ot.whisper.online · OT & ICS identity

In OT a device can't prove who it is — and a controller can't verify what it's told.

A valid-looking command from anywhere with reachability is obeyed as if it came from the plant operator — because Modbus, PROFINET and DNP3 were built with no authentication and the network is flat. Whoever reaches the PLC is trusted by it, and the SOC that watches it can't say which session did anything. No zero-day required. Reachability is the whole exploit.

We give it one. The address is the asset — a routable, DNSSEC-anchored /128 bound to the OPC UA ApplicationUri already in its certificate SAN (or the asset serial), derived from the key it already holds, verifiable across the vendor / integrator / asset-owner boundary, revocable at DNS-TTL. Give every industrial asset an identity it can prove — and an off-switch its protocol never had.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

145k+ internet-exposed ICS services across 175 countries
1,693 ransomware attacks on industrial orgs in 2024 — +87% YoY
25% of OT ransomware caused a full-site shutdown; 75% operational disruption
13% of mission-critical OT assets have an insecure internet connection — 36% of exposed EWS/HMIs carry a KEV
55% of OT environments run 4+ remote-access tools (33% run 6+)
400+ CISA ICS advisories a year, and rising

This is how a plant you commissioned gets commanded by someone who never set foot in it.

No zero-day required. Just a reachable socket and a protocol that was built to obey whoever speaks it — at internet scale.

01 · DISCOVER

The plant is already indexed

Shodan and Censys catalogue it: 145,000+ internet-exposed ICS services across 175 countries. Opportunistic crews scan for exposed VNC/HMI panels the way they scan for anything else.

02 · ACCESS

No credential worth the name

Default, weak or absent creds. A documented class took over dozens of internet-reachable PLCs through a factory-default password like 1111 — or none at all — plus brute-forced SSH/Telnet.

03 · BRIDGE

IT/OT convergence carries it in

An IT foothold — ransomware, a stolen vendor account — flows into OT because there's no independent identity boundary. Remote-access sprawl widens it: 55% of OT runs 4+ remote-access tools.

04 · FLAT NETWORK

IP trust, already defeated

Segmentation is by IP and VLAN, so a foothold that owns an address inherits trust. The EWS and HMI are the crown jewels — and exposed: 13% insecure internet connection, 36% of exposed EWS/HMIs carry a KEV.

05 · MANIPULATE

The protocol obeys anyone

Modbus, DNP3 and PROFINET carry no auth — plaintext, spoofable, replayable. A landmark malware family weaponized Modbus/TCP:502 register writes and cut heating to ~600 buildings for two sub-zero days. OPC UA is no refuge: >50% of exposed servers allow unauthenticated sessions.

06 · IMPACT + NO ATTRIBUTION

And you can't say who

1,693 industrial ransomware attacks in 2024, 25% a full-site shutdown. Over shared, rotating egress with no device identity, you can't say which controller or session issued the destructive write — nor revoke it across the vendor boundary.

Invisible by design: the network trusts an IP and a topology, not an identity. A real engineer is one workstation to a cell it owns; the abuser is one reachable socket to a plant it doesn't — and neither the PLC nor the SOC can tell them apart. This is not hypothetical: a landmark Modbus attack cut heat to ~600 buildings, and ~46,000 Modbus devices and 14,220 OPC UA servers — most of them accepting unauthenticated sessions — sit exposed on the open internet right now.

Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps that every OT environment shares. Close both and the attack has nowhere left to stand.

Gap 1 · you can't follow them when the connection rotates

Quarantine a switch port and they come back through a fresh remote-access exit. The egress is disposable; the last IP was never the attacker. Behavioral OT monitoring is excellent inside the plant — but it stops at the Purdue boundary and the firewall, so you block noise while the operator keeps reaching in.

The answer — the graph. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. Two levers, kept honestly separate: for cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a rotating remote-access or residential-proxy pool — where a subscriber IP gives an infra graph nothing to grab — a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the pool to one operator. Every answer returns a reproducible evidence chain your OT SOC, your auditors and a regulator can replay.

The verbs your analysts run — or your agent runs for them: identify(ip) (who really operates a host, even behind a CDN) · origins(prefix) + walk(node,depth) (cluster rotating IPs into one genealogy) · history / watch (a timeline and a standing sentinel) · arbitrary read-only Cypher (express "one source touching N distinct asset identities in a window" as a query, not a ticket).

what your OT SOC sees — a rotating, meaningless “last IP” Reachable session = obeyed by the asset AWS eu-central 3.68.x.x GCP europe-w4 34.90.x.x Azure westeu 20.61.x.x remote-access proxy pool 71.x · Comcast 82.x · KPN 99.x · Orange JA4-identical tooling infra genealogy JA4 fingerprint One operator ASN + hosting genealogy + JA4 / JA3 fingerprint evidence chain → your SIEM what the graph sees — one operator
Attribution survives rotation because it tracks the infrastructure and the tooling, not the ephemeral egress IP. The one thing we never rely on is the last IP — the same one your behavioral tool logged at the firewall.

"When a compromised remote-access tool phones home through fresh cloud IPs and a proxy pool, can you actually attribute it — or just quarantine a switch port and move on?"

Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the proxy pool. The egress IP is the one thing we don't rely on — and the finding feeds straight into your OT sensor and SIEM.

Gap 2 · a valid-looking command looks exactly like the operator

Modbus, DNP3 and PROFINET have no notion of who is speaking. The PLC obeys whoever reaches it, and nothing at the conduit separates a real engineering workstation from a foothold on the same flat network — because the asset has no identity to check the speaker against, and the network trusts an IP.

The answer — identity. Bind the transport boundary — every conduit, every remote-access channel, every cross-org link — to the asset's own forge-proof /128, an address derived from the key behind the OPC UA ApplicationUri, the 802.1AR IDevID or the serial the asset already carries. A source that can't prove the asset's identity can't establish a session across that boundary — the reachability that made "trusted" true is gone — and OPC UA's own trust, a local per-site TrustList with revocation no one outside the plant can see, finally gets a publicly verifiable, cross-org-revocable anchor. (The last inch — a purely-internal write from a foothold already on the segment — is enforced in the command path; §7 says so plainly.)

"OPC UA already binds a globally-unique ApplicationUri into every application-instance certificate. Why isn't that enough?"

Because it's trapped in a local TrustList and can't be verified or revoked across an org boundary. The ApplicationUri is a genuinely good key-bound name — the session fails if it doesn't match the cert. But OPC UA explicitly discourages public CAs, trust is a per-site TrustList, and revocation is a local CRL edit invisible to your integrator, your vendor, or a regulator. Whisper keeps the key-derived ApplicationUri and makes it publicly verifiable, addressable, and revocable at DNS-TTL — across the vendor/integrator/asset-owner boundary.

Gap 1 is detection made durable. Gap 2 is the root cause. Here's the root-cause cure.

Give every asset an identity it can prove — and no one can forge.

Stop treating "anyone with reachability is trusted" as a detection problem and make it an identity problem — strictly stronger. Whisper has one primitive: the address is the identity.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.

Point it at assets. Derive each PLC's — or each RTU's, HMI's, gateway's or historian's — /128 from the public key behind the identifier it already carries: the OPC UA ApplicationUri (already bound into the application-instance certificate SAN), an IEEE 802.1AR IDevID, a TPM or secure element, or the asset serial — with the ApplicationUri or serial as the domain separator. The private key never leaves the asset; the address is a one-way function of its public half and that identifier. No re-flashing the brownfield fleet — you bind the identity the asset was born with, and even a bare Modbus PLC behind a gateway gets a verifiable network identity, a PTR and an RDAP object for the first time.

Asset key ApplicationUri · IDevID · TPM never leaves the asset private key sealed public key + URI /128 2a04:2a01:7a2::4840 routable identity DNSSEC + DANE-EE A name anyone can verify whisper verify --trustless our API not in the trust path op:revoke → gone worldwide at DNS-TTL
The OPC UA ApplicationUri is already a globally-unique name bound into the asset's certificate — a good key-derived identity trapped in a private, per-site TrustList. Whisper binds it to a routable, publicly verifiable /128 and gives it the cross-org off-switch a local CRL never had.

"Reachable = trusted" stops being true across the conduit

You cannot present an asset identity whose key you don't hold. A source with no key behind it can't establish a session across a governed boundary — and every forgery is a DNSSEC/DANE inconsistency any verifier catches.

IP and topology trust become irrelevant

Identity is not the source IP or the VLAN. The "last IP" was never the credential — so rotating it, across clouds or a proxy pool, changes nothing.

A command from an unproven, off-segment source fails to land

A reachable socket with no asset key behind it authenticates to nothing at the transport boundary. It governs who may reach and speak to the asset — the in-path insecure-protocol write is §7's honest exception.

One revoke cuts a compromised asset off worldwide

At DNS-TTL speed: dig -x returns nothing; verify returns false; the DANE pin is gone. The cross-org revocation a local OPC UA TrustList never had.

Attaches to what you already ship — it does not replace it. Whisper complements the anchors you already trust — the OPC UA application-instance certificate, the 802.1AR IDevID, IEC 62443 zones & conduits, TPM/HSM/secure elements, your local TrustList and your device's MUD profile. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the asset↔network boundary: no bespoke CA trust store to push to every PLC, and cross-org revocation at DNS-TTL instead of a TrustList edit only the local site can see. You can even DANE-pin your existing OPC UA endpoint's certificate to DNSSEC and cut single-CA and self-signed trust risk.
The ApplicationUri is the public fingerprint — the /128 is its cryptographic counterpart. The ApplicationUri is a known, structured identifier flowing through every OPC UA deployment; that's useful for interoperability but it's not a secret. The /128 is bound to the asset's key and the ApplicationUri — so the ApplicationUri alone yields nothing. You cannot go ApplicationUri → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the asset's live whereabouts. Because the derivation is tenant-bound, the same asset under two operators yields two unrelated /128s — no one can link a unit across the vendor/integrator boundary.
Lifecycle, end to end. Commissioning → in-life → decommission. A module swap or a repower re-keys to a new /128 and revokes the old one; a change of integrator or owner is one revoke and a re-register to the new party. Compromise one asset and you've compromised that asset, not the plant — the flat-network blast radius is structurally contained. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored transparency log you and your assessor can audit.

Maps to EU CRA Annex I identity & attack-surface duties, IEC 62443-4-2 CR 1.2 and 62443-3-3 zones & conduits, CISA CPG 2.0 IPv6 asset inventory, and NIST SP 800-82r3 — delivered as a network primitive, not a compliance binder. See the compliance map →

Your device already declares what it may talk to. Whisper makes the declaration proof — and enforces it.

This is the OT differentiator. Under MUD (RFC 8520) a device already emits a manifest — over DHCP, LLDP or its X.509 cert — declaring exactly what it should communicate with. MUD's fatal weakness: the rules are "only a suggestion, enforced at the nearest switch," so a compromised device still reaches anything the local admin didn't think to block. Whisper binds that declaration to the asset's verifiable /128 and enforces it as egress governance where traffic actually leaves — default-deny, allow only the manifest's destinations, cross-org, checkable by anyone.

MUD manifest RFC 8520 · DHCP/LLDP/X.509 device declares its egress enforced at the nearest switch Today: only a suggestion a compromised device still reaches anything the local admin missed bound to the asset's /128 · DNSSEC/DANE Whisper: default-deny egress governance historian ✓ controller ✓ vendor OTA ✓ everything else ✕ · enforced where traffic leaves op:policy · op:firewall · op:budget · op:revoke
Same manifest, two fates. Pinned to a globally-verifiable identity and enforced at the /128 where traffic actually egresses, the manufacturer's declaration of intent finally becomes a cryptographic, cross-org control — not a suggestion at the nearest hop.

Who probed this asset is a query

op:lookups returns who resolved or RDAP-queried an asset's identity — an early warning that someone is enumerating your plant, not a post-mortem after the write. The reconnaissance tripwire a local OPC UA TrustList never gave you.

Bind the MUD manifest to a verifiable identity

The device's own from-device/to-device ACLs, pinned to its /128 and enforced as default-deny — allow the historian, the controller and the vendor OTA endpoint; block everything else, by name or subnet. The declaration becomes proof.

Per-asset firewall, budget, kill-switch

op:firewall allow/deny by host, cidr or port; op:budget caps an asset's traffic; op:revoke cuts a compromised unit off worldwide in one call — a conduit at asset granularity, not a VLAN.

Non-repudiable telemetry

sign-outputs binds each historian feed and telemetry stream to the asset's forge-proof /128 so the integrator, the auditor and settlement trust the numbers came from the real asset — not a spoofed source on the flat network.

The same address-is-identity primitive that governs a compromised PLC also governs the AI agents your plant, your integrator and your vendors are about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.

Don't take our word for it — our API isn't in the trust path.

Two tiers, by design. No key: anyone can verify an asset's identity, resolve it, and back-trace a suspicious controller — trustless, anchored at the IANA root. Your key: bind an asset to the ApplicationUri it carries, govern its egress, revoke it worldwide.

verify & attribute — no key required
# keyless — re-derive and verify any asset's identity, trustless
$ whisper verify --trustless 2a04:2a01:7a2::4840
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the asset's OPC UA cert key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the asset — reverse DNS names it
$ dig -x 2a04:2a01:7a2::4840 +short
  opcua-plc7.line2.example-plant.whisper.online.

# who really operates a suspicious controller — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"45.83.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  proxy pool collapsed by JA4: same tooling, 41 exit IPs → 1 operator
provision & govern — with your key
# bind a PLC to the OPC UA ApplicationUri it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the asset key>',
       device_id:'urn:example-plant:line2:PLC7:server'}})"   # device_id = the ApplicationUri
  → identity 2a04:2a01:7a2::4840   DNSSEC + DANE live
$ whisper policy set --default deny --allow historian.example-plant.com,controller.line2.local,ota.vendor.com   # the MUD manifest, enforced
$ whisper kill --revoke 2a04:2a01:7a2::4840   # worldwide, at DNS-TTL

We'd rather you hear the boundaries from us than from your assessor.

This changes who may reach and speak to an asset, and makes every party attributable and cross-org revocable. It is additive to your 62443 program — never a replacement. Where it stops, we say so.

What it closes

Forge-proof asset identity (kills "trusted because it reached an IP"); publicly verifiable identity across the asset-owner/integrator/vendor boundary without a shared flat network; attribution across rotating egress and cross-org revocation at DNS-TTL; and MUD-style default-deny egress governance that contains C2, exfil and lateral movement — attacking the access, convergence-bridge, flat-network and remote-access stages of the chain.

What it does not

It does not stop a purely-internal Modbus/DNP3 write if the attacker already has a foothold on the segment and the PLC can't verify command authority — that needs identity enforced in the command path (at the PLC, a protocol-aware broker/gateway, or the EWS), else the FrostyGoop-class local write still lands. It does not add authentication to Modbus/DNP3/PROFINET on the wire — it changes who may reach the asset, not what the asset accepts once reached. And weak key custody on end-of-life assets without a TPM or secure element remains a limitation.

Shipped & live vs. roadmap — stated plainly. Live today: the generic device /128 (public key + device_id, pass your ApplicationUri or serial here), the attribution graph, the control plane (policy / firewall / budget / revoke / lookups), keyless verify, and the Splunk connector. On the roadmap, labelled as such: a Microsoft Sentinel connector, OpenCTI, STIX 2.1 over TAXII, per-sector machine-readable export, and a first-class typed --applicationuri argument. The transparency log is tamper-evident, Ed25519-signed and Bitcoin-anchored today; independent third-party witnessing is the next step.

The positioning, in one line: OT moves from "anyone with reachability is trusted" to "only cryptographically-identified, egress-governed, attributable, cross-org-revocable parties are trusted" — candid that the last-inch insecure-protocol write must still be enforced in-path.

Your OT platform sees that an asset is misbehaving. Whisper proves who commanded it — and follows them when the connection rotates.

The OT-visibility incumbents — Dragos, Claroty, Nozomi, Armis, Forescout, Tenable OT — are excellent at what's on your network and whether it's behaving, and that's necessary. But their device identity is observational — inferred from behavior, scoped to the monitored network, non-revocable off-box, and attribution stops at the firewall. Xage is the genuine OT-identity neighbor — real zero-trust identity — but it's rooted in its own private fabric, enforced at Xage nodes, not publicly DNS/DANE-verifiable without Xage, and it needs the mesh in the path. Whisper adds the two layers no one else owns: an internet-infrastructure attribution graph that fingerprints the operator across rotating clouds and remote-access pools, and a publicly verifiable device-identity plane — from the asset's own key, no new appliance inline — that is addressable and revocable at DNS-TTL. Exactly the two gaps the OT kill chain exploits.

OT visibility/detectionOT zero-trust identity (Xage)Whisper
OT protocol visibility, discovery & anomaly detectionadditive feed
Publicly verifiable device identity (DNS/DANE, no vendor platform in the loop)inferredprivate root
Identity from the asset's existing key, no new agent/appliance inlineneeds mesh
Cross-org attribution across rotating cloud/remote-access egressin-network
Revocation at DNS-TTL, cross-orgin-fabric
MUD (RFC 8520) egress governance bound to a verifiable identitylocal allowlistbroker policy

It's depth on top of the stack you already run — it can DANE-pin the same OPC UA certificate your SCADA head-end already speaks, and it lands as a machine-readable feed into your SIEM — the Splunk and Microsoft Sentinel connectors ship today — enrichment that makes your OT sensor and threat-intel sharper. It doesn't replace them, and it doesn't add a console your analysts babysit.

See the full comparison →

Additive to your stack. Mapped to your standards. Availability-safe by construction.

Identity asset /128 · DNSSEC · DANE-EE · bound to the ApplicationUri — who is this, provably OPC UA · IDevID · MUD Attribution graph operator fingerprint across rotating clouds + remote-access — who's really behind this 7.44B nodes · BGP·DNS·TLS·JA4 Egress governance per-asset /128 · policy · lookups · firewall · budget · revoke — what may talk to what default-deny · MUD THE ADDRESS IS THE IDENTITY AS219419 · 2a04:2a01::/32 Your SIEM Splunk & Sentinel today Machine-readable STIX 2.1 / TAXII · CEF / ECS Your standards EU CRA · 62443 · CPG 2.0
Three planes on one primitive — and all three exit into the stack you already run, not a new silo.

Turnkey EU CRA & 62443 evidence

A verifiable per-asset identity for CRA Annex I 2(d), default-deny egress for 2(j) attack-surface, per-/128 attribution and egress logs for 2(l) — with a 2027 CE deadline. Maps to IEC 62443-4-2 CR 1.2 and 62443-3-3 zones & conduits, CISA CPG 2.0 IPv6 inventory, NIST 800-82r3. Honest: identity + key-pinning, not full device auth — you keep SBOM, patching and host audit. See the map →

Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your assessor. Honest status: tamper-evident today, independent witnessing is the next step.

Additive & availability-safe

It rides existing DNS/IPv6 and adds no inline OT chokepoint. If your head-end authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never bricks a PLC; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

One identity fabric, every vendor & brownfield asset

Derived from the key already in the asset — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's a PLC, an RTU, an HMI, a gateway, or a bare Modbus device behind a gateway, it's one verifiable /128 you and your integrator can both check.

Flat, predictable pricing

Per-asset/year and flat — not per-transaction, not usage-metered. A line item you can forecast across every brownfield site. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a plant-wide reset. See pricing →

A vendor that will still be here

Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

Give every industrial asset an identity it can prove.

The address is the asset — routable, DNSSEC-anchored, bound to the ApplicationUri it already carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.