DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is responsive to the communication filed 11/13/2020.
Claims 1-14 are presented for examination.

Examiner Notes
Examiner cites particular columns, paragraphs, figures and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 11/13/2020. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d) or (f).

Claim Objections
Claim 1 is objected to because of the following informalities:
“execution enviornments” at line 7 should be “execution environments”.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-2 and 10-11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo).

Regarding to Claim 1, Lo discloses: A control system in industrial automation technology (see [0001], [0004]-[0005]), comprising:
hardware including at least one processor and at least one storage device in which applications to be executed by the control system are stored (see [0005]; “a control layer automation device comprises a processor, one or more control layer applications, a database, a wireless interface, a device memory” and “The device memory comprises the one or more control layer applications”);
a plurality of mutually isolated execution environments (see [0007]); and
a plurality independently executable and/or operating functional modules each of which is executed and/or operated in an isolated execution environment of the plurality of mutually isolated execution enviornments (see [0007] and [0011]; “a control layer automation device maintaining a plurality of isolated computing environments which distinct runtime computing resources and executing control layer applications in the isolated computing environments, with each control layer application configured to perform a discrete set of automation functions”),
wherein the functional modules of the plurality of functional modules are characteristic of functions of the control system (see [0011]; “each control layer application configured to perform a discrete set of automation functions”).

Regarding to Claim 2, the rejection of Claim 1 is incorporated and further Lo discloses: wherein the functions of the control system include at least one of a controller core, an operating system core, applications, and communication (see [0011]; “a control layer automation device maintaining a plurality of isolated computing environments which distinct runtime computing resources and executing control layer applications in the isolated computing environments, with each control layer application configured to perform a discrete set of automation functions”. The functions of the control system include at least applications).

Regarding to Claim 10, the rejection of Claim 1 is incorporated and further Lo discloses: wherein the control system is included in an automation device (see [0005]; “a control layer automation device”).

Regarding to Claim 11, the rejection of Claim 10 is incorporated and further Lo discloses: wherein the automation device is included in an automation system (see [0002] and [0025]; “the automation system 100 including Controller 110E”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Chen et al. (US 20160179564 A1, hereafter Chen).

Regarding to Claim 3, the rejection of Claim 1 is incorporated, Lo does not disclose: at least one specified communications channel through which communication and/or interaction between two functional modules of the plurality of functional modules occurs.
However, Chen discloses: a plurality of mutually isolated execution environments; a plurality executable and/or operating functional modules each of which is executed and/or operated in an isolated execution environment of the plurality of mutually isolated execution environments (see Fig. 8, [0128], [0131] and [0200]. The two execution environments VM300D and IEE 400 are mutually isolated to each other, wherein each of the environment executes at least one software application, i.e., functional module); 
at least one specified communications channel through which communication and/or interaction between two functional modules of the plurality of functional modules occurs (see Fig. 8 and [0200]; “a relatively straightforward manner to facilitate the interaction and communication between the IEE 400 and the environment of the VM 300D, while maintaining the isolation between the two environments”).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the multiple isolated execution environments on the same device from Lo by including a particular communication mechanism between two isolated execution environments on the same device from Chen, since it would provide a relatively straightforward manner to facilitate the interaction and communication between two environments while maintaining the isolation between the two environments (see [0200] from Chen).

Claims 4-5, 8 and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Kunsman et al. (US 20110307114 A1, hereafter Kunsman).

Regarding to Claim 4, the rejection of Claim 1 is incorporated, Lo does not disclose:
at least one central module configured to execute and/or to perform at least one function relating to a functional module of the plurality of functional modules,
wherein the at least one function executed and/or performed by the at least one central module is delegated to the at least one central module by one of the functional modules of the plurality of functional modules, and
wherein the at least one central module executes and/or performs the at least one function in one of the mutually isolated execution environments of the plurality of mutually isolated execution environments.
However, Kunsman discloses: A control system in industrial automation technology, comprising: hardware including at least one processor and at least one storage device in which applications to be executed by the control system are stored (see [0002]-[0003] and [0022]. Also see Fig. 2 and [0031]);
a plurality of mutually isolated execution environments (see [0022] and [0031]); and
at least one central module configured to execute and/or to perform at least one function relating to a functional module of the plurality of functional modules, wherein the at least one function executed and/or performed by the at least one central module is delegated to the at least one central module by one of the functional modules of the plurality of functional modules, and wherein the at least one central module executes and/or performs the at least one function in one of the mutually isolated execution environments of the plurality of mutually isolated execution environments (see [0008], [0022] and [0031]; “distinct and mutually isolated execution environments can be created. Each of these execution environments can host a single functionality out of a Supervisory Control And Data Acquisition (SCADA) functionality, a gateway functionality, an engineering workplace functionality and a firewall functionality”, emphasis added. At least one of the multiple isolated environments executing/hosting the firewall functionality is executing one central module to perform network access restriction for other components at the device. Note: it is well-known and understood to one with ordinary skill in the art that a network access restriction feature is delegated to the firewall by other components).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify at least one of the isolated execution environments executing control layer applications from Lo by including utilizing at least one isolated execution environment of an automation control system device to implement firewall functionality from Kunsman, since a firewall in the computing technology area is a component/system well-known and understood by one with ordinary skill in the art to provide features like restricting network access to the external system for the internal components (see [0027] from Lo; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. Lo does require providing a firewall-like feature; however, Lo does not provide specific detail on what kind of component provides such network restriction functionality. Based on the descriptions from Kunsman, it provides a specific implementation for one with ordinary skill in the art to modify one of the isolated execution environments from Lo to execute the firewall functionality in order to provide the network restriction functionality).

Regarding to Claim 5, the rejection of Claim 4 is incorporated and further the combination of Lo and Kunsman discloses: the at least one central module is configured to ensure security of at least one functional module of the plurality of functional modules and/or the control system, and/or the at least one central module is suitable and/or configured to execute at least one function relating to transport encryption, administration of users and/or groups, and/or enforcement of access restrictions (see [0027] from Lo, [0008] and [0022] from Kunsman; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”, “a firewall—separating the station bus from other networks, such as corporate network” and “distinct and mutually isolated execution environments can be created. Each of these execution environments can host a single functionality out of … a firewall functionality”. The firewall functionality to “restrict network access for a respective control layer application to communication with one or more specific operator devices” would ensure security of other functional module of the control system/device and thus enforcement of access restrictions).

Regarding to Claim 8, the rejection of Claim 4 is incorporated and further the combination of Lo and Kunsman discloses: wherein the control system is configured such that one of the functional modules of the plurality of functional modules performs a function that can be delegated to the at least one central module (see [0027] from Lo, [0008], [0022] from Kunsman; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. The other control layer applications at other environments except for the Isolated App Runtime Environment 110F2 would perform associated function that to be delegated to the firewall functionality executed at the Isolated App Runtime Environment 110F2).

Regarding to Claim 12, Lo discloses: A method in industrial automation technology for operating a control system (see [0001], [0004]-[0005]) having hardware including at least one processor and at least one storage device, in which applications to be executed by the control system are stored (see [0005]; “a control layer automation device comprises a processor, one or more control layer applications, a database, a wireless interface, a device memory” and “The device memory comprises the one or more control layer applications”), the method comprising:
executing at least one application of the applications in an isolated execution environment as a functional module (see [0007] and [0011]; “a control layer automation device maintaining a plurality of isolated computing environments which distinct runtime computing resources and executing control layer applications in the isolated computing environments, with each control layer application configured to perform a discrete set of automation functions”).
Lo does not disclose:
executing at least one central module in another isolated execution environment; and
implementing at least one security measure for the functional module with the at least one central module.
However, Kunsman discloses: A method in industrial automation technology for operating a control system having hardware including at least one processor and at least one storage device, in which applications to be executed by the control system are stored (see [0002]-[0003] and [0022]. Also see Fig. 2 and [0031]), the method comprising:
executing at least one central module in another isolated execution environment; and implementing at least one security measure for the functional module with the at least one central module (see [0022] and [0031]; “distinct and mutually isolated execution environments can be created. Each of these execution environments can host a single functionality out of a Supervisory Control And Data Acquisition (SCADA) functionality, a gateway functionality, an engineering workplace functionality and a firewall functionality”, emphasis added. At least one of the multiple isolated environments executing/hosting the firewall functionality is executing one central module and implementing a security measure for the functional module with the central module. Note: it is well-known and understood to one with ordinary skill in the art that a generic firewall in computing technology would perform at least the function of a security measure for other components).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify at least one of the isolated execution environments executing control layer applications from Lo by including utilizing at least one isolated execution environment of an automation control system device to implement firewall functionality from Kunsman, since a firewall in the computing technology area is a component/system well-known and understood by one with ordinary skill in the art to provide features like restricting network access to the external system for the internal components (see [0027] from Lo; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. Lo does require providing a firewall-like feature; however, Lo does not provide specific detail on what kind of component provides such network restriction functionality. Based on the descriptions from Kunsman, it provides a specific implementation for one with ordinary skill in the art to modify one of the isolated execution environments from Lo to execute the firewall functionality in order to provide the network restriction functionality).

Regarding to Claim 13, the rejection of Claim 12 is incorporated and further the combination of Lo and Kunsman discloses: wherein a computer program includes commands which cause the control system to execute the method (see [0051]-[0053] from Lo).

Regarding to Claim 14, the rejection of Claim 13 is incorporated and further the combination of Lo and Kunsman discloses: wherein the computer program is stored on a machine-readable storage medium (see [0051]-[0053] from Lo).

Claims 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Kunsman et al. (US 20110307114 A1, hereafter Kunsman) and further in view of Jabr et al. (US 20140101321 A1, hereafter Jabr) in view of Ohkado et al. (US 20120209411 A1, hereafter Ohkado).

Regarding to Claim 6, the rejection of Claim 5 is incorporated, the combination of Lo and Kunsman does not disclose:
an adapter through which at least one functional module of the plurality of functional modules is configured to provide and/or transfer configuration data to the at least one central module,
wherein the configuration data are preferably characteristic of a security measure.
However, Jabr discloses: an interface through which at least one isolated execution environment of the plurality of execution environments is configured to provide and/or transfer configuration data to the at least one firewall module, wherein the configuration data are preferably characteristic of a security measure (see [0024]-[0027]; “virtual machine 102 sends a synchronize (SYN) message 130, such as a SYN packet according to the Transmission Control Protocol (TCP), to establish a communication session between virtual machine 102 and server 106”, “Initially, firewall 103 a checks to verify whether or not firewall 103 a already maintains the flow state for Flow 1” and “Message 113 comprises sufficient information to identify both virtual machine 102 and firewall 103 a … With the registration of the relationship between virtual machine 102 and firewall 103 a in directory 107, other firewalls will be able to determine that virtual machine 102 was previously mapped to firewall 103 a, and also determine that firewall 103 a maintains the flow state for Flow 1”).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the process of network access for a respective control layer application executed in an isolated execution environment to communication with one or more specific operator devices from the combination of Lo and Kunsman by including the process of an isolated execution environment establishes a communication section to external device via a firewall from Jabr, since it would provide detailed execution steps for a firewall service to create a communications session between a local component and an external system (see [0024]-[0027] from Jabr).
Furthermore, Ohkado discloses: an adapter through which at least one isolated execution environment of the plurality of execution environments is configured to provide and/or transfer data to another isolated execution environment (see [0042]; “The virtual machine 232 is connected, via the virtual network adapter 244, to a virtual network 234, which is a logical network in which a plurality of virtual machines 232 and the sandbox management section 210 participate, so that the industrial control systems 240 on the virtual machines 232 can mutually communicate with each other via this virtual network 234”, emphasis added).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the communication between the isolated execution environments from the combination of Lo, Kunsman and Jabr by including connecting multiple isolated execution environments to achieve communication between the execution environments via adapter type resources from Ohkado, and thus the combination of Lo, Kunsman, Jabr and Ohkado would disclose the missing limitations from the combination of Lo and Kunsman (note: the firewall functionality at the combination system, i.e., claimed central module, is also implemented in one of the isolated execution environments like other control layer applications, and thus the communication between the firewall functionality and other control layer applications located at other isolated execution environments can be achieved via the adapter of corresponding isolated execution environments), since it is well-known and understood to connect each of the isolated execution environments via a network adapter to form a network system (see [0042] from Ohkado).

Regarding to Claim 7, the rejection of Claim 6 is incorporated and further the combination of Lo, Kunsman, Jabr and Ohkado discloses: wherein the at least one central module is configured as a proxy for communication requests, for access requests to the applications, and/or for granting access to the applications (see [0027] from Lo, [0008], [0022] from Kunsman; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. The firewall functionality executed at the Isolated App Runtime Environment 110F2 works as proxy for restricting network access for other applications, i.e., for communication requests, for access requests to the other applications, and/or for granting access to the other applications).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Kunsman et al. (US 20110307114 A1, hereafter Kunsman) and further in view of Kim et al. (US 20190173862 A1, hereafter Kim).

Regarding to Claim 9, the rejection of Claim 4 is incorporated, the combination of Lo and Kunsman does not disclose: wherein the control system is configured to verify a trustworthiness of one of the functional modules of the plurality of functional modules that is to be installed and/or executed.
However, Kim discloses: a firewall module is configured to verify a trustworthiness of an application that is to be installed and/or executed (see [0044]-[0045]; “install a hacking program through a wireless gateway in the vehicle” and “a firewall (e.g., a Layer 7 Firewall) on the CAN that checks whether malicious code is included in an application when the application is downloaded from a trusted server”. The firewall module verifies a trustworthiness of an application that is to be installed by checking whether malicious code is included in the application. Note: based on [0044], “the application is downloaded” from [0045] is used for the installation and execution on the local system/device).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the feature of the firewall module executing on the Isolated App Runtime Environment 110F2 from the combination of Lo and Kunsman by including the feature of a firewall to verify whether malicious code is included in the application that is to be installed from Kim, and thus the combination of Lo, Kunsman and Kim would disclose the missing limitations from the combination of Lo and Kunsman, since it would provide a mechanism of ensuring that no malicious code is included in the application to be installed and executed (see [0044]-[0045] from Kim).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHI CHEN whose telephone number is (571)272-0805.  The examiner can normally be reached on Monday-Friday 9:30AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emerson Puente can be reached on (571)272-3652.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Zhi Chen/
Patent Examiner, AU2196

/EMERSON C PUENTE/
Supervisory Patent Examiner, Art Unit 2196