A stolen token shouldn't be able to command a gigawatt of DER.
The attacker mints a token against your fleet's cloud API — or reuses one valid across two platforms — enumerates every inverter behind it, and dispatches legitimate-looking setpoints from ordinary egress. Your IP allowlists pass it; your logs record a meaningless last IP. It works for one reason: your DER devices have no identity they can prove.
LFDI it already carries, that no one can forge and you can revoke worldwide in a single call. Give every DER an identity it can prove — and an off-switch its own PKI never had.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
This is how a fleet you built gets dispatched by someone who never owned an inverter.
No zero-day required. Just a bearer token and an aggregator API used exactly as built — at fleet scale.
Find the control plane
An internet-exposed gateway (~35k found on Shodan) or, higher-value, the vendor cloud / aggregator API that fronts a whole fleet.
Mint or steal the bearer
Hit an unauthenticated /oauth2/token, exploit a broken-authorization endpoint, or lift a hard-coded key. Now you hold a valid token — the fleet authority.
One token, one fleet
Iterate account and org IDs and the LFDIs behind them. "Many small devices, one control plane" becomes "one token, thousands of inverters."
Legitimate-looking dispatch
Push active-power setpoints, forced disconnect/reconnect, coordinated on/off, or malicious firmware. The token is valid; the egress is ordinary.
Every last IP is disposable
Hop across Amazon, Google and Azure, or a residential-proxy swarm, every few requests. Your SOC sees a fresh last IP and correlates nothing.
Swing the aggregate
Synchronize the fleet to move real power. Research models <2% of inverters as grid-relevant — and the token stays valid until one vendor rotates it.
Invisible at the network layer by design: a real operator is one head-end to a fleet it owns; the abuser is one token to a fleet it doesn't — and every IP it ever shows you is disposable. This is not hypothetical: a single cloud-platform pair coordinating ~195 GW of solar could be made to mint a token for any account and take it over, and ~800 monitoring devices were hijacked into Mirai through one unauthenticated command-injection flaw.
Strip the incident down and it isn't a hundred bugs. It's two.
Every step in that chain leans on exactly two structural gaps that every distributed-energy program shares. Close both and the attack has nowhere left to stand.
Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP was never the attacker. So you block noise while the operator keeps dispatching.
The answer — the graph. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your OT SOC, your auditors and a regulator can replay.
The verbs your analysts run — or your agent runs for them: identify(ip) (who really operates a host, even behind a CDN) · origins(prefix) + walk(node,depth) (cluster rotating IPs into one genealogy) · history / watch (a timeline and a standing sentinel) · arbitrary read-only Cypher (express "one source touching N distinct DER identities in a window" as a query, not a ticket).
"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"
Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on — and the finding feeds straight into your OT sensor and SIEM.
A minted or reused bearer token is a valid credential. Behaviorally it's the operator. Nothing at the perimeter separates it, because the token is a bearer instrument — whoever holds it can present it — and the device on the other end has no identity to check it against.
The answer — identity. Bind the command path to the inverter's own forge-proof /128 — an address derived from the key behind the LFDI the device already carries. A stolen token that can't prove the target DER's identity simply fails, and IEEE 2030.5's own certificate — life-long, no CRL, no OCSP — finally gets the off-switch it never had.
"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough?"
Because it can't be revoked and no one outside the utility can verify it. The LFDI is a SHA-256 of the device's own certificate — a genuinely good key-derived name — but it lives in a private SERCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL.
Gap 1 is detection made durable. Gap 2 is the root cause. Here's the root-cause cure.
Give every DER an identity it can prove — and no one can forge.
Stop treating fleet takeover as a detection problem and make it an identity problem — strictly stronger. Whisper has one primitive: the address is the identity.
A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.
Point it at devices. Derive each inverter's — or each gateway's or EVSE's — /128 from the public key behind the identifier it already carries: the IEEE 2030.5 LFDI (itself a SHA-256 of the device's X.509 cert), a SunSpec/Kyrio device cert, a secure element, or a TPM — with the LFDI or serial as the domain separator. The private key never leaves the device; the address is a one-way function of its public half and that identifier. No re-flashing the 25M+ inverters already in the field — you bind the identity they were born with.
"One token → a whole fleet" becomes physically impossible
You cannot present thousands of DER identities whose keys you don't hold. Every forgery is a DNSSEC/DANE inconsistency any verifier catches.
IP rotation becomes irrelevant
Identity is not the source IP. The "last IP" was never the credential — so rotating it, across clouds or residential proxies, changes nothing.
Stolen tokens fail
A minted or reused bearer with no device key behind it authenticates to nothing. The dispatch path checks the inverter, not the bearer.
One revoke kills a compromised inverter worldwide
At DNS-TTL speed: dig -x returns nothing; verify returns false. The revocation IEEE 2030.5's life-long certs never had.
revoke. A module swap or repower re-keys to a new /128 and revokes the old one; a decommission or a change of aggregator is one revoke and a re-register to the new owner. Compromise one inverter and you've compromised that inverter, not the fleet — the fleet-takeover failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored transparency log you and your regulator can audit.Maps to NERC CIP-013 / CIP-005 vendor-remote-access controls, EU NIS2 and the EU Network Code on Cybersecurity, NISTIR 7628 device identification, and Sandia's DER guidance — delivered as a network primitive, not a compliance binder. See the compliance map →
See who's enumerating your fleet — before the command lands.
An identity you can prove is also an identity you can watch. Because every DER's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who looked — a reconnaissance tripwire the LFDI's private registry never gave you — and can govern precisely what each device may talk to.
Who checked this inverter is a query
op:lookups returns who resolved or RDAP-queried a DER's identity — an early warning that someone is enumerating your fleet, not a post-mortem after the dispatch.
Govern what each device may reach
A graph-first resolver and source-bound egress enforce default-deny per device — allow the DERMS head-end and the OTA endpoint, block everything else, by name or subdomain.
Per-device firewall, budget, kill-switch
op:firewall allow/deny by host, cidr or port; op:budget caps a device's traffic; op:revoke cuts a compromised unit off worldwide in one call.
Non-repudiable telemetry
Bind each dispatch and telemetry stream to the DER's forge-proof /128 so the ISO, the utility and your own market settlement trust the numbers came from the real device.
The same address-is-identity primitive that governs a compromised inverter also governs the AI agents your VPP and trading desk are about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.
Don't take our word for it — our API isn't in the trust path.
Two tiers, by design. No key: anyone can verify a DER's identity, resolve it, and back-trace a suspicious controller — trustless, anchored at the IANA root. Your key: bind a device to the LFDI it carries, govern its egress, revoke it worldwide.
# keyless — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the identity's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the inverter — reverse DNS names it
$ dig -x 2a04:2a01:5e0::50c +short
lfdi-3f2504e0.der.example-vpp.whisper.online.
# who really operates a suspicious controller — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
# bind an inverter to the LFDI it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the device key>',
device_id:'3F2504E04F8911D39A0C0305E82C3301'}})" # device_id = the LFDI
→ identity 2a04:2a01:5e0::50c DNSSEC + DANE live
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper kill --revoke 2a04:2a01:5e0::50c # worldwide, at DNS-TTL
Your OT sensor sees that a DER is misbehaving. Whisper proves who commanded it — and follows them when the IP rotates.
The OT-detection incumbents — Dragos, Claroty, Nozomi, Armis, Forescout — are excellent at what's on your network and whether it's behaving, and that's necessary. But their device identity is observational — inferred from behavior, scoped to the monitored network, and non-revocable off-box. Your DERMS consumes the manufacturer's IEEE 2030.5 certificate; it doesn't mint identity and inherits the life-long, no-CRL/OCSP model. Whisper adds the two layers no one else owns: an internet-infrastructure attribution graph that fingerprints the operator across rotating clouds and residential proxies, and a publicly verifiable device-identity plane that is addressable and revocable at DNS-TTL. Exactly the two gaps the fleet-takeover attacks exploit.
| OT detection | DERMS + 2030.5 PKI | Whisper | |
|---|---|---|---|
| OT visibility & anomaly detection | ✓ | — | additive feed |
| Publicly verifiable device identity (DNS/DANE, not a private CA) | — | — | ✓ |
| Revocation at DNS-TTL, cross-operator | — | — | ✓ |
| Operator attribution across rotating egress | — | — | ✓ |
It's depth on top of the stack you already run — it can DANE-pin the same 2030.5 certificate your CSIP head-end already speaks, and it lands as a machine-readable feed into your SIEM — the Splunk and Microsoft Sentinel connectors ship today — enrichment that makes your OT sensor and threat-intel sharper. It doesn't replace them, and it doesn't add a console your analysts babysit.
Additive to your stack. Mapped to your standards. Availability-safe by construction.
Turnkey CIP-013 / CIP-005 evidence
Enumerate and kill any vendor device's connection in one call — direct evidence for CIP-005 R3.1/R3.2 (determine & disable active vendor remote access) and CIP-013 R1.2.3/R1.2.6. Also maps to NIS2 Art.21, the EU Network Code's zero-trust/traceability, and NISTIR 7628 SG.IA/SG.AU. See the map →
Nothing issued in the dark
Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your regulator. Honest status: tamper-evident today, independent witnessing is the next step.
Additive & availability-safe
It rides existing DNS/IPv6 and adds no inline OT chokepoint. If your head-end authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never bricks an inverter; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
One identity fabric, every vendor
Derived from the key already in the device — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's an inverter, a battery gateway, or an EVSE, it's one verifiable /128 you and the ISO can both check.
Flat, predictable pricing
Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset. See pricing →
A vendor that will still be here
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.
Give every DER an identity it can prove.
The address is the inverter — routable, DNSSEC-anchored, bound to the LFDI it already carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.
Or run whisper verify --trustless right now.