# Compare — additive to detection, additive to your DERMS PKI

> Your OT sensor sees *that* a DER is misbehaving. Your DERMS trusts a 2030.5 cert it can't revoke.
> OT detection (Dragos, Claroty xDome, Nozomi, Armis, Forescout) and the DERMS/VPP platform on your
> IEEE 2030.5 PKI are each good — keep running every one. Whisper is the two rows no category owns —
> attribution that outlives egress rotation, and identity that is publicly verifiable and revocable
> at DNS-TTL — and it feeds your stack rather than replacing it.

The fleet-takeover attack survives the whole stack, because it walks two rows no category was built
to own: **attribution that outlives egress rotation**, and **a device identity that is publicly
verifiable and revocable at DNS-TTL**. Whisper is those two rows — and only those. Additive, never a
replacement: it feeds your OT sensor and SIEM, DANE-pins the same 2030.5 cert, and closes both gaps.
**The address is the inverter — provable, and no one can forge it.**

`whisper verify --trustless` — the one thing no tool on this page offers: you never have to trust *our* API.

- **2 rows** — the two rows every fleet-takeover attack walks through — both owned here
- **0** — rip-and-replace; Whisper rides your existing DNS + IPv6, no inline OT chokepoint
- **0** — revocation in IEEE 2030.5: life-long device certs, no CRL, no OCSP
- **Splunk & Sentinel** — a signed feed into your SIEM today (CEF/ECS now)
- **trustless** — verify any DER's identity without trusting our API

---

## Every category here is good. The incident survives in the two rows none of them own.

The fleet-takeover attack — mint or reuse an aggregator bearer token, enumerate the `LFDI`s behind
it, dispatch legitimate-looking setpoints from rotating egress — passes every check on purpose.
Strip it down and it leans on exactly two structural gaps. Here's which category leaves each one
open, and why.

### Gap 1 · you can't follow them when the egress rotates

OT detection is excellent at what's on your network and whether it's behaving — but its attribution
is *network-scoped*. Rate-limit an IP and the operator spins up a fresh one across Amazon, Google
and Azure, or a residential-proxy swarm, and the sensor loses them at the firewall. The last IP *was
never the operator* — and known-indicator threat intel doesn't help either, because a just-spun
cloud IP and a residential swarm are, by definition, not yet in anyone's feed.

**Only Whisper closes it — the graph.** A live internet-infrastructure graph — **7.44B**
nodes and **39.3B** relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat
intelligence, answering in under 300 ms — fingerprints the *operator*, not the IP. Cloud rotation
collapses into one infrastructure genealogy (shared ASN, hosting, certificate lineage); a
residential swarm collapses on a `JA4/JA3` client fingerprint that rides the tooling regardless of
the exit. Every answer is a reproducible evidence chain your OT SOC, your auditors and a regulator
can replay — and it lands *into* your sensor and SIEM, not beside them.

> **"Our OT platform already does device fingerprinting and anomaly detection. Isn't that identity?"**
> It's *observational* identity — inferred from behavior and passive traffic, scoped to the monitored
> network, and non-revocable off-box. So it can't follow the operator once the egress rotates, and it
> can't prove a DER to anyone outside the sensor. The OT-detection category itself is moving toward
> machine identity — a sign this is the right layer, not a knock on the sensor. Whisper's identity is
> cryptographic and its attribution is internet-scale, and both arrive as a feed *your* sensor consumes.

### Gap 2 · a life-long cert with no off-switch

Your DERMS/VPP *consumes* the manufacturer's IEEE 2030.5 certificate and its `LFDI` — a genuinely
good key-derived name — but it doesn't mint identity, and it inherits the model wholesale: a private
`SERCA→MCA→MICA` root, allow-listed per-utility out-of-band, app-layer only, and — in the standard's
own words — *"life-long certificates that cannot be updated or revoked."* No CRL, no OCSP. When one
inverter is compromised, there is no cross-operator off-switch to pull.

**Only Whisper closes it — identity you can prove and revoke.** Bind that existing `LFDI` to a
routable, DNSSEC-anchored, **DANE-EE /128** — keeping the key-derived property, adding public
verifiability and revocation at DNS-TTL. A request that passes token-auth but can't prove the target
DER's identity has no authority; one `op:revoke` and `dig -x` returns nothing, worldwide, at
DNS-TTL. No re-keying the 25M+ inverters already in the field — you bind the identity they were born
with.

> **"IEEE 2030.5 already gives every inverter a certificate and an LFDI. Why isn't that enough?"**
> Because it can't be revoked, and no one outside the utility can verify it. The LFDI is a SHA-256 of
> the device's own certificate — a good key-derived name — but it lives in a private SERCA root, is
> allow-listed out-of-band, isn't addressable, and *cannot be revoked*. Whisper keeps the key-derived
> property and makes it publicly verifiable, addressable, and revocable at DNS-TTL. Shipped today:
> pass the LFDI (or a DER serial) as `device_id`.

Gap 1 is detection made durable across rotation. Gap 2 is the root cause removed. Every category on
this page owns its check; none owns these two rows — that's the white space, and it's exactly what
the fleet-takeover attacks exploit.

---

## The incident forces three questions. Your stack answers only the first.

Line the categories up against the questions an incident actually forces you to answer, and the
picture is honest and simple: the OT layer is well covered, and the two rows underneath it are the seam.

```
① Is a DER on my network — and is it        ──▶  covered — OT detection (Dragos · Claroty · Nozomi ·
   behaving?                                       Armis · Forescout), OT layer

② Who's really behind it, across egress     ──▶  GAP 1 — network-scoped detection, partial;
   rotation?                                       lost at the firewall once it rotates

③ Prove the DER's identity — and pull its   ──▶  GAP 2 — DERMS consumes a life-long 2030.5 cert;
   plug worldwide?                                 no revocation on your stack

                                    Whisper spans ② + ③ and feeds ①
                                    operator fingerprint · JA4 · DANE-EE /128 · revoke @ DNS-TTL
                                    evidence chain → your SIEM (Splunk · CEF / ECS today)
```

Additive by construction: Whisper owns the two rows no category does, and hands the first a sharper
feed. Keep your OT sensor and your DERMS — Whisper closes what they can't reach.

---

## OT detection sees *that* a DER is misbehaving. Whisper proves *who* commanded it — and follows them when the egress rotates.

The OT-detection incumbents — Dragos, Claroty xDome, Nozomi, Armis, Forescout — are excellent at
passive asset discovery, protocol visibility (`DNP3`, `IEC 61850`, Modbus) and anomaly detection on
the OT network, and you should run one. That's necessary, and it's where the picture stops: on the
monitored network, at the sensor, with identity that is *observational* and non-revocable off-box.

Whisper adds the two rows OT detection doesn't own — internet-scale attribution across rotating
clouds and residential proxies, and a publicly-verifiable, revocable device-identity plane. On their
own turf we're honest: we're an **additive feed**, not a second sensor.

| Capability | OT detection | Whisper |
|---|---|---|
| Passive OT asset discovery, protocol visibility, anomaly detection | ✓ | additive feed |
| Device identity is… | observational (behavior / fingerprint) | ✓ cryptographic (the device's own key) |
| Attribute the operator across Amazon → Google → Azure rotation | — | ✓ |
| Collapse a residential-proxy swarm to one operator (`JA4/JA3`) | — | ✓ |
| **Publicly-verifiable** identity off the monitored network (DNS/DANE) | — | ✓ |
| Revoke a compromised DER worldwide at DNS-TTL, cross-operator | — | ✓ |
| Per-device default-deny egress governance (source-bound /128) | — | ✓ native |
| Reproducible evidence chain a regulator can replay | alerts | ✓ |
| Trustless verification — no need to trust the vendor's API | — | ✓ |
| Deploys as | in-network OT sensor / collector | additive feed · on-prem / own-tenant |
| Pricing shape | per-site / per-sensor | flat, per-device / year |

> **"Our OT platform already flags anomalous DER traffic. What do I need you for?"**
> To answer the next two questions. Flagging *that* a DER is misbehaving doesn't tell you *who* is
> behind it once the egress rotates, and it can't stop a genuine, stolen aggregator token — it can
> only notice the pattern once it's anomalous enough. The graph names the operator and follows them
> across the rotation; the identity plane makes "one token → a whole fleet" *physically impossible*,
> not merely detected. Your sensor sees the symptom sharply; we close the two rows that let it recur —
> and we feed the finding right back into it.

---

## Two categories own the top rows. Whisper owns the bottom — and enriches theirs.

The whole DER program in one grid: the OT-detection stack owns visibility and anomaly detection; the
DERMS/VPP platform on your 2030.5 PKI owns the in-ecosystem device cert; and the rows underneath —
publicly-verifiable identity, cross-operator revocation, attribution across rotating egress, egress
governance — are the seam. No empty Whisper column and no empty incumbent column: that's the additive point.

Additive one layer deeper, too: Whisper rides *on top of* the anchors you already trust — the IEEE
2030.5 / SunSpec / Kyrio device certificate on the `CSIP` head-end, IEC 62351 on the substation bus,
ISO 15118 Plug & Charge — anchoring that same identity in public DNSSEC/DANE, RDAP-registered and
trustlessly verifiable *off-ecosystem*. You can **DANE-pin the same 2030.5 certificate** your CSIP
head-end already speaks and cut single-CA trust risk. It layers out-of-ecosystem identity,
attribution and egress governance on top of both your DER PKI *and* the OT sensor you run — and
replaces none of it.

| Capability | OT detection | DERMS + 2030.5 PKI | Whisper |
|---|---|---|---|
| OT visibility & anomaly detection (discovery, protocol, threat) | ✓ | partial | additive feed |
| Per-device cryptographic identity | inferred | ✓ mfr cert / LFDI, in-ecosystem | ✓ from the key it already holds |
| **Publicly-verifiable** identity (DNS/DANE, not a private CA) | — | — | ✓ |
| Revocation at DNS-TTL, cross-operator | — | — life-long certs, no CRL/OCSP | ✓ |
| Operator attribution across rotating egress | — network-scoped | — | ✓ |
| Routable identity surviving IP / NAT / proxy rotation | — bound to IP/MAC | — LFDI is app-layer | ✓ |
| Per-device egress governance (source-bound to identity) | — | — | ✓ |

**DANE-pin the same 2030.5 cert — additive, not replacement:**

```
CSIP head-end                   /128                     Anyone verifies, off-ecosystem
IEEE 2030.5 cert · LFDI  ──DANE-pin──▶  2a04:2a01:5e0::50c  ──▶  whisper verify --trustless
private SERCA→MCA→MICA    TLSA 3 1 1     DNSSEC-anchored          our API not in the trust path
no CRL · no OCSP                                                  │
                                                                 └─▶ op:revoke → gone worldwide at DNS-TTL
```

Keep the private 2030.5 certificate; DANE-pin it under DNSSEC and the *same* identity becomes
publicly verifiable off-ecosystem and revocable at DNS-TTL — the two things the SunSpec/Kyrio root
explicitly can't provide.

Whisper is additional depth — publicly-verifiable identity, cross-operator revocation, internet-scale
attribution and egress governance — *on top of* the OT sensor and DERMS you already run. It makes
them sharper; it doesn't replace them, and it doesn't add a console your analysts babysit.

### Every tool here, you must trust. Ours, you don't have to.

Every sensor, console and feed on this page asks you to trust its verdict. Whisper's core claim —
*this address is that inverter* — is checkable by anyone, against the IANA DNS root, with our own API
deliberately outside the trust path. No account required.

```sh
# keyless — re-derive and verify any DER's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the inverter — reverse DNS names it by its LFDI
$ dig -x 2a04:2a01:5e0::50c +short
  lfdi-3f2504e0.der.example-vpp.whisper.online.

# who really operates a suspicious aggregator controller — the graph API, with your key
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

---

## Whisper is one layer, done well. It sits beside these — not over them.

Plenty of good vendors live inside the private DER PKI, the charging handshake, or the substation
bus. That's a different lane, and we don't claim it. Naming the boundary is the point: it's how you
know exactly what you're buying — and that we anchor at the IP/DNS boundary, never inside anyone's
closed layer.

- **DER-cyber certification & the private DER PKI.** The SunSpec/Kyrio `SERCA→MCA→MICA` root that
  issues the 2030.5 device cert, and the type-tests behind **UL 1741 SB** / **UL 2941** / **UL 2900**.
  That's the private CA and the bench — a certified *model*, not a live per-unit revocable identity.
  Whisper is the publicly-verifiable, revocable layer *on top* of that cert: it DANE-pins it, it
  doesn't re-run the CA or re-certify the design.
- **EV Plug&Charge & the roaming/billing PKI.** Hubject and the **ISO 15118** V2G Root CA give the
  EV↔EVSE handshake a cryptographic contract cert (`EMAID`/`EVCCID`) — a walled roaming and billing
  garden with optional, fragile OCSP and multi-root path failures. That's the charging handshake, and
  we don't sit inside it. Whisper adds a verifiable, revocable network identity *per EVSE*, anchored
  at the IP/DNS boundary — alongside the 15118 PKI, never replacing it.
- **In-inverter firmware & the substation bus.** IEC 62351 on the `MMS`/`GOOSE` bus, embedded
  firewalls, secure elements and the `DNP3` outstation live inside the device and on the OT segment.
  That's the silicon and the bus — Whisper is on the wire and in the DNS above it, and it derives from
  the key those secure elements already hold. Fully complementary; it runs below us.

We don't run a private DER CA, we don't sit inside the 15118 charging handshake, and we don't touch
the substation bus — and we don't pretend to. Whisper is the network-identity, attribution and
revocation layer, and it's honest about being exactly that.

---

## No new silo. Mapped to your standards. Availability-safe by construction.

The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing you
already run gets torn out; one line item owns two rows, feeds everything else, and adds no inline OT
chokepoint.

- **A feed, not another console.** The **Splunk**, Microsoft Sentinel and OpenCTI connectors — signed JSON → CEF/ECS — ship today, with **STIX 2.1 over TAXII** export on the roadmap.
  Findings land in the SIEM and the OT sensor you already run. Zero analysts babysitting a new pane of glass.
- **See who's enumerating your fleet.** `op:lookups` returns who resolved or RDAP-queried a DER's
  identity — a reconnaissance tripwire the LFDI's private registry never gave you. Catch someone
  walking your fleet *before* the dispatch lands, not in the post-mortem after it.
- **Govern, cap, and kill each device.** The control plane, not just identity: `op:firewall`
  allow/deny by host, cidr or port; `op:budget` caps a device's traffic; one `op:revoke` cuts a
  compromised inverter off worldwide at DNS-TTL. Default-deny per device, by name or subdomain.
- **Nothing issued in the dark.** Every identity mint and every revoke lands in a public,
  append-only **RFC 6962 Merkle transparency log**, Ed25519-signed and anchored to Bitcoin via
  OpenTimestamps — an auditable, non-repudiable trail for NERC and your regulator. *Honest status:*
  tamper-evident today; independent witnessing is the next step.
- **Availability-safe, mapped to your standards.** Rides existing DNS/IPv6 with **no inline OT
  chokepoint**; the verify/DANE path is built to **fail open** — a Whisper outage never bricks an
  inverter. Direct evidence for **NERC CIP-013 R1.2.3/R1.2.6** and **CIP-005 R3.1/R3.2**, EU NIS2
  Art.21, the EU NCCS and NISTIR 7628. [See the map →](/for-grid-security)
- **Flat pricing, a vendor that lasts.** Per-device, per-year and flat — not per-transaction, not
  usage-metered — a line item you can forecast. On real routable address space (**AS219419**), run by
  people who ran the internet's regional address registry and operated one of its root DNS servers.
  [See pricing →](/pricing)

> **"Will you still be here in five years — and is my fleet's data yours?"**
> Real address space, your tenant, your call. AS219419 and founders who operated core internet
> registries and DNS aren't a burn-rate story. The graph and the per-agent logs run on-prem or in your
> own tenant for data residency; the identity plane fails open so our uptime never gates an inverter;
> and the trustless verify path means you can audit the core claim without trusting us at all.
> *Additive* also means low switching cost in both directions — the safest way to start.

---

## Keep your stack. Own the two rows.

Whisper is the identity, attribution and revocation layer that sits on top of the OT sensor and DERMS
you already run — additive, mapped to your standards, flat to price. Keyless to try, one call to
provision, one more to revoke.

Secure your fleet → <https://console.whisper.security/sign-up> · [For grid security →](/for-grid-security)

Or run `whisper verify --trustless` right now — our API isn't in the trust path.

---

*Whisper for Energy · Identity on the wire for distributed energy resources · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
