# For grid security — CIP-013/005 evidence, NIS2, and the DER wave

> energy.whisper.online · for grid security & compliance teams

## Your standard says determine and disable active vendor remote access. The DER's own certificate can't be revoked.

NERC CIP-005 R3, CIP-013, NIS2 — every one of them turns on *identifying* a vendor's connection to a device and *cutting it off* on demand. But the identity the DER actually carries — the IEEE 2030.5 `LFDI` — lives in a private root that, in its own guidance, issues *"life-long certificates that cannot be updated or revoked."* You cannot disable what you cannot address.

**We give the DER an off-switch.** Bind the **LFDI** it already carries to a routable, DNSSEC-anchored **/128** you can enumerate, attribute, and revoke worldwide in a single call — **additive, out-of-band, availability-safe.** The determine-and-disable evidence writes itself.

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

- **0 revocation** — IEEE 2030.5 device certs are life-long: no CRL, no OCSP, "cannot be updated or revoked."
- **R3.1 / R3.2** — determine & disable active vendor remote access, in one call, with the log to prove it.
- **R1.2.3 / R1.2.6** — CIP-013 vendor-access controls, delivered as a per-device off-switch.
- **NIS2 · NCCS** — Art.21 access control + Reg. 2024/1366 Art.33 zero-trust & traceability.
- **fail-open** — additive, out-of-band; no inline OT chokepoint — never bricks a DER.
- **DNS-TTL** — one compromised device, revoked worldwide, in a single call.

---

## Four buyers across the DER chain. One missing primitive between all of them.

The utility that has to pass a CIP audit, the aggregator running the fleet, the OEM shipping the inverter, and the CPO running the chargers all face the same structural gap: the device has an identity it cannot prove off-ecosystem and no one can revoke. Here is each of them in their own words — the trigger that brings them in, the vocabulary they speak, and the one line that lands.

### A · Utility OT / NERC-CIP compliance lead
**Trigger:** CIP audit · CIP-013 rollout · DERMS deployment

**"Enumerate and kill any vendor connection in one call."** Attribution determines every active vendor remote-access session; one `revoke` disables it worldwide at DNS-TTL. Direct evidence for CIP-005 R3.1/R3.2 and CIP-013 R1.2.3/R1.2.6 — additive, out-of-band, and availability-safe: no inline OT chokepoint sits between your head-end and the field.

*Vocabulary:* ESP · BES Cyber System · EACMS/PACS · IRA · determine & disable · RSAW · availability.

### B · DER aggregator / VPP security lead
**Trigger:** ISO market-cyber clauses · spoofed-telemetry incident · scaling past 10k endpoints

**"One identity fabric across every vendor's device — from the key already in the inverter."** Non-repudiable telemetry the ISO and your settlement can trust, and instant fleet-wide offboarding when a vendor or a unit goes bad. One verifiable /128 per EndDevice, whatever make it is — no per-vendor silo, no re-provisioning campaign.

*Vocabulary:* fleet · provisioning · telemetry integrity · non-repudiation · dispatch · multi-vendor.

### C · Inverter / DER OEM product security & PSIRT
**Trigger:** UL 1741-SB / CSIP cert · CVE-driven recall · utility RFP requiring identity + revocation

**"Derive a network identity from the key you already provision — no second PKI, no BOM cost."** Reuse the SunSpec/Kyrio device cert or secure-element key you already ship; DANE-pin your 2030.5 endpoint; and when a model line has a CVE, field-revoke the compromised units worldwide in one call instead of a recall. Identity-ready at type test, live-revocable in the field.

*Vocabulary:* SunSpec · CSIP · ECC · secure element · cert lifecycle · revocation · OTA · NIST IR 8498 · BOM cost.

### D · EV-charging CPO / eMSP security lead
**Trigger:** Plug & Charge rollout · OCPP 2.0.1 · NIS2 deadline · tampered-charger incident

**"A verifiable network identity per EVSE, revocable in one call — alongside your 15118 PKI."** Instant containment for a compromised charger without waiting on the closed contract-cert root, and an audit trail your CSMS and NIS2 file can both use. It sits beside ISO 15118 Plug & Charge and OCPP — it never touches the charging handshake.

*Vocabulary:* CPO/eMSP · CSMS · Plug & Charge · V2G · contract cert · EVSE · OCPP · roaming · audit trail.

Different words, one primitive underneath all four: **the address is the DER.** A device identity that is *publicly verifiable*, *addressable*, and *revocable at DNS-TTL* — the three properties the mandated DER PKI structurally lacks.

---

## Strip the incident down and it isn't a hundred bugs. It's two.

The fleet-takeover pattern — steal a bearer token, enumerate the LFDIs behind it, dispatch legitimate-looking setpoints from rotating egress — leans on exactly two structural gaps that every distributed-energy program shares. Close both and the attack, and the audit finding, have nowhere left to stand.

### Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP *was never the attacker*. So your OT sensor blocks noise while the operator keeps dispatching — and CIP-005 R3.1 asks you to *determine* an active session you can't even attribute.

**The answer — the graph.** A live internet-infrastructure graph — billions of nodes and tens of billions of relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the *operator*, not the IP. Two levers, kept honestly separate: for **cloud rotation** it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a **residential-proxy swarm** — where a subscriber IP gives an infra graph nothing to grab — a `JA4/JA3` client fingerprint travels with the *tooling*, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. Every answer returns a reproducible evidence chain your OT SOC, your auditors and a regulator can replay.

> *"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"*
>
> **Attribute it.** Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on, and the finding lands in your OT sensor and SIEM as a reproducible, replayable evidence chain, ready for the RSAW, not a hunch.

### Gap 2 · a stolen token looks exactly like your aggregator

A minted or reused bearer token *is* a valid credential. Behaviorally it's the operator. Nothing at the perimeter separates it, because the token is a bearer instrument — whoever holds it can present it — and the EndDevice on the other end has no identity to check it against. And even when it does, the 2030.5 certificate behind the LFDI can never be turned off.

**The answer — identity.** Bind the command path to the inverter's own forge-proof **/128** — an address derived from the key behind the **LFDI** the device already carries. A stolen token that can't prove the target DER's identity simply *fails*, and IEEE 2030.5's own certificate — *life-long, no CRL, no OCSP* — finally gets the off-switch that CIP-005 R3.2 requires and its own PKI never had.

> *"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough for a CIP-005 R3 disable?"*
>
> **Because it can't be revoked and no one outside the utility can verify it.** The LFDI is the leftmost 160 bits of a SHA-256 over the device's X.509 certificate — a genuinely good key-derived name — but it lives in a private SERCA→MCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and, in the standard's own words, "cannot be updated or revoked." Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL — so "disable active vendor remote access" becomes one call with a log behind it.

Gap 1 makes detection durable enough to *determine*. Gap 2 gives you the identity to *disable*. Together they are exactly the two verbs your standard asks for.

---

## Three planes on one primitive — and all three exit into the stack you already run.

The primitive is one line: **the address is the identity** — a routable IPv6 /128 out of `2a04:2a01::/32` (announced by **AS219419**), DNSSEC-anchored, DANE-EE pinned, verifiable by anyone with `dig`. Point it at your fleet and you get three planes, no new silo, and no re-flashing the 25M+ inverters already in the field.

- **Identity** — each EndDevice's /128 is derived from the key behind the identifier it already carries — the IEEE 2030.5 LFDI, a SunSpec/Kyrio device cert, a secure element or TPM, with the LFDI or serial as the domain separator. The private key never leaves the device. The head-end authorizes on the DER's pinned identity, not a stealable token. *Who is this, provably.*
- **Attribution graph** — the operator fingerprint across rotating clouds and residential proxies (infrastructure genealogy plus JA4/JA3), with a reproducible evidence chain on every answer. *Who's really behind this vendor session, when the IP rotates.*
- **Egress governance** — per-device /128, default-deny policy, an `op:lookups` reconnaissance tripwire, `op:firewall` allow/deny, `op:budget` caps, and one `op:revoke` kill-switch. *What each device may talk to — and the off-switch when it goes bad.*

**Additive to what you already ship — it does not replace it.** Whisper complements the anchors you already trust — the IEEE 2030.5 / SunSpec / Kyrio device certificate, IEC 62351 on the substation bus, ISO 15118 Plug & Charge, TPM/HSM/secure elements. It is the publicly verifiable, DNSSEC/DANE-anchored layer *on top*, anchoring the device↔cloud boundary at the IP/DNS/transport layer — it never sits inside the substation bus, the DNP3 link, or the charging handshake. No bespoke CA trust store to push to every inverter, and revocation at DNS-TTL speed instead of a certificate that can never be revoked. You can even DANE-pin your existing 2030.5 endpoint's certificate to DNSSEC and cut single-CA trust risk. One key per identity, never a shared root — compromise one inverter and you've compromised *that inverter*, not the fleet.

---

## The honest compliance map — mapped where it's defensible, and explicit about where it isn't.

A compliance claim you can't defend in front of an auditor is worse than none. So we split this into what Whisper is **direct-additive evidence** for, what it merely **sits alongside**, and — plainly — what it does **not** claim. Read the last two tables first if you're the skeptic in the room; that's where trust is earned.

### Direct-additive — Whisper produces the evidence artifact

| Standard & clause | What it requires | How Whisper is direct evidence | Artifact |
|---|---|---|---|
| **NERC CIP-005-7 R3.1** | Determine active vendor remote-access sessions | Attribution enumerates every connection to a device; `op:lookups` shows who resolved or RDAP-queried its identity | Signed evidence chain · lookups log |
| **NERC CIP-005-7 R3.2** | Disable active vendor remote access | One `op:revoke` tears down the /128, PTR and DANE pin worldwide at DNS-TTL | Revoke log · transparency-log leaf |
| **NERC CIP-013-2 R1.2.3** | Vendor notification when remote access should no longer be granted | Per-device revocable identity; the revoke *is* the disable event, timestamped and non-repudiable | Transparency-log entry |
| **NERC CIP-013-2 R1.2.6** | Coordinate controls for vendor IRA + system-to-system remote access | Attributable per-device identity + default-deny egress that scopes what a vendor connection may reach | Policy · firewall · identity register |
| **EU NIS2 Art.21** | Access control, identity & asset management, logging, supply-chain security | Verifiable per-device identity + per-/128 activity logs + one-call offboarding | Identity register · per-/128 logs |
| **EU NCCS Reg. 2024/1366 Art.33** (⚠ binding control text finalizing ~2027) | Zero-trust access control + ICT-lifecycle asset traceability | Addressable, DANE-anchored device identity with a full mint→revoke lifecycle trail | Transparency log · lifecycle record |
| **NISTIR 7628 r1 — SG.IA / SG.AU** | Device identification & authentication (IA) + audit & accountability (AU) | Key-derived /128 for IA; append-only Merkle log + per-/128 logs for AU | Verify transcript · audit trail |
| **Sandia SAND2019-1490** (guidance) | Verify the identity of devices + enforce access control | Publicly verifiable identity + egress governance, without trusting a private single root | Verify transcript · policy log |

### Complementary — Whisper sits alongside & can DANE-pin it, never replaces it

| Standard | What it is | How Whisper complements it |
|---|---|---|
| CA Rule 21 / IEEE 2030.5 CSIP | The mandated app-layer DER protocol & LFDI | We bind the LFDI it already issues; DANE-pin the endpoint cert — never re-key the fleet |
| UL 1741-SB | Grid-support inverter type certification | Identity-ready at type test; live-revocable per unit in the field |
| SunSpec / Kyrio SERCA→MICA PKI | The private-CA root behind the device cert | The publicly verifiable layer on top; closes the no-CRL/OCSP revocation gap |
| IEC 62351-9 | Key & certificate lifecycle / revocation for power systems | DNS-TTL revocation + transparency log complement the standard's lifecycle model |
| ISO 15118 Plug & Charge | The EV contract-cert / V2G Root CA PKI | DANE-pin the endpoint; a per-EVSE revocable identity beside the closed billing root |

### What Whisper does NOT claim

We are not your whole CIP program, and we won't pretend to be. Whisper does **not** map to **CIP-010** (configuration change management & baselines), **CIP-005 R2** (we are *not* an Intermediate System and do not provide encrypted-IRA or MFA), or **CIP-007 R5** (system access control / account management). Those are real controls — they're just not this layer. Anyone who sells you all of NERC CIP in one box is selling you a binder, not a control.

### The BES-scope caveat — where this evidence actually lands

**NERC CIP applies to the Bulk Electric System.** In practice that means the utility, the aggregation head-end and the *vendor-access* layer — **not most behind-the-meter DER**, which sits below the BES cut. So the CIP-005/CIP-013 evidence above is strongest at the utility↔aggregator↔vendor boundary; the residential/behind-the-meter tail is where NIS2, the EU NCCS, and your own program's identity requirements carry the weight instead. We'd rather tell you where the line is than let an auditor find it for you.

### CIP-005 R3 — determine & disable active vendor remote access, in two calls

```bash
# R3.1 — DETERMINE: who is querying this vendor DER's identity right now?
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    --data-urlencode "q=CALL whisper.agents({op:'lookups',
       args:{addr:'2a04:2a01:5e0::50c'}})"
  → 3 resolvers · 1 RDAP access in the window
  → source fingerprinted: 41 exit IPs (AWS/GCP/Azure + residential) → 1 operator

# R3.2 — DISABLE: cut that vendor connection off, worldwide, in one call
$ whisper kill --revoke 2a04:2a01:5e0::50c
  ✓ /128 · PTR · DANE pin torn down — gone at DNS-TTL
  ✓ written to the transparency log (Ed25519-signed, OTS-anchored)
  → RSAW-ready: determination + disablement, both timestamped & replayable
```

Every capability lands on a clause and produces an artifact you can file — not a dashboard you screenshot. [See the full mapping in the docs →](/docs/energy-compliance)

---

## Nothing is issued — or revoked — in the dark.

For a regulated program, "we revoked it" is a claim; "here is the signed, timestamped, append-only proof that we revoked it" is evidence. Every identity mint and every revocation lands in a public log built for exactly that.

- **Append-only, signed, Bitcoin-anchored** — every mint and every `revoke` is a leaf in a public, append-only RFC 6962 Merkle log (`tlog-tiles`), with C2SP signed-note checkpoints (Ed25519) and each root anchored to Bitcoin via OpenTimestamps. Endpoints `/checkpoint`, `/checkpoint/key` and `/ledger` are public — your auditor reads them without asking us.
- **The honest status** — it is **tamper-evident today** (signed and Bitcoin-anchored) but **not yet independently witnessed**; our two servers co-signing is availability, not independence. The log speaks C2SP `tlog-witness`, so any external witness can co-sign, and that is the next step. We state this plainly rather than overclaim it.
- **GDPR-compatible by construction** — leaves are salted opaque commitments with selective disclosure; an `op:erase` destroys the salt so the leaf's meaning is unrecoverable while the Merkle proofs stay valid. Auditable *and* right-to-erasure — for a European utility, both at once.
- **The reconnaissance tripwire** — `op:lookups` turns "who is enumerating my fleet?" into a query: it returns who resolved or RDAP-queried a DER's identity — an early warning that an operator is walking your LFDIs, not a post-mortem after the dispatch. The mandated LFDI's private registry never gave you that.

---

## Out-of-band, no inline OT chokepoint — and it fails open.

For the utility OT lead, availability is not a feature, it's the whole job. Whisper rides existing DNS and IPv6 and adds **no inline chokepoint** between your head-end and the field. And if your head-end authorizes against the DANE/verify path, that plane is built to fail *open*.

```
DERMS dispatch ──▶ Head-end checks identity: is Whisper reachable?
  ├─ reachable   ─▶ Bind to the DER's /128 · DANE + verify → identity-enforced (stolen tokens fail)
  └─ unreachable ─▶ Fail open → your existing anchors (2030.5 · SunSpec) → dispatch preserved
```

Anycast on AS219419, no single node in the path. When the identity plane is reachable it hardens dispatch; when it isn't, it steps aside — a Whisper outage degrades to your existing anchors, never a curtailed or bricked inverter. Conservative in what we emit, liberal in what we accept.

> *"An identity layer that can go down and take my grid-edge with it is a non-starter. Is this inline?"*
>
> **No — and it fails open.** The identity and revocation planes ride DNS/IPv6 out-of-band; there is no Whisper box wedged into your OT command path. If we're slow or unreachable, the check degrades to the anchors you already ship and the DER keeps operating. That's an availability property your assessors can test, not a promise.

---

## Additive to your stack. Mapped to your standards. Availability-safe by construction.

Three planes on one primitive — and all three exit into the stack you already run, not a new silo:

- **Identity** — device /128 · DNSSEC · DANE-EE · bound to the LFDI → *who is this, provably* (2030.5 · SunSpec · 15118)
- **Attribution graph** — operator fingerprint across rotating clouds + residential → *who's really behind this* (BGP · DNS · TLS · JA4)
- **Egress governance** — per-device /128 · policy · lookups · firewall · budget · revoke → *what may talk to what* (default-deny)

...exiting into **your SIEM** (Splunk & Sentinel today), **machine-readable** formats (STIX 2.1 / TAXII · CEF / ECS — on the roadmap), and **your standards** (CIP-013/005 · NIS2 · NISTIR 7628). The Splunk connector ships today; the rest of the machine-readable exports are on the roadmap.

- **Turnkey CIP-013 / CIP-005 evidence** — enumerate and kill any vendor device's connection in one call — direct evidence for CIP-005 R3.1/R3.2 and CIP-013 R1.2.3/R1.2.6, plus NIS2 Art.21, the EU NCCS's zero-trust/traceability, NISTIR 7628 SG.IA/SG.AU and Sandia guidance.
- **One identity fabric, every vendor** — derived from the key already in the device — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's an inverter, a battery gateway or an EVSE, it's one verifiable /128 you and the ISO can both check. Non-repudiable telemetry, instant fleet-wide offboarding.
- **Additive & availability-safe** — rides existing DNS/IPv6, adds no inline OT chokepoint, and fails open — a Whisper outage never bricks or curtails a DER; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
- **Feeds the SIEM you already run** — depth on top of the stack you own, a machine-readable feed that makes your OT sensor and threat-intel sharper. The Splunk, Microsoft Sentinel and OpenCTI connectors ship today; STIX 2.1 over TAXII is on the roadmap. It doesn't replace them, and it doesn't add a console your analysts babysit.
- **Flat, predictable pricing** — per-device/year and flat, not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one `revoke` instead of a fleet-wide reset or recall.
- **A vendor that will still be here** — real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Registry-anchored, RDAP-resolvable space, operated with the discipline that implies. POC → pilot → enterprise, keyless to start.

---

## Prove it in 60 seconds — no account. Our API isn't in the trust path.

Two tiers, by design. **No key:** anyone on your team can verify a DER's identity, resolve it, and see who's been checking it — trustless, anchored at the IANA root. **Your key:** bind a device to the LFDI it carries, govern its egress, and produce the CIP-005 R3 evidence in two calls.

### verify & watch — no key required

```bash
# keyless — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the inverter — reverse DNS names it by its LFDI
$ dig -x 2a04:2a01:5e0::50c +short
  lfdi-3f2504e0.der.example-vpp.whisper.online.

# its ordered lifecycle — every mint and revoke, from the public transparency log
$ curl -s https://whisper.online/ip/2a04:2a01:5e0::50c/transparency
```

### provision, govern & revoke — with your key

```bash
# bind an inverter to the LFDI it already carries (pass the LFDI as device_id)
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the device key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the LFDI
  → identity 2a04:2a01:5e0::50c   DNSSEC + DANE live
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper logs 2a04:2a01:5e0::50c            # per-/128 activity — NIS2 / NISTIR 7628 SG.AU evidence
$ whisper kill --revoke 2a04:2a01:5e0::50c   # CIP-005 R3.2 disable — worldwide, at DNS-TTL
```

---

## Determine and disable — with the evidence to prove it.

Bind the LFDI your DER already carries to a routable, revocable /128. Direct-additive evidence for CIP-005 R3, CIP-013, NIS2 and the EU NCCS — additive, out-of-band, availability-safe, and honest about where the line is. Keyless to try, one call to provision, one more to revoke.

[Secure your fleet →](https://console.whisper.security/sign-up) · [See the comparison →](/compare)

Or run `whisper verify --trustless` right now.

---

Identity on the wire for distributed energy resources. AS219419 · 2a04:2a01::/32 · [whisper.online](https://whisper.online/)
