A METHOD, A MONITORING SYSTEM AND A COMPUTER PROGRAM PRODUCT FOR MONITORING AND SECURING A NETWORK CONNECTED CONTROLLER

§102 §103 §112

DETAILED ACTION Authorization for Internet Communications The examiner encourages Applicant to submit an authorization to communicate with the examiner via the Internet by making the following statement (from MPEP 502.03): “Recognizing that Internet communications are not secure, I hereby authorize the USPTO to communicate with the undersigned and practitioners in accordance with 37 CFR 1.33 and 37 CFR 1.34 concerning any subject matter of this application by video conferencing, instant messaging, or electronic mail. I understand that a copy of these communications will be made of record in the application file.” Please note that the above statement can only be submitted via Central Fax (not Examiner's Fax), Regular postal mail, or EFS Web using PTO/SB/439. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/23/2025 has been entered. Response to Amendment In response to the claim amendment, in view of the Remarks filed 12/23/2025, the claim objection has been withdrawn. In response to the claims amendment, in view of the Remarks, the 101 rejection have been withdrawn. Claim Objections Claim 13 is objected to because of the following informalities: Regarding claim 13, there appears to be a typographical error “independent on technology” of -- independent of technology --. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claim 16 - 17 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor(s), at the time the application was filed, had possession of the claimed invention. Independent claim 16 essentially recites “repairing the controller configuration data”. While the specification, as originally filed, describes verifying controller configuration integrity, detecting anomalies, interrupting processes, and restoring data or program (See Page 9). However, the specification fails to describe repairing controller data as recited in the claim. In particular, the specification does not define what constitute “repairing”, how the data is repaired, or what operations are performed to effect such repair. The disclosure of restoring or reverting to approved configuration does not necessarily encompass repairing data, as “repairing” reasonably implies correcting corrupted or modified data, which is not expressly or inherently disclosed. Therefore, the specification as originally filed does not provide support for claim. Claim 17 is a dependent claim and thus also rejected. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1 - 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Byres et al., (US 2012/0151558 A1) (hereinafter “Byres”). Byres discloses; Regarding claim 1, a method for monitoring and securing a network connected controller [i.e., a method is provided for securing industrial devices i.e., devices 104 and 106 in a networked environment i.e., network 10 using a security appliance i.e., nodes 103 and 105 (page 1, para 0009), (page 2, para 0011), (see figure 1) i.e., the endpoint device includes PLCs (programmable logic controller) (page 2, para 0035)], comprising the steps of: providing a data acquisition device interconnected inline between the controller and a network [i.e., the security appliance i.e., security nodes 103 and 105 serially associated in the communication path (emphasis added) Note: “interconnected inline” between the network industrial device i.e., devices 104 and 106 to a data network i.e., network 10 (page 1, para 0009), (page 2, para 0011 and 0013), (page 3, para 0043), (see figures 1 and 5), (page 4, para 0048)], and extracting data from the controller, using the data acquisition device [i.e., the security node passively collects (emphasis added) Note: “extracting” information on the traffic transiting between the endpoint device and other devices in the network (page 4, para 0039), (page 2, para 0012) i.e., the security appliance intercepts packets and determines if the packet should be forwarded from the endpoint device (page 1, para 10), (see figure 1) i.e., received traffic at the device interface 502 (see figures 5 and 13), (page 6, para 0064) i.e., monitoring, in the security appliance, data traffic originating from the industrial device….receiving encrypted configuration data from the management (page 2, para 0011)]. Regarding claim 2, the method according to claim 1, wherein data is extracted during operation of the controller [i.e., monitoring transiting traffic (para 0010) i.e., all devices traffic is transparently bridged…the node monitors traffic originating from the device side (para 0055) i.e., operational phase continues inspection and forwarding of live traffic (para 0064 – 0066)]. Regarding claim 3, the method according to claim 1, wherein the data acquisition device enables operational data exchange between the controller and the network [i.e., transparently bridges traffic (para 0009) i.e., operating as a bridge from the device to the network (para 0043) i.e., packets forwarded between interfaces (para 0055 – 0057)]. Regarding claim 4, the method according to claim 1 further comprising processing the extracted data [i.e., learning characteristics; tailoring rules (para 0010) i.e., traffic is inspected (para 0064) i.e., packet payload decrypted and processed (para 0067)]. Regarding claim 5. the method according to claim 4, wherein processing the extracted data comprises at least one of comparing the extracted data with pre-specified data [i.e., communication module decrypting data embedded in the packets (para 0012) i.e., MCR decryption (para 0060 – 0061) i.e., CMP packet decrypted (para 0067)]. Regarding claim 6, the method according to claim 4, further comprising, based on the processing step at least one of: transmitting an alert message [i.e., heartbeat reports anomalous events (para 0010) i.e., report by exception (para 0042) i.e., exception heartbeat sent (para 0064 – 0066)]. Regarding claim 7, the method according to claim 6, wherein at least one of controlling the process running on the controller comprises intervening in a process, interrupting the process, initiating another process on the controller [i.e., communication module decrypting data embedded in the packets (para 0012) i.e., MCR decryption (para 0060 – 0061) i.e., CMP packet decrypted (para 0067)]. Regarding claim 8, the method according to claim 1, wherein the data acquisition device is interconnected between the controller and a network switch [i.e., figurer 2 depicts multiple security appliances integrated in a network switch (para 0017 i.e., devices interconnected by a network switch hosting security nodes (para 0045)]. Regarding claim 9, the method according to claim 1, wherein the extracted data comprises at least one of sensor data. or actuator data [i.e., PLC is connected to sensors/actuators (para 0035 – 0036)]. Regarding claim 10, the method according to claim 1, wherein the controller is arranged for controlling a controlled process in at least one of an actuator or a sensor system [i.e., PLCs in SCADA systems controlling industrial processes with sensors/actuators (para 0035 – 0036)]. Regarding claim 11, the method according to claim 1, wherein the network is an industrial ethernet protocol type network [i.e., ethernet/IP, MODBUS, DNP3, OPC (para 0039) i.e., network 10 may be control network, internet, or internet (para 0043)]. Regarding claim 12, the method according to claim 1, wherein the controller is a PLC [i.e., industrial control equipment (such as PLCs) (para 0035)]. Regarding claim 13, the method according to claim 6, wherein at least one of extracting the data from the controller, controlling the process running on the controller verifying integrity of the controller configuration, or ensuring the integrity of the controller configuration can be at least one of non-intrusive, independent on technology, independent on protocol, or independent on a supplier of at least one of the network or the controller [i.e., learning characteristics; tailoring rules (para 0010) i.e., traffic is inspected (para 0064) i.e., packet payload decrypted and processed (para 0067)]. Regarding claim 14, a monitoring system for monitoring and securing a network connected controller [i.e., a system is provided for securing industrial devices i.e., devices 104 and 106 in a networked environment i.e., network 10 using a security appliance i.e., nodes 103 and 105 (page 1, para 0009), (page 2, para 0011), (see figure 1) i.e., the endpoint device includes PLCs (programmable logic controller) (page 2, para 0035)], wherein the system comprises a data acquisition device interconnectable inline between the controller and a network [i.e., the security appliance i.e., security nodes 103 and 105 serially associated in the communication path (emphasis added) Note: “interconnected inline” between the network industrial device i.e., devices 104 and 106 to a data network i.e., network 10 (page 1, para 0009), (page 2, para 0011 and 0013), (page 3, para 0043), (see figures 1 and 5), (page 4, para 0048)], wherein the data acquisition device is arranged for extracting data from the controller [i.e., the security node passively collects (emphasis added) Note: “extracting” information on the traffic transiting between the endpoint device and other devices in the network (page 4, para 0039), (page 2, para 0012) i.e., the security appliance intercepts packets and determines if the packet should be forwarded from the endpoint device (page 1, para 10), (see figure 1) i.e., received traffic at the device interface 502 (see figures 5 and 13), (page 6, para 0064) i.e., monitoring, in the security appliance, data traffic originating from the industrial device….receiving encrypted configuration data from the management (page 2, para 0011)]. Regarding claim 15, a non-transitory computer-readable computer program product for monitoring and securing a network connected controller [i.e., an apparatus is provided for securing industrial devices i.e., devices 104 and 106 in a networked environment i.e., network 10 using a security appliance i.e., nodes 103 and 105 (page 1, para 0009), (page 2, para 0011), (see figure 1) i.e., the endpoint device includes PLCs (programmable logic controller) (page 2, para 0035)], the computer program product comprising computer-readable code for causing a data acquisition device interconnected inline between the controller and a network [i.e., the security appliance i.e., security nodes 103 and 105 serially associated in the communication path (emphasis added) Note: “interconnected inline” between the network industrial device i.e., devices 104 and 106 to a data network i.e., network 10 (page 1, para 0009), (page 2, para 0011 and 0013), (page 3, para 0043), (see figures 1 and 5), (page 4, para 0048)] to perform the step of extracting data from the controller [i.e., the security node passively collects (emphasis added) Note: “extracting” information on the traffic transiting between the endpoint device and other devices in the network (page 4, para 0039), (page 2, para 0012) i.e., the security appliance intercepts packets and determines if the packet should be forwarded from the endpoint device (page 1, para 10), (see figure 1) i.e., received traffic at the device interface 502 (see figures 5 and 13), (page 6, para 0064) i.e., monitoring, in the security appliance, data traffic originating from the industrial device….receiving encrypted configuration data from the management (page 2, para 0011)]. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Byres in view of Mulder et al., (US 9,032,522 B1) (hereinafter “Mulder”). Regarding claim 16, Byres discloses; a method for monitoring and securing a network connected controller [i.e., a method is provided for securing industrial devices i.e., devices 104 and 106 in a networked environment i.e., network 10 using a security appliance i.e., nodes 103 and 105 (page 1, para 0009), (page 2, para 0011), (see figure 1) i.e., the endpoint device includes PLCs (programmable logic controller) (page 2, para 0035)], comprising the steps of: providing a data acquisition device interconnected inline between the controller and a network [i.e., the security appliance i.e., security nodes 103 and 105 serially associated in the communication path (emphasis added) Note: “interconnected inline” between the network industrial device i.e., devices 104 and 106 to a data network i.e., network 10 (page 1, para 0009), (page 2, para 0011 and 0013), (page 3, para 0043), (see figures 1 and 5), (page 4, para 0048)]; extracting data from the controller by intercepting communications to and from the controller in real time, using the data acquisition device [i.e., the security node passively collects (emphasis added) Note: “extracting” information on the traffic transiting between the endpoint device and other devices in the network (page 4, para 0039), (page 2, para 0012) i.e., the security appliance intercepts packets and determines if the packet should be forwarded from the endpoint device (page 1, para 10), (see figure 1) i.e., received traffic at the device interface 502 (see figures 5 and 13), (page 6, para 0064) i.e., monitoring, in the security appliance, data traffic originating from the industrial device….receiving encrypted configuration data from the management (page 2, para 0011)]; analyzing the intercepted communications for deviations [i.e., analyze traffic for anomalous conditions (see ref. 1306 - 1308 of figure 13), (page 6, para 0064)]; and based on detecting a deviation data, repairing the controller data [i.e., if it is identified that an anomalous condition exists with packet by one or more the security modules, the traffic is dealt with based on the defined management rules (see ref. 1308 – 1310 of figure 13), (page 6, para 0064)]. Byres does not disclose; analyzing for deviation from controller configuration data and based on detected a deviation from the controller configuration data, repair the controller configuration data. However, Mulder discloses; analyzing for deviation from controller configuration data [i.e., analyzer component 330 is utilized to facilitate comparison of data comprising an operational state (e.g., command instruction 190B) with baseline data (e.g., baseline data 342C) captured during the initial configuration of controller 110 for a particular operational state (col. 7, lines 59 – 63), (see ref. 620 of figure 6)]; and based on detected a deviation from the controller configuration data, repair the controller configuration data [i.e., at 650, in association with determining that there is an anomaly in the content of the operational data versus the baseline data an alarm can be generated. The alarm notification can be forwarded to the controller to facilitate placing operation of the process associated with the controller into any of a safe operating state (col. 13, lines 62 – 67), (col. 14, lines 1 – 3), (see ref. 650 of figure 6)]. Before the effective filing date of the claimed invention it would have been obvious to a person of ordinary skill in the art to modify the teachings of Byres by adapting the teachings of Mulder to prevent subverting in STUX-NET attack (See Mulder; col. 1, lines 46 – 48). Regarding claim 17, Byres discloses, the method of claim 16, wherein the data acquisition device includes a first network terminal communicably coupled to the network and a second network terminal communicably coupled to the controller [i.e., a network interface 504 connects the security node to the network side…a device interface 502 connects the security node to the endpoint device (para 0048) i.e., show both interface (para 0021), (see figure 5)]. Response to Arguments Applicant’s arguments with respect to pending claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Khuti (US 2006/0294579 A1) discloses executing business applications on or more digital data processors that are interconnected in a first zone on the network, controlling the control system with one or more digital data processors that are interconnected in a second zone on the network, filtering with a first firewall digital data traffic between an external network and the first zone, filtering with a second firewall digital data traffic between the first zone and the second zone, and monitoring with any of an intrusion detection system and an intrusion detection system digital data traffic traveling between the first zone and the second zone.. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A RONI whose telephone number is (571)270-7806. The examiner can normally be reached M-F 9:00-5:00 pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SYED A RONI/Primary Examiner, Art Unit 2432