# Whisper for Energy

**energy.whisper.online · DER & grid-edge security**

# A stolen token shouldn't be able to command a gigawatt of DER.

The attacker mints a token against your fleet's cloud API — or reuses one valid across two platforms — enumerates every inverter behind it, and dispatches *legitimate-looking* setpoints from ordinary egress. Your IP allowlists pass it; your logs record a meaningless *last IP*. It works for one reason: your DER devices have no identity they can prove.

**We give them one.** The address **is** the inverter — a routable, DNSSEC-anchored **/128** bound to the `LFDI` it already carries, that no one can forge and you can revoke worldwide in a single call. **Give every DER an identity it can prove — and an off-switch its own PKI never had.**

[Secure your fleet →](https://console.whisper.security/sign-up) · [Trace the attack ↓](#the-attack-step-by-step)

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

### The numbers

- **~35k** solar devices from 42 vendors sit exposed on the open internet
- **~195 GW** of solar coordinated by one platform pair — a stolen token took over any account
- **<2%** of inverters (~4.5 GW) modeled enough to force EU grid load-shedding
- **~800** PV monitors hijacked into Mirai — the first confirmed attack on PV generation
- **10+/yr** solar-vendor vulns for 3 years — 80% high/critical, 32% CVSS 9.8–10
- **0** revocation — IEEE 2030.5 device certs are life-long, no CRL, no OCSP

---

## The attack, step by step

### This is how a fleet you built gets dispatched by someone who never owned an inverter.

No zero-day required. Just a bearer token and an aggregator API used exactly as built — at fleet scale.

**01 · RECON — Find the control plane.** An internet-exposed gateway (~35k found on Shodan) or, higher-value, the *vendor cloud / aggregator API* that fronts a whole fleet.

**02 · TOKEN — Mint or steal the bearer.** Hit an unauthenticated `/oauth2/token`, exploit a broken-authorization endpoint, or lift a hard-coded key. Now you hold a valid token — *the* fleet authority.

**03 · ENUMERATE — One token, one fleet.** Iterate account and org IDs and the LFDIs behind them. "Many small devices, one control plane" becomes "one token, thousands of inverters."

**04 · COMMAND — Legitimate-looking dispatch.** Push active-power setpoints, forced disconnect/reconnect, coordinated on/off, or malicious firmware. The token is valid; the egress is ordinary.

**05 · ROTATE — Every last IP is disposable.** Hop across Amazon, Google and Azure, or a residential-proxy swarm, every few requests. Your SOC sees a fresh last IP and correlates nothing.

**06 · STRESS — Swing the aggregate.** Synchronize the fleet to move real power. Research models `<2%` of inverters as grid-relevant — and the token stays valid until one vendor rotates it.

Invisible at the network layer by design: a real operator is *one head-end to a fleet it owns*; the abuser is *one token to a fleet it doesn't* — and every IP it ever shows you is disposable. This is not hypothetical: a single cloud-platform pair coordinating ~195 GW of solar could be made to mint a token for any account and take it over, and ~800 monitoring devices were hijacked into Mirai through one unauthenticated command-injection flaw.

---

## Two gaps. Every DER program has both.

### Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps that every distributed-energy program shares. Close both and the attack has nowhere left to stand.

### Gap 1 · you can't follow them when the IP rotates

Rate-limit an IP and they spin up a fresh one. The egress is disposable; the last IP *was never the attacker*. So you block noise while the operator keeps dispatching.

**The answer — the graph.** A live internet-infrastructure graph — **7.44B** nodes and **39.3B** relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the *operator*, not the IP. Two levers, kept honestly separate: for **cloud rotation** it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a **residential-proxy swarm** — where a subscriber IP gives an infra graph nothing to grab — a `JA4/JA3` client fingerprint travels with the *tooling*, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. Every answer returns a reproducible **evidence chain** your OT SOC, your auditors and a regulator can replay.

The verbs your analysts run — or your agent runs for them: `identify(ip)` (who really operates a host, even behind a CDN) · `origins(prefix)` + `walk(node,depth)` (cluster rotating IPs into one genealogy) · `history` / `watch` (a timeline and a standing sentinel) · arbitrary read-only Cypher (express *"one source touching N distinct DER identities in a window"* as a query, not a ticket).

> Attribution survives rotation because it tracks the infrastructure and the tooling, not the ephemeral egress IP. The one thing we never rely on is the last IP.

> **"When a hijacked fleet phones home through rotating residential proxies and fresh cloud IPs, can you actually attribute it — or just rate-limit an IP and move on?"**
>
> **Attribute it.** Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. The egress IP is the one thing we don't rely on — and the finding feeds straight into your OT sensor and SIEM.

### Gap 2 · a stolen token looks exactly like your aggregator

A minted or reused bearer token *is* a valid credential. Behaviorally it's the operator. Nothing at the perimeter separates it, because the token is a bearer instrument — whoever holds it can present it — and the device on the other end has no identity to check it against.

**The answer — identity.** Bind the command path to the inverter's own forge-proof **/128** — an address derived from the key behind the **LFDI** the device already carries. A stolen token that can't prove the target DER's identity simply *fails*, and IEEE 2030.5's own certificate — *life-long, no CRL, no OCSP* — finally gets the off-switch it never had.

> **"IEEE 2030.5 already gives every inverter a certificate. Why isn't that enough?"**
>
> **Because it can't be revoked and no one outside the utility can verify it.** The LFDI is a SHA-256 of the device's own certificate — a genuinely good key-derived name — but it lives in a private SERCA→MICA root, is allow-listed per-utility out-of-band, isn't addressable, and *"cannot be updated or revoked."* Whisper keeps the key-derived property and makes it publicly verifiable, addressable, and revocable at DNS-TTL.

Gap 1 is detection made durable. Gap 2 is the root cause. Here's the root-cause cure.

---

## The root-cause cure · identity

### Give every DER an identity it can prove — and no one can forge.

Stop treating fleet takeover as a detection problem and make it an *identity* problem — strictly stronger. Whisper has one primitive: **the address is the identity.**

A routable IPv6 **/128** out of `2a04:2a01::/32` (announced by **AS219419**), deterministically derived from a key, DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`. `whisper verify --trustless` checks it against the IANA root; *our own API is not in the trust path.*

**Point it at devices.** Derive each inverter's — or each gateway's or EVSE's — /128 from the public key behind the identifier it *already* carries: the IEEE **2030.5 LFDI** (itself a SHA-256 of the device's X.509 cert), a SunSpec/Kyrio device cert, a secure element, or a TPM — with the **LFDI or serial as the domain separator**. The private key never leaves the device; the address is a one-way function of its public half and that identifier. No re-flashing the 25M+ inverters already in the field — you bind the identity they were born with.

> The IEEE 2030.5 LFDI is already a SHA-256 of the device's certificate — a good key-derived name trapped in a private, non-revocable root. Whisper binds it to a routable, publicly verifiable /128 and gives it the off-switch its own PKI explicitly lacks.

**What it removes:**

- **"One token → a whole fleet" becomes physically impossible.** You cannot present thousands of DER identities whose keys you don't hold. Every forgery is a DNSSEC/DANE inconsistency any verifier catches.
- **IP rotation becomes irrelevant.** Identity is not the source IP. The "last IP" was never the credential — so rotating it, across clouds or residential proxies, changes nothing.
- **Stolen tokens fail.** A minted or reused bearer with no device key behind it authenticates to nothing. The dispatch path checks the inverter, not the bearer.
- **One `revoke` kills a compromised inverter worldwide.** At DNS-TTL speed: `dig -x` returns nothing; verify returns false. The revocation IEEE 2030.5's life-long certs never had.

**Attaches to what you already ship — it does not replace it.** Whisper complements the anchors you already trust — the IEEE 2030.5 / SunSpec / Kyrio device certificate, IEC 62351 on the substation bus, ISO 15118 Plug & Charge, TPM/HSM/secure elements. It is the publicly verifiable, DNSSEC/DANE-anchored layer *on top*, anchoring the device↔cloud boundary: no bespoke CA trust store to push to every inverter, and revocation at DNS-TTL speed instead of a certificate that can never be revoked. You can even **DANE-pin your existing 2030.5 endpoint's certificate** to DNSSEC and cut single-CA trust risk.

**The LFDI is the public fingerprint — the /128 is its cryptographic counterpart.** The LFDI is a known, structured identifier flowing through every CSIP deployment; that's useful for interoperability but it's not a secret. The /128 is bound to the device's key *and* the LFDI — so the LFDI alone yields nothing. You cannot go LFDI → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the device's whereabouts. Because the derivation is **tenant-bound**, the same device under two aggregators yields two unrelated /128s — no one can link a unit across operators.

**Lifecycle, end to end.** Factory key → in-life dispatch → incident `revoke`. A module swap or repower re-keys to a new /128 and revokes the old one; a decommission or a change of aggregator is one `revoke` and a re-register to the new owner. Compromise one inverter and you've compromised *that inverter*, not the fleet — the fleet-takeover failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored [transparency log](/docs/energy-compliance) you and your regulator can audit.

Maps to **NERC CIP-013 / CIP-005** vendor-remote-access controls, **EU NIS2** and the **EU Network Code on Cybersecurity**, **NISTIR 7628** device identification, and Sandia's DER guidance — delivered as a network primitive, not a compliance binder. [See the compliance map →](/for-grid-security)

---

## The surface no one else has · see & govern

### See who's enumerating your fleet — before the command lands.

An identity you can prove is also an identity you can *watch*. Because every DER's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who looked — a reconnaissance tripwire the LFDI's private registry never gave you — and can govern precisely what each device may talk to.

- **Who checked this inverter is a query.** `op:lookups` returns who resolved or RDAP-queried a DER's identity — an early warning that someone is enumerating your fleet, not a post-mortem after the dispatch.
- **Govern what each device may reach.** A graph-first resolver and source-bound egress enforce **default-deny** per device — allow the DERMS head-end and the OTA endpoint, block everything else, by name or subdomain.
- **Per-device firewall, budget, kill-switch.** `op:firewall` allow/deny by host, cidr or port; `op:budget` caps a device's traffic; `op:revoke` cuts a compromised unit off worldwide in one call.
- **Non-repudiable telemetry.** Bind each dispatch and telemetry stream to the DER's forge-proof /128 so the ISO, the utility and your own market settlement trust the numbers came from the real device.

The same *address-is-identity* primitive that governs a compromised inverter also governs the AI agents your VPP and trading desk are about to run — per-agent /128, per-agent logs, default-deny egress, one `revoke`. From day one.

---

## Prove it in 60 seconds · no account

### Don't take our word for it — our API isn't in the trust path.

Two tiers, by design. **No key:** anyone can verify a DER's identity, resolve it, and back-trace a suspicious controller — trustless, anchored at the IANA root. **Your key:** bind a device to the LFDI it carries, govern its egress, revoke it worldwide.

### verify & attribute — no key required

```bash
# keyless — re-derive and verify any inverter's identity, trustless
$ whisper verify --trustless 2a04:2a01:5e0::50c
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the identity's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the inverter — reverse DNS names it
$ dig -x 2a04:2a01:5e0::50c +short
  lfdi-3f2504e0.der.example-vpp.whisper.online.

# who really operates a suspicious controller — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

### provision & govern — with your key

```bash
# bind an inverter to the LFDI it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the device key>',
       device_id:'3F2504E04F8911D39A0C0305E82C3301'}})"   # device_id = the LFDI
  → identity 2a04:2a01:5e0::50c   DNSSEC + DANE live
$ whisper policy set --default deny --allow derms.example-vpp.com,ota.example-vpp.com
$ whisper kill --revoke 2a04:2a01:5e0::50c   # worldwide, at DNS-TTL
```

[Secure your fleet →](https://console.whisper.security/sign-up) · [Read the docs](/docs)

---

## Where Whisper fits

### Your OT sensor sees *that* a DER is misbehaving. Whisper proves *who* commanded it — and follows them when the IP rotates.

The OT-detection incumbents — Dragos, Claroty, Nozomi, Armis, Forescout — are excellent at what's on your network and whether it's behaving, and that's necessary. But their device identity is *observational* — inferred from behavior, scoped to the monitored network, and non-revocable off-box. Your DERMS *consumes* the manufacturer's IEEE 2030.5 certificate; it doesn't mint identity and inherits the life-long, no-CRL/OCSP model. Whisper adds the two layers no one else owns: an **internet-infrastructure attribution graph** that fingerprints the operator across rotating clouds and residential proxies, and a **publicly verifiable device-identity plane** that is addressable and revocable at DNS-TTL. Exactly the two gaps the fleet-takeover attacks exploit.

|  | OT detection | DERMS + 2030.5 PKI | Whisper |
|---|---|---|---|
| OT visibility & anomaly detection | ✓ | — | additive feed |
| **Publicly verifiable** device identity (DNS/DANE, not a private CA) | — | — | ✓ |
| Revocation at DNS-TTL, cross-operator | — | — | ✓ |
| Operator attribution across rotating egress | — | — | ✓ |

It's depth on top of the stack you already run — it can DANE-pin the same 2030.5 certificate your CSIP head-end already speaks, and it lands as a machine-readable feed into your SIEM — the Splunk and Microsoft Sentinel connectors ship today — enrichment that makes your OT sensor and threat-intel sharper. It doesn't replace them, and it doesn't add a console your analysts babysit.

[See the full comparison →](/compare)

---

## Built for the people who have to sign off

### Additive to your stack. Mapped to your standards. Availability-safe by construction.

**Three planes on one primitive** — and all three exit into the stack you already run, not a new silo:

- **Identity** — device /128 · DNSSEC · DANE-EE · bound to the LFDI — who is this, provably. *(2030.5 · SunSpec · 15118)*
- **Attribution graph** — operator fingerprint across rotating clouds + residential — who's really behind this. *(7.44B nodes · BGP·DNS·TLS·JA4)*
- **Egress governance** — per-device /128 · policy · lookups · firewall · budget · revoke — what may talk to what. *(default-deny)*

**THE ADDRESS IS THE IDENTITY** — AS219419 · 2a04:2a01::/32

Exits into your existing stack: **Your SIEM** (Splunk & Sentinel today) · **Machine-readable** (STIX 2.1 / TAXII · CEF / ECS) · **Your standards** (CIP-013/005 · NIS2 · NISTIR 7628).

**Turnkey CIP-013 / CIP-005 evidence.** Enumerate and kill any vendor device's connection in one call — direct evidence for **CIP-005 R3.1/R3.2** (determine & disable active vendor remote access) and **CIP-013 R1.2.3/R1.2.6**. Also maps to NIS2 Art.21, the EU Network Code's zero-trust/traceability, and NISTIR 7628 SG.IA/SG.AU. [See the map →](/for-grid-security)

**Nothing issued in the dark.** Every identity mint and every revoke lands in a public, append-only **RFC 6962 Merkle transparency log**, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your regulator. *Honest status:* tamper-evident today, independent witnessing is the next step.

**Additive & availability-safe.** It rides existing DNS/IPv6 and adds **no inline OT chokepoint**. If your head-end authorizes against the DANE/verify path, that plane is built to **fail open** — a Whisper outage never bricks an inverter; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

**One identity fabric, every vendor.** Derived from the key already in the device — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's an inverter, a battery gateway, or an EVSE, it's one verifiable /128 you and the ISO can both check.

**Flat, predictable pricing.** Per-device/year and flat — not per-transaction, not usage-metered. Against fleet-scale economics that's a line item you can forecast. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a fleet-wide reset. [See pricing →](/pricing)

**A vendor that will still be here.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

---

## Give every DER an identity it can prove.

The address is the inverter — routable, DNSSEC-anchored, bound to the LFDI it already carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.

[Secure your fleet →](https://console.whisper.security/sign-up) · [For grid security →](/for-grid-security)

Or run `whisper verify --trustless` right now.

---

*Identity on the wire for distributed energy resources. AS219419 · 2a04:2a01::/32.*

© 2026 viaGraph B.V. (dba Whisper Security)
