Gresham’s Law - Part 1
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Gresham's law is a monetary principle stating that "bad money drives out good". For example, if there are two forms of commodity money in circulation, which are accepted by law as having similar face value, the more valuable commodity will gradually disappear from circulation. Source: Wikipedia
Gresham’s law can apply in many areas besides currency, often when there’s a feedback loop that rewards bad behavior. The Great Mental Models: Volume 4 gives the example of performance enhancing drugs in cycling. Taking the drugs led to better performance and more money, and not taking the PEDs led to being dropped from the team or circuit.
I believe we’ve been seeing Gresham’s law in action in the annual OT Security Threat Reports that vendors release. The sensationalized reports have driven out virtually all good reports, particularly in the executive summary and highlights.
Most of these reports still show accurate raw data, not fabricated data. Where they fail is in the highlighting of statistics selected because they are most likely to instill fear, gain media amplification, and eventually drive sales, and in ignoring or burying any data that doesn’t support the narrative of threat and impact getting higher.
Unfortunately I saw one of the last reports I put in the “good money” category, the Waterfall / ICS STRIVE report, succumb to the rewards of highlighting the most sensational statistic, even though none of the other data supported the contention that there was a dramatic increase in attacks and consequences in OT.
The first bullet in the executive summary and lead in the press release and articles:
2024 saw a 146% increase in sites suffering physical impairment of operations because of cyber attacks, rising from 412 sites in 2023 to 1,015 in 2024.
Even though the number of attacks in the criteria they track increased by only 5% to 76. 76 … in the world, in all sectors, for 2024. A cause for celebration given the fragile and insecure-by-design state of many ICS. Some were good. Many were lucky.
Only 13% of those 76 attacks directly impacted OT. 10 attacks in all of 2024 made it to OT. Hurrah. This report is full of good news, especially given the dire predictions in other reports a year prior.
Another hyperbole is the “tripling of nation state attacks” in the second bullet. They went from 2 to 7. Very small, statistically insignificant numbers. Most were related to GPS jamming and some attacks on small water utilities.
The Waterfall / ICS STRIVE report remains my favorite report because they provide detail on the cyber incidents with physical consequences, and you can evaluate and draw your own conclusions. It’s regrettable that most will read the summary and the resulting articles and draw the wrong conclusions.
The fact that the threat data doesn’t indicate we are ramping up to disaster doesn’t mean most OT is secure and resilient. It’s not. I know many people in the community who could do great damage if they wanted to and were willing to deal with the likely personal consequences. This is not a reason for hyped analysis.
Unfortunately the incentives, the rewards, are for hyped, bad analysis.
We need to do better. We can do better.
Next week in Part 2 I’ll show an example where bad information chased out good, and good is managing to make a comeback after 5 years.
--
8 hours ago Dale, I agree 100%. The issue I see is balancing reports that say 250%+ increase of incidents vs 40% when the total number of incidents is +/-20… The over-exaggeration of incidents or threats isn’t helpful, it’s noise that makes the story harder to tell. I believe there is a real threat, but when companies try to manifest relevance through sensationalism, that is a huge problem.
OTbase founder & CEO
1 day ago Discussion: https://www.youtube.com/watch?v=9PN9aqBefck
Field CTO | Technical & Executive Leader | Senior Cybersecurity Specialist | Polar Express Stunt Double
2 days ago Dale, I'm far more concerned about things like this (as I've been hearing from multiple government agencies about a general trend of less cooperation & information sharing from orgs):
Chief Information Security Officer | OT Security Evangelist @ Omny
2 days ago Now this was interesting.