DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant argued that Guo in view of Buck failed to disclose in response to receiving the command, updating a first flag associated with the first policy from active to inactive, and updating a second flag associated with the second policy from inactive to active. Yamazaki disclosed a policy database with a policy table including a policy ID and a selection flag, where the selection flag corresponding to the acquired policy ID is set to selected, and the other policy IDs are set to not selected. This is equivalent to active and inactive settings on a policy flag. See Yamazaki [0088], [0093].
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 5, 8, 9, 11, 12, 15-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Guo (US 2023/0199029) in view of Buck et al. (US 2020/0287793) in view of Yamazaki et al. (US 2021/0029630).
In regard to claim 1, Guo disclosed an operational technology (OT) device, (Guo [0003]) comprising:
a processor; and
a memory, accessible by the processor, the memory storing:
a first policy comprising a first set of rules governing operation of the OT device, access to the OT device, and how the OT device communicates with one or more other devices in an industrial automation system; (Guo [0008], first security policy)
a second policy comprising a second set of rules governing the operation of the OT device, access to the OT device, and how the OT device communicates with the one or more other devices in the industrial automation system; and (Guo [0008], second security policy)
instructions that, when executed by the processor, cause the processor to perform operations comprising:
receiving first data associated with a first event (Guo [0005]), …
identifying a first action in response to the first event based on the first security policy; (Guo [0005])
performing the identified first action; (Guo [0005])
…
receiving second data associated with a second event; (Guo [0005])
identifying a second action in response to the second event based on the second policy; and (Guo [0005])
performing the identified second action. (Guo [0005])
Guo failed to disclose:
receiving a command to enforce the second policy and stop enforcing the first policy;
However, Buck disclosed:
receiving a command to enforce the second policy and stop enforcing the first policy; Buck et al. [0040], where Buck disclosed the ability to roll back a policy change (a command to enforce a second policy and stop enforcing a first policy)
Buck further disclosed:
wherein the first event comprises a request for data, a request for access, a request to install software, or a request to establish a connection, or any combination thereof, Buck [0062]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to rollback policies in Guo when it was found that they were no longer necessary for operation of the network or caused the network to malfunction.
Guo and Buck failed to disclose in response to receiving the command, updating a first flag associated with the first policy from active to inactive, and updating a second flag associated with the second policy from inactive to active.
However, Yamazaki disclosed a policy database with a policy table including a policy ID and a selection flag, where the selection flag corresponding to the acquired policy ID is set to selected, and the other policy IDs are set to not selected. This is equivalent to active and inactive settings on a policy flag. See Yamazaki [0088], [0093].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize a policy flag in Guo / Buck in order to determine which policy had been selected for use in the Guo / Buck combination.
In regard to claim 2, Guo and Beck failed to disclose wherein the command to enforce the second policy and stop enforcing the first policy is received from another device via an OT network.
However, Beck did disclose the ability to issue a rollback based on an administrator request. See Beck [0040].
It would have been obvious to one of ordinary skill in the art to issue the administrator’s request to rollback the policy in Beck from another device, in order to allow the administrator remote access.
In regard to claim 5, Guo and Buck failed to disclose wherein the command to enforce the second policy and stop enforcing the first policy is received via a user interface of the OT device.
Buck did disclose enforcing a second policy and stop enforcing a first policy. Beck [0040]. Beck further disclosed a user interface. Beck [0062].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to send Beck’s command to rollback a policy using a user interface as in Beck in order that the user could control the rollback of the security policy in Guo.
In regard to claim 8, Guo and Buck failed to disclose wherein the memory stores a third policy comprising a third set of rules governing the operation of the OT device, wherein identifying the first action in response to the first event is based on the first policy and the third policy.
Guo did disclose a first security policy and a second security policy. Buck did disclose the ability to rollback one policy.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that if Guo and Beck both utilized two policies, that a third policy could be added to Guo and Beck for flexibility in establishing a security policy.
In regard to claim 9, Guo disclosed an operational technology (OT) device, comprising:
…
a processor; and
a memory, accessible by the processor, the memory storing:
the first policy, wherein the first policy comprises a first set of rules governing operation of the OT device, access to the OT device, and how the OT device communicates with one or more other devices in an industrial automation system; (Guo [0008], first security policy)
the second policy, wherein the second policy comprises a second set of rules governing the operation of the OT device, access to the OT device, and how the OT device communicates with the one or more other devices in the industrial automation system; and (Guo [0008], second security policy)
instructions that, when executed by the processor, cause the processor to perform operations comprising:
receiving first data associated with a first event (Guo [0005]), wherein the first event comprises a request for data, a request for access, a request to install software, or a request to establish a connection, or any combination thereof;
identifying a first action in response to the first event based on the first policy; (Guo [0005])
performing the identified first action; (Guo [0005])
…
receiving second data associated with a second event; (Guo [0005])
identifying a second action in response to the second event based on the second policy; (Guo [0005]) and
performing the identified second action. (Guo [0005])
Guo failed to disclose:
a user interface element that, when actuated, generates a command to enforce a second policy and stop enforcing a first policy;
and
receiving, via the user interface element, the command to enforce the second policy and stop enforcing the first policy;
However, Buck disclosed:
a user interface element that, when actuated, generates a command to enforce a second policy and stop enforcing a first policy; Buck [0062]
and
receiving, via the user interface element, the command to enforce the second policy and stop enforcing the first policy; Buck [0040]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to rollback policies in Guo when it was found that they were no longer necessary for operation of the network or caused the network to malfunction.
In regard to claim 11, Guo and Buck failed to disclose:
receiving, from another device via an OT network, a third policy comprising a third set of rules governing the operation of the OT device, and an indication that third policy is to be enforced instead of the first policy; and
storing the third policy in the memory.
Guo did disclose a first security policy and a second security policy. Buck did disclose the ability to rollback one policy.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that if Guo and Beck both utilized two policies, that a third policy could be added to Guo and Beck for flexibility in establishing a security policy
In regard to claim 12, Guo further disclosed:
receiving third data associated with a third event; (Guo [0005])
identifying a third action in response to the third event based on the third policy; (Guo [0005]) and
performing the identified third action. (Guo [0005])
In regard to claim 15, Guo disclosed a method, comprising:
enforcing a first policy comprising a first set of rules governing operation of an OT device, access to the OT device, and how the OT device communicates with one or more other devices in an industrial automation system; (Guo [0008], first security policy)
Guo failed to disclose:
receiving a command to stop enforcing the first policy and to enforce a second policy comprising a second set of rules governing the operation of the OT device, access to the OT device, and how the OT device communicates with the one or more other devices in the industrial automation system;
retrieving the second policy from memory; and
enforcing the second policy.
However, Buck disclosed:
receiving a command to stop enforcing the first policy and to enforce a second policy comprising a second set of rules governing the operation of the OT device, access to the OT device, and how the OT device communicates with the one or more other devices in the industrial automation system;
retrieving the second policy from memory; and
enforcing the second policy.
See Buck [0040]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to rollback policies in Guo when it was found that they were no longer necessary for operation of the network or caused the network to malfunction.
In regard to claim 16, Guo and Buck further disclosed:
receiving first data associated with a first event (Guo [0005]), wherein the first event comprises a request for data, a request for access, a request to install software, or a request to establish a connection, or any combination thereof; Buck [0062]
identifying a first action in response to the first event based on the first policy; (Guo [0005]) and
performing the identified first action. (Guo [0005])
In regard to claim 17, Guo further disclosed wherein enforcing the second policy comprises:
receiving second data associated with a second event; (Guo [0005])
identifying a second action in response to the second event based on the second policy; (Guo [0005]) and
performing the identified second action. (Guo [0005])
In regard to claim 18, Buck further disclosed wherein the first event and the second event comprises an additional request for data, an additional request for access, an additional request to install software, or an additional request to establish a connection, or any combination thereof. Buck [0062]
Claim 20 is rejected for substantially the same reasons as claim 2.
Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Guo in view of Buck in view of Yamazaki as applied to claim 2 above, and further in view of Official Notice.
In regard to claim 3, Guo in view of Beck in view of Yamazaki failed to explicitly disclose wherein the command is received with a file that includes the second policy.
However, Official Notice is taken that security policies are stored in security policy files.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to store a security policy in a security policy file in order for the policy to be saved and stored between devices.
In regard to claim 4, Guo in view of Beck in view of Yamazaki failed to explicitly disclose wherein the command identifies the second policy stored in the memory.
However, Official Notice is taken that a security policy may be held in memory in order for the computer to access the security policy.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to store a security policy in memory in Guo / Beck / Yamazaki in order for Guo’s device to access the security policy.
Claims 6, 13, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Guo and Beck and Yamazaki as applied to claim 1 above, and further in view of Russello (US 2015/0332043).
In regard to claim 6, Guo and Beck and Yamazaki failed to disclose wherein the first policy comprises an active policy, and wherein the second policy comprises a backup policy.
However, Russello disclosed a backup policy and an active policy. Russello [0373] disclosed making a backup of the policy configuration file – a backup policy.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention when making the first and second security policies in Guo and Beck that one should be placed as a backup – a backup policy – in order to be reverted to as in Beck to allow for a rollback of a security policy.
Claim 13 is rejected for substantially the same reasons as claim 6.
Claim 14 is rejected for substantially the same reasons as claim 6.
Claim 19 is rejected for substantially the same reasons as claim 6.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Guo in view of Beck in view of Yamazaki as applied to claim 1 above, and further in view of Goodman et al. (US 2024/0129134).
In regard to claim 7, Guo and Beck and Yamazaki failed to disclose:
receiving an input indicative of a modification to the first policy; and
updating the first policy stored in the memory to implement the modification.
However, Goodman disclosed modifying a security policy. Goodman [0020], [0067].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify one of the security policies in Guo and Beck when establishing a first security policy and a second security policy, in order that one security policy could be rolled back as taught in Beck [0040].
Claim 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Guo in view of Buck in view of Yamazaki as applied to claim 1 above, and further in view of Sadeh-Koniecpol et al. (US 2010/0036779).
In regard to claim 21, Buck further disclosed the user interface element comprises a policy undo switch that, when actuated, is configured to implement the command to enforce the second policy and stop enforcing the first policy. Buck [0040], where Buck disclosed the ability to roll back a policy change (a command to enforce a second policy and stop enforcing a first policy)
Guo and Buck and Yamazaki failed to disclose policy rollback was actuated by a policy undo switch in the user interface.
However, Sadeh-Koniecpol disclosed a policy modification undo switch in the user interface. Sadeh-Koniecpol [0062]
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to undo a policy modification (policy rollback) in Guo / Buck / Yamazaki combination by clicking a button, switch, or other graphical user interface item, in order to easily modify the policy changes in Guo / Buck / Yamazaki.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey R. Swearingen whose telephone number is (571)272-3921. The examiner can normally be reached M-F 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached at 571-270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Jeffrey R. Swearingen
Primary Examiner
Art Unit 2445
/Jeffrey R Swearingen/Primary Examiner, Art Unit 2445
Prosecution Insights