On-chassis backplane intrusion detection system and continuous thread detection enablement platform
US-2023079418-A1 · Mar 16, 2023 · US
US12462020B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12462020-B2 |
| Application number | US-202318345088-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 30, 2023 |
| Priority date | Jun 30, 2023 |
| Publication date | Nov 4, 2025 |
| Grant date | Nov 4, 2025 |
Official abstract text for this publication.
Systems and methods for firmware protection of industrial control systems. A kernel-level agent operating at a kernel mode intercepts a request to the resource, collects data associated with the intercepted request, and sends the collected data to a security service. A security service receives the collected data, analyzes the collected data to determine a verdict, and sends the verdict to the kernel-level agent. The kernel-level agent then executes a security action for the resource based on the verdict.
Opening claim text (preview).
The invention claimed is:
1. A method for protecting an Industrial Control System (ICS) resource, the ICS comprising a plurality of Programmable Logic Controllers (PLCs), the method comprising: at an initialization stage of the ICS, monitoring the ICS to determine a file path of the resource and a functionality of the resource by a kernel-level agent operating at a kernel mode; dynamically identifying, by the kernel-level agent, the resource prior to intercepting a request to the resource based on the functionality of the resource; intercepting, by the kernel-level agent operating at the kernel mode, a request to the resource based at least on the file path of the resource, wherein the request is initiated from a user mode of the ICS; collecting, by the kernel-level agent, data associated with the intercepted request to the resource; sending, by the kernel-level agent, the data to a security service, the security service operating at a user mode, wherein the security service is located on each PLC of the plurality of PLCs of the ICS; analyzing, by the security service, the collected data to determine a verdict; sending, by the security service, the verdict to the kernel-level agent; and executing, by the kernel-level agent, at least one security action for the resource based on the verdict received from the security service.
2. The method of claim 1, wherein the resource includes at least one of firmware, ICS files, firmware modules, and firmware libraries.
3. The method of claim 1, wherein intercepting the request is performed by at least one of a kernel driver or a file system filter driver.
4. The method of claim 1, wherein the analysis performed by the security service comprises at least one of: using anti-malware signatures to identify a potentially malicious file; applying a file rule to the data to identify a potential threat; or using a machine learning model to analyze the data.
5. The method of claim 1, wherein the at least one security action includes at least one of: changing the request from read-write mode to read-read mode; denying the request; allowing the request; allowing the request and preventing modification of the resource; generating a backup copy of the resource before allowing the request; allowing the request and performing copy on write-delayed snapshotting; or performing remediation of the resource.
6. The method of claim 1, wherein dynamically identifying the resource includes applying a rule specific to the ICS.
7. A system for protecting an Industrial Control System (ICS) resource from a potentially malicious application, the ICS comprising a plurality of Programmable Logic Controllers (PLCs), the system comprising: at least one microprocessor; a kernel-level agent operating at a kernel mode, the kernel-level agent comprising a set of program instructions stored in memory that, when executed by the at least one microprocessor, cause the at least one microprocessor to: at an initialization stage of the ICS, monitor the ICS to determine a file path of the resource and a functionality of the resource, dynamically identify the resource prior to intercepting a request to the resource based on the functionality of the resource, intercept a request to the resource from the potentially malicious application based at least on the file path of the resource, wherein the potentially malicious application operates in a user mode of the ICS, collect data associated with the intercepted request to the resource, send the data to a defense service, and execute at least one security action for the resource based on a verdict; and a defense service operating at the user mode, the defense service located on each PLC of the plurality of PLCs of the ICS, the defense service configured to: receive the collected data; analyze the collected data to determine the verdict; and send the verdict to the kernel-level agent.
8. The system of claim 7, wherein the resource includes at least one of firmware, ICS files, firmware modules, and firmware libraries.
9. The system of claim 7, wherein the kernel-level agent is at least one of a kernel driver or a file system filter driver.
10. The system of claim 7, wherein the defense service is configured to analyze the collected data to determine the verdict by at least one of: using anti-malware signatures to identify a potentially malicious file; applying a file rule to the data to identify a potential threat; or using a machine learning model to analyze the data.
11. The system of claim 7, wherein the at least one security action includes at least one of: changing the request from read-write mode to read-read mode; denying the request; allowing the request; allowing the request and preventing modification of the resource; generating a backup copy of the resource before allowing the request; allowing the request and performing copy on write-delayed snapshotting; or performing remediation of the resource.
12. The system of claim 7, wherein the kernel-level agent is further configured to dynamically identify the resource including by applying a rule specific to the ICS.
13. The method of claim 1, wherein a first security service of a first PLC of the plurality of PLCs operates without any common cloud reputation of a second security service of a second PLC of the plurality of PLCs.
14. The method of claim 1, wherein the kernel-level agent and the security service are in communication outside of a system resource intercept.
15. The method of claim 1, further comprising determining the resource for which to intercept based on hash content.
16. The method of claim 1, further comprising: after the initialization stage, monitoring the ICS to determine a functionality of another resource by the kernel-level agent; and dynamically identifying, by the kernel-level agent, the another resource prior to intercepting a request to the another resource based on the functionality of the another resource.
17. The system of claim 7, wherein a first security service of a first PLC of the plurality of PLCs operates without any common cloud reputation of a second security service of a second PLC of the plurality of PLCs.
18. The system of claim 7, wherein the kernel-level agent and the defense service are in communication outside of a system resource intercept.
19. The system of claim 7, wherein the set of program instructions further cause the at least one microprocessor to determine the resource for which to intercept based on hash content.
20. The system of claim 7, wherein the set of program instructions further cause the at least one microprocessor to: after the initialization stage, monitor the ICS to determine a functionality of another resource; and dynamically identify the another resource prior to intercepting a request to the another resource based on the functionality of the another resource.
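The claims describe a three-step exchange: a kernel-level agent intercepts a request to a resource it identified at initialization (by file path and functionality), collects data such as a content hash, and a per-PLC user-mode service returns a verdict that the agent enforces (deny, allow, or back up the resource before allowing the write). The following Python simulation is an added illustration of that decision flow and is not the patent's implementation; the file paths, the signature set and the firmware file rule are constructed for the example, and an in-memory dictionary stands in for flash storage.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample contents; the hash of MALICIOUS_BLOB is the only "anti-malware signature".
CLEAN_FW = b"PLC firmware image v1.2 (constructed sample)"
MALICIOUS_BLOB = b"trojanised firmware image (constructed sample)"
SIGNATURES = {hashlib.sha256(MALICIOUS_BLOB).hexdigest()}
# Resources the agent identified at the initialization stage: path -> functionality (constructed).
PROTECTED = {"/flash/firmware.bin": "firmware", "/flash/ladder.prg": "ics_file"}

@dataclass
class Request:
    path: str        # file path the user-mode requester asked for
    mode: str        # "read" or "read-write"
    payload: bytes   # bytes the requester wants to write (empty for reads)

def collect(req):
    """Kernel-level agent role: intercept only identified resources and gather request data."""
    if req.path not in PROTECTED:
        return None  # not a protected resource; the agent lets it pass untouched
    return {"path": req.path, "mode": req.mode, "functionality": PROTECTED[req.path],
            "sha256": hashlib.sha256(req.payload).hexdigest()}

def analyze(data):
    """Security-service role (user mode, local to the PLC): signature check, then a file rule."""
    if data["sha256"] in SIGNATURES:
        return "deny"
    if data["functionality"] == "firmware" and data["mode"] == "read-write":
        return "backup_then_allow"  # ICS-specific rule: never overwrite firmware without a copy
    return "allow"

def enforce(req, verdict, store):
    """Agent applies the verdict as a security action; `store` is the in-memory flash stand-in."""
    if verdict == "deny":
        return "denied"
    if verdict == "backup_then_allow":
        store[req.path + ".bak"] = store.get(req.path, b"")  # backup copy before the write
    if req.mode == "read-write":
        store[req.path] = req.payload
    return "allowed"

def handle(req, store):
    """Full intercept -> collect -> analyze -> verdict -> action round trip for one request."""
    data = collect(req)
    if data is None:
        return "not intercepted"
    return enforce(req, analyze(data), store)
```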
Secure firmware programming, e.g. of basic input output system [BIOS] · CPC title
by virus signature recognition · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
involving event detection and direct action · CPC title
involving long-term monitoring or reporting · CPC title