par. 0001).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Michelle D. Coyle (“Coyle,” US 2021/0067329, filed Nov. 28, 2018) in view of Gavraskar et al. (“Gavraskar,” US 2021/0297416, filed Mar. 19, 2020), further in view of Lobzakov et al. (“Lobzakov,” US 2010/0215177, published Aug. 26, 2010).
Regarding claim 7, the combination of Coyle and Gavraskar discloses the system of claim 1. The combination of Coyle and Gavraskar further discloses wherein the gateway is configured to perform operations but does not explicitly disclose blocking establishment of the adoption link with the IED based on a mismatch between the first CAK and the second CAK.
However, in an analogous art, Lobzakov discloses blocking establishment of the adoption link with the IED based on a mismatch between two keys (Lobzakov: par. 0077, two keys are compared and, based on the comparison, establishment of the communication session may be authorized or prohibited).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lobzakov with the method and system of Coyle and Gavraskar to include blocking establishment of the (Lobzakov: abstract, pars. 0001, 0003).
Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Michelle D. Coyle (“Coyle,” US 2021/0067329, filed Nov. 28, 2018) in view of Gavraskar et al. (“Gavraskar,” US 2021/0297416, filed Mar. 19, 2020), further in view of Hussain et al. (“Hussain,” US 2019/0116183, published Apr. 18, 2019), and Kudchadkar et al. (“Kudchadkar,” US 2021/0288716, filed Mar. 16, 2020).
Regarding claim 12, the combination of Coyle and Gavraskar teaches the controller of claim 11. The combination of Coyle and Gavraskar further teaches the match between the first CAK and the second CAK but does not explicitly teach transmitting a request to establish the adoption link with the IED.
However, in an analogous art, Hussain discloses transmitting a request to establish the adoption link with the IED (Hussain: par. 0076, fig. 7, network device 210-1 send a request to establish the MKA session with another network device 210-N).
 (b) establishing the adoption link with the IED in response to  network device is able and the IED based on the request to establish the adoption link (Hussain: par. 0078, determining that the network device is able or unable to establish the fast heartbeat session based on whether a timeout interval expires without receiving a fast heartbeat response message from the network device; par. 0079, performing an action based on whether the network device is able or unable to establish the fast heartbeat session ).
(Hussain: par. 0015).
The combination of Coyle and Hussain discloses establishing the adoption link with the IED in response to the network device being able, but does not explicitly disclose doing so in response to “the IED receiving an additional user input verifying establishment of the adoption link”.
However, Kudchadkar discloses “the IED receiving an additional user input verifying establishment of the adoption link” (Kudchadkar: par. 0031, the first device can accept an input by a human user verifying the secure wireless connection after the human user has compared the visible light signal on the second device with the visible light signal displayed on the first device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kudchadkar with the method and system of Coyle, Gavraskar, and Hussain to include “the IED receiving an additional user input verifying establishment of the adoption link between the gateway.” One would have been motivated to prevent man-in-the-middle (MITM) attacks on a wireless connection that cannot be observed using a human eye by adding a (Kudchadkar: par. 0004).
Regarding claim 13, the combination of Coyle, Gavraskar, Hussain, and Kudchadkar teaches the controller of claim 12. The combination of Coyle, Gavraskar, Hussain, and Kudchadkar further discloses, wherein the instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations comprising of the adoption link with the IED in response to the IED not receiving the additional user input verifying establishment of the adoption link between the gateway and the IED based on the request to establish the adoption link (Hussain: par. 0078, determining that the network device is able or unable to establish the fast heartbeat session based on whether a timeout interval expires without receiving a fast heartbeat response message from the network device; par. 0079, performing an action based on whether the network device is able or unable to establish);
Claims 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Michelle D. Coyle (“Coyle,” US 2021/0067329, filed Nov. 28, 2018) in view of Hussain et al. (“Hussain,” US 2019/0116183, published Apr. 18, 2019).
Regarding claim 17, Coyle discloses an intelligent electronic device (IED) for an electric power distribution system, the IED comprising: 
processing circuitry (Coyle: fig. 1; par. 0020); and 
Coyle: fig. 1; par. 0020); comprising instructions that, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations comprising: 
(a) receiving a user input (Coyle: fig. 1, 102a [i.e. an intelligent electronic device (IED)]; par. 0027,  Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 1st CAK] from authentication exchange [user credential, user input]);
(b) deriving a first connectivity association key (CAK) based on the user input (Coyle: fig. 1, 102a [i.e. an intelligent  electronic device (IED)]; par. 0027,  …, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 1st CAK] from authentication exchange [user credential, user input], deriving the Connectivity Association Key Name (CKN) tuples from PAE results, maintaining pre-shared keys (PSKs), and for managing MKA instances; See also figs. 2, 3; pars. 0022, 0025, 0038; an authentication exchange [i.e. user input] where device A is operating in the authenticator mode); 
establishing an adoption link with an additional component of the electric power distribution system based on the first CAK, wherein the additional component is a gateway, an IED, or both (Coyle: fig. 1; par. 0020; device 102a-102N [i.e. IED] establishes a plurality of secured data links 104 between one another, which allows for the exchange of secured user data such as, for example, 802.1X EAPOL and MACsec secured user data. The collection of data links 104 defines a group connectivity association (CA) 106 of service access points secured by a shared group key to form a local area network (LAN) 108 such as, for example, a LAN cloud network; par. 0027, …deriving the Connectivity Association Keys (CAK) [i.e. deriving a 1st CAK], deriving the Connectivity Association Key Name (CKN) tuples from PAE results, maintaining pre-shared keys (PSKs), and for managing MKA instances; pars. 0021-0022, a key server 110 [i.e. a gateway]); and 
 receiving a copy of a second CAK from the additional component via the adoption link (Coyle: fig. 1, par. 0020,  plurality of secured data link 104 ; par. 0027, Authentication of the peer devices 102a-102N and/or 103 can include a logon process to manage the use of authentication credentials [i.e. receiving a second user input], initiating use of the PAE's supplicant and or authenticator functionality, deriving the Connectivity Association Keys (CAK) [i.e. deriving a 2nd CAK]; pars. 0021-0022, a key server 110 [i.e. a gateway]) to establish a Media Access Control key agreement (MKA) communication link with the additional component (Coyle: par. 0025, To establish the group CA 106, the participating dual-mode peer devices 102a-102N agree to select a dual-mode peer device, e.g., peer device 102b, to operate as a key server peer device [i.e. gateway]. The selected key server peer device 102b is then responsible for generating the CAK 112 and distributing the SAK 111. If a CAK 112 is pair wise and derived directly from an Extensible Authentication Protocol (EAP), the key server peer device 102b will be the MACsec Key Agreement (MKA) participant; par. 0027, managing MKA instances ; par. 0025, To establish the group CA 106, the participating dual-mode peer devices 102a-102N agree to select a dual-mode peer device, e.g., peer device 102b, to operate as a key server peer device [i.e. gateway]… the key server peer device 102b will be the MACsec Key Agreement (MKA) participant ..).
Coyle discloses establishing an adoption link with an additional component of the electric power distribution system based on the first CAK but does not explicitly disclose broadcasting the first CAK.
However, in an analogous art, Hussain discloses broadcasting a first CAK (Hussain: par. 0053, The fast heartbeat messages [i.e. broadcast] includes message frames. For example, the message frames include a destination address field, a source address field, an ether type field, a frame type field, a length field, a secure channel identifier (SCI) field, a member identifier field, a member number field, and/or a connectivity association key (CAK) name (CKN) field).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hussain with the method and system of Coyle to include “broadcasting the first CAK.” One would have been motivated to do so to enable rapid detection of a disconnection between MKA devices during an MKA session so as to prevent packet loss, traffic blackholing, device errors/failures, and/or processing downtime (Hussain: par. 0015).
Regarding claim 18, the combination of Coyle and Hussain discloses the IED of claim 17. Coyle further discloses an interface, where the user input comprises an interaction with the interface (Coyle: abstract: plurality of dual-mode peer devices [i.e. including interface] in signal communication with one another so as to establish a group connectivity association (CA), fig. 1; par. 0027, Authentication of the peer devices 102a-102N [including interface] and/or 103 can include a logon process to manage the use of authentication credentials [i.e. receiving a user input]).
Regarding claim 19, the combination of Coyle and Hussain discloses the IED of claim 17, wherein the instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations comprising: 
receiving a secure association key (SAK) from the additional component to establish a MACsec communication link (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, which receives the SAK from the gateway [i.e. server]]; par. 0025, … the MACsec Key Agreement (MKA)…; par. 0021, .. that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]); 
receiving encrypted data from the additional component via the MACsec communication link (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices [i.e. IED] in the group CA); and 
decrypting the encrypted data via the SAK (Coyle: abstract; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]).
Regarding claim 20, the combination of Coyle and Hussain discloses the IED of claim 17. The combination of Coyle and Hussain further discloses wherein the instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to perform operations comprising: 
receiving an SAK from the additional component (Coyle: par. 0022, The derived Secure Association Key (SAK) 111 [i.e. third CAK], is then distributed to each authenticated dual-mode peer device 102a-102N [i.e. IED, by communication link [i.e. adoption link]] operating in the group CA 106; par. 0025, … the MACsec Key Agreement (MKA)…; par. 0021, .. that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]);
encrypting data using the SAK (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices in the group CA; par. 0006); and 
transmitting the encrypted data to the additional component (Coyle: abstract; Each of dual-mode peer device encrypts data using a shared group encryption key (SAK), and exchanges [i.e. transmit and/or receive] the encrypted data with peer devices [i.e. IED] in the group CA; par. 0006; par. 0021, The dual-mode peer devices 102a-102N each use a shared traffic key 111 known as a Secure Association Key (SAK) 111, which serves as a shared group encryption key that secures the user data (encrypts data and decrypts data) sent over the data routing links 104 [i.e. MACsec communication link]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439

January 17th, 2022


/LUU T PHAM/
Supervisory Patent Examiner, Art Unit 2439