DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s claim to priority to PCT/US2017/034128, filed 05/24/2017, is acknowledged. 

MPEP § 608.01(m) Form of Claims
Reference characters corresponding to elements recited in the detailed description and the drawings may be used in conjunction with the recitation of the same element or group of elements in the claims. The reference characters, however, should be enclosed within parentheses so as to avoid confusion with other numbers or characters which may appear in the claims. The use of reference characters is to be considered as having no effect on the scope of the claims.
Specification
The abstract of the disclosure is objected to because it is in WIPO format.  Correction is required.  See MPEP § 608.01(b).

Claim Objections
Claim 5 is objected to because of the following informalities: it recites “wherein the” twice.  Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 9-12 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mathematical concept (i.e., merely collecting data as per any mathematical formula / calculation requiring inputs) without significantly more. The claims recite a PLC monitoring application to collect data (analogous to mathematical inputs) and a forensics application to collect forensic evidence (analogous to mathematical inputs) non-intrusively (which is not further specified in the claim). This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea, is not considered to be sufficient; see MPEP 2106.05(f). In this case, the claims merely recite a memory and processor for obtaining data which is not further specified. 
	Abstract idea limitations: “A system for monitoring programmable logic controller (PLC) operations, the system comprising: and (601B) configured to: execute the security monitoring application (601C) to collect data indicative of PLC operations; and execute the security forensics application (601D) to perform non-intrusive forensic evidence collection.”
	Other limitations: “a memory (601A) configured to store a security monitoring application and a security forensics application; a processor.”
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea, is not considered to be sufficient; see MPEP 2106.05(f). In this case, the applications may be computer software programmed to perform a function, while the memory and processor are merely utilized to 
Dependent claims 10-11 specify the configuration of the memory and processor and collecting data from multiple sources. Dependent claim 12 specifies the configuration of the memory and processor and application. However, generally linking the use of the judicial exception to a particular technological environment or field of use is not considered to be sufficient – see MPEP 2106.05(h). 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites “analyzing (503), by the server in the forensic environment” as well as “a server implementing a forensic environment.” As such, the claim language may be interpreted as comprising both the server hosting a forensic environment as well as the server being inside the forensic environment it is hosting. This appears to be contradictory, and is therefore indefinite. It is noted that the claim language appears to contradict [0056] of the specification (i.e., the server providing a forensics environment). The dependent claims (2-8) do not rectify this indefiniteness, and are therefore likewise rejected. 

Claim 4 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 4 recites “wherein the security event of the PLC based is validated,” where it is not clear what “the PLC based” is intended to mean. As such, this claim is indefinite. For purposes of applying prior art, the claim has been interpreted without weight to the “based” language.

Claims 9-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim limitation “processor” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Since “processor” itself is not considered to be a structural term, the specification is looked to for clarification as to the structure of the claimed processor. For instance, FIG. 6 and paragraphs [0007] and [0053]-[0055] of the specification recite that the processor is part of the instrumentation and may be part of a single computing device or PLC. However, the cited portions comprise exemplary language, and the specification does not appear to define a specific structure for the processor (e.g., a microprocessor or a hardware processor). Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-8, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over “PLCloud: Comprehensive Power Grid PLC Security Monitoring with Zero Safety Disruption” (hereinafter “PLCloud”) in view of Wootton (US 2012/0110174 A1).

Regarding claim 1, PLCloud discloses: A method of monitoring a programmable logic controller (PLC), the method comprising: 
receiving (501), by a server implementing a forensic environment (i.e., cloud-based analysis engine—see FIG. 2 of PLCloud) from a PLC monitoring application of the PLC or another PLC (i.e., client agent on PLC—see FIG. 2 and page 813 of PLCloud: Architecture), PLC security data and PLC process data (interpreted as per [0044] of the specification); 
Refer to at least “IV. On-Device Client Agent” on page 813 of PLCloud with respect to logging PLC data such as inputs, traffic, and physical sensor data. 
Refer to at least “Architecture” on page 813 of PLCloud with respect to collecting PLC data. 
analyzing (503), by the server in the forensic environment, the PLC security data and the PLC process data; 
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811 and “Specifications” on page 813 of PLCloud with respect to cloud-based analysis of the collected PLC data; intrusion forensics and detection systems. 
validating (505), by the server in the forensic environment, a security event of the PLC based on the analyzing; 
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811, “Specifications” on page 813, and “V. Cloud-Based Emulation” on pages 813-814 of PLCloud with respect to identifying security compromises based on the analysis. 
initiating (507), by the server with the forensic environment via a PLC forensics application, [remediation]; and 
Refer to at least “B. Operator Notification” on page 814 of PLCloud with respect to remediation and/or alerting.
PLCloud does not specify: initiating (507), by the server with the forensic environment via a PLC forensics application, forensic data collection for the PLC; and receiving (509), by the forensic environment of the server and from the PLC forensics application, forensic data for the security event of the PLC. However, PLCloud in view of Wootton discloses: initiating (507), by the server with the forensic environment via a PLC forensics application, forensic data collection for the PLC; and receiving (509), by the forensic environment of the server and from the PLC forensics application, forensic data for the security event of the PLC. 
Refer to at least FIG. 5 and [0057] of Wootton with respect to a server requesting additional information from a client as part of its analysis. The client provides the additional information which is used for further analysis. 
The teachings of PLCloud and Wootton concern identifying and remediating malware, and are considered to be within the same field of endeavor and combinable as such. Further, PLCloud discusses integration with multiple security solutions (see “V. Cloud-Based Emulation”) and runs a client PLC and cloud agent, while Wootton’s server may perform emulation as part of its analysis (e.g., FIG. 18). 


Regarding claim 2, PLCloud-Wootton discloses: The method of claim 1, wherein the PLC security data and PLC process data is received for a plurality of PLCs, and wherein fleet level benchmarks are determined for each of the plurality of PLCs based on the received PLC security data and PLC process data.
Refer to at least “V. Cloud-Based Emulation” of PLCloud with respect to running multiple emulated replicas for multiple respective PLC devices as part of the cloud analysis suite.
Refer to at least [0062], [0065], [0068], and [0085] of Wootton with respect to gathering device data from multiple devices. For example, device battery usage data in [0068]. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 3, PLCloud-Wootton discloses: The method of claim 2, wherein validating (505) the security event comprises identifying a deviation of received PLC security data or PLC process data from the fleet level benchmarks.
Refer to at least [0069] of Wootton with respect to identifying behaviors deviating from set bounds. 
Refer to at least the abstract of Wootton with respect to identifying changes in assessments.

Regarding claim 4, PLCloud-Wootton discloses: The method of claim 1, wherein receiving (501) PLC security data and PLC process data comprises data for a live process, and wherein the security event of the PLC based is validated (505) in real-time based on analyzing the data for the live process.
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811 and “Specifications” on page 813 of PLCloud with respect to real-time analysis. 

Regarding claim 5, PLCloud-Wootton discloses: The method of claim 1, wherein the wherein the PLC security data and PLC process data comprises PLC firmware data, PLC operating system data and PLC application data.
Refer to at least FIG. 2 and “IV. On-Device Client Agent” on page 813 of PLCloud with respect to logging PLC data such as inputs, traffic, and physical sensor data. 
Refer to at least [0036] of Wootton with respect to device data including firmware version and operating system. Refer to at least [0037] of Wootton with respect to application data. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of PLCloud to further include additional device and application data for at least the purpose of increased detection accuracy due to having more detailed information to assess. 

Regarding claim 7, PLCloud-Wootton discloses: The method of claim 1, further comprising: replicating (511), by the forensic environment using received forensic data, the detected security event in a sandboxed simulation.
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811, “Specifications” on page 813, and “V. Cloud-Based Emulation” on pages 813-814 of PLCloud with respect to emulation for the PLC and collected PLC data. 

Regarding claim 8, PLCloud-Wootton discloses: The method of claim 7, wherein the sandboxed simulation comprises using real-time forensic data received from the PLC forensics application during a live process.
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811 and “Specifications” on page 813 of PLCloud with respect to real-time emulation, analysis, and forensics.


Regarding claim 13, PLCloud discloses:  A method of monitoring a programmable logic controller (PLC), the method comprising: 
defining (201) a plurality of PLC operations for monitoring, the plurality of PLC operations indicative of a security event; 
Refer to at least “IV. On-Device Client Agent” on page 813 of PLCloud with respect to logging PLC data such as inputs, traffic, and physical sensor data. 
monitoring (203) the plurality of PLC operations, the monitoring comprising: 
collecting data representative of the plurality of PLC operations, process data and PLC status; 
Refer to at least “Architecture” on page 813 of PLCloud with respect to collecting PLC data. 
analyzing the data for the security event; and 
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811 and “Specifications” on page 813 of PLCloud with respect to cloud-based analysis of the collected PLC data; intrusion forensics and detection systems. 
validating the security event; and 
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811, “Specifications” on page 813, and “V. Cloud-Based Emulation” on pages 813-814 of PLCloud with respect to identifying security compromises based on the analysis. 
PLCloud does not specify: deploying (205), in response to the detected security event, forensic data collection for the PLC. However, PLCloud in view of Wootton discloses: deploying (205), in response to the detected security event, forensic data collection for the PLC. 
Refer to at least FIG. 5 and [0057] of Wootton with respect to a server requesting additional information from a client as part of its analysis. The client provides the additional information which is used for further analysis. 
The teachings of PLCloud and Wootton concern identifying and remediating malware, and are considered to be within the same field of endeavor and combinable as such. Further, PLCloud discusses integration with multiple security solutions (see “V. Cloud-Based Emulation”) and runs a client PLC and cloud agent, while Wootton’s server may perform emulation as part of its analysis (e.g., FIG. 18). 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of PLCloud to further include requesting additional information for at least the purpose of increasing detection accuracy (i.e., as per the cited portions of Wootton). 

Regarding claim 14, it is substantially similar to claim 5 above, and is therefore likewise rejected (i.e., the citations and obviousness rationale).

Regarding claim 15, it is rejected for substantially the same reasons as claim 13 above (i.e., the citations to Wootton concerning providing the additional data).

Regarding claim 16, PLCloud-Wootton discloses: The method of claim 15, wherein the collected data representative of the plurality of PLC operations and data of the forensic data collection for the PLC is exported to a remote process historian (interpreted in view of [0045] of the specification: “embedded” historian).
Refer to at least “V. Cloud-Based Emulation” on page 813 of PLCloud with respect to the cloud obtaining collected PLC agent data. 

Regarding claim 17, PLCloud-Wootton discloses: The method of claim 13, further comprising: executing (207), in response to the detected security event, an automated PLC security response operation.
Refer to at least “B. Operator Notification” on page 814 of PLCloud with respect to remediation and/or alerting.

Regarding claim 18, PLCloud-Wootton discloses: The method of claim 17, wherein the automated PLC security response operation comprises setting a production line to a safe speed or stopping the production line in a safe mode.
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811 of PLCloud with respect to terminating execution responsive to detecting a misbehavior. 
Refer to at least “II. Threat Model” of PLCloud with respect to emergency stop.

Regarding claim 19, it is rejected for substantially the same reasons as claim 17 above (i.e., the citations which comprise, e.g., replacing files with a previous version).


Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over PLCloud-Wootton as applied to claims 1-5, 7-8, and 13-20 above, and further in view of “Guide to Integrating Forensic Techniques into Incident Response,” hereinafter “NIST.”

Regarding claim 6, PLCloud-Wootton does not disclose: wherein the PLC forensics application maintains chain-of-custody for the forensic data for the security event of the PLC. However, PLCloud-Wootton in view of NIST discloses: wherein the PLC forensics application maintains chain-of-custody for the forensic data for the security event of the PLC. 
Refer to at least pages ES-1, ES-2, and 2-8 of NIST with respect to recommendations for maintaining a chain of custody for forensic data. 
The teachings of PLCloud concern forensics and NIST is guidance for forensic data. Accordingly, the teachings are considered to be combinable (i.e., guidance for implementing PLCloud forensics). 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of PLCloud to further include NIST guidance concerning maintaining chain of custody for forensic data for at least the reasons discussed in NIST (e.g., integrity). 

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 9-12 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by “PLCloud: Comprehensive Power Grid PLC Security Monitoring with Zero Safety Disruption,” hereinafter “PLCloud.”

Regarding claim 9, PLCloud discloses: A system for monitoring programmable logic controller (PLC) operations, the system comprising: 
a memory (601A) configured to store a security monitoring application and a security forensics application; 
Refer to at least FIG. 2 on page 812 and “Architecture” on page 813 of PLCloud with respect to a PLC client agent and a cloud-based analysis engine. 
and a processor (601B) configured to: 
execute the security monitoring application (601C) to collect data indicative of PLC operations; and 
Refer to at least “IV. On-Device Client Agent” on page 813 of PLCloud with respect to logging PLC data such as inputs, traffic, and physical sensor data. 
Refer to at least “Architecture” on page 813 of PLCloud with respect to collecting PLC data. 
execute the security forensics application (601D) to perform non-intrusive (e.g., “zero performance overhead” as per paragraph 1 in column 2 of page 811) forensic evidence collection.
Refer to at least “Safety Redlines Enforcement via Cloud-Based Controller Program Analysis” on page 811 and “Specifications” on page 813 of PLCloud with respect to cloud-based analysis of the collected PLC data; intrusion forensics and detection systems. 

Regarding claim 10, PLCloud discloses: The system of claim 9, wherein the memory (601A) and the processor (601B) are configured as one of a plurality of PLCs (601, 601E), wherein executing the security monitoring application (601C) and the security forensics application (601D) comprises collecting data and forensic evidence from each of the plurality of PLCs (601E).
Refer to at least FIG. 2 of PLCloud with respect to PLCs.
Refer to at least “V. Cloud-Based Emulation” of PLCloud with respect to running multiple emulated replicas for multiple respective PLC devices as part of the cloud analysis suite.

Regarding claim 11, it is rejected for substantially the same reasons as claim 10 above (i.e., the citations; see at least the abstract concerning industrial control system networks and PLCs).

Regarding claim 12, PLCloud discloses: The system of claim 9, wherein the memory (601A) and the processor (601B) are configured as a PLC (601), wherein the security monitoring application (601C) and the security forensics application (601D) comprise injectable application code.
Refer to at least “II. Threat Model,” “B. Operator Notification,” and “VI. Evaluations” with respect to updating PLC code.  

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/V.S/Examiner, Art Unit 2432
/DAO Q HO/Primary Examiner, Art Unit 2432