OT & Industrial Cybersecurity

Create Secure File, Device and Unidirectional Data Transfer Processes

Deliver Security and Trust for the Convergence of IT, OT and ICS Networks

The once clear distinction between information technology (IT), operational technology (OT) and Industrial Control System (ICS) networks is becoming blurred due to increased demand for connectivity. This convergence exposes OT and ICS assets to cyberattacks, which can propagate from the IT domain into operational environments. Specifically, transferring files and devices into, across, and out of secure environments is a key potential avenue for security incidents.

Removable (USB) media and transient devices present a risk since they may contain infected files, malware in hidden partitions, and malicious hardware/firmware. And business stakeholders require access to industrial operational data; however, this breaks network segmentation and air-gaps, exposing the OT/ICS environments to vulnerabilities.

OPSWAT solutions enable safe and compliant usage of removable media, transient devices and enforce unidirectional data transfers.

Experience OPSWAT’s Comprehensive OT Cybersecurity Platform

Benefits of OT & Industrial Cybersecurity Solutions

Prevent Breaches with Multiscanning

Malware continues to bypass defenses since cybercriminals develop increasingly sophisticated threats. OPSWAT ensures security and minimizes supply chain risks by leveraging 30+ antimalware engines, and file vulnerability assessment, preventing the introduction of unsafe files and binaries.

Protect Against Malicious Devices

Removable media and transient devices containing rogue firmware, malware in files/hidden partitions can directly compromise OT endpoints. OPSWAT prevents media and file-based attacks, enforces usage of trusted devices, and verifies all media and files have been scanned and approved.

Secure Multiple Content and Device Delivery Routes

OPSWAT serves as a secure channel protecting both inbound (ingress) and outbound (egress) delivery routes. Files can be uploaded over the internet, delivered across network segments, or transported via removable media. Every file and device being transferred is scanned to ensure its safety, and inspected to prevent the loss of sensitive information.

Enable Access to Industrial Data without Disruptions

Isolate your secured networks against attack propagation, while providing access to real-time OT/ICS data and enabling secure IT-OT data and file transfers. OPSWAT Unidirectional and Bilateral Security Gateways support a wide range of Industrial OT and corporate IT protocols, with complete reliability and no data loss.

Over 1,500 of the world’s premier critical infrastructure organizations trust OPSWAT for cybersecurity and compliance.
Opswat Logo Rgb White@2X

Products that Help Manage OT & Industrial Cybersecurity

OPSWAT solutions support multiple use cases for OT and Industrial cybersecurity and compliance. And they can leverage OPSWAT Central Management, offering a single pane of glass for globally managing multiple deployments, policies, settings, and health monitoring of all systems.

MetaDefender Kiosk

MetaDefender Kiosk acts as a digital security guard - inspecting all media for malware, vulnerabilities, and sensitive data. The Kiosk is designed for installation at the physical entry point of secure facilities. More about MetaDefender Kiosk.

MetaDefender Vault

MetaDefender Vault is a secure file storage and retrieval solution, enabling remote uploads and secure transfer across network segments. The Vault works alongside the Kiosk to provide a secure and efficient way to manage threat protection. More about MetaDefender Vault.

MetaDefender Drive

MetaDefender Drive is a portable USB-based solution to inspect transient devices for malware, vulnerabilities, and sensitive data before they enter or leave any organization. The Drive is designed to use with devices that cannot be directly installed with security solutions, when a network connection is not available, or to mitigate supply chain risks. More about MetaDefender Drive.


OPSWAT Client blocks all unauthorized removable media usage on all endpoints and scans them for malware before any files are copied over to the internal systems. The client can also enforce the usage of any media only processed and approved by MetaDefender Kiosk at the entry of your organization. More about OPSWAT Client.

MetaDefender USB Firewall

MetaDefender USB Firewall provides a plug-and-play, hardware-based device to enforce usage of removable media only if it was processed by MetaDefender Kiosk. The device easily connects to ICS/SCADA endpoints such as engineering stations, HMIs and PLCs, without requiring software installation, ensuring the boot sector and files on the media are approved prior to use. More about MetaDefender USB Firewall.

NetWall Security Gateway

OPSWAT NetWall provides access to real-time OT data and enables secure data transfers, without compromising the security and integrity of Industrial systems. NetWall USG (Unidirectional Security Gateway) enforces one-way IT-OT data transfers, with an assured delivery mechanism. NetWall BSG (Bilateral Security Gateway) supports applications requiring a secure data response.


OPSWAT OTfuse is an industrial security appliance and intelligent Intrusion Detection and Prevention System (IDPS) that sits in front of industrial endpoints to protect mission critical PLCs, VFDs, DCSs, and other industrial assets. More about OPSWAT OTfuse.

OPSWAT Neuralyzer

OPSWAT Neuralyzer is an AI-based security solution that offers full visibility into OT assets as well as network activity, enabling OT personnel to effectively prevent threats from IT/OT convergence. Neuralyzer is designed to be seamlessly integrated into various security systems without requiring major changes.

See OT protection on wheels! Check out the OPSWAT CyberTrailer

OT & Industrial Security Deployment Scenarios

MetaDefender Kiosk - Standalone

A common portable and removable media protection mitigation that meets and exceeds NIST, NEI, NERC CIP, ISO/IEC, and ISA/IEC requirements is to place OPSWAT MetaDefender Kiosks at key check point entrances, critical SCADA network locations, and research facilities to verify all media before use.

OPSWAT MetaDefender Kiosk software security policies are enforced to require that all portable media be scanned, sanitized, and approved prior to use in the facility.

The kiosk confirms the user, the source, and the file types; looks for any malicious partitions and malware; and determines whether the device is secure or if it requires further inspection.

  • Allowlisting: An administrator can also add enforcement (allowlisting) of the specific media devices that are allowed into the facility. The kiosk can restrict media usage to specific pre-screened vendors and types.
  • Client Certified Media: Organizations can also provide their own certified media for the copied destination of all sanitized/validated files. In this case, only these media devices would be allowed into the facility with the employee/contractor or under escort.

MetaDefender Kiosk – Standalone with Closed Loop Media Control

Other popular use cases are available to further enhance compliance. Specifically, the kiosks provide “closed-loop” media control via the OPSWAT software client or the OPSWAT USB Firewall. A closed-loop system prevents any introduction of malicious content or changes to content while in transit from the kiosk to the destined system.

For critical environments where software installation could affect vendor warranty on existing systems, the USB Firewall provides a no-install option for closed-loop control.

MetaDefender Kiosk can be obtained as a turnkey system or installed on the client’s preferred hardware or VM based systems.

MetaDefender Kiosk to Vault with Unidirectional File Transfers

The 3rd Closed Loop option for MetaDefender Kiosk provides for the security of Data at Rest and Data in Transit. In this use case, the Kiosk provides workflow control where files are delivered unidirectionally using NetWall USG to MetaDefender Vault, hosted on the target network.

MetaDefender Vault provides tiered supervisory authentication, authorization, approval, and audit reporting when transferring, storing and retrieving files into and out of protected network segments.

  • Users enter all media into the Kiosk and select MetaDefender Vault as the destination
  • File processing begins immediately by Vault in parallel to the facility entry workflow so the user does not need to wait on local processing but can proceed into the facility
  • The Kiosk Ticketing system provides the user with a unique temporary printed code that provides timed network access to the validated/sanitized files stored in MetaDefender Vault hosted by the client from within the facility
  • Unidirectional Security Gateway option: For high security “Security-in-Transit” environments, NetWall USG and Data Diodes can be added to further secure network transfers from MetaDefender Kiosk to Vault. This network device can be added to secure traffic as one-way only and guard against the potential misconfiguration (intentional or malicious) of firewalls.

All files in MetaDefender Vault are AES encryption secured, monitored, and checked for malware using 30+ anti-malware engines, sanitized, and quarantined based on configuration and workflow policies.

MetaDefender Vault to Kiosk (Data Loss Prevention)

Vendors and contractors often need to extract files from a facility for debugging and analysis purposes. In this use case, the data flow originates with MetaDefender Vault and flows to the Kiosk where the authenticated and authorized user can extract the files using approved media. Data Security and Data Privacy rules are enforced through pre-defined data redaction rules assigned to the relevant workflow(s).

These data redaction and workflow rules are designed to enhance GDPR, NIST, HIPAA, HITRUST, ISO/IEC, and ISA/IEC data security and data privacy compliance. All data transfers and workflow configuration changes are logged for detailed audit reporting.

MetaDefender Vault to Vault (Data in Transit Protection)

Whether you are working with NIST, NERC CIP, AWIA, ISO/IEC, or ISA/IEC, cybersecurity standards generally recommend that systems be profiled and grouped according to risk (threats, vulnerabilities, and consequence of compromise). These grouped systems share similar security profiles and therefore can be more efficiently and effectively secured.

System groupings are referred to in various industries with differing nomenclature. The more common terms are “Operational Network,” “Protected Network,” “Classified Network,” “Security Domains,” or “Security Zones.” Data in Transit between these Domains or Zones are then referred to as “Cross Domain” transfers, or “IT/OT” transfers, and transfers across “Network Segments.”

For operational purposes, files will need to be securely transferred between these security zones in a controlled, monitored, and logged process.

With OPSWAT MetaDefender Vault installed in each Security Zone, movement of files between zones can be multi-tier supervisory approved, secured in transit, audited, and secured at rest.

MetaDefender Drive

MetaDefender Drive can be used to scan laptops, workstations, and servers to identify any risks associated with malware, sensitive data loss, vulnerable binaries, and foreign country originated software. This can include remote use laptops, assets from employees, contractor machines, etc.

  • OPSWAT Central Management: A detailed audit report is provided and can be centralized for multiple instances via the OPSWAT central management software.
  • MetaDefender Vault: Drive can use MetaDefender Vault as a destination target.
  • Forensics: Drive can copy all good files to another USB device
  • Critical Infrastructure: MetaDefender Drive can handle older resource constrained systems as low as 1G RAM.

Use cases include:

  • Inspection: Inspect all transient assets coming from outside the entity’s digital security perimeter which are intended to be reconnected to secure systems and networks.
  • Supply Chain Final Check: Final inspection of purpose-built turnkey systems to be shipped to other entities.

Why Choose OPSWAT

See the technologies that power OPSWAT OT solutions

Deep Content Disarm and Reconstruction (CDR)

Cyberthreat prevention without relying on detection

OPSWAT Deep CDR is an advanced threat prevention technology that does not rely on detection. Deep CDR assumes all files are malicious and sanitizes and rebuilds each file ensuring full usability with safe content. We call it “deep” because we do it recursively, completely regenerate all files, and support 100+ file types.



Advanced threat prevention with simultaneous anti-malware engines

OPSWAT Multiscanning is an advanced threat detection and prevention technology that leverages the power of up to 30+ anti-malware engines to increase detection rates, decrease outbreak detection times and provide resiliency to anti-malware vendor issues. Detection rates can be increased up to 99% vs. 40-80% for many single engine solutions.


Proactive Data Loss Prevention (DLP)

Sensitive data detection and blocking in files and emails

OPSWAT Proactive Data Loss Prevention (Proactive DLP) can help prevent potential data breaches and regulatory compliance violations by detecting and blocking sensitive data in files and emails, including credit card and social security numbers. OPSWAT Proactive DLP supports over 30 file types, including Microsoft Office, PDF, CSV, HTML and image files.


File-based Vulnerability Assessment

Detect application vulnerabilities before they are installed

File-Based Vulnerability Assessment technology detects application and file based vulnerabilities before they are installed. We use our patented technology (U.S. 9749349) to correlate vulnerabilities to software components, product installers, firmware packages and other types of binary files, collected from a vast community of users and enterprise customers.

Vulnerabilities 3

Country of Origin

Detect risks in your supply chain

One of the abilities of MetaDefender Drive is to scan binaries on the target system and determine in which country the publisher resides. Many organizations are experiencing heightened requirements to examine the supply chain security of software running on their systems, particularly ones from Foreign Adversaries. With this Country of Origin capability, you can automate what was previously a time-consuming and tedious process.

Filebased Slide
"Our MetaDefender Kiosks give us the added confidence in our ability to help keep our network malware-free."

Ed Koeller

Security Analyst, Ameren

Schedule a demo