Your standard says determine and disable active vendor remote access. The DER's own certificate can't be revoked.
NERC CIP-005 R3, CIP-013, NIS2 — every one of them turns on identifying a vendor's connection to a device and cutting it off on demand. But the identity the DER actually carries — the IEEE 2030.5 LFDI — lives in a private root that, in its own guidance, issues "life-long certificates that cannot be updated or revoked." You cannot disable what you cannot address.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
Four buyers across the DER chain. One missing primitive between all of them.
The utility that has to pass a CIP audit, the aggregator running the fleet, the OEM shipping the inverter, and the CPO running the chargers all face the same structural gap: the device has an identity it cannot prove off-ecosystem and no one can revoke. Here is each of them in their own words — the trigger that brings them in, the vocabulary they speak, and the one line that lands.
Utility OT / NERC-CIP compliance lead
TRIGGER · CIP audit · CIP-013 rollout · DERMS deployment
"Enumerate and kill any vendor connection in one call." Attribution determines every active vendor remote-access session; one revoke disables it worldwide at DNS-TTL. Direct evidence for CIP-005 R3.1/R3.2 and CIP-013 R1.2.3/R1.2.6 — additive, out-of-band, and availability-safe: no inline OT chokepoint sits between your head-end and the field.
ESP · BES Cyber System · EACMS/PACS · IRA · determine & disable · RSAW · availability
DER aggregator / VPP security lead
TRIGGER · ISO market-cyber clauses · spoofed-telemetry incident · scaling past 10k endpoints
"One identity fabric across every vendor's device — from the key already in the inverter." Non-repudiable telemetry the ISO and your settlement can trust, and instant fleet-wide offboarding when a vendor or a unit goes bad. One verifiable /128 per EndDevice, whatever make it is — no per-vendor silo, no re-provisioning campaign.
fleet · provisioning · telemetry integrity · non-repudiation · dispatch · multi-vendor
Inverter / DER OEM product security & PSIRT
TRIGGER · UL 1741-SB / CSIP cert · CVE-driven recall · utility RFP requiring identity + revocation
"Derive a network identity from the key you already provision — no second PKI, no BOM cost." Reuse the SunSpec/Kyrio device cert or secure-element key you already ship; DANE-pin your 2030.5 endpoint; and when a model line has a CVE, field-revoke the compromised units worldwide in one call instead of a recall. Identity-ready at type test, live-revocable in the field.
SunSpec · CSIP · ECC · secure element · cert lifecycle · revocation · OTA · NIST IR 8498 · BOM cost
EV-charging CPO / eMSP security lead
TRIGGER · Plug & Charge rollout · OCPP 2.0.1 · NIS2 deadline · tampered-charger incident
"A verifiable network identity per EVSE, revocable in one call — alongside your 15118 PKI." Instant containment for a compromised charger without waiting on the closed contract-cert root, and an audit trail your CSMS and NIS2 file can both use. It sits beside ISO 15118 Plug & Charge and OCPP — it never touches the charging handshake.
CPO/eMSP · CSMS · Plug & Charge · V2G · contract cert · EVSE · OCPP · roaming · audit trail
Different words, one primitive underneath all four: the address is the DER. A device identity that is publicly verifiable, addressable, and revocable at DNS-TTL — the three properties the mandated DER PKI structurally lacks.
Strip the incident down and it isn't a hundred bugs. It's two.
The fleet-takeover pattern — steal a bearer token, enumerate the LFDIs behind it, dispatch legitimate-looking setpoints from rotating egress — leans on exactly two structural gaps that every distributed-energy program shares. Close both and the attack, and the audit finding, have nowhere left to stand.
Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP was never the attacker. So your OT sensor blocks noise while the operator keeps dispatching — and CIP-005 R3.1 asks you to determine an active session you can't even attribute.
The answer — the graph. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your OT SOC, your auditors and a regulator can replay.
"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"
Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on, and the finding lands in your OT sensor and SIEM as a reproducible, replayable evidence chain, ready for the RSAW, not a hunch.
A minted or reused bearer token is a valid credential. Behaviorally it's the operator. Nothing at the perimeter separates it, because the token is a bearer instrument — whoever holds it can present it — and the EndDevice on the other end has no identity to check it against. And even when it does, the 2030.5 certificate behind the LFDI can never be turned off.
The answer — identity. Bind the command path to the inverter's own forge-proof /128 — an address derived from the key behind the LFDI the device already carries. A stolen token that can't prove the target DER's identity simply fails, and IEEE 2030.5's own certificate — life-long, no CRL, no OCSP — finally gets the off-switch that CIP-005 R3.2 requires and its own PKI never had.
"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough for a CIP-005 R3 disable?"
Because it can't be revoked and no one outside the utility can verify it. The LFDI is the leftmost 160 bits of a SHA-256 over the device's X.509 certificate — a genuinely good key-derived name — but it lives in a private SERCA→MCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and, in the standard's own words, "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL — so "disable active vendor remote access" becomes one call with a log behind it.
Gap 1 makes detection durable enough to determine. Gap 2 gives you the identity to disable. Together they are exactly the two verbs your standard asks for.
Three planes on one primitive — and all three exit into the stack you already run.
The primitive is one line: the address is the identity — a routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), DNSSEC-anchored, DANE-EE pinned, verifiable by anyone with dig. Point it at your fleet and you get three planes, no new silo, and no re-flashing the 25M+ inverters already in the field.
Identity
Each EndDevice's /128 is derived from the key behind the identifier it already carries — the IEEE 2030.5 LFDI, a SunSpec/Kyrio device cert, a secure element or TPM, with the LFDI or serial as the domain separator. The private key never leaves the device. The head-end authorizes on the DER's pinned identity, not a stealable token. Who is this, provably.
Attribution graph
The operator fingerprint across rotating clouds and residential proxies — infrastructure genealogy plus JA4/JA3 — with a reproducible evidence chain on every answer. Who's really behind this vendor session, when the IP rotates.
Egress governance
Per-device /128, default-deny policy, an op:lookups reconnaissance tripwire, op:firewall allow/deny, op:budget caps, and one op:revoke kill-switch. What each device may talk to — and the off-switch when it goes bad.
Mapped where it's defensible — and explicit about where it isn't.
A compliance claim you can't defend in front of an auditor is worse than none. So we split this into what Whisper is direct-additive evidence for, what it merely sits alongside, and — plainly — what it does not claim. Read the last two boxes first if you're the skeptic in the room; that's where trust is earned.
Direct-additive — Whisper produces the evidence artifact
| Standard & clause | What it requires | How Whisper is direct evidence | Artifact |
|---|---|---|---|
| NERC CIP-005-7 R3.1 | Determine active vendor remote-access sessions | Attribution enumerates every connection to a device; op:lookups shows who resolved or RDAP-queried its identity | Signed evidence chain · lookups log |
| NERC CIP-005-7 R3.2 | Disable active vendor remote access | One op:revoke tears down the /128, PTR and DANE pin worldwide at DNS-TTL | Revoke log · transparency-log leaf |
| NERC CIP-013-2 R1.2.3 | Vendor notification when remote access should no longer be granted | Per-device revocable identity; the revoke is the disable event, timestamped and non-repudiable | Transparency-log entry |
| NERC CIP-013-2 R1.2.6 | Coordinate controls for vendor IRA + system-to-system remote access | Attributable per-device identity + default-deny egress that scopes what a vendor connection may reach | Policy · firewall · identity register |
| EU NIS2 Art.21 | Access control, identity & asset management, logging, supply-chain security | Verifiable per-device identity + per-/128 activity logs + one-call offboarding | Identity register · per-/128 logs |
| EU NCCS Reg. 2024/1366 Art.33 (⚠ binding control text finalizing ~2027) | Zero-trust access control + ICT-lifecycle asset traceability | Addressable, DANE-anchored device identity with a full mint→revoke lifecycle trail | Transparency log · lifecycle record |
| NISTIR 7628 r1 — SG.IA / SG.AU | Device identification & authentication (IA) + audit & accountability (AU) | Key-derived /128 for IA; append-only Merkle log + per-/128 logs for AU | Verify transcript · audit trail |
| Sandia SAND2019-1490 (guidance) | Verify the identity of devices + enforce access control | Publicly verifiable identity + egress governance, without trusting a private single root | Verify transcript · policy log |
Complementary — Whisper sits alongside & can DANE-pin it, never replaces it
| Standard | What it is | How Whisper complements it |
|---|---|---|
| CA Rule 21 / IEEE 2030.5 CSIP | The mandated app-layer DER protocol & LFDI | We bind the LFDI it already issues; DANE-pin the endpoint cert — never re-key the fleet |
| UL 1741-SB | Grid-support inverter type certification | Identity-ready at type test; live-revocable per unit in the field |
| SunSpec / Kyrio SERCA→MICA PKI | The private-CA root behind the device cert | The publicly verifiable layer on top; closes the no-CRL/OCSP revocation gap |
| IEC 62351-9 | Key & certificate lifecycle / revocation for power systems | DNS-TTL revocation + transparency log complement the standard's lifecycle model |
| ISO 15118 Plug & Charge | The EV contract-cert / V2G Root CA PKI | DANE-pin the endpoint; a per-EVSE revocable identity beside the closed billing root |
What Whisper does NOT claim
We are not your whole CIP program, and we won't pretend to be. Whisper does not map to CIP-010 (configuration change management & baselines), CIP-005 R2 (we are not an Intermediate System and do not provide encrypted-IRA or MFA), or CIP-007 R5 (system access control / account management). Those are real controls — they're just not this layer. Anyone who sells you all of NERC CIP in one box is selling you a binder, not a control.
The BES-scope caveat — where this evidence actually lands
NERC CIP applies to the Bulk Electric System. In practice that means the utility, the aggregation head-end and the vendor-access layer — not most behind-the-meter DER, which sits below the BES cut. So the CIP-005/CIP-013 evidence above is strongest at the utility↔aggregator↔vendor boundary; the residential/behind-the-meter tail is where NIS2, the EU NCCS, and your own program's identity requirements carry the weight instead. We'd rather tell you where the line is than let an auditor find it for you.
# R3.1 — DETERMINE: who is querying this vendor DER's identity right now?
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
--data-urlencode "q=CALL whisper.agents({op:'lookups',
args:{addr:'2a04:2a01:5e0::50c'}})"
→ 3 resolvers · 1 RDAP access in the window
→ source fingerprinted: 41 exit IPs (AWS/GCP/Azure + residential) → 1 operator
# R3.2 — DISABLE: cut that vendor connection off, worldwide, in one call
$ whisper kill --revoke 2a04:2a01:5e0::50c
✓ /128 · PTR · DANE pin torn down — gone at DNS-TTL
✓ written to the transparency log (Ed25519-signed, OTS-anchored)
→ RSAW-ready: determination + disablement, both timestamped & replayable
Every capability lands on a clause and produces an artifact you can file — not a dashboard you screenshot. See the full mapping in the docs →
Nothing is issued — or revoked — in the dark.
For a regulated program, "we revoked it" is a claim; "here is the signed, timestamped, append-only proof that we revoked it" is evidence. Every identity mint and every revocation lands in a public log built for exactly that.
Append-only, signed, Bitcoin-anchored
Every mint and every revoke is a leaf in a public, append-only RFC 6962 Merkle log (tlog-tiles), with C2SP signed-note checkpoints (Ed25519) and each root anchored to Bitcoin via OpenTimestamps. Endpoints /checkpoint, /checkpoint/key and /ledger are public — your auditor reads them without asking us.
The honest status
It is tamper-evident today — signed and Bitcoin-anchored — but not yet independently witnessed; our two servers co-signing is availability, not independence. The log speaks C2SP tlog-witness, so any external witness can co-sign, and that is the next step. We state this plainly rather than overclaim it.
GDPR-compatible by construction
Leaves are salted opaque commitments with selective disclosure; an op:erase destroys the salt so the leaf's meaning is unrecoverable while the Merkle proofs stay valid. Auditable and right-to-erasure — for a European utility, both at once.
The reconnaissance tripwire
op:lookups turns "who is enumerating my fleet?" into a query: it returns who resolved or RDAP-queried a DER's identity — an early warning that an operator is walking your LFDIs, not a post-mortem after the dispatch. The mandated LFDI's private registry never gave you that.
Out-of-band, no inline OT chokepoint — and it fails open.
For the utility OT lead, availability is not a feature, it's the whole job. Whisper rides existing DNS and IPv6 and adds no inline chokepoint between your head-end and the field. And if your head-end authorizes against the DANE/verify path, that plane is built to fail open.
"An identity layer that can go down and take my grid-edge with it is a non-starter. Is this inline?"
No — and it fails open. The identity and revocation planes ride DNS/IPv6 out-of-band; there is no Whisper box wedged into your OT command path. If we're slow or unreachable, the check degrades to the anchors you already ship and the DER keeps operating. That's an availability property your assessors can test, not a promise.
Additive to your stack. Mapped to your standards. Availability-safe by construction.
Turnkey CIP-013 / CIP-005 evidence
Enumerate and kill any vendor device's connection in one call — direct evidence for CIP-005 R3.1/R3.2 and CIP-013 R1.2.3/R1.2.6, plus NIS2 Art.21, the EU NCCS's zero-trust/traceability, NISTIR 7628 SG.IA/SG.AU and Sandia guidance. See the map →
One identity fabric, every vendor
Derived from the key already in the device — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's an inverter, a battery gateway or an EVSE, it's one verifiable /128 you and the ISO can both check. Non-repudiable telemetry, instant fleet-wide offboarding.
Additive & availability-safe
Rides existing DNS/IPv6, adds no inline OT chokepoint, and fails open — a Whisper outage never bricks or curtails a DER; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
Feeds the SIEM you already run
Depth on top of the stack you own — a machine-readable feed that makes your OT sensor and threat-intel sharper. The Splunk connector ships today; STIX 2.1 over TAXII is on the roadmap. It doesn't replace them, and it doesn't add a console your analysts babysit. See the comparison →
Flat, predictable pricing
Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset or recall. See pricing →
A vendor that will still be here
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Registry-anchored, RDAP-resolvable space — operated with the discipline that implies. POC → pilot → enterprise, keyless to start.
Don't take our word for it — our API isn't in the trust path.
Two tiers, by design. No key: anyone on your team can verify a DER's identity, resolve it, and see who's been checking it — trustless, anchored at the IANA root. Your key: bind a device to the LFDI it carries, govern its egress, and produce the CIP-005 R3 evidence in two calls.
# keyless — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the identity's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the inverter — reverse DNS names it by its LFDI
$ dig -x 2a04:2a01:5e0::50c +short
lfdi-3f2504e0.der.example-vpp.whisper.online.
# its ordered lifecycle — every mint and revoke, from the public transparency log
$ curl -s https://whisper.online/ip/2a04:2a01:5e0::50c/transparency
# bind an inverter to the LFDI it already carries (pass the LFDI as device_id)
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the device key>',
device_id:'3F2504E04F8911D39A0C0305E82C3301'}})" # device_id = the LFDI
→ identity 2a04:2a01:5e0::50c DNSSEC + DANE live
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper logs 2a04:2a01:5e0::50c # per-/128 activity — NIS2 / NISTIR 7628 SG.AU evidence
$ whisper kill --revoke 2a04:2a01:5e0::50c # CIP-005 R3.2 disable — worldwide, at DNS-TTL
Determine and disable — with the evidence to prove it.
Bind the LFDI your DER already carries to a routable, revocable /128. Direct-additive evidence for CIP-005 R3, CIP-013, NIS2 and the EU NCCS — additive, out-of-band, availability-safe, and honest about where the line is. Keyless to try, one call to provision, one more to revoke.
Or run whisper verify --trustless right now.