DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In communications filed on 04/27/2020, Claims 1-20 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 16/859,632.
Examiner note

Applicant is encouraged to review the relevant references mentioned at the conclusion section of this office action and PTO-892 Notice of References Cited filed with this office action.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 17 and all of the Claims that depend from Claim 17 (i.e. Claims 18-20) are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The body of Claim 17 does not disclose any structural features. Rather the body of the claims is interpreted as purely software. Software is per se not a statutory class of invention. The dependent Claims 17-20 do not correct this issue. Therefore, the claim is rejected under 35 U.S.C. 101 because it is directed to software which is not a statutory class of invention.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


First Set of Rejections:

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mulchandani (US2017/0171235) (corresponds to EP3179696 filed in IDS 01/12/2022).
Regarding claims 1 and 9, Mulchandani discloses a method for monitoring and assessing an overall cybersecurity posture level of an operation technology environment to increase said level when the level is determined to be below a setpoint value for the operation technology environment, the method comprising [¶17, this specification describes systems, methods, and computer programs for obtaining, processing, and presenting data related to security events, and for implementing courses of action to protect assets in response to the security events. For example, an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain. A connected security system can include multiple components that process data related to the attacks, provide visualization data related to the attacks, and implement courses of action based on the attacks (e.g. to mitigate the attacks). The underlying components may utilize a common framework, or protocol based on a framework or set of standards, to share information. For example, the underlying components may use a predefined data structure that includes multiple different data constructs to share the information], and [¶¶18-26], and [¶56, the event management module 130 generates an incident data construct 135 for each identified anomalous and/or malicious activity path that has a risk score that satisfies a specified threshold (e.g., by meeting or exceeding the threshold) (equated to setpoint)], and [¶¶57-58]; and
receiving metrics data for a corresponding one of each of a plurality of cybersecurity posture indices (CPI) for the operation technology environment [¶¶45-51, the event management module 130 can receive IT activity data 163 that includes event/alert data from the IT network 161 and can receive operational technology (OT) activity data 167 that includes event/alert data from the OT network 165… The IT activity data 163 and the OT activity data 167 can include event and/or alert data… The event management system 130 can receive the IT activity data 163 and the OT activity data 167, and can standardize, filter, aggregate, and correlate the data to detect anomalies and potentially malicious activity associated with multi-stage, multi-domain attacks…  Upon receiving the IT activity data 163 and the OT activity data 167, the event management module 130 can use a filter 131 to filter the data….  After aggregating the event/alert data, for example, aggregated data can be provided by the aggregator 132 to a correlator 133. 
In general, the event management module 130 can use the correlator 133 to generate a chain of events/alerts that may correspond to a threat scenario…], and [¶¶56-62, the event management module 130 generates an incident data construct 135 for each identified anomalous and/or malicious activity path that has a risk score that satisfies a specified threshold (e.g., by meeting or exceeding the threshold) … The indicator data constructs 136 can include data describing observable patterns (e.g., attack patterns) identified by the event management module 130… The indicator data construct 136 can include one or more observable data constructs… The actor data constructs 137 can include data describing potential malicious actors that may cause security incidents… The event management module 130 can generate an actor construct for any newly identified actors, e.g., found in the IT activity data 163 and/or the OT activity data 167…  The event management module 130 can transmit the incident data constructs 135, the indicator data constructs 136, and/or the actor data constructs 137 to the threat intelligence module 120…], and [¶¶75-76, determine a risk score]; and
determining a cybersecurity posture index (CPI) value for each of the plurality of cybersecurity posture indices (CPI) based on the metrics data [¶56, the event management module 130 generates an incident data construct 135 for each identified anomalous and/or malicious activity path that has a risk score that satisfies a specified threshold (e.g., by meeting or exceeding the threshold) (equated to setpoint)], and [¶¶75-76, …Risk scores for a particular kind of risk or particular outcome…The threat intelligence module 120 can use the threat data 175 and the data constructs received from the event management module 130 to determine a risk score for one or more potential outcomes and based on one or more threat paths. The threat intelligence module 120 can use the risk scores and threat data to determine and prioritize courses of action to mitigate the risk(s)…], and [¶¶95-98, …determine the risk associated with particular business processes and outcomes… The summary data 204 includes a risk score that indicates the likelihood of the outcome occurring (i.e. 69%), the top targeted process that could lead to the outcome (i.e., PI Data Store), the top COAs and advisories (i.e., 21), and the number of detected security events (i.e., 237) … The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption….]; and
 applying a weight to each of the plurality cybersecurity posture index (CPI) values to calculate a respective weighted cybersecurity posture index (wCPI) value [¶¶98-100, The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption. The risk score for each actor indicates the likelihood that the actor will cause the outcome if not mitigated. The overall risk score for the outcome operation disruption is based on each of the risk scores. For example, the overall risk score may be the sum, average, or weighted average of the risk scores for each of the actors…  FIG. 4 depicts a screen shot of an example user interface 400… user interface 400 includes more details related to a particular threat actor (Anonymous) and its risk score for a particular outcome (operational disruption) …  the risk score is based on exploit severity, threat feed trust (e.g., based on the trustworthiness of the source of the threat data), intel age (e.g., based on the amount of time since the threat data was received), targeted asset criticality, and threat activity (e.g., based on the number of security events detected for the actor). In this example, the risk score for Anonymous is based on a weighted average of the sub-scores. In other implementations, the risk score may be based on the sum, simple average of the sub-scores, or another appropriate combination of the sub-scores]; and
 determining an overall cybersecurity posture level of the operation technology environment based on a sum of each weighted cybersecurity posture index (wCPI) value [¶¶98-100, The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption. The risk score for each actor indicates the likelihood that the actor will cause the outcome if not mitigated. The overall risk score for the outcome operation disruption is based on each of the risk scores. For example, the overall risk score may be the sum, average, or weighted average of the risk scores for each of the actors…  FIG. 4 depicts a screen shot of an example user interface 400… user interface 400 includes more details related to a particular threat actor (Anonymous) and its risk score for a particular outcome (operational disruption) …  the risk score is based on exploit severity, threat feed trust (e.g., based on the trustworthiness of the source of the threat data), intel age (e.g., based on the amount of time since the threat data was received), targeted asset criticality, and threat activity (e.g., based on the number of security events detected for the actor). In this example, the risk score for Anonymous is based on a weighted average of the sub-scores. In other implementations, the risk score may be based on the sum, simple average of the sub-scores, or another appropriate combination of the sub-scores]; and
generating a notification message, including image rendering data and commands; and sending the notification message to a computer resource asset to render an image of a snapshot cybersecurity posture level for at least one of the plurality of cybersecurity posture indices (CPIi) [¶¶97-101, see FIG. 3, … The example user interface 200 includes details related to threat actors that contribute to the risk of a particular outcome (operation disruption) … The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption. The risk score for each actor indicates the likelihood that the actor will cause the outcome if not mitigated. The overall risk score for the outcome operation disruption is based on each of the risk scores. For example, the overall risk score may be the sum, average, or weighted average of the risk scores for each of the actors…], and [see FIGS. 4-7 and corresponding text for more detail, disclosing the display of the (overall) risk scores, presented on a screen of a display].

Regarding claims 2, and 10, Mulchandani discloses further comprising: effectuating remediation based on the overall cybersecurity posture level of the operation technology environment [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claims 3, and 11, Mulchandani discloses further comprising: effectuating remediation based on the snapshot cybersecurity posture level [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claims 4, and 12, Mulchandani discloses wherein the snapshot cybersecurity posture level includes a near-real-time (NRT) snapshot cybersecurity posture level [ See FIGS 4-7 and corresponding text for more details, ¶¶99-107, The graph 502 presents the number of security events detected over time. In this example, the graph 502 presents the number of security event detected for an IT network, e.g., the IT network 161 of FIG. 1, and the number of security events detected for an OT network, e.g., the OT network 165 of FIG. 1…The example user interface 600 includes a graph 602 that presents the relative number of security events detected for particular sources over time. In this example, the size of the graph 600 covered by a particular source indicates the number of security events detected for a particular time period. The user interface 600 includes a selectable timeline 604 that allows a security administrator to select the time period for which data should be presented in the graph 600].
Regarding claims 5, and 13, Mulchandani discloses wherein the overall cybersecurity posture level of the operation technology environment includes a near-real-time (NRT) snapshot overall cybersecurity posture level [ See FIGS 4-7 and corresponding text for more details, ¶¶99-107, The graph 502 presents the number of security events detected over time. In this example, the graph 502 presents the number of security event detected for an IT network, e.g., the IT network 161 of FIG. 1, and the number of security events detected for an OT network, e.g., the OT network 165 of FIG. 1…The example user interface 600 includes a graph 602 that presents the relative number of security events detected for particular sources over time. In this example, the size of the graph 600 covered by a particular source indicates the number of security events detected for a particular time period. The user interface 600 includes a selectable timeline 604 that allows a security administrator to select the time period for which data should be presented in the graph 600].
Regarding claims 6, and 14, Mulchandani discloses wherein said snapshot cybersecurity posture level comprises a near-real-time (NRT) snapshot cybersecurity posture level for at least one of: a number of users authorized access to the operation technology environment; a network security level for the operation technology environment; a number cyber awareness sessions performed on the operation technology environment; a number of cyber drills performed on the operation technology environment; a number of cybersecurity incidents in the operation technology environment; a patch compliance ratio for computer resource assets in the operation technology environment; a backup availability ratio for computer resource assets in the operation technology environment; and an endpoint security compliance ratio for computer resource assets in the operation technology environment [¶60-70, The actor data constructs 137 can include data describing potential malicious actors that may cause security incidents. For example, the actor data constructs 137 can include fields for data identifying the actor and/or data that characterize the actor. The actor data constructs 137 can also include data regarding the suspected motivation of the actor, the suspected intended effect of security incidents or attack patterns caused by the actor, historically observed tactics, techniques, and procedures (TTPs) used by the actor historical campaigns believed to be associated with the actor, other actors believed to be associated with the actor, confidence in the characterization of the actor, the source of the data regarding the actor, and/or other appropriate data regarding the actor. The event management module 130 can generate an actor construct for any newly identified actors, e.g., found in the IT activity data 163 and/or the OT activity data 167. 
For example, when the event management module 130 identifies a security event in the IT activity data 163 and/or the OT activity data 167, the event management module 130 may generate an actor data construct 137 for the actor associated with the security event…], and [¶91,The Sankey diagram 202 shows a visual representation of the magnitude of flow between nodes in a network, such as the IT network 161 and/or the OT network 165 of FIG. 1. In particular, the Sankey diagram 202 illustrates the flow between particular threats to particular outcomes for an organization. Going from right to left, the Sankey diagram 202 illustrates IT assets and OT assets of the organization that the particular threats, and threat actors, can affect. A link between a particular threat and/or threat actor and a particular asset indicates that the particular threat may affect the particular asset. For example, the Sankey diagram 202 includes links between NetTraveler and a SCADA, a PI Historian, and an Asset Management system…].
Regarding claims 7, and 15, Mulchandani discloses wherein effectuating remediation comprises fixing a vulnerability on a computer resource asset in the operation technology environment [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claims 8, and 16, Mulchandani discloses wherein effectuating remediation comprises guiding, on said computer resource asset, mitigation of a vulnerability on a different computer resource asset in the operation technology environment [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].
Regarding claim 17, this claim is interpreted and rejected for the same rationale set forth in claim 1.
Regarding claim 18, Mulchandani discloses wherein the cybersecurity assessment and remediation (CPAR) stack comprises at least one of: a cybersecurity incidence level metrics (CILM) unit; a backup Availability Ratio Metrics (BARM) unit; a Patch Compliance Ratio Metrics (PCRM) unit; an Endpoint Compliance Ratio Metrics (ECRM) unit; a Network Security Level Metrics (NSLM) unit; a Security Awareness Level Metrics (SALM) unit; and a Drill Compliance Level Metrics (DCLM) unit [¶¶97-101, see FIG. 3, … The example user interface 200 includes details related to threat actors that contribute to the risk of a particular outcome (operation disruption) … The user interface 300 includes a risk score for each actor that contributed to the overall risk score for the outcome operation disruption. The risk score for each actor indicates the likelihood that the actor will cause the outcome if not mitigated. The overall risk score for the outcome operation disruption is based on each of the risk scores. For example, the overall risk score may be the sum, average, or weighted average of the risk scores for each of the actors…], and [see FIGS. 4-7 and corresponding text for more detail, disclosing the display of the (overall) risk scores, presented on a screen of a display].
Regarding claim 19, Mulchandani discloses the system further comprising: an operation technology key performance index mitigation unit arranged to effectuate remediation of a vulnerability on a computer resource asset in the operation technology environment to increase said snapshot cybersecurity posture level for the at least one of the plurality of cybersecurity posture indices (CPi) [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…]
Regarding claim 20, Mulchandani discloses, wherein the effectuate remediation comprises guiding remediation of the vulnerability on the computer resource asset [ ¶¶17-18, …  an industrial internet may be used to manage and administer industrial control systems (ICS), which may communicate over an enterprise network and may include information technology (IT) and operational technology (OT) network domains. Some threat scenarios may include multi-step, multi-domain attacks, and may include attacks that originate in one domain, and proceed to another domain…. The threat intelligence module may also determine and recommend courses of action based on the identified threat outcomes. A course of action module of the connected security system may implement the courses of action. For example, the course of action implementation may be automated (e.g., implemented by the system in response to detecting a particular attack), semi-automated (e.g., the system recommends courses of action for selection by a security administrator), and/or manual (e.g., implemented by a security administrator)], and [¶¶77-78, The threat intelligence module 120 can also determine courses of action based on business processes of an organization…. The threat intelligence module 120 can use the threat data and data constructs to determine which business processes may be at risk and/or what assets may be at risk… The threat intelligence module 120 can also prioritize courses of action based on the business processes that are determined to be at risk…].

Second Set of Rejections:

Claims 1-3, 6-11, and 14-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chiu (US2016/0359895) (filed in IDS 01/12/2022).
Regarding claims 1, and 9, Chiu discloses  a method for monitoring and assessing an overall cybersecurity posture level of an operation technology environment to increase said level when the level is determined to be below a setpoint value for the operation technology environment, the method comprising [¶42,  FIG. 1 illustrates an example scenario 100 in which cybersecurity analysis can be provided for operational technologies and information technologies, in accordance with an embodiment of the present disclosure. It should be understood that all examples herein are provided for illustrative purposes and that many variations are possible. In the example scenario 100, an example cybersecurity analysis module 102 can be configured to acquire data from operational technologies and information technologies in an energy delivery network or system. Based on the acquired data, the cybersecurity analysis module 102 can facilitate providing cybersecurity analysis based on operational technologies and information technologies in the energy delivery network], and [Abstract, ¶¶18-20, …  a supervisory control and data acquisition (SCADA) command and control service… the collection of services can include at least one of a phone service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head end service, an energy management service, a demand management service, an outage management service, a customer care and billing service, an enterprise communications service, or a threat and vulnerability detection library service], and [¶68, impact metrics are generated with regards to threshold of reliability]; and
receiving metrics data for a corresponding one of each of a plurality of cybersecurity posture indices (CPI) for the operation technology environment [¶4, acquire sets of data, from a plurality of energy delivery network components, permitting the generation of a first and a second metric of cybersecurity], and [¶41, A first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected (i.e., is currently affected, has been affected, may be affected, and/or will be affected, etc.) by one or more cyber vulnerabilities can be generated based on the first set of data. A second set of data can be acquired from a second group of data sources including a collection of services associated with the energy delivery network. A second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component can be generated based on the second set of data. A third metric indicating an overall level of cybersecurity risk associated with the particular network component can be generated based on the first metric and the second metric], and [¶¶51-52, 58-60]; and
determining a cybersecurity posture index (CPI) value for each of the plurality of cybersecurity posture indices (CPI) based on the metrics data [¶¶4-5, acquire a first set of data from a first group of data sources including a plurality of network components within an energy delivery network. A first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected by one or more cyber vulnerabilities can be generated based on the first set of data. A second set of data can be acquired from a second group of data sources including a collection of services associated with the energy delivery network. A second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component can be generated based on the second set of data. A third metric indicating an overall level of cybersecurity risk associated with the particular network component can be generated based on the first metric and the second metric. A plurality of third metrics including the third metric indicating the overall level of cybersecurity risk associated with the particular network component can be generated. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The plurality of network components can be ranked based on the plurality of third metrics to produce a ranked list of network components. At least a portion of the ranked list of network components can be provided to an energy provider that utilizes the energy delivery network], and [¶¶41, 52-59, 61-62 (cyber vulnerability metric)]; and
 applying a weight to each of the plurality cybersecurity posture index (CPI) values to calculate a respective weighted cybersecurity posture index (wCPI) value [¶55, the cybersecurity risk module 208 can generate the third metric from a defined combination of the first metric and the second metric. In one example, in order to generate the third metric, the cybersecurity risk module 208 can apply a first weight value to the first metric to produce a first weighted metric. The cybersecurity risk module 208 can further apply a second weight value to the second metric to produce a second weighted metric. The cybersecurity risk module 208 can then combine the first weighted metric and the second weighted metric to produce the third metric. In another example, the energy provider (e.g., the utility company) can define how the first and second metrics are to be combined to produce the third metric. In a further example, the third metric can be generated based on utilizing one or more machine learning processes to determine how the first metric and the second metric are to be combined to produce the third metric]; and
 determining an overall cybersecurity posture level of the operation technology environment based on a sum of each weighted cybersecurity posture index (wCPI) value [¶55, the cybersecurity risk module 208 can generate the third metric from a defined combination of the first metric and the second metric. In one example, in order to generate the third metric, the cybersecurity risk module 208 can apply a first weight value to the first metric to produce a first weighted metric. The cybersecurity risk module 208 can further apply a second weight value to the second metric to produce a second weighted metric. The cybersecurity risk module 208 can then combine the first weighted metric and the second weighted metric to produce the third metric. In another example, the energy provider (e.g., the utility company) can define how the first and second metrics are to be combined to produce the third metric. In a further example, the third metric can be generated based on utilizing one or more machine learning processes to determine how the first metric and the second metric are to be combined to produce the third metric]; and
 generating a notification message, including image rendering data and commands; and sending the notification message to a computer resource asset to render an image of a snapshot cybersecurity posture level for at least one of the plurality of cybersecurity posture indices (CPIi)[¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshots 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies…  a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Regarding claims 2, and 10, Chiu discloses further comprising: effectuating remediation based on the overall cybersecurity posture level of the operation technology environment [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claims 3, and 11, Chiu discloses further comprising: effectuating remediation based on the snapshot cybersecurity posture level [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claims 6, and 14, Chiu discloses wherein said snapshot cybersecurity posture level comprises a near-real-time (NRT) snapshot cybersecurity posture level for at least one of: a number of users authorized access to the operation technology environment; a network security level for the operation technology environment; a number cyber awareness sessions performed on the operation technology environment; a number of cyber drills performed on the operation technology environment; a number of cybersecurity incidents in the operation technology environment; a patch compliance ratio for computer resource assets in the operation technology environment; a backup availability ratio for computer resource assets in the operation technology environment; and an endpoint security compliance ratio for computer resource assets in the operation technology environment[ ¶¶62-64,  analyzing the detected network traffic can include utilizing at least one of a syntax (or rule-based) indicator, a computed (or analytical) indicator, and/or an advanced behavioral indicator, etc. Moreover, the likelihood that the particular network component is affected by the one or more cyber vulnerabilities can be calculated, by the vulnerability metric module 306, based on the at least one of the syntax indicators, the computed indicator, or the advanced behavioral indicator…  the cyber vulnerability module 302 can identify patterns and develop rules or syntax indicators for detecting illegitimate activities…, the cyber vulnerability module 302 can perform analytics and/or detect computed indicators. For example, if the cyber vulnerability module 302 detects protocol anomalies, unexpected device appearances, unexpected MAC addresses, unauthorized access attempts, and/or unexpected privilege escalations (e.g., a user unexpectedly attempting to perform an unpermitted task), etc…, the cyber vulnerability module 302 can detect advanced behavior indicators. 
For example, if the cyber vulnerability module 302 detects unexpected bandwidth spikes, unexpected CPU usage spikes, a command received at an unexpected time, and/or a trust boundary violation, then the first metric can be increased….  the syntax indicator can be based on analysis of at least one of an Internet Protocol (IP) address associated with the detected network traffic or an email address associated with the detected network traffic…], and [¶¶69-70], and see claim 15,  wherein the first group of data sources further includes at least one of a supervisory control and data acquisition (SCADA) command and control service, an enterprise firewall service, a log service, an intrusion prevention service, a security information and event management service (SIEM), or an intrusion protection service].
Regarding claims 7, and 15, Chiu discloses wherein effectuating remediation comprises fixing a vulnerability on a computer resource asset in the operation technology environment [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claims 8, and 16,  Chiu discloses wherein effectuating remediation comprises guiding, on said computer resource asset, mitigation of a vulnerability on a different computer resource asset in the operation technology environment[ ¶56,  Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claim 17, this claim is interpreted and rejected for the same rationale set forth in claim 1.
Regarding claim 18, Chiu discloses wherein the cybersecurity assessment and remediation (CPAR) stack comprises at least one of: a cybersecurity incidence level metrics (CILM) unit; a backup Availability Ratio Metrics (BARM) unit; a Patch Compliance Ratio Metrics (PCRM) unit; an Endpoint Compliance Ratio Metrics (ECRM) unit; a Network Security Level Metrics (NSLM) unit; a Security Awareness Level Metrics (SALM) unit; and a Drill Compliance Level Metrics (DCLM) unit [¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies… a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Regarding claim 19,  Chiu discloses the system further comprising: an operation technology key performance index mitigation unit arranged to effectuate remediation of a vulnerability on a computer resource asset in the operation technology environment to increase said snapshot cybersecurity posture level for the at least one of the plurality of cybersecurity posture indices (CPi)[ ¶56,  Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. 
In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].
Regarding claim 20, Chiu discloses, wherein the effectuate remediation comprises guiding remediation of the vulnerability on the computer resource asset [ ¶56, Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 4-5 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. (US2016/0359895) issued to Lerner Chiu (filed in IDS 01/12/2022) and in view of US Patent No. (US10,210,470) issued to Datta (filed in IDS 04/27/2020).

Regarding claims 4 and 12, Chiu discloses wherein the snapshot cybersecurity posture level includes a near-real-time (NRT) snapshot cybersecurity posture level.
Even though Chiu discloses this limitation as: [¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies…  a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Chiu does not explicitly disclose a near-real-time snapshot; however, Datta discloses:

[Abstract, Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter ], and [COL. 15, lines 46-60, FIG. 4 shows an embodiment (400) of the invention in terms of the control hierarchy (401, 402, 403, 404, 405) associated with the monitored and controlled elements (MCE) of the enterprise-wide network. At each MCE (401, 402, 403, 404, 405), all of the messages relevant to that MCE are monitored and analyzed and control posture information is sent to all subscribing MCEs. This capability for monitoring, analyzing, and adjusting security and control postures is pervasively implemented for each MCE as a set of conceptually and structurally self-similar components (415)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chiu with the teaching of Datta in order to implement enterprise business risk management. More particularly, the invention relates to pervasive, domain and situational-aware, adaptive, automated, and coordinated analysis and control of enterprise-wide computers, networks, and applications for mitigation of business and operational risks, including efficiency and effectiveness of business processes and enhancement of cyber security [Datta, COL. 1 lines 22-28].

Regarding claims 5 and 13, Chiu discloses wherein the overall cybersecurity posture level of the operation technology environment includes a near-real-time (NRT) snapshot overall cybersecurity posture level.
Even though Chiu discloses this limitation as: [¶¶71-73, FIG. 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies…  a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible].
Chiu does not explicitly disclose a near-real-time snapshot; however, Datta discloses:
[Abstract, Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter ], and [COL. 15, lines 46-60, FIG. 4 shows an embodiment (400) of the invention in terms of the control hierarchy (401, 402, 403, 404, 405) associated with the monitored and controlled elements (MCE) of the enterprise-wide network. At each MCE (401, 402, 403, 404, 405), all of the messages relevant to that MCE are monitored and analyzed and control posture information is sent to all subscribing MCEs. This capability for monitoring, analyzing, and adjusting security and control postures is pervasively implemented for each MCE as a set of conceptually and structurally self-similar components (415)].
 It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chiu with the teaching of Datta in order to implement enterprise business risk management. More particularly, the invention relates to pervasive, domain and situational-aware, adaptive, automated, and coordinated analysis and control of enterprise-wide computers, networks, and applications for mitigation of business and operational risks, including efficiency and effectiveness of business processes and enhancement of cyber security [Datta, COL. 1 lines 22-28].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Berger (US11271961) [Real-time Cybersecurity Status System With Event Ticker, (33) Status indicator 302 presents a snapshot summary of overall cybersecurity status after the cybersecurity assessment system 120 has analyzed the current state of target network 100 with respect to a cybersecurity assessment framework…While FIG. 3 illustrates a snapshot of the target network's cybersecurity posture, it will be appreciated that the interface 300 may change dynamically to reflect changes to the user system in real-time.].
Sweeney (US2018/0124091) [Method For The Continuous Calculation Of A Cyber Security Risk Index, cybersecurity risk index score].
Yumer (US10410158) [Systems And Methods For Evaluating Cybersecurity Risk, A computer-implemented method for evaluating cybersecurity risk may include (i) identifying telemetry data collected from endpoints of an entity, (ii) calculating a cybersecurity risk score for the entity by searching the telemetry data for information indicative of cybersecurity risk exposure of the entity and performing an actuarial analysis on the information indicative of the cybersecurity risk exposure to quantize a potential consequence of the cybersecurity risk exposure, and (iii) performing, based on the cybersecurity risk score, a security action to protect the entity from the potential consequence of the cybersecurity risk exposure].
Lin (US10841338) [Dynamic Rule Risk Score Determination In Cybersecurity Monitoring System, The present disclosure relates to a cybersecurity-monitoring system, method, and computer program for dynamically determining a rule's risk score based on the network and user for which the rule triggered…].
Volkov (US20220159034) [¶127, if the first cybersecurity incident originates from the privileged user account, the processor 401 can further be configured to compare the detection confidence level associated with the first cybersecurity incident (Confidence) (148) to a predetermined confidence level threshold (e.g. 80%). Further, if the processor 401 has determined that the detection confidence level is below the predetermined confidence level threshold, and also if the number of blocked privileged user accounts for the predetermined time is less than the N.sub.1 predetermined threshold number, the processor 401 can be configured to determine the respective automated incident response as blocking the privileged user account (143) at the corporate network level, in accordance with step 140 of the method 100 described above. However, if the number of blocked privileged user accounts for predetermined time exceeds the N.sub.1 predetermined threshold number, the processor 401 can be configured to cease to analyze the incident data associated with the first cybersecurity incident without determining the respective automated incident response thereto].
Gill (US20110126111) [Method And Apparatus For Risk Visualization And Remediation].
Gilmore (US20180020021) [Computerized System And Method For Providing Cybersecurity Detection And Response Functionality].
Heckman (US20190207968) [Methods And Systems For Providing An Integrated Assessment Of Risk Management And Maturity For An Organizational Cybersecurity/Privacy Program].

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496