DETAILED ACTION
This action is responsive to the Application filed 4/14/21.
Accordingly, claims 1-20 are submitted for prosecution on merits.
	Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 16-19 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Lewis, USPubN: 2022/0046047(herein Lewis) in view of Gonsalves et al, USPubN: 2008/0010225 (herein Gonsalves) and Donovan et al, USPN: 11,429,713 (herein Donovan) further in view of Konrardy et al, USPubN: 2021/0295439 (herein Konrardy), and Arov et al, USPubN: 2018/0276375 (herein Arov) 
	As per claim 1, Lewis discloses a method for controlling an industrial asset, the method comprising:
	generating, via a controller (para 0055-0056), a cyber-attack model (machine learnijng model – para 0054, 0057; Fig. 2A-2B; machine learning, potential cyber-attack - para 0029) configured to predict a plurality of operational impacts (machine learning data … training data … used to link … type of impact … determine likelihood of a cyber-attack, potential impact – para 0058) on the industrial asset (computing device 130, 140, 170 – Figs. 2; user computing device – Fig. 3; user personal device, remote computing device – para 0003, 0005; desktops accessed by device at remote locations – para 0033-0034 – Note1: desktop applications and computing devices of enterprise infrastructure and server platform – para 0039-0040 -  reads on industrial assets of the enterprise or service platforms) of a plurality of potential cyber-attacks (para 0029, 0034-0035);
	training, via the controller, the cyber-attack model (machine learning … used to evaluate … detect potential cyber-attack – para 0029) via a training data set to correlate (e.g. detect a potential cyber attack and initiate one or more security response actions – para 0029; upon detecting … one or more security response actions may be initiated – para 0033; machine learning … cyber event analysis … identify suspicious activity and initiate … seecurity response actions upon identifying – para 0044; cyber event analysis … initiate one or more security response actions – para 0046) the plurality of potential mitigation responses (e.g. machine learning engine 112c … analysis module 112b … response actions … associated with a potentially suspicious activity or potential cyber-attack – para 0053; para 0054) to the predicted plurality of operational impacts corresponding to the plurality of potential cyber-attacks;
	detecting, via a cyber-attack neutralization module (e.g. notification generation 112e – para 0060; analysis module, machine learning 112c, notification generation 112e – para 0051; Fig. 1B), a cyber-attack impacting (e.g. types of impact from a cyber-attack, virtual desktop … remote computing device – para 0058) at least one component of the industrial asset (user personal device, remote computing device – para 0003, 0005; desktops accessed by device at remote locations – para 0033-0034; para 0045);
	identifying, via the neutralization module (Fig.1B, para 0051, 0060), a predicted operational impact (trained to predict a potential cyber-attack – para 0065; machine learning data … training data … used to link … type of impact … determine likelihood of a cyber-attack, potential impact – para 0058) of the plurality of operational impacts which corresponds to the detected the cyber-attack (cyber-attacks – para 0023-0025; para 0033-0034; kinds of cyber-attacks – para 0044) based on the cyber-attack model (see machine learning from above; Machine learning – para 0044);
	selecting, via the neutralization module, at least one mitigation response (detect a potential cyber attack and initiate one or more security response actions – para 0029; upon detecting … one or more security response actions may be initiated – para 0033; machine learning … cyber event analysis … identify suspicious activity and initiate … seecurity response actions upon identifying – para 0044; cyber event analysis … initiate one or more security response actions – para 0046) of the plurality of potential mitigation responses based on the predicted operational impact (see above) of the cyber-attack; and
	altering an operating state (establish a change – para 0008; notification may be pushed out … to prevent or minimize impact of … cyber-attack from the identified information – para 0060; change from creating content to viewing content – claim 6, pg. 13; one or more response actions includes transmitting a security response alert to … prevention computing device – claim 10, pg. 13; transmitting a security response alert … to initiate … display – claim 13, pg. 13; response alert - para 0084; security response alert … to mitigate data loss  or compromise – para 0087; para 0091) based on the at least one mitigation response.
	A) Lewis does not explicitly disclose cyber-attack model configured to 
	predict a plurality of potential mitigation responses (corresponding to the plurality of potential cyber-attacks)
	Lewis discloses inferring via machine learning on impact caused by potential cyber-attacks and initiating security responses (para 0029, 0033, 0044, 0046) to the type of of computer harm, attacks or impact thereof (impact of such threats – para 0003; impact by the cyber event – para 0030; para 0058; impact of the potential cyber-attack – para 0060).  Hence, the correlation associating a potential harm or a type of impact caused by potential cyber-attacks being predicted via a machine learning to a particular mitigation response to be initiated entails that analysis in determining a mitigation response is subsumed under or integral to the process of generating a predicted impact by the same machine learning.
	Donovan discloses artificial intelligence to train actions and responses related to simulated cyber-attacks, the training using machine learning regressive techniques (e.g. decision tree or neural network) attached to an analytic server (col. 12 li. 23-40) to evaluate on predictor functions and parameters of the modeled cyber-attacks actions and responses, the regression ML techniques not only for producing prediction on trained data or trainee’s actions, but also for predicting a best subsequent action to be performed by a virtual (attack) machine with presented with a cyber attack (col. 12 li. 41-53; decision tree … determine a subsequent step to be performed by the attack machine (e.g .red team counter responses – col. 11 li. 28-31)
	Gonsalves discloses a threat assessment and prediction mechanism to interrelate between cyber sensed outputs and cyber attacks (see Abstract) using rule-based inferencing engine to interpret data from distributed sources within situational context, in terms of Bayesian network ( para 0124-0128; Fig. 28) to support alert generation for cyber threats and prediction (para 0004), attack detection thereof, impact assessment (see claim 1, pg. 12; claim 12, pg. 13) and remediation/mitigation (para 0045, 0066), the detection and prediction thereof using use cases to describe impact of the predicted attack and to generate response thereto (para 0013-0016; predict Network attack, assess impact and generate Response use cases – para 0060); e.g. a Integrated Network Attack Fusion System (INAFS) operating via Bayesian belief model to provide detection as well as response for a cyber attack (para 0037; predict attack, assess impact and genreates a response … then display the recommended response - para 0067; Fig. 12); hence a Bayesian network attached with a INAF platform to predict attacks, assess the impact and recommend responses thereto entails predictive and inferencing effect of a rule based inferencing model to predictively detect/assess impact of cyber attacks as well as infer of possible responses thereto.
	Based on the immediate relationship between identifying a cyber-attack impact and generating initiation of a response in Lewis, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement the predictive or inferring model in Lewis so that artificial intelligence and inferencing capability of the model (neural network or bayesian intelligence) would be part of cyber-attack model in the sense that if can infer or predict impacts of the cyber attacks on assets, but also infer or predict a plurality of potential mitigation responses (corresponding to the plurality of potential cyber-attacks – as set forth per the Bayesian model in Gonsalves INAFS or per the regression technique of Donovan’s analytic server; because
	implementing a artificial mechanism or learning technique in form of intelligence to predict possible attacks and infer potential impacts caused thereby combined with added capability to equally predict, infer or recommend a possible response thereto using a rule-based engine or integrated system as set forth above, would more effectively match a instrumental resource in specific computing magnitude and industrial strength to overcome the very aspect of the impact or point of focus aimed by the harm, malware pertaining to the very cyber-attack type, without need for pre-testing or simulating operation of the employed corrective action, which would alleviate of cost expenditure in the endeavor of maintaining operative state of the enterprise assets in terms of their being contextually, industrially situated with their computing and NW resources.
	B) Nor does Lewis explicitly disclose selecting by the neutralization module a mitigation response (based on the predicted impact of the cyber-attack) and altering an operating state of the industrial asset based on the response.
	Use of machine learning or artificial intelligence to precisely appraise on potential threat or degree of impacts caused by a cyber threat/attack most necessarily entails use of information geared for adopting corrective measure to circumvent effect caused by the cyber threat or harm, such as recommending a solution or a timely response to stem/prevent negative effects, or mitigate tenor of the identified impact, severity of a malfunction, or avert damage caused thereby, which can be carried in form of issuing an alert and initiating measures underlying the notification or alarm such as adjusting or reiterating operational performance of assets affected by the cyber attack.  The actions or responsive changes taken to prevent or lessen effect of cyber impacts are shown in Lewis as pushing an alert and presentation of data responsive to the effect of the detection (notification may be pushed out … to prevent or minimize impact of … cyber-attack from the identified information – para 0060; change from creating content to viewing content – claim 6, pg. 13; one or more response actions includes transmitting a security response alert to … prevention computing device – claim 10, pg. 13; data loss prevention – para 0053; verifying authenticity … may flag the recent activity … determine that authentication has failed – para 0079)
	Konrardy discloses computing assets underlying a smart home monitoring and component risk profiling environment, to preclude impact caused by cyber-attacks and malfunction of components affected thereby; e.g. autonomous vehicles or smart home, the monitoring using sensors and tracking of expected value or damage construed as loss-event, where mitigating actions include adjustments to the component or replacement thereof as well as change made to their settings, including repair, upddate or replacement (para 0009-0014; adjust the component … component to be repaired, replaced, upgraded - see claim 20 – pg. 46)
	Use of sensors as part of establishing a model attached with a SCADA based monitoring of plant operations is shown in the security model and cyber-security coverage in Arov’s industrial monitoring facility (Fig. 3-4), the SCADA attack detection system using machine learning as part of the statistical/information recognition (para 0007-0008), where predicted output from a detection model (para 0059) and monitored output underlying scenarios expressed via attack vector implementation are correlated for mismatch which in turn, would trigger a security alert (para 0060-0064), in the sense that, upon detection of a attack tampering a operation, controller commands can be reprogrammed to activate/deactivate a devices(valve, pump); e.g. command closure issued to rectify pressure values to make them operate within safety range (para 0076-0077; Fig. 5)
	Therefore, based on the rationale set forth above to use a predictive model to infer on cyber impacts and potential responses thereto, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement a model for detection and prediction of cyber attack and possible mitigation responses in accordance with Lewis’s automated cyber-attacks response approach so that, based on the predicted impact of the cyber-attack, a neutralization module underlying the predictor model would generate or recommend a mitigation response and, in accordance thereto, provides controller command for altering an operating state of the industrial asset based on the response – as set forth per update, repair operation to components in Konrardy smart home system, or per the controller adjustment in Arov’s industrial monitoring to rectify presssure settings; because
	urgency of a cyber impact identified as a immediate, or potential flaw/malfunction or security issue mostly dictates that corrective maintenance/preventive action or a security measure be taken timely to attenuate severity of the harm or prevent the harm from happening; and 
	in accordance to operational scale and resources size of enterprise architectures, service infrastructure or industrial endeavors construed via the quantity of assets to be protected therein, use intelligence models or AI techniques to predict cyber type issues and recommend mitigation responses as set forth above, would not only facilitate recognition of a threat type, identification of a defined impact thereby, but also make inferencing to the precise timeliness with which to address urgency or impending harm caused by a cyber issues or assets vulnerability attack in the sense that trained data, finding, recommendation or derivation learned from the intelligent techniques can assist a cyber-related administration or management level to identify, on basis of the very learning or recommendation by the model intelligence, the most effective response to a very specific type of harm, the latter enhanced by recognition of accurate a response-time margin within which to adopt/select a safety measure or corrective action geared for particularly adjusting operative state of a asset or mitigating negative impact to its performance within a properly bound timeline.
	As per claims 2-3, Lewis does not explicitly disclose method of claim 1,
	(i) wherein detecting the cyber-attack further comprises:
	identifying an attack point of the cyber-attack via an attack-detection-localization (ADL) module of the neutralization module, the attack point corresponding to at least one of a first sensor, a first actuator, and a system controller of the industrial asset;
	wherein the attack point corresponds to an affected output signal of the first sensor, 
	(ii) wherein selecting the at least one mitigation response further comprises:
	filtering the affected output signal so as to preclude a utilization of the affected output signal by the system controller to affect the operating state of the industrial asset; and
	generating, via the system controller, a set point for the industrial asset based, at least in part, on an alternative signal obtained from a second sensor.
	Location of enterprise assets in Lewis constitutes (para 0039, 0041, 0043) collection of information to track and which is subjected for a cyber event analysis to operate in order to initiated mitigation response or effectuating loss prevention measures (para 0052); hence attack point corresponding to a controller of the enterprise asset subjected to a identified cyber threat is recognized.
	Use of sensor and actuator in association with control of an industrial asset such as devices or component of a plant process is shown in the SCADA monitoring by Arov cyber-attack detection (para 0013-0020); where accordingly, cyber-security threats are covered by a cyber-attack operational model, which obtains sensor data and defines, as part of seeking a solution to the predicted cyber threat, a combination of inputs that cannot coexist for use (para 0054) with a given plant command or actuator to consolidate a model output (and controller command) that reflects a particular set of inputs accounting of specific sensor locations (para 0056), in accordance to which, a cyber attack can be detected from mismatch between monitored output and predicted output.  Hence, localization of an attack point by virtue of installed sensor at specific locations and implementation of diversified model inputs based thereon is recognized.  Further, Arov discloses configuring of physical paramters into the predicting capability of an operational model (para 0055) whose configuration is based on selective recombining of diverse inputs in consideration of reliability of each from a given set of sensors (or locations thereof) to match a intended actual model output (para 0057), where the actual output is subjected to a mismatch comparison (para 0064) with a model’s predicted output so to identify whether a cyber attack occurs at specific input points; in the sense that this cyber attack detection entails repetitive filtering of the intended output from basis of various input setting into the model so as to either preclude a utilization of the affected output signal by the system controller or to avoid contamining a plant command with a cyber event
	Therefore, based the repeated instances by which a model output is refined in accordance to varied set of input and corresponding sensor information, the output refining cycles by Arov’s analytic model to narrow down difference between actual output with predicted data discloses effect of filtering behavior of each output by the model with corresponding changes at the input (*)
	According to the above, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implemement a predictor model geared for similarity comparison at the output based on the input for detection of a cyber attack endpoint so that sensor are installed at specific location underlying the attack endpoints for identifying an attack point of the cyber-attack as via an attack-detection-localization (ADL) module of the neutralization module, the attack point corresponding to at least one of a first sensor, a first actuator, and a system controller of the industrial asset such that an attack point corresponds to an affected output signal of the first sensor – as construed per the construction of input data formed from respective sensor locations in Arov repetitive operational model configuration – where selecting the at least one mitigation response via use of the predictor model includes filtering the affected output signal - per (*) - so as to preclude a utilization of the affected output signal by the system controller to affect the operating state of the industrial asset – as per the approach to selectively combine different inputs to output a signal that can be compared with prediction by the model as in Arov – so to generate a set point for the industrial asset based, at least in part, on an alternative signal obtained from a second sensor being different from the first sensor at which a identification of  cyber-attack is detected on basis of the output mismatch  as shown in Arov; because
	use of sensor locations or actuator locations as via a localization module to monitor sensor as potential attack points identifiable via different set of inputs into a predictor model as set forth above would enable a cyber-detection layer to correlate , via a regression model utilizing physical parameters and collected metrics, input and output for a mismatch – as in Arov -  indicative of a potential cyber attack at a specific location (attack point) construed via sensor locations in combination with repeated effect of filtering outputs on basis of diversified input setting and their respective sensors; such that attack identified at specifically monitored locations in terms of controller components (or actuator setting as per Arov) can be understood in terms of specific impact based on which proper and timely mitigation response (or implementation therefor) can be selected for a prompt securityfix and cyber preventive action.
	As per claim 4, Lewis does not explicitly disclose method of claim 2, wherein determining the predicted operational impact further comprises:
	determining, via the ADL module, a severity score for the cyber-attack; and
wherein selecting the at least one mitigation response further comprises selecting the at least one mitigation response based, at least in part, on the severity score.
	But identifying a location at which impact of a cyber attack is specified or measured so that, based thereon, act of selecting a commensurate response or mitigation action to match severity of the impact falls under the obviouus ambit of using a neutralization module to identify an impact and select the appropriate mitigation module with which to alter operation state of an asset being protected under administration of the preventive action particularly tailored to address the impact, which has been rendered obvious in rationale B of claim 1.
	Hence, use of an ADL to determine severity of a cyber attack whereby to select a response made effective and commensurate with how severe the attack is would have been obvious for the same reasons addressing obvious use of a neutralization module in selecting a mitigation response and altering action set forth with rationale B from above.
	As per claim 5, Lewis does not explicitly disclose method of claim 2, wherein the at least one mitigation response comprises:
	(i) emulating, via a system emulator, a nominal operating state of the industrial asset in response to an operating condition affecting the industrial asset;
	generating at least one output of the system emulator corresponding to an input or output of at least one of the first sensor, the first actuator, and the system controller of the industrial asset in the absence of a cyber-attack; and
	(ii) replacing, with the at least one output of the emulator, at least one input or output of the at least one of the first sensor, the first actuator, and the system controller which is subject to the cyber-attack, wherein replacing the at least one input or output with the at least one output of the emulator mitigates the predicted operational impact of the cyber-attack.
	As for (i)
	Emulation is a process by which input and situational data are fed into a trial/test setup to obtain outcome that would mimic or achieve similar result to industrial functionality previously achieved and recorded as a good. Accordingly, Konrardy discloses sensor data associated with autonomous operation, telematics data, and features setting regarding environment for the vehicle operation (para 0262, 0264) in accordance to test results (and conditions) that are to be compared to baseline output, the comparing provided via an emulator program executin SW routines (Fig. 10) to mimic autonomous operation of features associated with an autonomous vehicle or object in virtual a smart home environment (para 0253-0258) where output valeues may be indicative of ordinary or acceptable operations under certain condtions (para 0259) or else, indicative of failures/errors by the software (para 0257); hence generating emulated output corresponding to input settings from at least on sensor to meet previously recorded baseline of a controller execution achieved in a non-contaminated cyber context or to detect malfunction respective to a baseline is recognized.
	As for (ii),
	Use of a test outcome and parametric setting as part of a corrective action or mitigation response implementation to address impact of a detected security flaw, or cyber contamination has been addressed with rationale B in claim 1; and implementing a mitigation response with emulator setting on basis of sensor data or appropriate condtions to obtain a replacement behavior particularly carried out for replacing the at least one input or output of a actual environment with the at least one output of the emulator mitigates the predicted operational impact of the cyber-attack would have been obvious for the same reasons set with rationale B in claim 1.
	Thus, based on the use of known credentials or verified data (Fig. 2C; para 0054) with which to implement a correlation process or comparision by a analytic model implemented from input training in Lewis, it would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to provide a means to establish baseline for use by the comparison, including generating at least one output of the system emulator corresponding to an input or output of at least one of the first sensor, the first actuator, and the system controller of the industrial asset in the absence of a cyber-attack; i.e. the emulator emulating a nominal operating state of the industrial asset – as per Konrardy creating a baseline in a non-contaminated runtime – and in response to an operating condition affecting the industrial asset – as per Konrardy detection of cyber faults; where using outcome from the emulator, the cyber detection and mitigation process in Lewis would be able to replace at least one input or output of the at least one of the first sensor, the first actuator– as in Konrardy input settings -  upon detection of a fault in the system controller being subject to the cyber-attack, wherein replacing with the at least one output of the emulator mitigates the predicted operational impact of the cyber-attack, in accordance to the rationale B in claim 1; because ]
	use of a emulator to pre-record baseline values would help establishing reference or standardized behavior with which a cyber-attack preventive implementation (using intelligent analytic models) can employ in order to evaluate comparison mismatch – as in Konrardy - and detect discrepancies between executed behavior by a test or model expirementation (e.g. using actual conditions or sensor data as in Konrardy) respective and known accepted values of a baseline, where effect of emulating a functionality coupled to a baseline comparing approach to implement mitigation measures in response to identification of a cyber- related attack or behavioral malfunction of a industrial asset would consequently benefit from the timeliness with which degree of severity by a threat or immediacy of relevant security setbacks/impacts (on the enterprise assets) can be responded and commensurately handled and stemmed.
	As per claim 6, Lewis does not explicitly disclose method of claim 5, 
	(i) wherein the attack point corresponds to an affected command signal for the first actuator, and 
	(ii) wherein replacing the at least one input or output subject to the cyber-attack further comprises:
	filtering the affected command signal; and generating a replacement command signal for the first actuator via the system emulator.
	As for (i),
	A sensor-based identification of conditions or controlling HW, devices as collected input for use in running a cyber-attack analytic carried out with a mismatch detecting model in Arov SCADA approach (see Abstract; Fig. 3), where behavior to track with operation by the model includes collected information from actual industrial plant components such as sensor and control type actuator (para 0005; Fig. 1); where sensor locations reflected in physical parameters forming model input data (para 0021-0025) are configured in the SCADA system as attack vectors (para 0013-0020) integrated with execution of the model in terms of mismatch detection indicative of cyber-attacks; hence attack point corresponding to plant signal emanating by an actuator being tracked at the very point installed with a monitoring sensor entails attack point corresponding to an affected command signal for the first actuator.
	As for (ii),
	filtering the affected command signal from basis of a refining output per each model execution that refine plant process signalling from various physical input combinations ( to attain a mismatch detection has been shown in the teaching by Arov per the obviousness rationale (ii) of claims 2-3; and generating a replacement command signal for the first actuator via the system emulator responsive to the model finding that the at least one input or output has been subject to the cyber-attack; via a mismatch detection has been addressed with the rationale (ii) of claim 5.
	Therefore, implementing detection model for cyber-attack in terms of filtering affected command signal geared for attack point corresponding to signal of actuator operation, and responsive to finding that the at least one input or output has been subject to the cyber-attack by the filtering effect, to generate a replacement signal to that observed from the affected actuator operation would have been obvious for the same reasons set forth in rationale (ii) of claims 2-3 and rationale (ii) set forth for addressing obviousness of the input/output replacement in claim 5.
	As per claim 7, Lewis does not explicitly disclose method of claim 5, wherein the attack point corresponds to an affected feedback signal of the first actuator, and wherein replacing the at least one input or output subject to the cyber-attack further comprises:
	filtering the affected feedback signal;
	modeling a replacement feedback signal for the first actuator via an actuator emulator of the system emulator;
	delivering the replacement feedback signal to the system controller; and
	generating a command signal for the first actuator based, at least in part, on the replacement feedback signal.
	Feedback signal analyzed at the output of a executed model run entails refinement step made to output of the run in terms of modification made to a back end input for instantiating another run.
	A replacement feedback signal amounts to a output that consistute a replacement behaviour that is deemed proper to correct a cyber-attack threat or impact.
	In other words, the delivering the replacement feedback signal to the system controller; and
	generating a command signal for the first actuator based, at least in part, on the replacement feedback signal, after the feedback signal has been subjected to filtering by cycles of the cyber-detection model would have been obvious for the same reasons set forth with obviousness of claim 6.
	That is, the steps of filtering, modeling a replacement feedback signal, delivering the replacement feedback signal to the system controller; and generating (a command) would have been obvious on basis of the rationale in claim 6.
	As per claim 8, Lewis does not explicitly disclose  method of claim 5, wherein the attack point corresponds to the system controller, and wherein replacing the at least one input or output subject to the cyber-attack further comprises:
	filtering an output of the system controller so as to preclude the system controller from affecting the operating state of the industrial asset; and
	generating, via a controller emulator of the system emulator, at least one setpoint command configured to establish or maintain an operation of the industrial asset by altering the operating state of the industrial asset.
	Activating a corrective signal as replacement for a control signal by a actuator in form of process controller command or setpoint signalling falls under the ambit of a corrective action by a process plant in Arov to handle negative effect of a cyber attack identified from stages of filtering by an model to confirm of occurrence of a mismatch indicative of such attack (refer to rationale(ii) of claims 2-3)
	Use of an emulator to seek a proper replacement command or control endpoint signalling to address or mitigate effect of a malfunction caused by a cyber type threat into a industrial asset functionality whose normal state is deemed altered (and detected by a model) falls under the ambit of the replacement addressed in claim 5.
	That is, the process of replacing the at least one input or output subject to the cyber-attack in terms of steps of filtering an output, generating, via a controller emulator, at least one setpoint command (to maintain an operation of the industrial asset) would have been obvious for the same reasons set forth with the corresponding rationale in claim 3, and claim 5.
	As per claims 9-10, Lewis discloses method of claim 5, wherein the attack point corresponds to an affected output signal of the first sensor, and wherein replacing the at least one input or output subject to the cyber-attack further comprises:
	filtering the affected output signal of the first sensor;
	receiving, via the system emulator, an unaffected output signal from at least a second sensor;
	generating a replacement output signal for the first sensor via a sensor emulator of the system emulator based, at least in part, on the unaffected output signal; and
	delivering the replacement output signal to the system controller;
	wherein the second sensor is positioned separate from the industrial asset.
	Implementing a replacement signal from a sensor-based signalling which results in a acceptable behavior as via an emulator so that the signalling point thereof is under monitoring effect by a second sensor being different from a first sensor whose control signal leads to identification of a cyber-attack would have been obvious when the emulation of signals is configured to find outcome that mimics a known good command, as this mechanism is shown in Konrardy (refer to claim 5) whereas effect of filtering a output signal is deemed obvious per the rationale in claim 3.
	That is, the process of replacing the at least one input or output subject to the cyber-attack in terms of steps of filtering an output, generating, via a controller emulator, at least one unaffected output (from signalling captured from a different sensor) and delivering it to a system controller  would have been obvious for the same reasons set forth with the corresponding rationale in claim 3, and claim 5.
	( all of which being addressed in claim 8)
	As per claim 11, Lewis does not explicitly disclose (method of claim 5, further comprising:
	correlating, via the neutralization module, the predicted operational impact to an impact on an output of the industrial asset delivered to a connected system; and
	utilizing the least one output of the system emulator to mitigate the impact of the cyber-attack on the output of the industrial asset.
	Use of a output generated from an emulator as a solution to providing sensor-based endpoint signal or control command so as to mitigate effect of  a cyber-attack identified from a mismatch verification by the model is shown in Arov, per the rationale settings in claim 5; whereas use of a model to correlate predicted outcome with actual outcome expressing behavior of an industrial asset delivered to a connected system equipped with analytic model has been addressed with the training in Lewis (e.g. trained to predict a potential cyber-attack – para 0065; machine learning data … training data … used to link … type of impact … determine likelihood of a cyber-attack, potential impact – para 0058) to derive the plurality of operational impacts which corresponds to the detected the cyber-attack (cyber-attacks – para 0023-0025; para 0033-0034; kinds of cyber-attacks – para 0044) based on the cyber-attack model (see machine learning from above; Machine learning – para 0044) on basis of correlation by the model that enables provision of a mitigation response for neutralizing effect of an attack.  Hence, correlating, via the neutralization module, the predicted operational impact to an impact on an output of the industrial asset delivered to a connected system, using an emulator output to help mitigating impact at the output of a industrial asset is recognized.
	Therefore, based on the obviousness in use of a emulator per claim 5, the correlating, via the neutralization module (in accordance with use of training in Lewis to correlate model prediction with actual outcome as set forth above) and utilizing the least one output of the system emulator to mitigate the impact of the cyber-attack on the output of the industrial asset would both have been obvious for the same reasons set forth in claim 5. 
	As per claim 16, Lewis discloses a system for controlling and industrial asset, the system comprising: the system controller comprising at least one processor configured to perform a first plurality of operations (Fig. 1A, B and 2A) so as to affect an operating state of the industrial asset (refer to claim 1); and
	a neutralization module (refer to claim 1) comprising at least one processor configured to perform a second plurality of operations (see below), the second plurality of operations comprising:
	detecting, via a cyber-attack neutralization module (neutralization module), a cyber-attack impacting (refer to claim 1) at least one component of the industrial asset,
	identifying a predicted operational impact (refer to claim 1) of a plurality of operational impacts which corresponds to the detected the cyber-attack based on a cyber-attack model (refer to claim 1), 
	wherein the plurality of operational impacts (see model to predict operational impacts per claim 1) are generated via a controller implementing a cyber-attack model (refer to claim 1) to predict the plurality of operational impacts (refer to claim 1) on the industrial asset of a plurality of potential cyber-attacks,
	selecting at least one mitigation response (refer to claim 1) of a plurality of potential mitigation responses based on the predicted operational impact of the cyber-attack (see above), 
	wherein the plurality of potential mitigation responses are generated (refer to rationale A in claim 1) via the cyber-attack model, and wherein an operating state of the industrial asset is altered (refer to rationale B in claim 1) based on the at least one mitigation response.
	C) Lewis does not explicitly disclose system for controlling and industrial asset including
	at least one sensor operably coupled to the industrial asset;
	at least one actuator operably coupled to the industrial asset;
	a system controller communicatively coupled to the at least one sensor and the at least one actuator, 
	a neutralization module operably coupled to the at least one sensor, the at least one actuator, and the system controller
	Arov discloses SCADA monitoring (see Abstract) and operational model established upon sensor data and actuator component of a machine or HW operating a process plant, where mitigation to a detected cyber attack is based on a mismatch between actual output by the model and predicted output from the operational of the plant; the attack detection implementation in terms of analytics model by which industrial components behavior to track with experimentation by the model includes collected information from actual industrial plant components such as sensor and control type actuator (para 0005; Fig. 1); where sensor locations reflected in physical parameters forming model input data (para 0021-0025) are configured in the SCADA system as attack vectors (para 0013-0020) integrated with execution of the model in terms of mismatch detection indicative of cyber-attacks or defined attack vectors; thus coordinating a neutralization engine and plant controller with actuator and sensor coupled to the industrial devices to operate a system that control industrial assets is recognized.
	Thus, It would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement the neutralization aspect of Lewis’s training model so that system controller and collected data therefrom includes state of operations retrieved from sensor and actuators installed with the controller operations, so that the system controller and the neutralization module are equally coupled to installation of sensor and actuators - as set forth in Arov SCADA system – because 
	this configuration would track actual metrics from executed operations emanating from the system controller of the industrial asset environment, the captured data facilitated by way of installed sensors and operational state of relevant actuators, whereas effect of coupling the sensor and actuators with both the system controller and the neutralization module would provide interconnectivity means by which captured metrics from actually executing industrial assets can be fed into a analytic model, formulated as vector quantification for use by the neutralization engine of the model, which in turn,  would correlates model generated output with the vectorized representation of quantized, actual state of components under the control of the system controller execution so to generate predicted cyber attacks on specific asset whose sensor data is being trained and correlated at the model, based on which, responses can be derived and selectively initiated as possible mitigation measures to handle impact caused by the attacks.
	As per claim 17, Lewis discloses system of claim 16, wherein detecting the cyber-attack further comprises:
	identifying an attack point of the cyber-attack via an attack-detection-localization (ADL) module of the neutralization module, the attack point corresponding to at least one of a first sensor, a first actuator, and a system controller of the industrial asset.
	( all of which being addressed in claim 2)
	As per claim 18, Lewis discloses system of claim 17, wherein the at least one mitigation response further comprises:
	emulating, via a system emulator, a nominal operating state of the industrial asset in response to an operating condition affecting the industrial asset, and
	generating at least one output of the system emulator corresponding to an input or output of at least one of the first sensor, the first actuator, and the system controller of the industrial asset in the absence of a cyber-attack.
	(refer to rationale in claim 5)
	As per claim 19, Lewis discloses system of claim 18, wherein the attack point corresponds to the system controller, and wherein replacing the input and/or output subject to the cyber- attack further comprises:
	filtering an output of the system controller so as to preclude the system controller from affecting the operating state of the industrial asset; and
	generating, via a controller emulator of the system emulator, at least one setpoint command configured to establish or maintain an operation of the industrial asset by altering the operating state of the industrial asset.
	( all of which being addressed in claim 8)
Claims 12-13 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Lewis, USPubN: 2022/0046047(herein Lewis) in view of Gonsalves et al, USPubN: 2008/0010225 (herein Gonsalves) and Donovan et al, USPN: 11,429,713 (herein Donovan) further in view of Konrardy et al, USPubN: 2021/0295439 (herein Konrardy), and Arov et al, USPubN: 2018/0276375 (herein Arov) and further of Ray et al, USPubN: 2013/0104236 (herein Ray)
	As per claims 12-13, Lewis does not explicitly disclose 
	(method of claim 1) wherein mitigating the impact of the cyber-attack on the output of the industrial asset further comprises derating the industrial asset.
	(method of claim 11) wherein determining the predicted operational impact of the cyber-attack further comprises:
	correlating, via the neutralization module, the predicted operational impact to an accumulation of damage to a component of the industrial asset; and derating the industrial asset to mitigate the accumulation of damage.
	Identification of vulnerability to malicious attacks of various types and different contexts of HW , OS and applications as well as their interplay is shown in Ray in terms of performance factor such as the derated thermal performance or valuation of a IT system component being susceptible to storm, lightning, flood or fluctuation of stock/trading market (para 0121) or damages caused by insider attack, where the resulting security risk and impact of loss or threat probabilities amount to impact characterized as derating or loss of trustworthiness in the business or information sources/assets (para 0151) versus the amount of revenue cost over time, which can be shown as a correlation (para 0651-0653) expressed as asset valuation in terms of accumulation  over asset cost within a duration, coupled to time impact of the derating versus the revenue cost (para 0654-0657); hence correlation between a derating in performance by a component, a business asset and accumulation of cost, value loss or impact over a time period is recognized.
	Hence, It would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to arrange mitigation of a cyber attack in light of performance loss impacted by the attack on a industrial asset in Lewis so that mitigating the impact of the cyber-attack on the output of the industrial asset includes expressing the degree of derating of the industrial asset- as shown in Ray -  at the level of the correlation model, the latter including effect of a neutralization module, to correlate a predicted operational impact to an accumulation of damage to a component of the industrial asset – as shown in Ray calculation of revenue loss linearly with accrued derating effect – thereby to derive the proper measure in the derating of the relevant industrial asset thereby to enlist proper mitigation resources or sufficient corrective measures to stem the accumulation of damage; because
	use of training to track and locate where cyber attacks reside and which industrial asset is affected thereby, in terms of assessing monetary loss computed in terms of performance derating for the affected asset as set forth above would enable the amount of revenue loss, performance degradation and loss of trustworhiness in the use of the given asset to be laid out computationally and evaluated over a time period, so that within the boundaries thereof, decision can be made to overcome the performance loss or reducing effect of the derating if the cost of implementing responses for mitigating the impact causing said derating would be deemed feasible over the cost aspect of the enterprise and optimally satisfactory towards the endeavor of conducting a risk free, secure and trustworthy enterprise business.
Claims 15, 20 is/are rejected under § 35 U.S.C. 103 as being unpatentable over Lewis, USPubN: 2022/0046047(herein Lewis) in view of Gonsalves et al, USPubN: 2008/0010225 (herein Gonsalves) and Donovan et al, USPN: 11,429,713 (herein Donovan) further in view of Konrardy et al, USPubN: 2021/0295439 (herein Konrardy), and Arov et al, USPubN: 2018/0276375 (herein Arov) and further of Mestha et al, USPubN: 2019/0230119 (herein Mestha)
	As per claim 15, Lewis does not explicitly disclose (method of claim 1), wherein the industrial asset comprises a wind turbine.
	Use of a model and vectors quantization associated with a neural network or decision tree as in Lewis (para 0056) can be seen in Mestha use of feature vectors and decision boundaries to classify normal behavior from contaminated behavior (health of the equipment or machinery – para 0045) via assessing the vectors and time series analytics as well as sensor signals (see Abstract; Fig 5, Fig. 9; para 0047, 0050) per effect of a neutralization engine equiped with SVM and ELM (para 0075) training and learning on ways to mitigate attacks (para 0078) over industrial assets, where one of the industrial assets can be a wind turbine (para 0045, 0083; claim 14, pg. 12) of a power grid.
	Therefore, It would have been obvious before the time of the effective date of the claimed invention for one of ordinary skill in the art to implement decsion tree and machine learning intelligence techniques in Lewis so that a neutralization engine evaluate the quantization and time series aspect of the assets – as in Mestha - per a model that trains and classfies normal behaviour of the industrial asset from what is indicative of abnormal behavior (affected by a cyber attack), finding a mitigation response in view of the determined impact, where the asset operation to track and detected for a mitigation response relates to that of a wind turbine – as set forth in Mestha; because
	industrial assets subjected to cyber attack can be of multiple types in multiple domain of application, and for instance, use of a neutralization platform to learn and find a mitigation to any security issue related to a power grid or energy distribution domain such as evaluation model behavior of a wind turbine would provide timely measures to correct the inadvertent issue incurred in the turbine operation in its contribution for the distribution of energy, avert any extratemporal shutdowns and minimizing the overall cost of the relevant enterprise while sustaining a acceptable SLA expected of the service by the consumer domain.
	As per claim 20, refer to rejection of claim 15.
Allowable Subject Matter
Claims 14 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, the objected to subject matter including:
	(claim 14), method of claim 1, wherein determining the predicted operational impact of the cyber-attack further comprises:
	correlating, via the neutralization module, the predicted operational impact to an unwarranted shutdown of the industrial asset in response to a shutdown protocol of a safety system in response to the detected cyber-attack, wherein the shutdown protocol is unwarranted for the operating state of the industrial asset; and
	overriding, via the neutralization module, the shutdown protocol to preclude the unwarranted shutdown of the industrial asset.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tuan A Vu whose telephone number is (571) 272-3735.  The examiner can normally be reached on 8AM-4:30PM/Mon-Fri.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Chat Do can be reached on (571)272-3721.
The fax phone number for the organization where this application or proceeding is assigned is (571) 273-3735 ( for non-official correspondence - please consult Examiner before using) or 571-273-8300 ( for official correspondence) or redirected to customer service at 571-272-3609.
Any inquiry of a general nature or relating to the status of this application should be directed to the TC 2100 Group receptionist: 571-272-2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Tuan A Vu/
Primary Examiner, Art Unit 2193
Novembre 17, 2022