DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is responsive to Applicant’s Amendment filed on 10/19/2022.
Claims 1-14 are presented for examination. Claims 1, 4-9 and 12 have been amended. 
Applicant’s amendments to the claims have overcome claim objections set forth in the non-Final Office Action mailed 8/17/2022.

Examiner Notes
Examiner cites particular columns, paragraphs, figures and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Claim Objections
Claims 1 and 6 are objected to because of the following informalities:
“control system comprising” at lines 1-2 of claim 1 should be “the control system comprising”.
“ensure security the plurality of functional modules” at lines 12-13 of claim 1 should be “ensure security of the plurality of functional modules”.
“one of provide and transfer” at the second-to-last line of claim 1 should be “one of providing and transferring” (note: Claim 6 is objected to for the same reason).
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5 and 7-14 are rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Kunsman et al. (US 20110307114 A1, hereafter Kunsman) and Kashyap et al. (US 20170180427 A1, hereafter Kashyap).
Kunsman was cited in the previous Office action.

Regarding Claim 1, Lo discloses: A control system in industrial automation technology (see [0001], [0004]-[0005]), control system comprising:
hardware including at least one processor and at least one storage device in which applications to be executed by the control system are stored, the hardware being configured to implement: (see [0005]; “a control layer automation device comprises a processor, one or more control layer applications, a database, a wireless interface, a device memory” and “The device memory comprises the one or more control layer applications”)
a plurality of mutually isolated execution environments (see [0007]); 
a plurality of functional modules each of which is independently executed and/or operated in an isolated execution environment of the plurality of mutually isolated execution environments (see [0007] and [0011]; “a control layer automation device maintaining a plurality of isolated computing environments which distinct runtime computing resources and executing control layer applications in the isolated computing environments, with each control layer application configured to perform a discrete set of automation functions”), the functional modules of the plurality of functional modules being characteristic of functions of the control system (see [0011]; “each control layer application configured to perform a discrete set of automation functions”).

Lo does not disclose: a security module configured to ensure the plurality of functional modules by executing security functions relating to at least one of (i) transport encryption and (ii) administration of user and/or groups, the security functions of the security module being executed in one of the mutually isolated execution environments of the plurality of mutually isolated execution environments,
wherein at least one of the plurality of functional modules is configured to at least one of provide and transfer configuration data related to the security functions of the security module. 

However, Kunsman discloses: A control system in industrial automation technology, control system comprising: hardware including at least one processor and at least one storage device in which applications to be executed by the control system are stored, the hardware being configured to implement: (see [0002]-[0003] and [0022]. Also see Fig. 2 and [0031]);
a plurality of mutually isolated execution environments (see [0022] and [0031]);
a security module configured to ensure security the plurality of functional modules by executing security functions, the security functions of the security module being executed in one of the mutually isolated execution environments of the plurality of mutually isolated execution environments (see [0008], [0022] and [0031]; “distinct and mutually isolated execution environments can be created. Each of these execution environments can host a single functionality out of a Supervisory Control And Data Acquisition (SCADA) functionality, a gateway functionality, an engineering workplace functionality and a firewall functionality”, emphasis added. At least one of the multiple isolated environments executes/hosts the firewall functionality, i.e., the claimed security module. It is well-known and understood that a firewall is a component in the computing field that executes security functions like enforcement of access/network restrictions to protect or ensure the security of the other components of the system/device, i.e., the claimed plurality of functional modules).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify at least one of the isolated execution environments executing control layer applications from Lo by utilizing at least one isolated execution environment of an automation control system device to implement the firewall functionality from Kunsman, since a firewall in the computing technology area is a well-known and understood component/system to one with ordinary skill in the art that provides features like restricting network access to the external system for the internal components (see [0027] from Lo; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. Lo does require a firewall-like feature; however, Lo does not provide details or specifics on what kind of component provides such network restriction functionality. Based on the descriptions from Kunsman, it provides a specific implementation for one with ordinary skill in the art to modify one of the isolated execution environments from Lo to execute the firewall functionality in order to provide the network restriction functionality).
Furthermore, Kashyap discloses: a firewall module as a security module configured to ensure security of other components at the system by executing security functions relating to one of (i) transport encryption and (ii) administration of users and/or groups, the security module being executed in one of the mutually isolated execution environments of the plurality of mutually isolated execution environments (see [0046] and [0048]; “Firewall VM 250 is a specialized virtual machine that comprises firewall software/applications to restrict network access of VMs running in client 200 to appropriate and/or necessary network access points” and “When a user wishes to run any application that requires access to either a network or untrusted data (untrusted data is any data that originates from outside client 200), the application is run inside a dedicated VM that is created on-demand by hypervisor 220”. The firewall module, as the claimed security module, ensures security of other components, i.e., other functional modules or applications running on other VMs, by executing functions of restricting network access of the other VMs requested by users to achieve the function of administration of users and/or groups. Also see Fig. 2, [0030], [0059]-[0060]; “any type of isolated execution environment, such as but not limited to a virtual machine” and “Firewall VM 250 runs an isolated operating system with a dedicated and fixed set of firewall applications that implement the network access policy for all VMs in client 200”, emphasis added. Each of the VMs in Fig. 2, including VM0 230, Firewall VM 250, LVM 240 and UCVMs, is an isolated execution environment),
wherein at least one of the plurality of functional modules is configured to at least one of provide and transfer configuration data relating to the security functions of the security module (see [0059], [0077]; “Firewall VM 250 may provide, to any virtual machine running on client 200 in which untrusted code is executed or untrusted data is being interpreted, restricted access to only those network resources deemed necessary on an as-needed basis in accordance with a policy described by policy data stored on client 200” and “Policy data of this nature may be maintained by VM0 230 or LVM 240, for example, in certain embodiments”. At least one of the functional modules of the VM0 or LVM 240 is configured to provide and/or transfer policy data to the firewall module, i.e., the configuration data related to the security functions of the security module. In addition, see [0128]-[0131] for certain details of policy data for restricting network access and/or administration of users/groups).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the firewall module/functionality features from the combination of Lo and Kunsman by including the method of configuring the firewall module executing on an isolated execution environment to protect other modules executing on other isolated execution environments based on policy data from Kashyap, and thus the combination of Lo, Kunsman and Kashyap would disclose the missing limitations from Lo, since it provides a mechanism of configuring the firewall module to protect each execution environment or users/groups based on the requirements/needs of each execution environment or users/groups (see [0059] and [0128]-[0131] from Kashyap).

Regarding Claim 2, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the functions of the control system include at least one of a controller core, an operating system core, applications, and communication (see [0011] from Lo; “a control layer automation device maintaining a plurality of isolated computing environments which distinct runtime computing resources and executing control layer applications in the isolated computing environments, with each control layer application configured to perform a discrete set of automation functions”. The functions of the control system include at least applications).

Regarding Claim 4, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the security functions executed by the security module are delegated to the security module by one of the functional modules of the plurality of functional modules (see [0008], [0022] and [0031] from Kunsman; “distinct and mutually isolated execution environments can be created. Each of these execution environments can host a single functionality out of a Supervisory Control And Data Acquisition (SCADA) functionality, a gateway functionality, an engineering workplace functionality and a firewall functionality”, emphasis added. At least one of the multiple isolated environments executing/hosting the firewall functionality is executing one central module to perform network access restriction for other components at the device. Note: it is well-known and understood to one with ordinary skill in the art that a network access restriction feature is delegated to the firewall by other components).

Regarding Claim 5, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: the security module is configured to execute at least one function relating to enforcement of access restrictions (see [0027] from Lo, [0008] and [0022] from Kunsman; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”, “a firewall—separating the station bus from other networks, such as corporate network” and “distinct and mutually isolated execution environments can be created. Each of these execution environments can host a single functionality out of … a firewall functionality”. The firewall functionality to “restrict network access for a respective control layer application to communication with one or more specific operator devices” would ensure security of the other functional modules of the control system/device and thus enforcement of access restrictions. Also see [0046] from Kashyap; “Firewall VM 250 is a specialized virtual machine that comprises firewall software/applications to restrict network access of VMs running in client 200 to appropriate and/or necessary network access points”).

Regarding Claim 7, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the security module is configured as a proxy for communication requests, for access requests to the applications, and/or for granting access to the applications (see [0027] from Lo, [0008], [0022] from Kunsman; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. The firewall functionality executed at the Isolated App Runtime Environment 110F2 works as a proxy for restricting network access for other applications, i.e., for communication requests, for access requests to the other applications, and/or for granting access to the other applications).

Regarding Claim 8, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the control system is configured such that one of the functional modules of the plurality of functional modules performs a function that can be delegated to the security module (see [0027] from Lo, [0008], [0022] from Kunsman; “the Isolated App Runtime Environment 110F2 may restrict network access for a respective control layer application to communication with one or more specific operator devices”. The other control layer applications at other environments except for the Isolated App Runtime Environment 110F2 would perform an associated function that is to be delegated to the firewall functionality executed at the Isolated App Runtime Environment 110F2).

Regarding Claim 9, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the control system is configured to verify a trustworthiness of one of the functional modules of the plurality of functional modules that is to be installed and/or executed (see [0122]-[0123], [0165] from Kashyap; “all signed executable files from an internal organization or company are to be assigned to a virtual machine having a specified set of characteristics” and “instruct untrusted applications to execute in separate virtual machines so that each untrusted application is isolated from other applications and data of the client” and “a different trust level for external sources of digital content”, “a level of trust between the first isolated execution environment and the second isolated execution environment”).

Regarding Claim 10, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the control system is included in an automation device (see [0005] from Lo; “a control layer automation device”).

Regarding Claim 11, the rejection of Claim 10 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the automation device is included in an automation system (see [0002] and [0025] from Lo; “the automation system 100 including Controller 110E”).

Regarding Claim 12, Claim 12 is a method claim corresponding to system Claim 1 and is rejected for the same reason set forth in the rejection of Claim 1 above.

Regarding Claim 13, the rejection of Claim 12 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein a computer program includes commands which cause the control system to execute the method (see [0051]-[0053] from Lo).

Regarding Claim 14, the rejection of Claim 13 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: wherein the computer program is stored on a machine-readable storage medium (see [0051]-[0053] from Lo).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Kunsman et al. (US 20110307114 A1, hereafter Kunsman) and Kashyap et al. (US 20170180427 A1, hereafter Kashyap) and further in view of Chen et al. (US 20160179564 A1, hereafter Chen).
Kunsman and Chen were cited in the previous Office action.

Regarding Claim 3, the rejection of Claim 1 is incorporated, the combination of Lo, Kunsman and Kashyap does not disclose: at least one specified communications channel through which communication and/or interaction between two functional modules of the plurality of functional modules occurs.
However, Chen discloses: a plurality of mutually isolated execution environments; a plurality executable and/or operating functional modules each of which is executed and/or operated in an isolated execution environment of the plurality of mutually isolated execution environments (see Fig. 8, [0128], [0131] and [0200]. The two execution environments VM300D and IEE 400 are mutually isolated from each other, wherein each of the environments executes at least one software application, i.e., functional module);
at least one specified communications channel through which communication and/or interaction between two functional modules of the plurality of functional modules occurs (see Fig. 8 and [0200]; “a relatively straightforward manner to facilitate the interaction and communication between the IEE 400 and the environment of the VM 300D, while maintaining the isolation between the two environments”).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the multiple isolated execution environments on the same device from the combination of Lo, Kunsman and Kashyap by including a particular communication mechanism between two isolated execution environments on the same device from Chen, since it would provide a relatively straightforward manner to facilitate the interaction and communication between the two environments while maintaining the isolation between the two environments (see [0200] from Chen).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Lo et al. (US 20180011465 A1-IDS recorded, hereafter Lo) in view of Kunsman et al. (US 20110307114 A1, hereafter Kunsman) and Kashyap et al. (US 20170180427 A1, hereafter Kashyap) and further in view of Ohkado et al. (US 20120209411 A1, hereafter Ohkado).
Kunsman and Ohkado were cited in the previous Office action.

Regarding Claim 6, the rejection of Claim 1 is incorporated and further the combination of Lo, Kunsman and Kashyap discloses: a communication interface through which the at least one of the plurality of the functional modules is configured to at least one of provide and transfer the configuration data to the security module (see [0059] and [0077] from Kashyap. A communication interface is required through which one of the functional modules of the VM0 or LVM 240 is configured to provide and/or transfer policy data to the firewall module, i.e., the configuration data related to the security functions of the security module), wherein the configuration data are characteristic of a security measure (see [0059], [0077] and [0128]-[0131] from Kashyap. The policy data is related to how the firewall VM performs the security functions on the applications/codes executed on the other VMs or system, and thus such policy data is characteristic of a security measure of the firewall VM and the applications/codes executed on the VMs or system).
The combination of Lo, Kunsman and Kashyap does not disclose: the communication interface is an adapter.
However, Ohkado discloses: an adapter through which at least one isolated execution environment of the plurality of execution environments is configured to provide and/or transfer data to another isolated execution environment (see [0042]; “The virtual machine 232 is connected, via the virtual network adapter 244, to a virtual network 234, which is a logical network in which a plurality of virtual machines 232 and the sandbox management section 210 participate, so that the industrial control systems 240 on the virtual machines 232 can mutually communicate with each other via this virtual network 234”, emphasis added).
It would have been obvious to one with ordinary skill in the art, before the effective filing date of the claimed invention, to modify the communication between the isolated execution environments from the combination of Lo, Kunsman and Kashyap by connecting multiple isolated execution environments to achieve communication between the execution environments via adapter type resources from Ohkado, and thus the combination of Lo, Kunsman, Kashyap and Ohkado would disclose the missing limitations from the combination of Lo, Kunsman and Kashyap (note: the firewall functionality at the combination system, i.e., the claimed security module, is also implemented in one of the isolated execution environments like other control layer applications, and thus the communication between the firewall functionality and other control layer applications located at other isolated execution environments can be achieved via the adapter of the corresponding isolated execution environments), since it is well-known and understood to connect each of the isolated execution environments via a network adapter to form a network system (see [0042] from Ohkado).

Response to Arguments
Applicant’s arguments, filed 10/19/2022, with respect to rejections of Claims 1-14 under prior art rejections have been fully considered. New grounds of rejection were made based on the amended limitations in the independent claims and the corresponding arguments in the Remarks.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHI CHEN whose telephone number is (571)272-0805.  The examiner can normally be reached on Monday-Friday 9:30AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emerson Puente can be reached on (571)272-3652.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Zhi Chen/
Patent Examiner, AU2196

/EMERSON C PUENTE/
Supervisory Patent Examiner, Art Unit 2196