energy.whisper.online · DER & grid-edge security

A stolen token shouldn't be able to command a gigawatt of DER.

The attacker mints a token against your fleet's cloud API — or reuses one valid across two platforms — enumerates every inverter behind it, and dispatches legitimate-looking setpoints from ordinary egress. Your IP allowlists pass it; your logs record a meaningless last IP. It works for one reason: your DER devices have no identity they can prove.

We give them one. The address is the inverter — a routable, DNSSEC-anchored /128 bound to the LFDI it already carries, that no one can forge and you can revoke worldwide in a single call. Give every DER an identity it can prove — and an off-switch its own PKI never had.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

~35k solar devices from 42 vendors sit exposed on the open internet
~195 GW of solar coordinated by one platform pair — a stolen token took over any account
<2% of inverters (~4.5 GW) modeled enough to force EU grid load-shedding
~800 PV monitors hijacked into Mirai — the first confirmed attack on PV generation
10+/yr solar-vendor vulns for 3 years — 80% high/critical, 32% CVSS 9.8–10
0 revocation — IEEE 2030.5 device certs are life-long, no CRL, no OCSP

This is how a fleet you built gets dispatched by someone who never owned an inverter.

No zero-day required. Just a bearer token and an aggregator API used exactly as built — at fleet scale.

01 · RECON

Find the control plane

An internet-exposed gateway (~35k found on Shodan) or, higher-value, the vendor cloud / aggregator API that fronts a whole fleet.

02 · TOKEN

Mint or steal the bearer

Hit an unauthenticated /oauth2/token, exploit a broken-authorization endpoint, or lift a hard-coded key. Now you hold a valid token — the fleet authority.

03 · ENUMERATE

One token, one fleet

Iterate account and org IDs and the LFDIs behind them. "Many small devices, one control plane" becomes "one token, thousands of inverters."

04 · COMMAND

Legitimate-looking dispatch

Push active-power setpoints, forced disconnect/reconnect, coordinated on/off, or malicious firmware. The token is valid; the egress is ordinary.

05 · ROTATE

Every last IP is disposable

Hop across Amazon, Google and Azure, or a residential-proxy swarm, every few requests. Your SOC sees a fresh last IP and correlates nothing.

06 · STRESS

Swing the aggregate

Synchronize the fleet to move real power. Research models <2% of inverters as grid-relevant — and the token stays valid until one vendor rotates it.

Invisible at the network layer by design: a real operator is one head-end to a fleet it owns; the abuser is one token to a fleet it doesn't — and every IP it ever shows you is disposable. This is not hypothetical: a single cloud-platform pair coordinating ~195 GW of solar could be made to mint a token for any account and take it over, and ~800 monitoring devices were hijacked into Mirai through one unauthenticated command-injection flaw.

Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps that every distributed-energy program shares. Close both and the attack has nowhere left to stand.

Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP was never the attacker. So you block noise while the operator keeps dispatching.

The answer — the graph. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your OT SOC, your auditors and a regulator can replay.

The verbs your analysts run — or your agent runs for them: identify(ip) (who really operates a host, even behind a CDN) · origins(prefix) + walk(node,depth) (cluster rotating IPs into one genealogy) · history / watch (a timeline and a standing sentinel) · arbitrary read-only Cypher (express "one source touching N distinct DER identities in a window" as a query, not a ticket).

what your OT SOC sees — a rotating, meaningless “last IP” Stolen token = fleet authority AWS eu-central 3.68.x.x GCP europe-w4 34.90.x.x Azure westeu 20.61.x.x residential-proxy swarm 71.x · Comcast 82.x · KPN 99.x · Orange JA4-identical tooling infra genealogy JA4 fingerprint One operator ASN + hosting genealogy + JA4 / JA3 fingerprint evidence chain → your SIEM what the graph sees — one operator
Attribution survives rotation because it tracks the infrastructure and the tooling, not the ephemeral egress IP. The one thing we never rely on is the last IP.

"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"

Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on — and the finding feeds straight into your OT sensor and SIEM.

Gap 2 · a stolen token looks exactly like your aggregator

A minted or reused bearer token is a valid credential. Behaviorally it's the operator. Nothing at the perimeter separates it, because the token is a bearer instrument — whoever holds it can present it — and the device on the other end has no identity to check it against.

The answer — identity. Bind the command path to the inverter's own forge-proof /128 — an address derived from the key behind the LFDI the device already carries. A stolen token that can't prove the target DER's identity simply fails, and IEEE 2030.5's own certificate — life-long, no CRL, no OCSP — finally gets the off-switch it never had.

"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough?"

Because it can't be revoked and no one outside the utility can verify it. The LFDI is a SHA-256 of the device's own certificate — a genuinely good key-derived name — but it lives in a private SERCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL.

Gap 1 is detection made durable. Gap 2 is the root cause. Here's the root-cause cure.

Give every DER an identity it can prove — and no one can forge.

Stop treating fleet takeover as a detection problem and make it an identity problem — strictly stronger. Whisper has one primitive: the address is the identity.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.

Point it at devices. Derive each inverter's — or each gateway's or EVSE's — /128 from the public key behind the identifier it already carries: the IEEE 2030.5 LFDI (itself a SHA-256 of the device's X.509 cert), a SunSpec/Kyrio device cert, a secure element, or a TPM — with the LFDI or serial as the domain separator. The private key never leaves the device; the address is a one-way function of its public half and that identifier. No re-flashing the 25M+ inverters already in the field — you bind the identity they were born with.

Inverter / EVSE key LFDI · SunSpec cert · TPM never leaves the device private key sealed public key + LFDI /128 2a04:2a01:5e0::50c routable identity DNSSEC + DANE-EE A name anyone can verify whisper verify --trustless our API not in the trust path op:revoke → gone worldwide at DNS-TTL
The IEEE 2030.5 LFDI is already a SHA-256 of the device's certificate — a good key-derived name trapped in a private, non-revocable root. Whisper binds it to a routable, publicly verifiable /128 and gives it the off-switch its own PKI explicitly lacks.

"One token → a whole fleet" becomes physically impossible

You cannot present thousands of DER identities whose keys you don't hold. Every forgery is a DNSSEC/DANE inconsistency any verifier catches.

IP rotation becomes irrelevant

Identity is not the source IP. The "last IP" was never the credential — so rotating it, across clouds or residential proxies, changes nothing.

Stolen tokens fail

A minted or reused bearer with no device key behind it authenticates to nothing. The dispatch path checks the inverter, not the bearer.

One revoke kills a compromised inverter worldwide

At DNS-TTL speed: dig -x returns nothing; verify returns false. The revocation IEEE 2030.5's life-long certs never had.

Attaches to what you already ship — it does not replace it. Whisper complements the anchors you already trust — the IEEE 2030.5 / SunSpec / Kyrio device certificate, IEC 62351 on the substation bus, ISO 15118 Plug & Charge, TPM/HSM/secure elements. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the device↔cloud boundary: no bespoke CA trust store to push to every inverter, and revocation at DNS-TTL speed instead of a certificate that can never be revoked. You can even DANE-pin your existing 2030.5 endpoint's certificate to DNSSEC and cut single-CA trust risk.
The LFDI is the public fingerprint — the /128 is its cryptographic counterpart. The LFDI is a known, structured identifier flowing through every CSIP deployment; that's useful for interoperability but it's not a secret. The /128 is bound to the device's key and the LFDI — so the LFDI alone yields nothing. You cannot go LFDI → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the device's whereabouts. Because the derivation is tenant-bound, the same device under two aggregators yields two unrelated /128s — no one can link a unit across operators.
Lifecycle, end to end. Factory key → in-life dispatch → incident revoke. A module swap or repower re-keys to a new /128 and revokes the old one; a decommission or a change of aggregator is one revoke and a re-register to the new owner. Compromise one inverter and you've compromised that inverter, not the fleet — the fleet-takeover failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored transparency log you and your regulator can audit.

Maps to NERC CIP-013 / CIP-005 vendor-remote-access controls, EU NIS2 and the EU Network Code on Cybersecurity, NISTIR 7628 device identification, and Sandia's DER guidance — delivered as a network primitive, not a compliance binder. See the compliance map →

See who's enumerating your fleet — before the command lands.

An identity you can prove is also an identity you can watch. Because every DER's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who looked — a reconnaissance tripwire the LFDI's private registry never gave you — and can govern precisely what each device may talk to.

Who checked this inverter is a query

op:lookups returns who resolved or RDAP-queried a DER's identity — an early warning that someone is enumerating your fleet, not a post-mortem after the dispatch.

Govern what each device may reach

A graph-first resolver and source-bound egress enforce default-deny per device — allow the DERMS head-end and the OTA endpoint, block everything else, by name or subdomain.

Per-device firewall, budget, kill-switch

op:firewall allow/deny by host, cidr or port; op:budget caps a device's traffic; op:revoke cuts a compromised unit off worldwide in one call.

Non-repudiable telemetry

Bind each dispatch and telemetry stream to the DER's forge-proof /128 so the ISO, the utility and your own market settlement trust the numbers came from the real device.

The same address-is-identity primitive that governs a compromised inverter also governs the AI agents your VPP and trading desk are about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.

Don't take our word for it — our API isn't in the trust path.

Two tiers, by design. No key: anyone can verify a DER's identity, resolve it, and back-trace a suspicious controller — trustless, anchored at the IANA root. Your key: bind a device to the LFDI it carries, govern its egress, revoke it worldwide.

verify & attribute — no key required
# keyless — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the inverter — reverse DNS names it
$ dig -x 2a04:2a01:5e0::50c +short
  lfdi-3f2504e0.der.example-vpp.whisper.online.

# who really operates a suspicious controller — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
provision & govern — with your key
# bind an inverter to the LFDI it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the device key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the LFDI
  → identity 2a04:2a01:5e0::50c   DNSSEC + DANE live
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper kill --revoke 2a04:2a01:5e0::50c   # worldwide, at DNS-TTL

Your OT sensor sees that a DER is misbehaving. Whisper proves who commanded it — and follows them when the IP rotates.

The OT-detection incumbents — Dragos, Claroty, Nozomi, Armis, Forescout — are excellent at what's on your network and whether it's behaving, and that's necessary. But their device identity is observational — inferred from behavior, scoped to the monitored network, and non-revocable off-box. Your DERMS consumes the manufacturer's IEEE 2030.5 certificate; it doesn't mint identity and inherits the life-long, no-CRL/OCSP model. Whisper adds the two layers no one else owns: an internet-infrastructure attribution graph that fingerprints the operator across rotating clouds and residential proxies, and a publicly verifiable device-identity plane that is addressable and revocable at DNS-TTL. Exactly the two gaps the fleet-takeover attacks exploit.

OT detectionDERMS + 2030.5 PKIWhisper
OT visibility & anomaly detectionadditive feed
Publicly verifiable device identity (DNS/DANE, not a private CA)
Revocation at DNS-TTL, cross-operator
Operator attribution across rotating egress

It's depth on top of the stack you already run — it can DANE-pin the same 2030.5 certificate your CSIP head-end already speaks, and it lands as a machine-readable feed into your SIEM — the Splunk and Microsoft Sentinel connectors ship today — enrichment that makes your OT sensor and threat-intel sharper. It doesn't replace them, and it doesn't add a console your analysts babysit.

See the full comparison →

Additive to your stack. Mapped to your standards. Availability-safe by construction.

Identity device /128 · DNSSEC · DANE-EE · bound to the LFDI — who is this, provably 2030.5 · SunSpec · 15118 Attribution graph operator fingerprint across rotating clouds + residential — who's really behind this 7.44B nodes · BGP·DNS·TLS·JA4 Egress governance per-device /128 · policy · lookups · firewall · budget · revoke — what may talk to what default-deny THE ADDRESS IS THE IDENTITY AS219419 · 2a04:2a01::/32 Your SIEM Splunk & Sentinel today Machine-readable STIX 2.1 / TAXII · CEF / ECS Your standards CIP-013/005 · NIS2 · NISTIR 7628
Three planes on one primitive — and all three exit into the stack you already run, not a new silo.

Turnkey CIP-013 / CIP-005 evidence

Enumerate and kill any vendor device's connection in one call — direct evidence for CIP-005 R3.1/R3.2 (determine & disable active vendor remote access) and CIP-013 R1.2.3/R1.2.6. Also maps to NIS2 Art.21, the EU Network Code's zero-trust/traceability, and NISTIR 7628 SG.IA/SG.AU. See the map →

Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your regulator. Honest status: tamper-evident today, independent witnessing is the next step.

Additive & availability-safe

It rides existing DNS/IPv6 and adds no inline OT chokepoint. If your head-end authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never bricks an inverter; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

One identity fabric, every vendor

Derived from the key already in the device — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's an inverter, a battery gateway, or an EVSE, it's one verifiable /128 you and the ISO can both check.

Flat, predictable pricing

Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset. See pricing →

A vendor that will still be here

Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

Give every DER an identity it can prove.

The address is the inverter — routable, DNSSEC-anchored, bound to the LFDI it already carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.