DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action is responding to the amendment dated on 04/20/2022.
Claims 1 and 19 have been amended and all other claims are previously presented.
Claim 20 has been added.
Claims 1-20 are submitted for examination.
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments
Applicant’s amendment filed on April 20, 2022 amends claims 1 and 19, adds claim 20, and leaves all other claims as previously presented.
Applicant’s remark, filed on April 20, 2022 at page 5, indicates, “Claim 7 has been objected to because Claim 7 recites "... wherein the authenticity indication is forwarded by the industrial control device to the external control system to confirm that the industrial control device has access to the authentication device." The Examiner stated that the claim should recite: "... wherein the authenticity indication is forwarded by the industrial control device to the external control system to confirm that the industrial control device has access to an authentication device." Applicants amended Claim 1 as will be introduced in further sections of this response, resolving this issue without amending Claim 7.”
Applicant’s argument has been considered and is found persuasive. Therefore, the objection to Claim 7 is withdrawn.
Applicant’s remark, filed on April 20, 2022 at page 5, indicates, “In the Office Action, the Examiner asserted that this application includes one or more claim limitations that do not use the word "means," but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. The Examiner stated that such claim limitation(s) is/are: key storing module and connection module in claim 19. The Examiner pointed to paragraphs [0053] and [0045] when referring to the key storing module, and to paragraphs [0072] and [0056] when referring to the connection module. Applicants amended Claim 19 according to these paragraphs.”
Applicant’s argument has been considered and is found persuasive. Therefore, the interpretation of Claim 19 under 35 U.S.C. 112(f) is withdrawn.
Applicant’s remark, filed on April 20, 2022 at pages 6-8, indicates, “Applicants respectfully disagree with the rejection of Claim 1. In the Office Action, the Examiner asserted that Claim 1 is taught by a combination of Markovic and Hummel. In particular, the Examiner stated that although Markovic does not teach "an authentication key coupled to a matching key of an external control system" but Hummel teaches this claim limitation and cited column 10 lines 58-63. … Applicants contend that the Examiner failed to indicate and identify where is the claimed "external control system" which is claimed along Claim 1 in the following claim limitation "calculating, by a processor, an authenticity indication of communication between an industrial control device and the external control system using the authentication key;" Applicants contend that picking up the feature of checking a private key against a public key of Hummel and detaching it from its context and purpose, is improper. The Examiner cannot just "stitch together an obviousness finding from discrete portions of prior art references without considering the references as a whole." In re Enhanced Security Research, LLC, 739 F.3d 1347, 1355 (Fed. Cir. 2014). The Examiner cannot take a statement in the reference out of context and give it a meaning it would not have had to a person skilled in the art. Nor can the Examiner take a single aspect of a reference out of context and use it with hindsight to find obviousness. A prior art reference must be read as a whole; the entire disclosure of the reference must be considered, including its teachings away from the claimed invention. See, MPEP §2145. … Thus, it is respectfully submitted that Claim 1 is new and non-obvious in view of Markovic and Hummel and should be allowed.”
Applicant’s arguments, filed April 20, 2022, have been fully considered but are not persuasive, for the following reasons:
The reference by Markovic clearly teaches a method for secured or authenticated communication through an input/output module that includes a plurality of communication channels, where each channel is configured to connect to one or more field devices, as shown in Figure 2. In addition, Parag. [0077-0078] discloses an authenticator device connected physically to an industrial element using the I/O module or ports in order to prevent unauthorized action requests from valid user profiles, which further secures the system from unauthorized action requests coming from invalid (e.g., hacked) profiles. Finally, Markovic discloses that the action authenticator includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt (i.e. encode) the action request generated by the action originator 302 with the private key. The private key is stored in a memory that cannot be accessed via standard operator login. Examiner submits that the limitation “the external control system is connected to said industrial control device through a communication network, wherein said connection between said authentication device and said industrial control device is conducted through an input and output (I/O) port of the industrial control device, disconnected from said communication network” is described in Parag. [0054], [0077-0078] and in Fig. 2 and 10 as: “One or more of the communications/control modules 214 may include a network interface 228 for connecting the industrial control system 200 to a controller 226 via a network 230.” and “As shown in FIGS. 10 and 11, the I/O module 100 or any other industrial element/controller 306 (e.g., communications/control module 214, field devices 217, physical interconnect devices, switches, power modules 232, etc.) can be at least partially operated according to requests/commands from an action originator 302. … In the authentication path 300 illustrated in FIGS. 10 and 11, the industrial element/controller 306 (e.g., the I/O module 100) processes an action request (e.g., request for data, control command, firmware/software update, set point control, application image download, or the like) only when the action request has been signed and/or encrypted by an action authenticator 304.” …; “The action authenticator 304 can either be on-site with the action originator 302 (e.g., directly connected device lifecycle management system (“DLM") 322 or secured workstation 326) or remotely located (e.g., DLM 322 connected via the network 318).”
The reference by Hummel discloses a method to protect data for industrial devices. Examiner respectfully disagrees with the Applicant. The teaching of Hummel is applicable to the field of industrial devices, and the described components perform functions similar to those claimed in the instant application. The safekeeping device carries out the method proposed by Hummel and is analogous to the external control device, and the delivering device, which stores a private cryptographic key (i.e. authentication key), is analogous to the authentication device. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Markovic to have the matching private key stored in the external control device of Hummel. Such modification is made without deviating from the concept of the presented teaching, since it is a simple substitution of one known element for another to obtain predictable results under the KSR rationale.
Finally, Examiner respectfully disagrees that the applied references do not teach the newly added limitations. See Markovic, Parag. [0054], [0077-0078] and Fig. 2 and 10.
The combination of Markovic in view of Hummel would render the claimed limitations of the amended independent claim 1 obvious. See rejection below.
Applicant’s remark, filed on April 20, 2022 at page 9, indicates, “Applicants respectfully disagree with the rejection of Claim 19. In the Office Action, the Examiner asserted that Claim 19 is an apparatus claim that recites similar limitations as Claim 1. Therefore, as the Examiner stated, it is rejected using the same rationale applied to Claim 1. Applicants contend that the arguments provided above against the rejection of Claim 1, apply, mutatis mutandis, against the rejection of Claim 19. Also, Applicants amended Claim 19 in substantially similar manner as Claim 1, and therefore respectfully submit that Claim 19, at least in its amended form, is new and non- obvious in view of Markovic and Hummel and should be allowed as well.”
Amended independent claim 19 has been considered and is addressed based on the same rationale presented for amended independent claim 1. Please refer to the detailed rejection of the claim below.
Applicant’s remark, filed on April 20, 2022 at page 9, indicates, “Applicants respectfully disagree with the rejection of Claim 2. In the Office Action, the Examiner asserted that paragraph [0050] of Markovic allegedly teaches "wherein the connection module is physically and electronically connected to the I/O port". The Examiner recited the paragraph stating that "Each I/O module 100 can include one or more ports 222 furnishing a physical connection to hardware and circuitry included with the I/O module 100, such as a Printed Circuit Board (PCB) 224, and so forth." Applicants contend that this interpretation is improper, as Markovic actually teaches ports of the I/O module but this is different from the feature claimed in Claim 2 - the connection module is physically and electronically connected to the I/O port where the I/O port is of the industrial control device, as defined in Claim 1, which is not taught this way in the recited paragraph which refers to the I/O module, not to an industrial control device. Thus, Applicants respectfully submit that Markovic does not teach the above claim limitation of Claim 2.”
Applicant’s arguments, filed April 20, 2022, have been fully considered but are not persuasive, for the following reasons:
As shown in Fig. 10, the authenticator is physically connected to the industrial element/controller (i.e. industrial control system). Markovic teaches that every device in the system is capable of being connected through an I/O module or a communication channel. In addition to Parag. [0050], Markovic teaches in Parag. [0039], “the industrial control system 200 uses a communications control architecture to implement a distributed control system that includes one or more industrial elements (e.g., input/output modules, power modules, field devices, switches, workstations, and/or physical interconnect devices) that are controlled or driven by one or more control elements or subsystems distributed throughout the system. For example, one or more I/O modules 100 may be connected to one or more communications/control modules 214.” Thus, Examiner submits that one of the possible ways the authenticator could reach or be in communication with the industrial control device is through a communication module and/or an I/O port module of the industrial control device.
Regarding dependent claims 3-18 please refer to the aforementioned response, which addresses how the combination of prior-art references by Markovic and Hummel would render the claimed limitations obvious along with Bowness, Shulz and Juels.
Regarding dependent claim 20, a new prior-art reference by Simonsen et al. (US 2020/0193000) has been added to the combination of Markovic and Hummel. Simonsen discloses an industrial device configured to implement file authentication. The industrial device has an analog port capable of, or configured to, process analog signals received from or transmitted to other devices. See rejection below.

Claim Objections
Claim 1 is objected to because of the following informalities: Amended claim 1 recites “storing, by a key storing module of an authentication device connected in a non-intrusive integration to an industrial control device, an authentication key coupled to a matching key of an external control system, the external control system is connected to said industrial control device through a communication network …”. The terms “an industrial control device” and “an external control system” are objected to for lacking proper antecedent basis, since both elements are already introduced in the preamble. The amended claim should recite “storing, by a key storing module of an authentication device connected in a non-intrusive integration to the industrial control device, an authentication key coupled to a matching key of the external control system, the external control system is connected to said industrial control device through a communication network …”. Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 20 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The Applicant’s remarks indicate at page 5 that the new claimed limitation “… wherein said I/O port is an analog port and wherein the authenticity indication is encoded into an analog signal” has support on page 10 lines 14-23 and on page 12 lines 2-6. The specification, at best, discloses, according to page 10 lines 14-23, “I/O port 111 may be a discrete port or an analog port. These ports read and write discrete or analog electrical signals, and are otherwise used to connect industrial control device 110 to sensors and actuators. Discrete signals behave as binary switches with only two states, yielding an On or Off signal (1 or 0, True or False, respectively), and are sent using either voltage or current, where a specific range is designated as On and another as Off. Analog signals have a range of values between zero and full-scale, and may be interpreted as integer values (counts) by industrial control device 110, with various ranges of accuracy. An analog I/O port may use voltage or current with a magnitude proportional to the value of the signal. I/O port 111 may read and/or write multiple discrete levels by using digital-to-analog and/or analog-to-digital converter.”, and page 12 lines 2-6, “When I/O port 111 is an analog port, the message may be sent by using any kind of communication methods, for example, by encoding several bits in a single reading of the analog port. For example, when I/O port 111 is an analog port that may reliably display 256 different values, and the analog-to-digital may reliably read them, 8 bits may be encoded in each port value.” That is, Examiner submits that the cited support, in the context presented in the specification, only describes an analog port capable of receiving or transmitting analog signals, such as electrical signals or an encoded message, but not the limitation “… authenticity indication is encoded into an analog signal” presented in new claim 20. For examination purposes, the limitation of claim 20 will be treated as “a message or signal encoded or encrypted into an analog signal”.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The term “connected in a non-intrusive integration” in claim 1 is a relative term which renders the claim indefinite. The term “connected in a non-intrusive integration” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. The term does not clearly point out how this non-intrusive integration is achieved; for example, whether the device is plug-and-play or the like. Appropriate correction is required.
Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The term “disconnected from said communication network” in claim 1 renders the claim indefinite. The claim does not clearly point out which device(s) are disconnected from the said network. Appropriate correction is required.
 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-11 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Markovic et al. (US 2018/0046592) hereinafter Markovic in view of Hummel et al. (US 11,126,750) hereinafter Hummel.
As per Claim 1, A method for authenticating communication between an industrial control device and an external control system (Markovic, Parag. [0028]; “Switch fabric 104 within the I/O module can be configured to selectively facilitate connectivity (e. g., transfer of information/data) between an external control module (e.g., communications/control module 214) and the one or more field devices 217 via the plurality of communication channels 102.” … Parag. [0063]; “In some embodiments, communications between the control elements/subsystems and/or industrial elements including the sensors and/or actuators and so forth, of the industrial control system 200 includes an authentication process.”), comprising: 
storing, by a key storing module of an authentication device connected in a non-intrusive integration to an industrial control device, an authentication key (Markovic, Parag. [0078]; “the action authenticator 304 includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by the action originator 302 with the private key. The private key is stored in a memory that cannot be accessed via standard operator login.” See Figure 10, which shows the authenticator device connected directly to the industrial control system.) [coupled to a matching key of an external control system], the external control system is connected to said industrial control device through a communication network (Markovic, Parag. [0054]; “One or more of the communications/control modules 214 may include a network interface 228 for connecting the industrial control system 200 to a controller 226 via a network 230.” See Fig. 2), wherein said connection between said authentication device and said industrial control device is conducted through an input and output (I/O) port of the industrial control device, disconnected from said communication network (Markovic, Parag. [0077]; “As shown in FIGS. 10 and 11, the I/O module 100 or any other industrial element/controller 306 (e.g., communications/control module 214, field devices 217, physical interconnect devices, switches, power modules 232, etc.) can be at least partially operated according to requests/commands from an action originator 302. … In the authentication path 300 illustrated in FIGS. 10 and 11, the industrial element/controller 306 (e.g., the I/O module 100) processes an action request (e.g., request for data, control command, firmware/software update, set point control, application image download, or the like) only when the action request has been signed and/or encrypted by an action authenticator 304.” … Parag. [0078]; “The action authenticator 304 can either be on-site with the action originator 302 (e.g., directly connected device lifecycle management system (“DLM") 322 or secured workstation 326) or remotely located (e.g., DLM 322 connected via the network 318).” See Figure 10, which shows the authenticator device connected directly to the industrial control system, and thus not connected to the same network as the industrial device and the external controller.); 
calculating, by a processor of said authentication device, an authenticity indication of communication between the industrial control device and the external control system using the authentication key (Markovic, Parag. [0078]; “the action authenticator 304 includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by the action originator 302 with the private key.” … Parag. [0081]; “The I/O module 100 or any other industrial element/controller 306 being driven by the action originator 302 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.”); and 
providing, by a connection module of said authentication device, the authenticity indication to the industrial control device via said input and output (I/O) port of the industrial control device (Markovic, Parag. [0085]; “the action authenticator 304 can initiate the handshake, in which case the authentication sequence implemented by the I/O module 100 or any other industrial element/controller 306 can include: receiving a request datagram from the action authenticator 304, the request datagram including a first nonce, a first device authentication key certificate, and a first identity attribute certificate.” … Parag. [0033]; “The I/O module 100 further includes one or more connection ports (e. g., I-core connection ports) that facilitate interconnectivity with at least one communications/control module 214 via a communications backplane (e. g., switch fabric 202). In some embodiments, the I/O module 100 includes at least one serial communications port 114 and at least one parallel communications port 116.” Examiner submits that Fig. 11 shows the I/O module, which includes one or more connection ports, is part of the industrial element/controller 306 and the authenticator device sends the authenticity indication in communication to the industrial element/controller through an available I/O connection port.).
However, Markovic does not expressly teach:
an authentication key coupled to a matching key of an external control system;
But, Hummel teaches:
an authentication key coupled to a matching key of an external control system (Hummel, Col. 10, lines 58-63; “The safekeeping device 6 (i.e. external control device) comprises a logic unit 64 that checks, for data records 10 obtained from the delivering device 5 (i.e. authentication/control device), using a public key 51' corresponding to the private key 51 of the delivering device 5, whether they carry a correct signature 15. If this is the case, the data records 10 are stored in the reversible memory 3.”).
Markovic and Hummel are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for a method of authenticating communication between an industrial control device and an external control system.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hummel’s system into Markovic’s system, with a motivation to provide a method of authentication using a key (Hummel, Col. 1, lines 15-18).

As per claim 2, the combination of Markovic and Hummel teaches the method of claim 1. Markovic further teaches wherein the connection module is physically and electronically connected to the I/O port (Markovic, Parag. [0050]; “Each I/O module 100 can include one or more ports 222 furnishing a physical connection to hardware and circuitry included with the I/O module 100, such as a Printed Circuit Board (PCB) 224, and so forth.”).

As per claim 5, the combination of Markovic and Hummel teaches the method of claim 1. Hummel teaches wherein the authentication key is a private key that is coupled to a matching public key that is stored in a memory of the external control system (Hummel, Col. 10, lines 58-63; “The safekeeping device 6 (i.e. external control device) comprises a logic unit 64 that checks, for data records 10 obtained from the delivering device 5 (i.e. control device), using a public key 51' corresponding to the private key 51 of the delivering device 5, whether they carry a correct signature 15. If this is the case, the data records 10 are stored in the reversible memory 3.”).

As per claim 6, the combination of Markovic and Hummel teaches the method of claim 1. Hummel teaches wherein the authentication key is a public key that is coupled to a matching private key that is stored in a memory of the external control system (Hummel, Col. 10, lines 58-63; “The safekeeping device 6 (i.e. external control device) comprises a logic unit 64 that checks, for data records 10 obtained from the delivering device 5 (i.e. control device), using a public key 51' corresponding to the private key 51 of the delivering device 5, whether they carry a correct signature 15. If this is the case, the data records 10 are stored in the reversible memory 3.” Examiner submits that in an asymmetric encryption scheme, the public and private keys form a matching key pair).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Hummel to have the matching private key stored in the external control device of Hummel. Such modification is made without deviating from the concept of the presented teaching, since it is a simple substitution of one known element for another to obtain predictable results under the KSR rationale.

As per claim 7, the combination of Markovic and Hummel teaches the method of claim 1. Markovic teaches for authenticating an industrial control device to an external control system, further comprising, before the calculating:
receiving a request signal comprising a request message received by the industrial control device from the external control system (Markovic; Parag. [0089]; “To initiate the authentication sequence, the first I/O module 100A (i.e. external control system) is configured to transmit a request datagram 502 to the second I/O module 100B (i.e. control device). In implementations, the request datagram 502 includes a first plain text nonce (NonceA), a first device authentication key certificate (CertDAKA) containing a first device authentication key (DAKA), and a first identity attribute certificate (IACA).”).
In addition, Hummel teaches:
wherein the authenticity indication is forwarded by the industrial control device to the external control system to confirm that the industrial control device has access to the authentication device (Hummel, Col. 10, lines 31-42; “The sensors 54 and 57 deliver payload data 12 to the logic 58 of the delivering device 5. In the logic unit 58, the payload data 12 is combined with predecessor hash values 53, 53' obtained over the first interface 53 and the bidirectional communications link 56 from the safekeeping device 6, and current hash values 11 are formed. The current hash values 11, which are not shown again in FIG. 2, are combined into data records 10 together with the payload data 12, the predecessor hash values 13', 13, and the signature 15 that is also not shown again in FIG. 2. The data records 10 are sent to the safekeeping device over the first interface 53 and the bidirectional communications link 56.”).

As per claim 8, the combination of Markovic and Hummel teaches the method of claim 7. Markovic teaches wherein the request signal is received from the industrial control device via the I/O port (Markovic, Parag. [0091]; “Responsive to a valid request datagram 502, the second I/O module 100B (i.e. control device) is configured to transmit a response datagram 504 to the first I/O module 100A (i.e. external control system).”).

As per claim 9, the combination of Markovic and Hummel teaches the method of claim 7. Markovic teaches wherein the request signal is received directly from the external control system (Markovic, Parag. [0081], “The I/O module 100 or any other industrial element/controller 306 being driven by the action originator 302 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.”).

As per claim 10, the combination of Markovic and Hummel teaches the method of claim 7. Markovic teaches wherein the request message includes a random sequence and the calculating includes signing the random sequence using a private key (Markovic, Parag. [0091]; “Responsive to a valid request datagram 502, the second I/O module 100B is configured to transmit a response datagram 504 to the first I/O module 100A. In implementations, the response datagram 504 includes a second plain text nonce (NonceB), a first signature associated with the first and second nonces (SigB[NonceA||NonceB]), a second device authentication key certificate (CertDAKB) containing a second device authentication key (DAKB), and a second identity attribute certificate (IACB). In some embodiments, the second I/O module 100B is configured to generate the second nonce (NonceB) with a TRNG, concatenate or otherwise combine the first nonce (NonceA) and the second nonce (NonceB), and sign the concatenated/combined nonces with a private key (e.g., DAK) that is locally stored by the second I/O module 100B.”).

As per claim 11, the combination of Markovic and Hummel teaches the method of claim 7. Markovic teaches wherein the request message includes a sequence encrypted using a public key (Markovic, Parag. [0090]; “The second I/O module 100B is configured to validate the request datagram by verifying the first device authentication key certificate (CertDAKA) and the first identity attribute certificate (IACA) with public keys that are generated by a device lifecycle management system (DLM) or derived utilizing crypto library functions. In this regard, the public keys may be stored in SRAM or another local memory of the I/O module 100 and used with crypto library functions to verify or cryptographically sign exchanged data, such as the nonces exchanged between the I/O modules 100.”), and
In addition, Hummel teaches:
the calculating includes decrypting the sequence using a matching private key (Hummel, Col. 10, lines 58-63; “The safekeeping device 6 comprises a logic unit 64 that checks, for data records 10 obtained from the delivering device 5, using a public key 51' corresponding to the private key 51 of the delivering device 5, whether they carry a correct signature 15. If this is the case, the data records 10 are stored in the reversible memory 3.” Examiner submits that in an asymmetric encryption scheme, when a public key is used to encrypt the data, nonce, etc. (random sequence), a matching key (i.e., private key) will be used for decrypting the data.).

As per Claim 16, the combination of Markovic and Hummel teaches the method of claim 1. Markovic teaches wherein the connection module is transmitting electromagnetic signals that are received by the input and output (I/O) port, and receives electromagnetic signals transmitted by the input and output (I/O) port (Markovic, Parag. [0034]; “In embodiments, one or more ports (e.g., serial communication port 114, parallel communication port 116, power backplane input 112, and/or input jack 118) of the I/O module comprise or are coupled with electromagnetic connectors 207 of connector assemblies 208.” … Parag. [0035]; “Each electromagnetic connector 207 is configured to mate with another electromagnetic connector 207 of a connector assembly 208 for transmitting power and/or communications signals between components that are connected via the electromagnetic connectors 207.”).

As per claim 17, the combination of Markovic and Hummel teaches the method of claim 16. Markovic teaches wherein at least one of the connection module and the input and output (I/O) port is transmitting electromagnetic signals via an electromagnetic transmitter (Markovic, Parag. [0034]; “In embodiments, one or more ports (e.g., serial communication port 114, parallel communication port 116, power backplane input 112, and/or input jack 118) of the I/O module comprise or are coupled with electromagnetic connectors 207 of connector assemblies 208.” … Parag. [0035]; “Each electromagnetic connector 207 is configured to mate with another electromagnetic connector 207 of a connector assembly 208 for transmitting power and/or communications signals between components that are connected via the electromagnetic connectors 207.”).

As per Claim 18, the combination of Markovic and Hummel teaches the method of claim 16. Markovic teaches wherein the at least one of the connection module and the input and output (I/O) port receiving electromagnetic signals via an electromagnetic receiver (Markovic, Parag. [0034]; “In embodiments, one or more ports (e.g., serial communication port 114, parallel communication port 116, power backplane input 112, and/or input jack 118) of the I/O module comprise or are coupled with electromagnetic connectors 207 of connector assemblies 208.” … Parag. [0035]; “Each electromagnetic connector 207 is configured to mate with another electromagnetic connector 207 of a connector assembly 208 for transmitting power and/or communications signals between components that are connected via the electromagnetic connectors 207.”).

As per Claim 19, it is an apparatus claim that recites similar limitations as claim 1. Therefore, it is rejected using the same rationale applied to claim 1. In addition, Markovic teaches an authentication device (Markovic, Parag. [0078]; “The action authenticator 304 can either be on-site with the action originator 302 (e.g., directly connected device lifecycle management system (“DLM”) 322 or secured workstation 326) or remotely located (e.g., DLM 322 connected via the network 318).”).


Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Markovic et al. (US 2018/0046592) hereinafter Markovic in view of Hummel et al. (US 11,126,750) hereinafter Hummel, as applied to claim 1 above, and in further view of Bowness (US 2020/0228338).
As per claim 3, the combination of Markovic and Hummel teaches the method of claim 1. 
The combination of Markovic and Hummel does not expressly teach wherein the authentication indication is a one-time password (OTP).
However, Bowness teaches wherein the authentication indication is a one-time password (OTP) (Bowness, Parag. [0011]; “FIG. 1 shows authentication system 100 implementing cryptographic device administration functionality utilizing event-based OTPs in an illustrative embodiment. The authentication system 100 comprises a cryptographic device 102 that communicates with an administrative entity device 104 over a network 105. Also coupled to the network 105 is a set of authentication servers 106 each of which controls access to one or more protected resources 107.” … Parag. [0020]; “The cryptographic device 102 in the present embodiment comprises device functional modules 108 that will vary depending upon the type of device. For example, if the cryptographic device 102 comprises a hardware authentication token or a software authentication token, the device functional modules 108 are illustratively configured to generate OTPs for submission to the authentication servers 106 as part of an authentication process for obtaining access to one or more of the protected resources 107.”).
Markovic, Hummel and Bowness are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for providing a method for authenticating communication between an industrial control device and an external control system.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bowness’s system into the Markovic-Hummel system, with a motivation to provide a cryptographic device configured to receive an event-based OTP for a given administrative access attempt, to compare the received event-based OTP to an expected event-based OTP determined as a function of a current value of the event counter, and to grant or deny the given administrative access attempt based at least in part on a result of the comparing (Bowness, Parag. [0004]).

As per claim 4, the combination of Markovic, Hummel and Bowness teaches the method of claim 3. Bowness teaches wherein the calculating includes continuously creating the OTP (Bowness, Parag. [0023]; “The administrative entity device 104 further comprises an event-based OTP generator 114 for generating event-based OTPs.” … Parag. [0029]; “The administrative entity device 104 can therefore implement multiple event counters and multiple administrative seed values, with one of the event counters and one of the seed values being used to generate event-based OTPs for obtaining administrative access to a corresponding one of the multiple cryptographic devices.” … Parag. [0050-0051]; “In a typical time-synchronous token, the displayed passcodes are based on a secret value and the time of day. An authentication server with access to the secret value and a time of day clock can determine that a given presented passcode is valid. One particular example of a time-synchronous authentication token is the RSA SecurID® user authentication token … Accordingly, the tokencode output of the authentication token in this case is updated approximately once every minute. These update time periods are also referred to as “epochs”.”).

Claims 12-13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Markovic et al. (US 2018/0046592) hereinafter Markovic in view of Hummel et al. (US 11,126,750) hereinafter Hummel, as applied to claim 1 above, and in further view of Shulz (US 2008/0077976).
As per claim 12, the combination of Markovic and Hummel teaches the method of claim 1, for authenticating an external control system to an industrial control device, further comprising, before the calculating:
However, the combination of Markovic and Hummel does not expressly teach:
receiving a request signal comprising a passkey received from the external control system; 
wherein the calculating includes verifying authenticity of the passkey.
But, Shulz teaches: 
receiving a request signal comprising a passkey received from the external control system (Shulz, Parag. [0037]; “Proceeding from 530 of FIG. 5, Alice sends a Nonce to Bob at 610. Thus, Alice transmits her Nonce sequence: RSA[NonceALICE, KBOB] & NAMEALICE & DSIGNALICE. At 620, Bob validates Alice and sends a Nonce. In this case, Bob validates the digital signature of Alice's message, its data integrity, and that the NAME matches that in Alice's certificate.” Examiner submits that for examination purposes the passkey is considered as a signature.);
wherein the calculating includes verifying authenticity of the passkey (Shulz, Parag. [0035]; “In general, exchange of an industrial authentication protocol occurs between one or more entities such as between an Entity1 and an Entity2. In the following examples illustrated in FIGS. 4-6, Entity 1 is also referred to as “Alice” and Entity2 is also referred to as “Bob,” where the name Alice refers to a device or application associated with Entity1 and the name “Bob” refers to a device or application associated with Entity2. Thus, the process 400 depicts a generic exchange between Alice and Bob where authentication protocol exchanges are signed and the recipient validates the signature as well as the data integrity of each transmission. The protocol provides a mutual authentication of the parties as follows: At 410, Alice and Bob exchange and validate each other's certificate; at 420, Alice and Bob exchange and validate each other's encrypted nonces; and if the steps of the authentication protocol are sequentially validated, a session is established at 430.”).
Markovic, Hummel and Shulz are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for providing a method for authenticating communication between an industrial control device and an external control system.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shulz’s system into the Markovic-Hummel system, with a motivation to provide a light-weight industrial protocol to enable authentication between industrial control components and/or users of the components to mitigate network protocol attacks, and to facilitate system performance of the components (Shulz, Parag. [0009]).

As per claim 13, the combination of Markovic, Hummel and Shulz teaches the method of claim 12. Markovic teaches further comprising:
when the authenticity is not verified, sending instruction to stop at least one action of the industrial control device (Markovic, Parag. [0090]; “When the first I/O module 100A fails to validate the response datagram, the first I/O module 100A may generate an error message, partially or completely disable the second I/O module 100B, and/or discontinue or restrict communications to/from the second I/O module 100B.”).
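The nonce exchange quoted from Markovic under claim 10 (a NonceA challenge answered with NonceB and a signature over both nonces made with the locally stored private DAK, verified with the public key as discussed under claim 11) and the failure handling quoted under claim 13 (restrict communications when the response does not validate) can be walked through end to end. The following Python is an added illustration and is not code from Markovic, Hummel, Shulz or the application under examination; it assumes a toy RSA key pair built from two small Mersenne primes as a stand-in for the DAK and certificate machinery, and the nonces, datagram field names and the "restrict" action string are constructed for the example.

```python
import hashlib
import os

# Toy RSA stand-in for the device authentication key (DAK). Constructed for
# illustration only: a 92-bit modulus from two Mersenne primes is far too small
# for real use, and a real DAK would be certificate-backed by the DLM.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent held only by module B


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Hash the message, reduce into Z_n (toy padding), apply the private key."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(message: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Recover the hash with the public key and compare against a fresh digest."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(sig, e, n) == h


def request_datagram(nonce_a: bytes) -> dict:
    """Step 1: module A challenges module B with a fresh plaintext NonceA."""
    return {"nonce_a": nonce_a}


def response_datagram(request: dict, nonce_b: bytes, priv_b: int = D) -> dict:
    """Step 2: B generates NonceB and signs NonceA||NonceB with its private DAK."""
    combined = request["nonce_a"] + nonce_b
    return {"nonce_b": nonce_b, "sig_b": sign(combined, priv_b)}


def validate_response(nonce_a: bytes, response: dict, pub_b=(E, N)) -> str:
    """Step 3: A rebuilds NonceA||NonceB from the nonce it actually sent and
    checks B's signature. Binding the check to A's own NonceA is what defeats
    replay of an old response. Returns the action A takes next."""
    combined = nonce_a + response["nonce_b"]
    if verify(combined, response["sig_b"], *pub_b):
        return "accept"
    # Failure path from the quoted Markovic text: raise an error, disable the
    # peer, and/or restrict communications with it.
    return "restrict"


def run_exchange(nonce_a=None, nonce_b=None, replay=False) -> str:
    """Drive one exchange; replay=True feeds A a response built for a stale
    challenge, which must be rejected."""
    nonce_a = nonce_a or os.urandom(16)
    nonce_b = nonce_b or os.urandom(16)
    resp = response_datagram(request_datagram(nonce_a), nonce_b)
    if replay:
        stale = request_datagram(b"\x00" * 16)   # constructed old challenge
        resp = response_datagram(stale, nonce_b)
    return validate_response(nonce_a, resp)


if __name__ == "__main__":
    print("fresh exchange:", run_exchange())
    print("replayed response:", run_exchange(replay=True))
```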

As per Claim 15, the combination of Markovic, Hummel and Shulz teaches the method of claim 12. Hummel teaches wherein the passkey is generated by the external control system using a private key and the calculating is done using a matching public key (Hummel, Col. 4, lines 35-38; “Herein, the signature created by the delivering device ensures that the payload data may be manipulated neither during the transmission to the safekeeping device or on the safekeeping device itself without being noticed.” … Col. 8, lines 62-64; “The logic unit is further configured to form a signature of the current hash value using the private cryptographic key.” Examiner submits that for examination purposes the passkey is considered as a signature.).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Markovic et al. (US 2018/0046592) hereinafter Markovic in view of Hummel et al. (US 11,126,750) hereinafter Hummel, and in further view of Shulz (US 2008/0077976) as applied to claim 12 above, and further in view of Juels et al. (US 9,270,655) hereinafter Juels.
As per Claim 14, the combination of Markovic, Hummel and Shulz teaches the method of claim 12.
However, the combination of Markovic, Hummel and Shulz does not expressly teach:
… wherein the passkey is a one-time password (OTP) generated by external control system and the calculating includes generating a matching OTP.
But, Juels teaches: 
… wherein the passkey is a one-time password (OTP) generated by external control system and the calculating includes generating a matching OTP (Juels, Col. 11, lines 43-50; “This passcode then serves as a signature of this data and, when received by the server 150, this passcode can be used to verify the validity of the corresponding data transaction that took place at the high-level application. In particular, the high level application provides the server 150 with the data that is to be verified, and this data transaction is accepted only if the locally produced passcode on this provided data matches the passcode that was received by the token 130.” Examiner submits that for examination purposes the passcode corresponds to the OTP and the signature corresponds to the passkey.).
Markovic, Hummel, Shulz and Juels are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for providing a method for authenticating communication between an industrial control device and an external control system.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Juels’s system into the Markovic-Hummel-Shulz system, with a motivation to provide one-time authentication tokens with improved resilience to attacks that attempt to obtain the secret seed of one or more tokens (Juels, Col. 3, lines 61-63).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Markovic et al. (US 2018/0046592) hereinafter Markovic in view of Hummel et al. (US 11,126,750) hereinafter Hummel, as applied to claim 1 above, and further in view of Simonsen et al. (US 2020/0193000) hereinafter Simonsen.
As per claim 20, the combination of Markovic and Hummel teaches the method of claim 1. Markovic teaches [wherein said I/O port is an analog port] and wherein the authenticity indication is encoded (Markovic, Parag. [0078]; “the action authenticator 304 includes a storage medium with a private key stored thereon and a processor configured to sign and/or encrypt the action request generated by the action originator 302 with the private key.” … Parag. [0081]; “The I/O module 100 or any other industrial element/controller 306 being driven by the action originator 302 is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.”) [into an analog signal].
However, the combination of Markovic and Hummel does not expressly teach:
wherein said I/O port is an analog port and … into an analog signal.
But, Simonsen teaches:
wherein said I/O port is an analog port and … into an analog signal (Simonsen, Parag. [0026]; “The native controller I/O can include digital I/O that transmits and receives discrete voltage signals to and from the field devices, or analog I/O that transmits and receives analog voltage or current signals to and from the devices.”).
Markovic, Hummel and Simonsen are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for providing a method for authenticating communication between an industrial control device and an external control system.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Simonsen’s system into the Markovic-Hummel system, with a motivation to provide an industrial control system and/or devices capable of receiving and transmitting analog signals at analog I/O ports (Simonsen, Parag. [0025-0026]).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Galpin et al. (US 10,834,094) relates to an industrial control system that includes an action authenticator configured to sign an action request generated by the action originator. The destination communications/control module or any other industrial element/controller is configured to receive the signed action request, verify the authenticity of the signed action request, and perform a requested action when the authenticity of the signed action request is verified.
Rooyakkers et al. (US 9,191,203) relates to a secure industrial control system. The industrial control system includes a plurality of industrial elements (e.g., modules, cables) which are provisioned during manufacture with their own unique security credentials.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
 Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/A.D.C./Examiner, Art Unit 2498

/JOHN B KING/Primary Examiner, Art Unit 2498