Application whitelisting versus blacklisting

Application blacklisting keeps a list of undesirable programs and prevents those from executing. Whitelisting is more restrictive: it allows only applications that have been explicitly permitted to run. There is great debate among security experts over which technique, blacklisting or whitelisting, is better. Proponents of blacklisting argue that application whitelisting is too complex and difficult to manage. Compiling the initial whitelist requires detailed knowledge about all the users' tasks and the applications they need to run to perform those tasks. Maintaining the list can become a nightmare if many systems change regularly.

On the other hand, maintaining a list of blacklisted applications is not an easy task either. What if you miss one, or what if the signature of a blacklisted application changes just enough that the blacklisting application no longer detects it? From my experience, a blacklisting application is best suited for systems that change frequently because of updates, additions, and other changes to the application and the operating system. Also, because the blacklist of applications has to be maintained, a system like this should be able to receive regular list updates, be it from the Internet or an intermediate update server. In a typical ICS environment, systems in level 3 and higher in the Purdue model are prime candidates for a blacklisting solution.

A whitelisting application works well on systems that are more stagnant in nature: ones that don't change regularly because of patching or repurposing. Computer systems in level 2 and below of the Purdue model tend to fit this description. They are often purpose-built (Windows) computers that are set up in just the right way to serve their unique purpose. Because of their location, their age, or OEM-enforced restrictions, these systems do not or cannot receive application or operating system updates. This stagnant posture and the inability to be defended by other means make these systems perfectly suited for a whitelisting solution.
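The trade-off described above can be seen by running both policies over the same set of files. The following is an added example, not code from the book: it assumes a simple SHA-256 hash match as the "signature", and the byte strings, list contents and function names are constructed for illustration.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for executables on disk.
HMI_V1 = b"hmi-client build 1.0"            # approved application
HMI_V2 = b"hmi-client build 1.1"            # legitimate vendor update
UNWANTED = b"unwanted-tool payload"         # known undesirable program
UNWANTED_VARIANT = UNWANTED + b"\x00"       # same program, one byte changed
UNKNOWN = b"never-seen-before utility"      # on neither list

WHITELIST = {sha256(HMI_V1)}                # only explicitly permitted hashes
BLACKLIST = {sha256(UNWANTED)}              # only known-bad hashes


def blacklist_allows(data: bytes) -> bool:
    """Default allow: run anything whose hash is not on the blacklist."""
    return sha256(data) not in BLACKLIST


def whitelist_allows(data: bytes) -> bool:
    """Default deny: run only what is explicitly on the whitelist."""
    return sha256(data) in WHITELIST


def evaluate(samples: dict) -> dict:
    """Return {name: (blacklist_decision, whitelist_decision)} for each sample."""
    return {name: (blacklist_allows(d), whitelist_allows(d))
            for name, d in samples.items()}


SAMPLES = {
    "hmi_v1": HMI_V1,
    "hmi_v2_update": HMI_V2,
    "unwanted": UNWANTED,
    "unwanted_variant": UNWANTED_VARIANT,
    "unknown": UNKNOWN,
}

if __name__ == "__main__":
    print(f"{'sample':18} {'blacklist':10} whitelist")
    for name, (bl, wl) in evaluate(SAMPLES).items():
        print(f"{name:18} {'run' if bl else 'block':10} {'run' if wl else 'block'}")
```

The `unwanted_variant` row shows the blacklist gap (an altered copy no longer matches and runs), while the `hmi_v2_update` row shows the whitelist maintenance cost (a legitimate update is blocked until the list is revised).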
