# Whisper for Energy — device identity on the wire for the grid edge. This is energy.whisper.online. The marketing story here is told for the utility, DER-aggregator, and grid-security team; the /docs library, the console, and the whole system behind it are identical to whisper.online. Read it in full — written so both an agent and a person can act on it. ## The problem it solves Third parties reverse-engineer a utility's or aggregator's DER-management and metering APIs (IEEE 2030.5 / SEP2, OpenADR, proprietary inverter clouds), authenticate with a phished credential or a bearer token portable to any IP, and read or command whole fleets of grid-edge devices contract-free — indistinguishable from the real controller because it is the controller's protocol. On the grid this is not just data loss: a forged session can curtail or trip distributed energy resources. The root cause is broken authentication (OWASP API BOLA): the token authenticates a claim, never the machine. Undetectable at the network layer, because the attacker rotates egress across clouds and residential proxies. ## The cure — make it an identity problem Give every DER, meter, inverter, or charger a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the hardware key it already holds (secure element / TPM / IEEE 802.1AR IDevID), with the IEEE 2030.5 LFDI or DER serial as the domain separator. DNSSEC-anchored, DANE-EE pinned, RDAP-registered, verifiable trustlessly with `whisper verify --trustless`. The head-end / DERMS then authorizes on the device's pinned identity, not a stealable token: one IP to thousands of devices becomes impossible, IP rotation is irrelevant, stolen sessions fail, and one revoke kills a compromised device worldwide at DNS-TTL. Additive to the X.509/mTLS and the SIEM you already run; complements IEEE 2030.5 / IEC 62351 / DNP3 Secure Authentication PKI, never replaces. ## Shipped & live Derive a /128 from your device's PUBLIC key + its native identifier as `device_id` (pass your IEEE 2030.5 LFDI or DER serial here). The private key never leaves the device — only the public SPKI is an input. A first-class typed `--lfdi` arg is on the roadmap. Every mint and every revocation lands in a public, append-only RFC 6962 Merkle transparency log with Ed25519-signed, Bitcoin-anchored checkpoints (tamper-evident and independently co-signable; not yet independently witnessed). ## Pages - / Home — the problem, the cure, and the two structural gaps - /grid-api-abuse The grid-API-abuse cure, end to end - /platform The three planes + where they fit the stack you already run - /for-grid-security For grid security: SOC/OT + SIEM fit, NERC CIP / IEC 62443 / NIS2 / E-ISAC - /compare Honest comparison — additive, not a replacement - /pricing Flat, predictable pricing - /docs The full technical documentation (identical to whisper.online/docs) ## Verify it yourself (keyless — no API key, real value) whisper verify --trustless dig -x # forward-confirmed reverse DNS curl https://whisper.online/verify-identity/ curl https://whisper.online/ip/ # RDAP + ownership history curl https://whisper.online/ip//lookups # who has been resolving this identity ## Provision & govern (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query Header: X-API-Key: whisper_live_xxx # your key — redacted here CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'', device_id:''}}) # mints the /128 identity CALL whisper.agents({op:'policy', args:{...}}) # govern CALL whisper.agents({op:'logs', args:{...}}) # the identity's own egress CALL whisper.agents({op:'revoke', args:{...}}) # kill worldwide at DNS-TTL Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32.