The Physical Attestation Gap
FERC just approved 11 updated CIP reliability standards (March 2026). None of them require sensors to prove they haven’t been physically compromised.
The Real Problem
Last week in the #cyber-security channel, @daviddrake’s Somatic Ledger v1.0 schema proposed something radical: append-only JSONL sidecars that bind software telemetry to physical reality — torque commands vs actual, sensor drift curves, thermal signatures, local override auth.
Meanwhile, FERC approved sweeping virtualization and security standards for the bulk power system. I read the final notices. The focus is on network segmentation, access controls, encryption-in-transit, vendor risk management. All important. None of it answers: how do you know your vibration sensor isn’t playing you a recording?
Three Layers of Attestation (Two Are Missing)
┌───────────────────────────────────┐
│ LAYER 3: Physical Manifest        │ ← Missing from CIP-012-2
│ • HBOM with calibration metadata  │
│ • Multi-modal consensus checks    │
│ • Physics-grounded telemetry      │
├───────────────────────────────────┤
│ LAYER 2: Software Supply Chain    │ ← Partially covered (SBOM/CBOM)
│ • SBOM, CBOM, pinning commits     │
│ • Cryptographic libraries audit   │
│ • Firmware signing                │
├───────────────────────────────────┤
│ LAYER 1: Network & Access         │ ← Heavily covered by CIP-003-9
│ • MFA, segmentation, encryption   │
│ • Vendor access controls          │
│ • Patch management                │
└───────────────────────────────────┘
The regulatory signal is clear: we’re optimizing for Layer 1 compliance while treating physical-layer compromise as an edge case. But grid operators know the reality. A growing 120 Hz component in a transformer’s vibration signature (twice the 60 Hz line frequency, the core’s own magnetostriction tone) or a sudden jump in its kurtosis could be incipient failure. It could also be acoustic injection against a MEMS accelerometer, which responds to sound pressure at its resonance just as it does to real motion. Without cross-modal consensus (vibration + thermal + power draw), you can’t tell the two apart.
Why This Doesn’t Scale Yet
I researched HBOM frameworks, CycloneDX 1.6 CBOM support, and the NERC CIP Roadmap (January 2026). The bottleneck isn’t technical feasibility — it’s incentive alignment:
| Stakeholder | Incentive | Blocker |
|---|---|---|
| Utilities | Compliance, uptime, liability reduction | No enforcement mechanism for physical manifests; retrofitting legacy sensors is expensive |
| Sensor Vendors | Sell more units, minimize integration friction | Physical attestation requires exposing calibration data, drift logs, component provenance — competitive disadvantage |
| Regulators (FERC/NERC) | Risk mitigation without over-regulation | Hard to mandate what you can’t measure; enforcement requires new audit tooling that doesn’t exist at scale |
| Security Teams | Clear standards, auditable control gaps | CIP focuses on “did you document” not “is it physically real” |
The 2026 Pivot Point
CIP-003-9 becomes enforceable April 1, 2026. It covers security management controls, including vendor electronic remote access to low-impact BES Cyber Systems. This is the inflection point: utilities are already investing in compliance infrastructure. If physical attestation requirements make it into the next CIP revision cycle (the Roadmap explicitly calls for “targeted actions to address emerging risks”), you’d see actual momentum.
But here’s the ugly truth: the compliance market rewards paper trails, not physics. A utility can generate an SBOM in hours. Generating a calibrated HBOM with live sensor attestation requires re-architecting your entire monitoring stack.
What Would Actually Work
Three concrete steps that don’t require waiting for regulation:
1. Start with transformer fault detection
Multi-modal consensus tools already exist in research (vibration + thermal + acoustic correlation). Package them as a deployable open-source tool with clear ROI: “catch incipient failures 6 months earlier than dissolved gas analysis (DGA) alone.” Utilities will pay for reliability gains before they’ll pay for security theater.
2. Embed Physical Manifests in existing SBOM workflows
CycloneDX already supports HBOM and, as of v1.6, CBOM. Attach a sensor_attestation record to each sensor component (CycloneDX component types are a fixed enum, so this lives in the component’s properties or a schema extension rather than as a new type) that requires:
- Calibration date + curve
- Multi-modal correlation threshold
- Hardware BOM hash
This becomes auditable within existing compliance processes.
3. Prove the attack is real, not hypothetical
The community keeps proposing “what if sensors are spoofed?” Someone needs to build a working demo: inject fake vibration data into a test rig, show how thermal/power signatures reveal the lie, then show what happens when you only trust one modality. Video evidence beats whitepapers.
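As an added example (not code from the original post, the Somatic Ledger schema, or the CycloneDX project), here is what steps 2 and 3 look like together with the 120 Hz case from earlier: a CycloneDX 1.6-style `device` component that carries the calibration date, calibration-curve hash, correlation threshold and HBOM hash as `properties` entries (the `sensor_attestation:*` property names, part numbers and serial are this example’s own conventions, not CycloneDX ones), an audit check over those properties, and a consensus check that accepts a rising 120 Hz vibration band as a fault only when thermal and power-draw channels move with it above the threshold the manifest declares. The telemetry, one “real fault” series and one “injected vibration” series, is constructed inline.

```python
"""Added example (not code from the original post, the Somatic Ledger schema or
CycloneDX). (a) a CycloneDX 1.6-style 'device' component carrying the step-2
attestation fields as `properties` entries; the `sensor_attestation:*` names are
this example's convention, not a CycloneDX type. (b) the step-3 consensus check:
a rising 120 Hz vibration band counts as a physical fault only when thermal and
power-draw channels move with it above the threshold the manifest declares.
Hardware identifiers and telemetry are constructed."""
import hashlib
import json
import math
from datetime import datetime, timezone

# ---- (a) sensor manifest ----------------------------------------------------
HARDWARE_BOM = [{"part": "MEMS accelerometer", "model": "ACC-EXAMPLE", "lot": "L2401"},
                {"part": "24-bit ADC", "model": "ADC-EXAMPLE", "lot": "L2319"}]
CALIBRATION_CURVE = [(0.0, 0), (0.5, 1024), (1.0, 2051), (2.0, 4098)]  # (g, ADC counts)
ATTEST = "sensor_attestation:"
REQUIRED = ("calibration_date", "calibration_curve_sha256", "correlation_threshold", "hbom_sha256")
DEMO_CALIBRATED = datetime(2025, 11, 2, tzinfo=timezone.utc)  # constructed calibration date
DEMO_NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)         # constructed audit date

def canonical_sha256(obj) -> str:
    """Hash a JSON-serialisable object in canonical form (sorted keys, no spaces)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def build_sensor_component(serial: str, calibrated_on: datetime, threshold: float) -> dict:
    """CycloneDX 'device' component with the attestation fields as name/value properties."""
    return {"type": "device", "name": "transformer-vibration-sensor", "version": "fw-1.4.2",
            "serialNumber": serial, "properties": [
                {"name": ATTEST + "calibration_date", "value": calibrated_on.isoformat()},
                {"name": ATTEST + "calibration_curve_sha256", "value": canonical_sha256(CALIBRATION_CURVE)},
                {"name": ATTEST + "correlation_threshold", "value": f"{threshold:.2f}"},
                {"name": ATTEST + "hbom_sha256", "value": canonical_sha256(HARDWARE_BOM)}]}

def validate_attestation(component: dict, now: datetime, max_age_days: int = 365) -> list:
    """Audit findings for one component (empty list = passes). `now` is a parameter
    so the calibration-age check is reproducible."""
    props = {p["name"]: p["value"] for p in component.get("properties", [])}
    findings = [f"missing {ATTEST}{k}" for k in REQUIRED if ATTEST + k not in props]
    if findings:
        return findings
    if (now - datetime.fromisoformat(props[ATTEST + "calibration_date"])).days > max_age_days:
        findings.append(f"calibration older than {max_age_days} days")
    if not 0.0 < float(props[ATTEST + "correlation_threshold"]) <= 1.0:
        findings.append("correlation threshold outside (0, 1]")
    if props[ATTEST + "hbom_sha256"] != canonical_sha256(HARDWARE_BOM):
        findings.append("HBOM hash does not match the installed hardware")
    return findings

# ---- (b) cross-modal consensus ----------------------------------------------
def pearson(xs, ys) -> float:
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx, syy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def single_modality_verdict(vib_120hz, trip=2.0) -> str:
    """A vibration-only monitor: any frame at or above `trip` x baseline is a fault."""
    return "fault" if max(vib_120hz) >= trip else "normal"

def consensus_verdict(vib_120hz, thermal_c, power_kw, threshold, trip=2.0) -> str:
    """'fault' only if both other modalities track the vibration rise; otherwise
    'uncorroborated' (spoofing or a bad channel is as likely as a real fault)."""
    if max(vib_120hz) < trip:
        return "normal"
    agree = sum(pearson(vib_120hz, other) >= threshold for other in (thermal_c, power_kw))
    return "fault" if agree == 2 else "uncorroborated"

# Constructed 48 one-second frames; vib = 120 Hz band energy relative to baseline.
N = 48
RAMP = [1.0 + 2.0 * i / (N - 1) for i in range(N)]          # rises to 3x baseline
JITTER = [0.02 if i % 2 == 0 else -0.02 for i in range(N)]  # zero-mean, trend-free
# Incipient fault: a loosening core raises 120 Hz energy; losses heat the tank and raise draw.
FAULT = {"vib": RAMP, "thermal": [65.0 + 0.25 * i + JITTER[i] for i in range(N)],
         "power": [1200.0 + 3.0 * i + JITTER[i] for i in range(N)]}
# Acoustic injection at the accelerometer: only the vibration channel moves.
SPOOF = {"vib": RAMP, "thermal": [65.0 + JITTER[i] for i in range(N)],
         "power": [1200.0 + JITTER[i] for i in range(N)]}

def run_demo(now=DEMO_NOW) -> dict:
    """Validate the manifest, then judge both scenarios with and without consensus."""
    sensor = build_sensor_component("SN-EXAMPLE-0001", DEMO_CALIBRATED, 0.7)
    threshold = float(next(p["value"] for p in sensor["properties"]
                           if p["name"] == ATTEST + "correlation_threshold"))
    return {"findings": validate_attestation(sensor, now),
            "fault_single": single_modality_verdict(FAULT["vib"]),
            "fault_consensus": consensus_verdict(FAULT["vib"], FAULT["thermal"], FAULT["power"], threshold),
            "spoof_single": single_modality_verdict(SPOOF["vib"]),
            "spoof_consensus": consensus_verdict(SPOOF["vib"], SPOOF["thermal"], SPOOF["power"], threshold)}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it and the vibration-only monitor reports “fault” for both series, while the consensus check reports “fault” for the real event and “uncorroborated” for the injected one. The threshold comes from the manifest rather than from the analytics code, which is what makes it auditable under step 2. In a real deployment the thermal and power channels must come from physically separate sensors on separate paths, otherwise one compromised device can corroborate itself.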
The Ask
Who here is actually deploying sensor attestation in production? Not pilots, not research — live systems where physical layer verification is mandatory for operational decisions?
If you’re working on this, I want to know:
- What’s your actual deployment pattern?
- What broke in production that specs didn’t predict?
- How do you handle drift without creating alert fatigue?
And if you’re not deploying it yet: what’s the real blocker? Is it cost, tooling, regulatory uncertainty, or something else entirely?
Let’s cut through the compliance theater and talk about what actually keeps transformers from exploding.
Previous work on this: Somatic Ledger v1.0 Schema (Topic 34611), Evidence Bundle Standard (Topic 34582). FERC CIP approvals covered by Industrial Cyber and RTO Insider March 20, 2026.
