Gresham’s law is a monetary principle stating that “bad money drives out good”. For example, if there are two forms of commodity money in circulation, which are accepted by law as having similar face value, the more valuable commodity will gradually disappear from circulation. Source: Wikipedia
Part 2
The far worse passive-only OT asset inventory and detection approach drives out active queries … until it doesn’t.
From my weekly article way back in July of 2018.
The competitors are almost all promoting passive-only solutions today because it is an immediate answer to the asset owner objection that adding security will cause an outage. That said, the information available using an active component that uses legitimate control system commands to gather data is so valuable to detection and asset inventory that the passive-only solutions will be left behind. Most of the competitors know this and have active solutions in development, or already existing as stealth products, for when they feel the asset owners are ready.
My market prediction track record is directionally quite good, and my timeframes tend to be very optimistic. It usually takes longer. (Until it doesn’t)
I remember a visit to a still top-tier (what Gartner would call a leader) OT vendor back in 2018. The technical experts brought me into the lab, showed me their tech, and emphasized that they were passive only. They didn't put any packets on the network. My response: that's too bad. You would get more asset information, and more accurate asset information, if you used the legitimate OT protocol requests to ask for asset information.
The vendor’s response: we know, and we can do it in the lab. Customers won’t buy our product if it isn’t passive. We won’t release active or talk about active.
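To make concrete what "a legitimate OT protocol request for asset information" looks like, here is an added example (mine, not the vendor's or the article's own code) that builds a Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E, the request a maintenance tool sends to read vendor name, product code and firmware revision) and parses the reply. The device reply is constructed inline so the script runs offline; "ExamplePLC", "PLC-100" and "v2.1" are made-up values, not any real product.

```python
import struct

# Modbus/TCP framing: 7-byte MBAP header (transaction id, protocol id = 0,
# remaining length, unit id) followed by the PDU (function code + data).
FC_ENCAPSULATED_INTERFACE = 0x2B   # "Encapsulated Interface Transport"
MEI_READ_DEVICE_ID = 0x0E          # MEI type for Read Device Identification
READ_CODE_BASIC = 0x01             # basic identification stream (objects 0x00-0x02)

BASIC_OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
EXCEPTION_CODES = {0x01: "Illegal Function", 0x02: "Illegal Data Address",
                   0x03: "Illegal Data Value", 0x04: "Server Device Failure"}


def build_read_device_id_request(transaction_id, unit_id=0xFF,
                                 read_code=READ_CODE_BASIC, object_id=0x00):
    """Return the Modbus/TCP frame a client sends to ask a device who it is."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      read_code, object_id)
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_read_device_id_response(transaction_id, unit_id, objects):
    """Build the reply a device would send (used here only to simulate a PLC).
    objects: list of (object_id, ascii_value)."""
    body = b"".join(struct.pack(">BB", oid, len(val)) + val.encode("ascii")
                    for oid, val in objects)
    pdu = struct.pack(">BBBBBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      READ_CODE_BASIC, 0x01, 0x00, 0x00, len(objects)) + body
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id_response(frame):
    """Parse a Read Device Identification reply (or a Modbus exception) into a dict."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus (protocol id != 0)")
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match frame length")
    result = {"transaction_id": tid, "unit_id": unit, "error": None, "objects": {}}
    fc = pdu[0]
    if fc == (FC_ENCAPSULATED_INTERFACE | 0x80):        # exception response
        result["error"] = EXCEPTION_CODES.get(pdu[1], f"exception 0x{pdu[1]:02x}")
        return result
    if fc != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2..6]: read code, conformity level, more-follows, next object id, object count
    count = pdu[6]
    pos = 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = BASIC_OBJECT_NAMES.get(obj_id, f"object_0x{obj_id:02x}")
        result["objects"][name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return result


# Constructed sample exchange (hypothetical device, not captured traffic).
SAMPLE_REQUEST = build_read_device_id_request(transaction_id=1, unit_id=1)
SAMPLE_RESPONSE = build_read_device_id_response(
    1, 1, [(0x00, "ExamplePLC"), (0x01, "PLC-100"), (0x02, "v2.1")])
# A device that does not implement function 0x2B answers with an exception instead.
SAMPLE_EXCEPTION = struct.pack(">HHHBBB", 1, 0, 3, 1, FC_ENCAPSULATED_INTERFACE | 0x80, 0x01)

if __name__ == "__main__":
    print("request :", SAMPLE_REQUEST.hex())
    print("identity:", parse_read_device_id_response(SAMPLE_RESPONSE))
    print("refused :", parse_read_device_id_response(SAMPLE_EXCEPTION))
```

The point of the example is what a passive-only sensor never gets: the vendor, model and firmware revision arrive only because someone asked. A listener on a span port sees these values only if an engineering workstation happens to send the same query while the sensor is watching. The query itself is a read-only function code that engineering tools already use; the practical caveat is that some older devices answer function 0x2B with an exception (or not at all), so an active component should send it with a timeout, at a low rate, and only to devices the owner has approved for querying.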
We went through 5 years where all of the first- and second-tier competitors, except for Indegy, preached that active queries were dangerous. It might be OK for IT, but OT is different. Passive-only is the only solution that should be considered for OT.
The vendors knew that an active / passive combination was the right approach. However, adding active to the solution required overcoming an objection. Objection: You're going to bring our system down. Response: it's impossible for our system to put anything on your network. That would be very bad, and we know this.
If a vendor (like Indegy) offered anything but passive-only, the competitors were ready to pounce: you can't buy that solution, it's dangerous.
The good news is the good money (message) is starting to push back on the bad money (message). The vendors now offer a combination of passive and active. They are even starting to promote, to early adopters, active queries to get a more complete and accurate asset inventory. Will it be another 5 years before my 2018 prediction comes true?
Why the reversal of Gresham's law? The benefits of active were there in 2018. It's not a new technical invention. It might be that as the deployed base and vendor / asset owner relationships grew, the discussion of active queries could be broached with the innovators. It was no longer taboo with all customers. If the vendor could open the door to active queries, the improved asset inventory was a big leap forward. Obviously better.
What will it take to turn around the OT Threat Reports discussed in Part 1?