energy.whisper.online · for grid security & compliance

Your standard says determine and disable active vendor remote access. The DER's own certificate can't be revoked.

NERC CIP-005 R3, CIP-013, NIS2 — every one of them turns on identifying a vendor's connection to a device and cutting it off on demand. But the identity the DER actually carries — the IEEE 2030.5 LFDI — lives in a private root that, in its own guidance, issues "life-long certificates that cannot be updated or revoked." You cannot disable what you cannot address.

We give the DER an off-switch. Bind the LFDI it already carries to a routable, DNSSEC-anchored /128 you can enumerate, attribute, and revoke worldwide in a single call — additive, out-of-band, availability-safe. The determine-and-disable evidence writes itself.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

0 revocation — IEEE 2030.5 device certs are life-long: no CRL, no OCSP, "cannot be updated or revoked"
R3.1 / R3.2 determine & disable active vendor remote access — in one call, with the log to prove it
R1.2.3 / R1.2.6 CIP-013 vendor-access controls, delivered as a per-device off-switch
NIS2 · NCCS Art.21 access control + Reg. 2024/1366 Art.33 zero-trust & traceability
fail-open additive, out-of-band; no inline OT chokepoint — never bricks a DER
DNS-TTL one compromised device, revoked worldwide, in a single call

Four buyers across the DER chain. One missing primitive between all of them.

The utility that has to pass a CIP audit, the aggregator running the fleet, the OEM shipping the inverter, and the CPO running the chargers all face the same structural gap: the device has an identity it cannot prove off-ecosystem and no one can revoke. Here is each of them in their own words — the trigger that brings them in, the vocabulary they speak, and the one line that lands.

A

Utility OT / NERC-CIP compliance lead

TRIGGER · CIP audit · CIP-013 rollout · DERMS deployment

"Enumerate and kill any vendor connection in one call." Attribution determines every active vendor remote-access session; one revoke disables it worldwide at DNS-TTL. Direct evidence for CIP-005 R3.1/R3.2 and CIP-013 R1.2.3/R1.2.6 — additive, out-of-band, and availability-safe: no inline OT chokepoint sits between your head-end and the field.

ESP · BES Cyber System · EACMS/PACS · IRA · determine & disable · RSAW · availability

B

DER aggregator / VPP security lead

TRIGGER · ISO market-cyber clauses · spoofed-telemetry incident · scaling past 10k endpoints

"One identity fabric across every vendor's device — from the key already in the inverter." Non-repudiable telemetry the ISO and your settlement can trust, and instant fleet-wide offboarding when a vendor or a unit goes bad. One verifiable /128 per EndDevice, whatever make it is — no per-vendor silo, no re-provisioning campaign.

fleet · provisioning · telemetry integrity · non-repudiation · dispatch · multi-vendor

C

Inverter / DER OEM product security & PSIRT

TRIGGER · UL 1741-SB / CSIP cert · CVE-driven recall · utility RFP requiring identity + revocation

"Derive a network identity from the key you already provision — no second PKI, no BOM cost." Reuse the SunSpec/Kyrio device cert or secure-element key you already ship; DANE-pin your 2030.5 endpoint; and when a model line has a CVE, field-revoke the compromised units worldwide in one call instead of a recall. Identity-ready at type test, live-revocable in the field.

SunSpec · CSIP · ECC · secure element · cert lifecycle · revocation · OTA · NIST IR 8498 · BOM cost

D

EV-charging CPO / eMSP security lead

TRIGGER · Plug & Charge rollout · OCPP 2.0.1 · NIS2 deadline · tampered-charger incident

"A verifiable network identity per EVSE, revocable in one call — alongside your 15118 PKI." Instant containment for a compromised charger without waiting on the closed contract-cert root, and an audit trail your CSMS and NIS2 file can both use. It sits beside ISO 15118 Plug & Charge and OCPP — it never touches the charging handshake.

CPO/eMSP · CSMS · Plug & Charge · V2G · contract cert · EVSE · OCPP · roaming · audit trail

Different words, one primitive underneath all four: the address is the DER. A device identity that is publicly verifiable, addressable, and revocable at DNS-TTL — the three properties the mandated DER PKI structurally lacks.

Strip the incident down and it isn't a hundred bugs. It's two.

The fleet-takeover pattern — steal a bearer token, enumerate the LFDIs behind it, dispatch legitimate-looking setpoints from rotating egress — leans on exactly two structural gaps that every distributed-energy program shares. Close both and the attack, and the audit finding, have nowhere left to stand.

Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP was never the attacker. So your OT sensor blocks noise while the operator keeps dispatching — and CIP-005 R3.1 asks you to determine an active session you can't even attribute.

The answer — the graph. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your OT SOC, your auditors and a regulator can replay.

"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"

Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on, and the finding lands in your OT sensor and SIEM as a reproducible, replayable evidence chain, ready for the RSAW, not a hunch.

Gap 2 · a stolen token looks exactly like your aggregator

A minted or reused bearer token is a valid credential. Behaviorally it's the operator. Nothing at the perimeter separates it, because the token is a bearer instrument — whoever holds it can present it — and the EndDevice on the other end has no identity to check it against. And even when it does, the 2030.5 certificate behind the LFDI can never be turned off.

The answer — identity. Bind the command path to the inverter's own forge-proof /128 — an address derived from the key behind the LFDI the device already carries. A stolen token that can't prove the target DER's identity simply fails, and IEEE 2030.5's own certificate — life-long, no CRL, no OCSP — finally gets the off-switch that CIP-005 R3.2 requires and its own PKI never had.

"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough for a CIP-005 R3 disable?"

Because it can't be revoked and no one outside the utility can verify it. The LFDI is the leftmost 160 bits of a SHA-256 over the device's X.509 certificate — a genuinely good key-derived name — but it lives in a private SERCA→MCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and, in the standard's own words, "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL — so "disable active vendor remote access" becomes one call with a log behind it.

Gap 1 makes detection durable enough to determine. Gap 2 gives you the identity to disable. Together they are exactly the two verbs your standard asks for.

Three planes on one primitive — and all three exit into the stack you already run.

The primitive is one line: the address is the identity — a routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), DNSSEC-anchored, DANE-EE pinned, verifiable by anyone with dig. Point it at your fleet and you get three planes, no new silo, and no re-flashing the 25M+ inverters already in the field.

Identity

Each EndDevice's /128 is derived from the key behind the identifier it already carries — the IEEE 2030.5 LFDI, a SunSpec/Kyrio device cert, a secure element or TPM, with the LFDI or serial as the domain separator. The private key never leaves the device. The head-end authorizes on the DER's pinned identity, not a stealable token. Who is this, provably.

Attribution graph

The operator fingerprint across rotating clouds and residential proxies — infrastructure genealogy plus JA4/JA3 — with a reproducible evidence chain on every answer. Who's really behind this vendor session, when the IP rotates.

Egress governance

Per-device /128, default-deny policy, an op:lookups reconnaissance tripwire, op:firewall allow/deny, op:budget caps, and one op:revoke kill-switch. What each device may talk to — and the off-switch when it goes bad.

Additive to what you already ship — it does not replace it. Whisper complements the anchors you already trust — the IEEE 2030.5 / SunSpec / Kyrio device certificate, IEC 62351 on the substation bus, ISO 15118 Plug & Charge, TPM/HSM/secure elements. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the device↔cloud boundary at the IP/DNS/transport layer — it never sits inside the substation bus, the DNP3 link, or the charging handshake. No bespoke CA trust store to push to every inverter, and revocation at DNS-TTL speed instead of a certificate that can never be revoked. You can even DANE-pin your existing 2030.5 endpoint's certificate to DNSSEC and cut single-CA trust risk. One key per identity, never a shared root — compromise one inverter and you've compromised that inverter, not the fleet.

Mapped where it's defensible — and explicit about where it isn't.

A compliance claim you can't defend in front of an auditor is worse than none. So we split this into what Whisper is direct-additive evidence for, what it merely sits alongside, and — plainly — what it does not claim. Read the last two boxes first if you're the skeptic in the room; that's where trust is earned.

Direct-additive — Whisper produces the evidence artifact

Standard & clauseWhat it requiresHow Whisper is direct evidenceArtifact
NERC CIP-005-7 R3.1Determine active vendor remote-access sessionsAttribution enumerates every connection to a device; op:lookups shows who resolved or RDAP-queried its identitySigned evidence chain · lookups log
NERC CIP-005-7 R3.2Disable active vendor remote accessOne op:revoke tears down the /128, PTR and DANE pin worldwide at DNS-TTLRevoke log · transparency-log leaf
NERC CIP-013-2 R1.2.3Vendor notification when remote access should no longer be grantedPer-device revocable identity; the revoke is the disable event, timestamped and non-repudiableTransparency-log entry
NERC CIP-013-2 R1.2.6Coordinate controls for vendor IRA + system-to-system remote accessAttributable per-device identity + default-deny egress that scopes what a vendor connection may reachPolicy · firewall · identity register
EU NIS2 Art.21Access control, identity & asset management, logging, supply-chain securityVerifiable per-device identity + per-/128 activity logs + one-call offboardingIdentity register · per-/128 logs
EU NCCS Reg. 2024/1366 Art.33 (⚠ binding control text finalizing ~2027)Zero-trust access control + ICT-lifecycle asset traceabilityAddressable, DANE-anchored device identity with a full mint→revoke lifecycle trailTransparency log · lifecycle record
NISTIR 7628 r1 — SG.IA / SG.AUDevice identification & authentication (IA) + audit & accountability (AU)Key-derived /128 for IA; append-only Merkle log + per-/128 logs for AUVerify transcript · audit trail
Sandia SAND2019-1490 (guidance)Verify the identity of devices + enforce access controlPublicly verifiable identity + egress governance, without trusting a private single rootVerify transcript · policy log

Complementary — Whisper sits alongside & can DANE-pin it, never replaces it

StandardWhat it isHow Whisper complements it
CA Rule 21 / IEEE 2030.5 CSIPThe mandated app-layer DER protocol & LFDIWe bind the LFDI it already issues; DANE-pin the endpoint cert — never re-key the fleet
UL 1741-SBGrid-support inverter type certificationIdentity-ready at type test; live-revocable per unit in the field
SunSpec / Kyrio SERCA→MICA PKIThe private-CA root behind the device certThe publicly verifiable layer on top; closes the no-CRL/OCSP revocation gap
IEC 62351-9Key & certificate lifecycle / revocation for power systemsDNS-TTL revocation + transparency log complement the standard's lifecycle model
ISO 15118 Plug & ChargeThe EV contract-cert / V2G Root CA PKIDANE-pin the endpoint; a per-EVSE revocable identity beside the closed billing root

What Whisper does NOT claim

We are not your whole CIP program, and we won't pretend to be. Whisper does not map to CIP-010 (configuration change management & baselines), CIP-005 R2 (we are not an Intermediate System and do not provide encrypted-IRA or MFA), or CIP-007 R5 (system access control / account management). Those are real controls — they're just not this layer. Anyone who sells you all of NERC CIP in one box is selling you a binder, not a control.

The BES-scope caveat — where this evidence actually lands

NERC CIP applies to the Bulk Electric System. In practice that means the utility, the aggregation head-end and the vendor-access layer — not most behind-the-meter DER, which sits below the BES cut. So the CIP-005/CIP-013 evidence above is strongest at the utility↔aggregator↔vendor boundary; the residential/behind-the-meter tail is where NIS2, the EU NCCS, and your own program's identity requirements carry the weight instead. We'd rather tell you where the line is than let an auditor find it for you.

CIP-005 R3 — determine & disable active vendor remote access, in two calls
# R3.1 — DETERMINE: who is querying this vendor DER's identity right now?
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    --data-urlencode "q=CALL whisper.agents({op:'lookups',
       args:{addr:'2a04:2a01:5e0::50c'}})"
  → 3 resolvers · 1 RDAP access in the window
  → source fingerprinted: 41 exit IPs (AWS/GCP/Azure + residential) → 1 operator

# R3.2 — DISABLE: cut that vendor connection off, worldwide, in one call
$ whisper kill --revoke 2a04:2a01:5e0::50c
  ✓ /128 · PTR · DANE pin torn down — gone at DNS-TTL
  ✓ written to the transparency log (Ed25519-signed, OTS-anchored)
  → RSAW-ready: determination + disablement, both timestamped & replayable

Every capability lands on a clause and produces an artifact you can file — not a dashboard you screenshot. See the full mapping in the docs →

Nothing is issued — or revoked — in the dark.

For a regulated program, "we revoked it" is a claim; "here is the signed, timestamped, append-only proof that we revoked it" is evidence. Every identity mint and every revocation lands in a public log built for exactly that.

Append-only, signed, Bitcoin-anchored

Every mint and every revoke is a leaf in a public, append-only RFC 6962 Merkle log (tlog-tiles), with C2SP signed-note checkpoints (Ed25519) and each root anchored to Bitcoin via OpenTimestamps. Endpoints /checkpoint, /checkpoint/key and /ledger are public — your auditor reads them without asking us.

The honest status

It is tamper-evident today — signed and Bitcoin-anchored — but not yet independently witnessed; our two servers co-signing is availability, not independence. The log speaks C2SP tlog-witness, so any external witness can co-sign, and that is the next step. We state this plainly rather than overclaim it.

GDPR-compatible by construction

Leaves are salted opaque commitments with selective disclosure; an op:erase destroys the salt so the leaf's meaning is unrecoverable while the Merkle proofs stay valid. Auditable and right-to-erasure — for a European utility, both at once.

The reconnaissance tripwire

op:lookups turns "who is enumerating my fleet?" into a query: it returns who resolved or RDAP-queried a DER's identity — an early warning that an operator is walking your LFDIs, not a post-mortem after the dispatch. The mandated LFDI's private registry never gave you that.

Out-of-band, no inline OT chokepoint — and it fails open.

For the utility OT lead, availability is not a feature, it's the whole job. Whisper rides existing DNS and IPv6 and adds no inline chokepoint between your head-end and the field. And if your head-end authorizes against the DANE/verify path, that plane is built to fail open.

DERMS dispatch setpoint · connect · curtail Head-end checks identity is Whisper reachable? reachable Bind to the DER's /128 · DANE + verify identity-enforced — stolen tokens fail unreachable Fail open → your existing anchors 2030.5 · SunSpec — dispatch preserved
Anycast on AS219419, no single node in the path. When the identity plane is reachable it hardens dispatch; when it isn't, it steps aside — a Whisper outage degrades to your existing anchors, never a curtailed or bricked inverter. Conservative in what we emit, liberal in what we accept.

"An identity layer that can go down and take my grid-edge with it is a non-starter. Is this inline?"

No — and it fails open. The identity and revocation planes ride DNS/IPv6 out-of-band; there is no Whisper box wedged into your OT command path. If we're slow or unreachable, the check degrades to the anchors you already ship and the DER keeps operating. That's an availability property your assessors can test, not a promise.

Additive to your stack. Mapped to your standards. Availability-safe by construction.

Identity device /128 · DNSSEC · DANE-EE · bound to the LFDI — who is this, provably 2030.5 · SunSpec · 15118 Attribution graph operator fingerprint across rotating clouds + residential — who's really behind this 7.44B nodes · BGP·DNS·TLS·JA4 Egress governance per-device /128 · policy · lookups · firewall · budget · revoke — what may talk to what default-deny THE ADDRESS IS THE IDENTITY AS219419 · 2a04:2a01::/32 Your SIEM Splunk & Sentinel today Machine-readable STIX 2.1 / TAXII · CEF / ECS — roadmap Your standards CIP-013/005 · NIS2 · NISTIR 7628
Three planes on one primitive — and all three exit into the stack you already run, not a new silo. The Splunk connector ships today; the rest of the machine-readable exports are on the roadmap.

Turnkey CIP-013 / CIP-005 evidence

Enumerate and kill any vendor device's connection in one call — direct evidence for CIP-005 R3.1/R3.2 and CIP-013 R1.2.3/R1.2.6, plus NIS2 Art.21, the EU NCCS's zero-trust/traceability, NISTIR 7628 SG.IA/SG.AU and Sandia guidance. See the map →

One identity fabric, every vendor

Derived from the key already in the device — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's an inverter, a battery gateway or an EVSE, it's one verifiable /128 you and the ISO can both check. Non-repudiable telemetry, instant fleet-wide offboarding.

Additive & availability-safe

Rides existing DNS/IPv6, adds no inline OT chokepoint, and fails open — a Whisper outage never bricks or curtails a DER; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

Feeds the SIEM you already run

Depth on top of the stack you own — a machine-readable feed that makes your OT sensor and threat-intel sharper. The Splunk connector ships today; STIX 2.1 over TAXII is on the roadmap. It doesn't replace them, and it doesn't add a console your analysts babysit. See the comparison →

Flat, predictable pricing

Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset or recall. See pricing →

A vendor that will still be here

Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Registry-anchored, RDAP-resolvable space — operated with the discipline that implies. POC → pilot → enterprise, keyless to start.

Don't take our word for it — our API isn't in the trust path.

Two tiers, by design. No key: anyone on your team can verify a DER's identity, resolve it, and see who's been checking it — trustless, anchored at the IANA root. Your key: bind a device to the LFDI it carries, govern its egress, and produce the CIP-005 R3 evidence in two calls.

verify & watch — no key required
# keyless — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the inverter — reverse DNS names it by its LFDI
$ dig -x 2a04:2a01:5e0::50c +short
  lfdi-3f2504e0.der.example-vpp.whisper.online.

# its ordered lifecycle — every mint and revoke, from the public transparency log
$ curl -s https://whisper.online/ip/2a04:2a01:5e0::50c/transparency
provision, govern & revoke — with your key
# bind an inverter to the LFDI it already carries (pass the LFDI as device_id)
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the device key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the LFDI
  → identity 2a04:2a01:5e0::50c   DNSSEC + DANE live
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper logs 2a04:2a01:5e0::50c            # per-/128 activity — NIS2 / NISTIR 7628 SG.AU evidence
$ whisper kill --revoke 2a04:2a01:5e0::50c   # CIP-005 R3.2 disable — worldwide, at DNS-TTL

Determine and disable — with the evidence to prove it.

Bind the LFDI your DER already carries to a routable, revocable /128. Direct-additive evidence for CIP-005 R3, CIP-013, NIS2 and the EU NCCS — additive, out-of-band, availability-safe, and honest about where the line is. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.