# Whisper for OT — give every industrial asset an identity it can prove

> In OT a device can't prove who it is — and a controller can't verify what it's told.
> The address **is** the asset — a routable, DNSSEC-anchored /128 bound to the OPC UA
> ApplicationUri already in its certificate, cross-org revocable at DNS-TTL. Additive to
> your OT-visibility stack and SIEM.

A valid-looking command from anywhere with reachability is obeyed as if it came from the
plant operator — because Modbus, PROFINET and DNP3 were built with *no authentication* and
the network is flat. Whoever reaches the PLC is trusted by it, and the SOC that watches it
can't say *which* session did anything. No zero-day required. Reachability is the whole
exploit. **We give it one.**

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

- **145k+** — internet-exposed ICS services across 175 countries
- **1,693** — ransomware attacks on industrial orgs in 2024, +87% YoY
- **25%** — of OT ransomware caused a full-site shutdown; 75% operational disruption
- **13%** — of mission-critical OT assets have an insecure internet connection (36% of exposed EWS/HMIs carry a KEV)
- **55%** — of OT environments run 4+ remote-access tools (33% run 6+)
- **400+** — CISA ICS advisories a year, and rising

---

## The attack, step by step

**This is how a plant you commissioned gets commanded by someone who never set foot in it.**
No zero-day required. Just a reachable socket and a protocol that was built to obey whoever
speaks it — at internet scale.

1. **DISCOVER** — The plant is already indexed: Shodan and Censys catalogue `145,000+` internet-exposed ICS services across 175 countries. Opportunistic crews scan for exposed VNC/HMI panels.
2. **ACCESS** — No credential worth the name: default, weak or absent creds. A documented class took over dozens of internet-reachable PLCs through a factory-default password like `1111` — or none at all — plus brute-forced SSH/Telnet.
3. **BRIDGE** — IT/OT convergence carries it in: an IT foothold (ransomware, a stolen vendor account) flows into OT because there's *no independent identity boundary*. Remote-access sprawl widens it — `55%` of OT runs 4+ remote-access tools.
4. **FLAT NETWORK** — IP trust, already defeated: segmentation is by IP and VLAN, so a foothold that owns an address inherits trust. The EWS and HMI are the crown jewels — and exposed: `13%` insecure internet connection, `36%` of exposed EWS/HMIs carry a KEV.
5. **MANIPULATE** — The protocol obeys anyone: Modbus, DNP3 and PROFINET carry no auth — plaintext, spoofable, replayable. A landmark malware family weaponized `Modbus/TCP:502` register writes and cut heating to ~600 buildings for two sub-zero days. OPC UA is no refuge — >50% of exposed servers allow unauthenticated sessions.
6. **IMPACT + NO ATTRIBUTION** — `1,693` industrial ransomware attacks in 2024, 25% a full-site shutdown. Over shared, rotating egress with no device identity, you can't say which controller or session issued the destructive write — nor revoke it across the vendor boundary.

Invisible by design: the network trusts an IP and a topology, not an identity. A real
engineer is *one workstation to a cell it owns*; the abuser is *one reachable socket to a
plant it doesn't* — and neither the PLC nor the SOC can tell them apart. Not hypothetical:
a landmark Modbus attack cut heat to ~600 buildings, and ~46,000 Modbus devices and 14,220
OPC UA servers — most accepting unauthenticated sessions — sit exposed on the open internet
right now.

---

## Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps that every OT environment
shares. Close both and the attack has nowhere left to stand.

### Gap 1 · you can't follow them when the connection rotates

Quarantine a switch port and they come back through a fresh remote-access exit. The egress
is disposable; the last IP *was never the attacker*. Behavioral OT monitoring is excellent
inside the plant — but it stops at the Purdue boundary and the firewall.

**The answer — the graph.** A live internet-infrastructure graph — **7.44B**
nodes and **39.3B** relationships of fused BGP, DNS, WHOIS, TLS, hosting and
threat intelligence, answering in under 300 ms — fingerprints the *operator*, not the IP.
Two levers, kept honestly separate:

- **Cloud rotation** — the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy.
- **Rotating remote-access / proxy pool** — where a subscriber IP gives an infra graph nothing to grab, a `JA4/JA3` client fingerprint travels with the *tooling* regardless of the exit and collapses the pool to one operator.

Every answer returns a reproducible **evidence chain** your OT SOC, your auditors and a
regulator can replay. The verbs: `identify(ip)`, `origins(prefix)` + `walk(node,depth)`,
`history` / `watch`, and arbitrary read-only Cypher ("one source touching N distinct asset
identities in a window").

> **"When a compromised remote-access tool phones home through fresh cloud IPs and a proxy pool, can you actually attribute it — or just quarantine a switch port and move on?"**
> Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client
> fingerprint collapses the proxy pool. The egress IP is the one thing we don't rely on —
> and the finding feeds straight into your OT sensor and SIEM.

### Gap 2 · a valid-looking command looks exactly like the operator

Modbus, DNP3 and PROFINET have no notion of *who* is speaking. The PLC obeys whoever
reaches it, and nothing at the conduit separates a real engineering workstation from a
foothold on the same flat network — because the asset has no identity to check the speaker
against, and the network trusts an IP.

**The answer — identity.** Bind the transport boundary — every conduit, every remote-access
channel, every cross-org link — to the asset's own forge-proof **/128**, an address derived
from the key behind the OPC UA **ApplicationUri**, the 802.1AR **IDevID** or the serial the
asset already carries. A source that can't prove the asset's identity can't establish a
session across that boundary — the reachability that made *"trusted"* true is gone. (The
last inch — a purely-internal write from a foothold already on the segment — is enforced in
the command path; the honest-scope section says so plainly.)

> **"OPC UA already binds a globally-unique ApplicationUri into every application-instance certificate. Why isn't that enough?"**
> Because it's trapped in a local TrustList and can't be verified or revoked across an org
> boundary. OPC UA explicitly discourages public CAs, trust is a per-site TrustList, and
> revocation is a local CRL edit invisible to your integrator, your vendor, or a regulator.
> Whisper keeps the key-derived ApplicationUri and makes it publicly verifiable,
> addressable, and revocable at DNS-TTL — across the vendor/integrator/asset-owner boundary.

Gap 1 is detection made durable. Gap 2 is the root cause. Here's the root-cause cure.

---

## The root-cause cure · identity

**Give every asset an identity it can prove — and no one can forge.** Stop treating "anyone
with reachability is trusted" as a detection problem and make it an *identity* problem —
strictly stronger. Whisper has one primitive: **the address is the identity.**

A routable IPv6 **/128** out of `2a04:2a01::/32` (announced by **AS219419**),
deterministically derived from a key, DNSSEC-anchored, **DANE-EE** pinned,
RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.
`whisper verify --trustless` checks it against the IANA root; *our own API is not in the trust path.*

**Point it at assets.** Derive each PLC's — or each RTU's, HMI's, gateway's or historian's —
/128 from the public key behind the identifier it *already* carries: the OPC UA
**ApplicationUri** (already bound into the application-instance certificate SAN), an IEEE
**802.1AR IDevID**, a TPM or secure element, or the asset **serial** — with the
ApplicationUri or serial as the domain separator. The private key never leaves the asset;
the address is a one-way function of its public half and that identifier. No re-flashing the
brownfield fleet — you bind the identity the asset was born with, and even a bare Modbus PLC
behind a gateway gets a verifiable network identity, a PTR and an RDAP object for the first time.

```
asset key                ──pubkey + URI──▶  /128                 ──DNSSEC+DANE-EE──▶  a name anyone can verify
(ApplicationUri /                           2a04:2a01:7a2::4840                       whisper verify --trustless
 802.1AR IDevID / TPM,                      routable identity                         our API not in the trust path
 private key sealed)                                                                  op:revoke → gone at DNS-TTL
```

What becomes true the moment you do this:

- **"Reachable = trusted" stops being true across the conduit.** You cannot present an asset identity whose key you don't hold; every forgery is a DNSSEC/DANE inconsistency any verifier catches.
- **IP and topology trust become irrelevant.** Identity is not the source IP or the VLAN; the "last IP" was never the credential.
- **A command from an unproven, off-segment source fails to land.** A reachable socket with no asset key behind it authenticates to nothing at the transport boundary — it governs *who may reach and speak to* the asset (the in-path insecure-protocol write is the honest exception below).
- **One `revoke` cuts a compromised asset off worldwide** at DNS-TTL speed — `dig -x` returns nothing, verify returns false, the DANE pin is gone. The cross-org revocation a local OPC UA TrustList never had.

**Attaches to what you already ship — it does not replace it.** Whisper complements the OPC
UA application-instance certificate, the 802.1AR IDevID, IEC 62443 zones & conduits,
TPM/HSM/secure elements, your local TrustList and your device's MUD profile. It is the
publicly verifiable, DNSSEC/DANE-anchored layer *on top*: no bespoke CA trust store to push
to every PLC, and cross-org revocation at DNS-TTL instead of a TrustList edit only the local
site can see. You can even DANE-pin your existing OPC UA endpoint's certificate.

**The ApplicationUri is the public fingerprint — the /128 is its cryptographic counterpart.**
The ApplicationUri is a known, structured identifier flowing through every OPC UA
deployment, but it's not a secret. The /128 is bound to the asset's key *and* the
ApplicationUri, so ApplicationUri alone yields nothing: you cannot go ApplicationUri → /128
without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry
object, never the asset's live whereabouts. Because the derivation is **tenant-bound**, the
same asset under two operators yields two unrelated /128s — no cross-org linkage.

**Lifecycle, end to end.** Commissioning → in-life → decommission. A module swap or repower
re-keys to a new /128 and revokes the old one; a change of integrator or owner is one
`revoke` and a re-register to the new party. Compromise one asset and you've compromised
*that asset*, not the plant — the flat-network blast radius is structurally contained. And
nothing is issued in the dark: every mint and every revoke lands in a public,
Bitcoin-anchored transparency log you and your assessor can audit.

Maps to **EU CRA** Annex I identity & attack-surface duties, **IEC 62443-4-2 CR 1.2** and
**62443-3-3** zones & conduits, **CISA CPG 2.0** IPv6 asset inventory, and **NIST SP
800-82r3** — delivered as a network primitive, not a compliance binder. [See the compliance map →](/for-ot-security)

---

## The OT differentiator · see & govern with MUD

**Your device already declares what it may talk to. Whisper makes the declaration *proof* —
and enforces it.** Under **MUD (RFC 8520)** a device already emits a manifest — over DHCP,
LLDP or its X.509 cert — declaring exactly what it should communicate with. MUD's fatal
weakness: the rules are *"only a suggestion, enforced at the nearest switch,"* so a
compromised device still reaches anything the local admin didn't think to block. Whisper
binds that declaration to the asset's verifiable **/128** and *enforces* it as egress
governance where traffic actually leaves — default-deny, allow only the manifest's
destinations, cross-org, checkable by anyone.

```
MUD manifest (RFC 8520)          ┌─ today:   enforced at the nearest switch → only a suggestion
device declares its egress  ─────┤           a compromised device still reaches anything
(DHCP / LLDP / X.509)            └─ Whisper: bound to the asset's /128 (DNSSEC/DANE)
                                             default-deny egress governance, enforced where traffic leaves
                                             historian ✓  controller ✓  vendor OTA ✓   ·   everything else ✕
                                             op:policy · op:firewall · op:budget · op:revoke
```

- **Who probed this asset is a query.** `op:lookups` returns who resolved or RDAP-queried an asset's identity — an early warning that someone is enumerating your plant, not a post-mortem after the write. The reconnaissance tripwire a local OPC UA TrustList never gave you.
- **Bind the MUD manifest to a verifiable identity.** The device's own `from-device`/`to-device` ACLs, pinned to its /128 and enforced as **default-deny** — allow the historian, the controller and the vendor OTA endpoint; block everything else, by name or subnet. The declaration becomes proof.
- **Per-asset firewall, budget, kill-switch.** `op:firewall` allow/deny by host, cidr or port; `op:budget` caps an asset's traffic; `op:revoke` cuts a compromised unit off worldwide in one call — a conduit at asset granularity, not a VLAN.
- **Non-repudiable telemetry.** `sign-outputs` binds each historian feed and telemetry stream to the asset's forge-proof /128 so the integrator, the auditor and settlement trust the numbers came from the real asset — not a spoofed source on the flat network.

The same *address-is-identity* primitive that governs a compromised PLC also governs the AI
agents your plant, your integrator and your vendors are about to run — per-agent /128,
per-agent logs, default-deny egress, one `revoke`. From day one.

---

## Prove it in 60 seconds · no account

Two tiers, by design. **No key:** anyone can verify an asset's identity, resolve it, and
back-trace a suspicious controller — trustless, anchored at the IANA root. **Your key:**
bind an asset to the ApplicationUri it carries, govern its egress, revoke it worldwide.

```sh
# keyless — re-derive and verify any asset's identity, trustless
$ whisper verify --trustless 2a04:2a01:7a2::4840
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the asset's OPC UA cert key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the asset — reverse DNS names it
$ dig -x 2a04:2a01:7a2::4840 +short
  opcua-plc7.line2.example-plant.whisper.online.

# who really operates a suspicious controller — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"45.83.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  proxy pool collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```sh
# bind a PLC to the OPC UA ApplicationUri it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the asset key>',
       device_id:'urn:example-plant:line2:PLC7:server'}})"   # device_id = the ApplicationUri
  → identity 2a04:2a01:7a2::4840   DNSSEC + DANE live
$ whisper policy set --default deny --allow historian.example-plant.com,controller.line2.local,ota.vendor.com  # the MUD manifest, enforced
$ whisper kill --revoke 2a04:2a01:7a2::4840   # worldwide, at DNS-TTL
```

Secure your assets → <https://console.whisper.security/sign-up> · Read the [docs](/docs).

---

## Honest scope · what this does and does not do

This changes *who may reach and speak to* an asset, and makes every party attributable and
cross-org revocable. It is additive to your 62443 program — never a replacement. Where it
stops, we say so.

**What it closes.** Forge-proof asset identity (kills "trusted because it reached an IP");
publicly verifiable identity *across* the asset-owner/integrator/vendor boundary without a
shared flat network; attribution across rotating egress and cross-org revocation at DNS-TTL;
and MUD-style default-deny egress governance that contains C2, exfil and lateral movement —
attacking the access, convergence-bridge, flat-network and remote-access stages of the chain.

**What it does not.** It does **not** stop a purely-internal Modbus/DNP3 write if the
attacker already has a foothold on the segment and the PLC can't verify command authority —
that needs identity enforced *in the command path* (at the PLC, a protocol-aware
broker/gateway, or the EWS), else the FrostyGoop-class local write still lands. It does
**not** add authentication to Modbus/DNP3/PROFINET on the wire — it changes who may reach the
asset, not what the asset accepts once reached. And weak key custody on end-of-life assets
without a TPM or secure element remains a limitation.

**Shipped & live vs. roadmap — stated plainly.** Live today: the generic device **/128**
(public key + `device_id`, pass your ApplicationUri or serial here), the attribution graph,
the control plane (`policy` / `firewall` / `budget` / `revoke` / `lookups`), keyless
`verify`, and the **Splunk** connector. On the roadmap, labelled as such: a Microsoft
**Sentinel** connector, OpenCTI, STIX 2.1 over TAXII, per-sector machine-readable export, and
a first-class typed `--applicationuri` argument. The transparency log is tamper-evident,
Ed25519-signed and Bitcoin-anchored today; independent third-party witnessing is the next step.

The positioning, in one line: OT moves from *"anyone with reachability is trusted"* to *"only
cryptographically-identified, egress-governed, attributable, cross-org-revocable parties are
trusted"* — candid that the last-inch insecure-protocol write must still be enforced in-path.

---

## Where Whisper fits

**Your OT platform sees *that* an asset is misbehaving. Whisper proves *who* commanded it —
and follows them when the connection rotates.** The OT-visibility incumbents — Dragos,
Claroty, Nozomi, Armis, Forescout, Tenable OT — are excellent at what's on your network and
whether it's behaving, and that's necessary. But their device identity is *observational* —
inferred from behavior, scoped to the monitored network, non-revocable off-box, and
attribution stops at the firewall. Xage is the genuine OT-identity neighbor — real zero-trust
identity — but it's rooted in its own private fabric, enforced at Xage nodes, not publicly
DNS/DANE-verifiable without Xage, and it needs the mesh in the path. Whisper adds the two
layers no one else owns: an internet-infrastructure attribution graph that fingerprints the
operator across rotating clouds and remote-access pools, and a publicly verifiable
device-identity plane — from the asset's own key, no new appliance inline — that is
addressable and revocable at DNS-TTL. Exactly the two gaps the OT kill chain exploits.

| | OT visibility/detection | OT zero-trust identity (Xage) | Whisper |
|---|---|---|---|
| OT protocol visibility, discovery & anomaly detection | ✓ | — | *additive feed* |
| **Publicly verifiable** device identity (DNS/DANE, no vendor platform in the loop) | inferred | private root | ✓ |
| Identity from the asset's **existing key**, no new agent/appliance inline | — | needs mesh | ✓ |
| Cross-org attribution across rotating cloud/remote-access egress | in-network | — | ✓ |
| Revocation at DNS-TTL, cross-org | — | in-fabric | ✓ |
| MUD (RFC 8520) egress governance bound to a verifiable identity | local allowlist | broker policy | ✓ |

It's depth on top of the stack you already run — it can DANE-pin the same OPC UA certificate
your SCADA head-end already speaks, and it lands as a machine-readable feed into your SIEM —
the Splunk and Microsoft Sentinel connectors ship today — enrichment that
makes your OT sensor and threat-intel sharper. It doesn't replace them, and it doesn't add a
console your analysts babysit. [See the full comparison →](/compare)

---

## Built for the people who have to sign off

**Additive to your stack. Mapped to your standards. Availability-safe by construction.**
Three planes on one primitive — identity, attribution graph, egress governance — and all
three exit into the stack you already run, not a new silo.

- **Turnkey EU CRA & 62443 evidence.** A verifiable per-asset identity for **CRA Annex I 2(d)**, default-deny egress for **2(j)** attack-surface, per-/128 attribution and egress logs for **2(l)** — with a 2027 CE deadline. Maps to **IEC 62443-4-2 CR 1.2** and 62443-3-3 zones & conduits, CISA CPG 2.0 IPv6 inventory, NIST 800-82r3. *Honest:* identity + key-pinning, not full device auth — you keep SBOM, patching and host audit. [See the map →](/for-ot-security)
- **Nothing issued in the dark.** Every identity mint and every revoke lands in a public, append-only **RFC 6962 Merkle transparency log**, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail for your assessor. *Honest status:* tamper-evident today, independent witnessing is the next step.
- **Additive & availability-safe.** It rides existing DNS/IPv6 and adds **no inline OT chokepoint**. If your head-end authorizes against the DANE/verify path, that plane is built to **fail open** — a Whisper outage never bricks a PLC; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
- **One identity fabric, every vendor & brownfield asset.** Derived from the key already in the asset — no second PKI, no BOM cost, no re-flashing the fielded fleet. Whether it's a PLC, an RTU, an HMI, a gateway, or a bare Modbus device behind a gateway, it's one verifiable /128 you and your integrator can both check.
- **Flat, predictable pricing.** Per-asset/year and flat — not per-transaction, not usage-metered. A line item you can forecast across every brownfield site. Clear ROI: analyst-hours saved on disposable-IP correlation, one revoke instead of a plant-wide reset. [See pricing →](/pricing)
- **A vendor that will still be here.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start.

---

## Give every industrial asset an identity it can prove.

The address is the asset — routable, DNSSEC-anchored, bound to the ApplicationUri it already
carries, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.

Secure your assets → <https://console.whisper.security/sign-up> · [For OT security →](/for-ot-security)

Or run `whisper verify --trustless` right now.

---

*Whisper for OT · Identity on the wire for industrial assets · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
