DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Pending and amended claims 1-6, 8-15, and 17-20 were examined.  Applicant’s remarks with respect to the amended claims were considered, but are moot in view of the new rejections made below in response to the amendments.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Crosby (US 2014/0337982) or alternatively over Hudson et al (US 2014/0373161) in view of Crosby (US 2014/0337982) in further view of Soderberg et al (US 2008/0235801).
Claims 1 and 10:
	As per claim 1, Hudson discloses a computer-implemented method for performing an electronic security self-assessment of a controller in a building automation system (paragraph 49; A local computer performs a scan of itself using commands found on that local computer, so it performs a security self-assessment), the building automation system including a network of electronic devices connected in electronic communication (paragraphs 9, 21, and 56; A power plant having a network of computers protected by a security system is considered the claimed building.  Hudson’s invention implements network security requirements for one or more computers which run the power plant according to the NERC CIP standards.  The security system, networked computers, and/or local computers that perform self-scanning using commands found on the local computer are considered the claimed controller), the method comprising:
Initiating an electronic security scan of the controller (paragraphs 24-25 and 48-49; 
Electronically self-assessing, by the controller, security vulnerabilities of the controller (paragraph 49; Local computer scans itself using local commands), the self-assessing including at least some of: identifying one or more of a validation of whether the controller is protected by a firewall or other network security device, identifying which communication ports are open, identifying and verifying an Ethernet and Wi-Fi configuration of the controller, determining whether any routers communicating with the controller are protected by the firewall or other network security device, determining whether the controller is running an up-to-date software or firmware version, determining a password policy, and determining a listing of software applications and versions installed on the controller (paragraphs 24, 49, 54, and 57; A computing device, local computer, or network of computing devices are scanned for vulnerabilities, such as firewall vulnerabilities, unnecessarily opened ports, and compliance with NERC CIP specified standards).
Determining a listing of recommendations for resolving security vulnerabilities of the controller based on the electronically self-assessed security vulnerabilities of the controller (paragraphs 22, 24, 27-28, 52, 54, and 61-62; A security vulnerability report is generated including identifying the necessity of various ports and services and relevant firewall rules.  Also included is a mitigation report which documents how risks can be mitigated).
Electronically self-assessing, by the controller, security vulnerabilities of the network of the electronic devices connected in electronic communication with the controller (paragraphs 22, 24, 27-28, 52, 54, and 61-62).

Hudson does not disclose, but Crosby discloses wherein the recommendations are based on at least one of industry standards or company guidelines (paragraphs 38-45 and 56).  Cited portions of Crosby show a security system that does risk/vulnerability analysis.  Generated reports are used to generate an input file which is then compared to one or more industry/company standards and guidelines to see if there are any indications from the input file of non-compliance with the standards/guidelines.  If any are found, recommendations for repairing are made, as discussed in paragraph 56.  Since the identified risks/vulnerabilities are due to non-compliance with industry/company standards/guidelines, one should appreciate that any recommendations made would be made based on the industry standards and company guidelines.

Note that while Hudson does not explicitly use the terms “self-assessing” or “self-assessment” with respect to the controller, it was discussed above how the local computer in paragraph 39 is a self-assessing controller since it performs scans on itself using local commands.  Further, in the alternative, it is noted that Soderberg teaches self-assessment of a controller and self-assessing by the controller (paragraphs 22 and 28).  
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further utilize Soderberg’s teachings in Hudson’s invention to explicitly have self-assessment of a controller and self-assessing, by the controller.  One of ordinary skill in the art would have been motivated to do so as it would facilitate efficient vulnerability assessment (Soderberg: paragraph 28).

The rejection of claim 1 applies, mutatis mutandis, to claim 10.

Claims 2 and 11:
Security system for a computer on a network of the power plant).
The rejection of claim 2 applies, mutatis mutandis, to claim 11.

Claims 3 and 12:
	As per claim 3, Hudson further discloses wherein the controller is a unit controller in the building automation system (paragraphs 49 and 56; Security system for local computer of the power plant).
The rejection of claim 3 applies, mutatis mutandis, to claim 12.

Claim 8:
	As per claim 8, Hudson does not disclose actively attempting to connect to the controller or one of the plurality of electronic devices by a brute force attack.  However, official notice is taken that prior to the effective filing date of applicant’s claimed invention, brute force attacks on computer systems/networks/components were well known in the art.  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to attack Hudson’s invention by actively attempting to connect to the controller or one of the plurality of electronic devices by a brute force attack.  One of ordinary skill in the art would have been motivated to do so as brute force attacks are still a common way of attacking a computer 


Claim 9: 
	As per claim 9, Hudson further discloses wherein the method is scheduled to be performed on a periodic basis (paragraph 54; Periodic review of ports and services performed).


Claims 4-5, 13-14, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Crosby (US 2014/0337982) in further view of Witter et al (US 9,941,007) or alternatively over Hudson et al (US 2014/0373161) in view of Crosby (US 2014/0337982) in further view of Soderberg et al (US 2008/0235801) in further view of Witter et al (US 9,941,007).

Claims 4 and 13:
	As per claim 4, Hudson further discloses wherein the controller is connected in electronic communication with a network-based service (paragraphs 49, 52, and 54).  Hudson does not disclose, but Witter discloses the network being a cloud and cloud-based services (col 4, lines 56-63).
KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).
The rejection of claim 4 applies, mutatis mutandis, to claim 13.

Claims 5 and 14:
	As per claim 5, the limitation further recited is obvious over the teachings of Hudson (and Soderberg) and Witter.  Hudson further discloses sending one or more results from the electronic security self-assessment of vulnerabilities of the controller and of the network electronic devices connected in electronic communication with the controller to the network-based service (paragraphs 49, 52, and 54).  The network-based service being cloud-based is obvious over the additional teachings of Witter (col 4, lines 56-63) as discussed in the rejection of claim 4 above.  (Self-assessment is also alternatively taught by Soderberg as discussed above in the rejection of claims 1 and 14).
The rejection of claim 5 applies, mutatis mutandis, to claim 14.

Claims 18 and 20:
	As per claim 18, Hudson does not disclose, but Witter discloses wherein the network of electronic devices are connected in electronic communication via a BACnet protocol (col 1, lines 39-60).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Witter’s teachings within Hudson’s invention.  One skilled would have been motivated to do so because the BACnet protocol is a standard networking protocol and standards are meant to be used.  Further, using the BACnet protocol in Hudson’s network to connect the various electronic devices would be nothing more than simple substitution of one known element (i.e. generic network protocol) for another (i.e. BACnet protocol) to obtain predictable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).
The rejection of claim 18 applies, mutatis mutandis, to claim 20.



Claims 6, 15, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hudson et al (US 2014/0373161) in view of Crosby (US 2014/0337982) in further view of Al-Harbi et al (US 2012/0180133) or alternatively over Hudson et al (US 2014/0373161) in view of Crosby (US 2014/0337982) in further view of Soderberg et al (US 2008/0235801) in further view of Al-Harbi et al (US 2012/0180133).

Claims 17 and 19:
	As per claim 17, Hudson does not disclose, but Al-Harbi discloses calculating a risk score based on the electronically assessing security vulnerabilities of the controller (paragraphs 10 and 12-13).  The electronic assessing being electronic self-assessing is obvious over Hudson’s (and Soderberg’s) teachings as discussed in the rejection of claims 1 and 10.
	Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Al-Harbi’s teachings with respect to risk score within Hudson’s invention when assessing security vulnerabilities.  One skilled would have been motivated to do so as it would allow one to determine the effect of known threats on vulnerabilities and determine the various costs associated with exploitation of such vulnerabilities by the known threats (Al-Harbi: paragraph 10).
The rejection of claim 17 applies, mutatis mutandis, to claim 19.

Claim 6:
	As per claim 6, Al-Harbi further discloses sending the risk score and the listing of recommendations for resolving security vulnerabilities of the controller to a computer for display on a display device of the computer (paragraphs 10, 12-13, 36, and 43; GUI interface shows risks assessed and scores assigned to those risks).

Claim 15:
	As per claim 15, Hudson further discloses a computer in electronic communication with the controller (paragraph 28; Networked security system).  
GUI interface shows risks assessed and scores assigned to those risks).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Al-Harbi’s teachings with respect to risk scores and displaying the vulnerabilities and risk scores within Hudson’s invention when assessing security vulnerabilities.  One skilled would have been motivated to do so as it would allow one to determine the effect of known threats on vulnerabilities and determine the various costs associated with exploitation of such vulnerabilities by the known threats (Al-Harbi: paragraph 10).



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 





/PONNOREAY PICH/Primary Examiner, Art Unit 2495