Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 12/27/2021. Claims 1-24 are pending. This Office Action is Non-Final.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/3/2022 has been entered.
 
Response to Arguments
	A) Applicant’s arguments with respect to claim(s) 1, 10 and 18 have been considered but are moot because the new ground of rejection does not rely on the same exact references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 10 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carpenter et al. (US 2016/0050225) in view of Wilkinson et al. (US 2016/0350559) and Greenlee et al. (US 7,418,354).

	As per claim 1, Carpenter teaches a method for monitoring network security of an industrial control system, the method comprising: 
	selecting at least one first data source related to the industrial control system based on the network security requirement, the at least one first data source being for measuring whether the industrial control system meets the network security requirement; acquiring first data from the at least one first data source; acquiring second data from at least some of the at least one first data source; determining whether the second data includes features described by the behavior model; determining, upon determining that the second data includes the features described by the behavior model, that behavior of the industrial control system represented by the second data is normal behavior; and determining, upon determining that the second data does not include the features described by the behavior model, that the behavior of the industrial control system represented by the second data is abnormal behavior (Carpenter, Paragraph 0030 recites “The data collection module 121 scans these devices for known vulnerabilities (e.g., out-of-date WINDOWS patches) to collect vulnerability (and optional event, threat and consequence) data that is loaded into the security database 116. The data collection module 121 can monitor the devices essentially “continuously” (e.g., every few seconds for events with security implications (e.g., virus detection, WINDOWS authentication failures).” Carpenter is effectively teaching the selecting of different sources and determining whether there is a behavior issue.  While Carpenter does not explicitly recite a selecting step, Carpenter is teaching the monitoring of the devices connected to the network, which would implicitly teach more than a single data source.  Further, it is monitoring for known vulnerabilities, and therefore it has the ability to distinguish “normal” behavior from “abnormal” behavior.  As a result, Carpenter is effectively teaching the recited limitations.).
	Carpenter, however, fails to teach determining a network security requirement of the industrial control system based on a running environment on the industrial control system and
wherein the network security requirement is determined according to at least one of at least one running indicator of the industrial control system defined by a customer of the industrial control system, or at least one network security policy of the industrial control system defined by the customer of the industrial control system.
	However, in an analogous art Wilkinson teaches determining a network security requirement of the industrial control system based on a running environment on the industrial control system and wherein the network security requirement is determined according to at least one of at least one running indicator of the industrial control system defined by a customer of the industrial control system, or at least one network security policy of the industrial control system defined by the customer of the industrial control system (Wilkinson, Paragraph 0021 recites “Operation 200 may be employed to operate a computing system to facilitate controlling access to objects associated with an industrial automation environment. In some implementations, operation 200 may be performed by computing system 101, although operation 200 could be executed by any system or device having a machine authority associated with machine system 130. As shown in the operational flow of process 200, a policy set associated with an object type is created, wherein the policy set defines one or more actions that are allowed for at least one user group to perform with respect to the object type (201). The policy set is typically created by a security administrator or any other trusted individual within an organization that produces control programs, controller program code, machine system 130, human-machine interface (HMI) content, or any other object used in industrial automation. For example, the security administrator could be associated with an Original Equipment Manufacturer (OEM), solution provider, machine builder, system integrator, or some other entity that owns and/or generates control system content or other objects used in an industrial automation environment. 
In some examples, the administrator could comprise security personnel, a control engineer, a delegate of the manufacturer, or any other individual with sufficient security clearance to create and define policy sets for various object types.” Wilkinson teaches that an admin creates the policy, but it would be an obvious jump to see that this would be at the request of the customer.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Wilkinson’s custom security policies for multiple objects with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because being able to set a policy gives the system the flexibility to customize policies to the preferences of a user/customer.
	Carpenter further fails to teach counting time-varying features of the first data to serve as a behavior model for the industrial control system.
	However, in an analogous art Greenlee teaches counting time-varying features of the first data to serve as a behavior model for the industrial control system (Greenlee, Col. 3 Lines 15-28 recites “In particular, the time-varying behavior of flow vectors representative of the steady-state or "normal" operation of the feeder network is compared to that of the flow vectors generated in the presence of a leak within the network. A given flow vector will generally be defined by sets of values corresponding to readings from sensors placed throughout a particular conduit of the feeder network. In certain embodiments the flow vectors characterizing normal operation of the feeder network may be derived from a model of the network predicated upon mass and energy conservation. Alternatively, the flow vectors representative of normal network operation may simply be generated on the basis of historical sensor readings averaged over appropriate periods of time.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Greenlee’s system and method for leak detection based upon analysis of flow vectors with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because the use of time-varying features helps with modeling in order to establish a normal baseline.

	As per claim 2, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 1, Wilkinson further teaches wherein the network security requirement is further determined according to at least one of a normal running process of the industrial control system, configuration information of at least one constituent part of the industrial control system, or a network attack that the industrial control system may be subjected to (Wilkinson, Paragraph 0024 recites “An object of the object type is identified for security configuration (202). There would typically be multiple different objects of the same object type used in an industrial automation environment. For example, there may be several different industrial controllers similar to industrial controller 120 installed in industrial automation environment 100, and an administrator could select one of these controllers for security configuration. The object of the object type could be identified for security configuration in many ways. For example, the object could be identified by the administrator or some other user creating a controller project file, generating an HMI screen, or creating any other content. In at least one implementation, multiple objects of the object type could be selected or otherwise identified for security configuration simultaneously.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Wilkinson’s custom security policies for multiple objects with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because being able to set a policy gives the system the flexibility to customize policies to the preferences of a user/customer.

Regarding claims 10 and 18, claims 10 and 18 are directed to a system and a non-transitory readable medium associated with the method of claim 1. Claims 10 and 18 are of similar scope to claim 1, and are therefore rejected under similar rationale.


Claims 3, 9, 11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carpenter et al. (US 2016/0050225), Wilkinson et al. (US 2016/0350559) and Greenlee et al. (US 7,418,354) and in further view of Park et al. (US 10,530,749).

	As per claim 3, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 1, but fails to teach wherein the at least one first data source comprises at least one of: a log of at least one industrial host in the industrial control system, network traffic captured from at least one critical network position in the industrial control system, a security log of at least one security protective device in the industrial control system, or a network log of at least one network switching and routing device in the industrial control system.
	However, in an analogous art Park further teaches wherein the at least one first data source comprises at least one of: a log of at least one industrial host in the industrial control system, network traffic captured from at least one critical network position in the industrial control system, a security log of at least one security protective device in the industrial control system, or a network log of at least one network switching and routing device in the industrial control system (Park, Col. 6 Lines 19-25 recites “Specifically, protections can be embodied in a security device 100 that monitors network traffic within the OT network, such as that between an HMI 315, ICDs 320 (also referred to herein as control devices), and industrial equipment or devices 330 in ICS. The security device can detect and block undesirable control system commands leading to anomalous system behavior.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Park’s security system, device, and method for operational technology networks with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because it is essential to block a task when the determining task determines that the received control communication contains an undesirable control command.

	As per claim 9, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 1, but fails to teach wherein at least one of upon determining that behavior of the industrial control system represented by the second data is abnormal behavior, the method further comprises: determining whether the behavior of the industrial control system, represented by the second data, is a network attack; and positioning, upon the determining indicating that the behavior is the network attack, an attack source according to an object targeted by the behavior of the industrial control system represented by the second data.
	However, in an analogous art Park further teaches wherein at least one of upon determining that behavior of the industrial control system represented by the second data is abnormal behavior, the method further comprises: determining whether the behavior of the industrial control system, represented by the second data, is a network attack; and positioning, upon the determining indicating that the behavior is the network attack, an attack source according to an object targeted by the behavior of the industrial control system represented by the second data (Park, Col. 5 Lines 6-14 recites “A determining task determines whether the received control communication contains an undesirable control command. A passing task passes the received control communication to the ICD when the determining task does not determine that the received control communication contains an undesirable control command. A blocking task blocks the received communication to the ICD when the determining task determines that the received control communication contains an undesirable control command.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Park’s security system, device, and method for operational technology networks with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because it is essential to block a task when the determining task determines that the received control communication contains an undesirable control command.

Regarding claim 11, claim 11 is directed to a system associated with the method of claim 3. Claim 11 is of similar scope to claim 3, and is therefore rejected under similar rationale.

Regarding claim 17, claim 17 is directed to a system associated with the method of claim 9. Claim 17 is of similar scope to claim 9, and is therefore rejected under similar rationale.

Claims 4, 6, 12 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carpenter et al. (US 2016/0050225), Wilkinson et al. (US 2016/0350559) and Greenlee et al. (US 7,418,354) and in further view of Inbar et al. (US 10,489,711).

	As per claim 4, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 3, but fails to teach wherein the at least one first data source includes the log of the at least one industrial host in the industrial control system, and the acquiring of the first data from the at least one first data source includes: acquiring, for each industrial host among the at least one industrial host, at least one piece of data from a log of the industrial host to serve as the first data of the industrial host, the at least one piece of data including at least one of: hardware performance data during running of the industrial host; file input/output information during running of the industrial host; a processing flow for an industrial application program running on the industrial host; or resource in the industrial control system accessed by the industrial application program running on the industrial host.
	However, in an analogous art Inbar teaches wherein the at least one first data source includes the log of the at least one industrial host in the industrial control system, and the acquiring of the first data from the at least one first data source includes: acquiring, for each industrial host among the at least one industrial host, at least one piece of data from a log of the industrial host to serve as the first data of the industrial host, the at least one piece of data including at least one of: hardware performance data during running of the industrial host; file input/output information during running of the industrial host; a processing flow for an industrial application program running on the industrial host; or resource in the industrial control system accessed by the industrial application program running on the industrial host (Inbar, Col. 3 Lines 58-65 recites “Example embodiments of the present invention collect, analyze, store, and visualize key performance indicators as well as provide an aggregated health score of network components in a network infrastructure. Further, example embodiments of the present invention fit a behavioral model to both performance metrics and log data, learn the behavior of the system over time, and alert whenever the system is not behaving in a manner that is normal.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Inbar’s method and apparatus for predictive behavioral analytics for IT operations with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because looking at logs of performance is a holistic approach to understanding network behavior. 

	As per claim 6, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 3, but fails to teach wherein the at least one first data source comprises: the log of the at least one industrial host in the industrial control system, and the acquiring of the first data from the at least one first data source comprises: acquiring at least one piece of a data from the at least one industrial host to serve as the first data, the at least one piece of a data including at least one of: information for at least one of logging in and logging out of the industrial control system by a user via the at least one industrial host; a control command executed by the user on the at least one industrial host for the industrial control system; or data in the industrial control system accessed by the user via the at least one industrial host.
	However, in an analogous art Inbar teaches wherein the at least one first data source comprises: the log of the at least one industrial host in the industrial control system, and the acquiring of the first data from the at least one first data source comprises: acquiring at least one piece of a data from the at least one industrial host to serve as the first data, the at least one piece of a data including at least one of: information for at least one of logging in and logging out of the industrial control system by a user via the at least one industrial host; a control command executed by the user on the at least one industrial host for the industrial control system; or data in the industrial control system accessed by the user via the at least one industrial host (Inbar, Col. 3 Lines 58-65 recites “Example embodiments of the present invention collect, analyze, store, and visualize key performance indicators as well as provide an aggregated health score of network components in a network infrastructure. Further, example embodiments of the present invention fit a behavioral model to both performance metrics and log data, learn the behavior of the system over time, and alert whenever the system is not behaving in a manner that is normal.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Inbar’s method and apparatus for predictive behavioral analytics for IT operations with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because looking at logs of performance is a holistic approach to understanding network behavior. 

Regarding claim 12, claim 12 is directed to a system associated with the method of claim 4. Claim 12 is of similar scope to claim 4, and is therefore rejected under similar rationale.

Regarding claim 14, claim 14 is directed to a system associated with the method of claim 6. Claim 14 is of similar scope to claim 6, and is therefore rejected under similar rationale.

Claims 5 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carpenter et al. (US 2016/0050225), Wilkinson et al. (US 2016/0350559) and Greenlee et al. (US 7,418,354) and in further view of Liu et al. (US 2015/0350232).

	As per claim 5, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 3, but fails to teach wherein the at least one first data source includes: the network traffic captured from the at least one critical network position in the industrial control system, and the acquiring of the first data from the at least one first data source includes determining, for each critical network position among the at least one critical network position, at least one piece of data of the network traffic to serve as the first data of the critical network position, the at least one piece of data including at least one of: a source address of a data packet in the network traffic; a destination address of the data packet in the network traffic; a function code of an industrial control communication protocol used by the network traffic; or application layer data in the network traffic.
	However, in an analogous art Liu teaches wherein the at least one first data source includes: the network traffic captured from the at least one critical network position in the industrial control system, and the acquiring of the first data from the at least one first data source includes determining, for each critical network position among the at least one critical network position, at least one piece of data of the network traffic to serve as the first data of the critical network position, the at least one piece of data including at least one of: a source address of a data packet in the network traffic; a destination address of the data packet in the network traffic; a function code of an industrial control communication protocol used by the network traffic; or application layer data in the network traffic (Liu, Paragraph 0040 recites “An introduction is made by taking HTTP access as the network behavior. Specifically, among the above steps, the application layer data of the HTTP access behavior are acquired in step S102. In step S104, it is judged that protocols included by the HTTP access behavior are all known protocols according to the format of the HTTP protocol. Then in step S106, the HTTP access behavior is identified as a network behavior of a recognizable program. 
Then in step S110, feature information in the application layer data of the HTTP access behavior is acquired, such as Host field, Url field, IP address field and etc., and whether the above feature information belongs to feature information in a network behavior of a malicious program is judged according to the blacklist and whitelist in the blacklist and whitelist library, if it belongs to the feature information in the network behavior of the malicious program, the network behavior belongs to the network behavior of the malicious program, and the flow proceeds to step S112; if it does not belong to the feature information in the network behavior of the malicious program, the network behavior belongs to the normal network behavior, and the flow proceeds to step S114.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Liu’s method, device and system for recognizing network behavior of a program with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because identifying a source address would be helpful to establish which addresses can be trusted.

Regarding claim 13, claim 13 is directed to a system associated with the method of claim 5. Claim 13 is of similar scope to claim 5, and is therefore rejected under similar rationale.


Claims 7, 8, 15, 16 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carpenter et al. (US 2016/0050225), Wilkinson et al. (US 2016/0350559) and Greenlee et al. (US 7,418,354) and in further view of Justin et al. (US 2014/0277612).

	As per claim 7, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 1, but fails to teach wherein, after determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the method further comprises: determining a level of an alarm corresponding to the behavior of the industrial control system represented by the second data; and either triggering alarm reporting, upon the level being higher than a preset lowest alarm priority level among a plurality of alarm levels, or skipping the triggering of the alarm reporting, upon the level not being higher than the lowest alarm priority level among the plurality of alarm levels.
	However, in an analogous art Justin teaches wherein, after determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the method further comprises: determining a level of an alarm corresponding to the behavior of the industrial control system represented by the second data; and either triggering alarm reporting, upon the level being higher than a preset lowest alarm priority level among a plurality of alarm levels, or skipping the triggering of the alarm reporting, upon the level not being higher than the lowest alarm priority level among the plurality of alarm levels (Justin, Paragraph 0032 recites “Upon the detection of certain alarm types in the checklist, the startup management logic 56 may disable a startup of the industrial automation system 10 until the checklist has been completed (block 106). In some embodiments, the suppression logic 58 enabling skipping lower priority alarms when completing the checklist or omit lower priority alarms from the checklist (block 108). In some embodiments, the controller 38 may simply omit storing low priority alarms when storing alarms in the checklist. Additionally, in some embodiments, the suppression logic 58 may enable skipping of higher priority alarms with increased authorization levels. In certain embodiments, skipping alarms may be performed during an attempted startup of the turbine system or another suitable time whether the industrial automation system 10 is online or offline. In some embodiments, no alarms may be suppressed during a startup and may only be removed when maintenance is performed.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Justin’s automatic generation of a dynamic pre-start checklist with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because the use of priority alarms helps a user customize which alarms and alerts are more important to a system.

	As per claim 8, Carpenter in combination with Greenlee and Justin teaches the method of claim 7, Justin further teaches the plurality of alarm levels, in descending order of priority, sequentially comprise at least two of: a first level, wherein alarms at the first level includes alarms related to an industrial controller in the industrial control system; a second level, wherein alarms at the second level includes alarms in an industrial control network in the industrial control system; a third level, wherein alarms at the third level includes alarms related to an industrial host in the industrial control system; a fourth level, wherein alarms at the fourth level includes alarms related to at least one of a back-end firewall, server and application in a demilitarized zone, and wherein the demilitarized zone is usable for separating the industrial control system from an enterprise network of the industrial control system; or a fifth level, wherein alarms at the fifth level includes alarms related to a front-end firewall in the demilitarized zone (Justin, Paragraph 0032 recites “Upon the detection of certain alarm types in the checklist, the startup management logic 56 may disable a startup of the industrial automation system 10 until the checklist has been completed (block 106). In some embodiments, the suppression logic 58 enabling skipping lower priority alarms when completing the checklist or omit lower priority alarms from the checklist (block 108). In some embodiments, the controller 38 may simply omit storing low priority alarms when storing alarms in the checklist. Additionally, in some embodiments, the suppression logic 58 may enable skipping of higher priority alarms with increased authorization levels. In certain embodiments, skipping alarms may be performed during an attempted startup of the turbine system or another suitable time whether the industrial automation system 10 is online or offline. 
In some embodiments, no alarms may be suppressed during a startup and may only be removed when maintenance is performed.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Justin’s automatic generation of a dynamic pre-start checklist with Carpenter’s analyzing of cyber-security risks in an industrial control environment, because the use of priority alarms helps a user customize which alarms and alerts are more important to a system.

Regarding claims 15 and 19, claims 15 and 19 are directed to a system and a non-transitory readable medium associated with the method of claim 7. Claims 15 and 19 are of similar scope to claim 7, and are therefore rejected under similar rationale.

Regarding claim 16, claim 16 is directed to a system associated with the method of claim 8. Claim 16 is of similar scope to claim 8, and is therefore rejected under similar rationale.

Claims 20-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Carpenter et al. (US 2016/0050225), Wilkinson et al. (US 2016/0350559) and Greenlee et al. (US 7,418,354) and in further view of Hutchinson et al. (US 2007/0050777).

	As per claim 20, Carpenter in combination with Wilkinson and Greenlee teaches the non-transitory machine-readable medium of claim 18, but fails to teach wherein, after determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the method comprises: determining whether the behavior of the industrial control system, represented by the second data, is a network attack, and upon determining that the behavior of the industrial control system is the network attack, positioning an attack source according to an object targeted by the behavior of the industrial control system that is represented by the second data; or determining, a network attack phase of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threats to the industrial control system.
	However, in an analogous art Hutchinson teaches wherein, after determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the method comprises: determining whether the behavior of the industrial control system, represented by the second data, is a network attack, and upon determining that the behavior of the industrial control system is the network attack, positioning an attack source according to an object targeted by the behavior of the industrial control system that is represented by the second data; or determining, a network attack phase of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threats to the industrial control system (Hutchinson, Paragraph 0128 recites “In one embodiment, the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs. Each of the firewall settings included in 220 may correspond to one of three different threat levels. In the event that a low threat level is detected for example the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur. In the event that a medium threat level is determined, a second different set of firewall settings may be selected from 220. These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12. If a high threat level is determined by the threat thermostat controller 218, all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14. In effect, with a high threat level a determination, for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Hutchinson’s Duration of alerts and scanning of large data stores with Carpenter’s analyzing cyber-security risks in an industrial control environment because the use of threat levels is useful in determining which threats need to be addressed first.

	As per claim 21, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 1, but fails to teach wherein after determining that the behavior of the industrial control system that is represented by the second data is abnormal behavior, the method further comprises: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system.
	However, in an analogous art Hutchinson teaches wherein after determining that the behavior of the industrial control system that is represented by the second data is abnormal behavior, the method further comprises: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system (Hutchinson, Paragraph 0128 recites “In one embodiment, the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs. Each of the firewall settings included in 220 may correspond to one of three different threat levels. In the event that a low threat level is detected for example the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur. In the event that a medium threat level is determined, a second different set of firewall settings may be selected from 220. These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12. If a high threat level is determined by the threat thermostat controller 218, all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14. In effect, with a high threat level a determination, for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Hutchinson’s Duration of alerts and scanning of large data stores with Carpenter’s analyzing cyber-security risks in an industrial control environment because the use of threat levels is useful in determining which threats need to be addressed first.

	As per claim 22, Carpenter in combination with Wilkinson and Greenlee teaches the method of claim 9, but fails to teach wherein after determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the method comprises: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system.
	However, in an analogous art Hutchinson teaches wherein after determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the method comprises: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system (Hutchinson, Paragraph 0128 recites “In one embodiment, the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs. Each of the firewall settings included in 220 may correspond to one of three different threat levels. In the event that a low threat level is detected for example the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur. In the event that a medium threat level is determined, a second different set of firewall settings may be selected from 220. These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12. If a high threat level is determined by the threat thermostat controller 218, all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14. In effect, with a high threat level a determination, for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Hutchinson’s Duration of alerts and scanning of large data stores with Carpenter’s analyzing cyber-security risks in an industrial control environment because the use of threat levels is useful in determining which threats need to be addressed first.

	As per claim 23, Carpenter in combination with Wilkinson and Greenlee teaches the system of claim 10, but fails to teach wherein upon determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the at least one processor is configured to execute the machine-readable instructions to perform at least: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system.
	However, in an analogous art Hutchinson teaches wherein upon determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the at least one processor is configured to execute the machine-readable instructions to perform at least: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system (Hutchinson, Paragraph 0128 recites “In one embodiment, the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs. Each of the firewall settings included in 220 may correspond to one of three different threat levels. In the event that a low threat level is detected for example the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur. In the event that a medium threat level is determined, a second different set of firewall settings may be selected from 220. These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12. If a high threat level is determined by the threat thermostat controller 218, all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14. In effect, with a high threat level a determination, for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Hutchinson’s Duration of alerts and scanning of large data stores with Carpenter’s analyzing cyber-security risks in an industrial control environment because the use of threat levels is useful in determining which threats need to be addressed first.

	As per claim 24, Carpenter in combination with Wilkinson and Greenlee teaches the system of claim 17, but fails to teach wherein upon determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the at least one processor is configured to execute the machine-readable instructions to perform at least: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system.
	However, in an analogous art Hutchinson teaches wherein upon determining that the behavior of the industrial control system represented by the second data is abnormal behavior, the at least one processor is configured to execute the machine-readable instructions to perform at least: determining whether the behavior of the industrial control system represented by the second data is a network attack; and determining, upon determining that the behavior is the network attack, a network attack phase of the behavior of the industrial control system represented by the second data, wherein different network attack phases pose different levels of threat to the industrial control system (Hutchinson, Paragraph 0128 recites “In one embodiment, the threat thermostat controller 218 may use one of three different firewall settings from 220 in accordance with one or more inputs. Each of the firewall settings included in 220 may correspond to one of three different threat levels. In the event that a low threat level is detected for example the firewall rule settings corresponding to this condition may allow all traffic between the corporate network 12 and the industrial network 14 as well as other connections into the industrial network 14 to occur. In the event that a medium threat level is determined, a second different set of firewall settings may be selected from 220. These firewall settings may allow, for example, access to the industrial network 14 from one or more particular designated users or systems only within the corporate network 12. If a high threat level is determined by the threat thermostat controller 218, all traffic between the corporate network 12 and industrial network 14 may be denied as well as any other type of connection external into the industrial network 14. In effect, with a high threat level a determination, for example, an embodiment may completely isolate the industrial network 14 from any type of outside computer connection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Hutchinson’s Duration of alerts and scanning of large data stores with Carpenter’s analyzing cyber-security risks in an industrial control environment because the use of threat levels is useful in determining which threats need to be addressed first.
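The threat-thermostat behaviour quoted from Hutchinson in the rejections of claims 20 through 24 above (three threat levels, each selecting its own firewall rule set, with the level driven by inputs such as a detected attack phase), as an added illustration that is not code from Hutchinson, Carpenter or the application under examination: the zone names, principal identifiers and attack-phase labels are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ThreatLevel(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Connection:
    src_zone: str    # "corporate" or "external" (constructed zone labels)
    dst_zone: str    # "industrial" is the protected zone
    principal: str   # user or system identity behind the connection


@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]          # None matches any source zone
    principals: Optional[frozenset]  # None matches any principal
    action: str                      # "allow" or "deny"

    def matches(self, conn: Connection) -> bool:
        return ((self.src_zone is None or self.src_zone == conn.src_zone)
                and (self.principals is None or conn.principal in self.principals))


# Constructed allow-list of designated corporate principals for the medium level.
DESIGNATED = frozenset({"ot-engineer-01", "historian-gw"})

# One rule set per threat level; first matching rule wins, no match means deny.
RULESETS = {
    ThreatLevel.LOW: [Rule(None, None, "allow")],
    ThreatLevel.MEDIUM: [Rule("corporate", DESIGNATED, "allow"), Rule(None, None, "deny")],
    ThreatLevel.HIGH: [Rule(None, None, "deny")],
}

# Constructed mapping from attack-phase labels to threat levels (hypothetical labels).
PHASE_TO_LEVEL = {"reconnaissance": ThreatLevel.MEDIUM, "intrusion": ThreatLevel.HIGH}


def thermostat_level(phases) -> ThreatLevel:
    """Set the thermostat to the highest level implied by any detected phase."""
    levels = [PHASE_TO_LEVEL.get(p, ThreatLevel.LOW) for p in phases]
    return max(levels, default=ThreatLevel.LOW, key=lambda lvl: lvl.value)


def firewall_allows(level: ThreatLevel, conn: Connection) -> bool:
    """Evaluate a connection into the industrial zone under the selected rule set."""
    if conn.dst_zone != "industrial":
        return True   # only traffic into the industrial zone is governed here (assumption)
    for rule in RULESETS[level]:
        if rule.matches(conn):
            return rule.action == "allow"
    return False      # default deny when no rule matches
```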

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439