If you operate a plant, refinery, water treatment facility, substation, or any other industrial site in Singapore, Malaysia, or Vietnam, the single most common way malware gets into your operational technology (OT) network is not your firewall, your VPN, or your remote-access gateway. It is a contractor walking in with a USB stick.
This is not theoretical. Honeywell’s 2025 Cyber Threat Report, drawn from its Secure Media Exchange telemetry, found that one in four OT cyber incidents handled by its response team involved a USB plug-and-play event, and that 13% of all OT threats were introduced via removable media. In Q1 2025 alone, 1,826 unique USB-borne threats were detected, of which 124 had never been seen before. And the techniques used by Stuxnet in 2010 — specifically the CVE-2010-2568 LNK-file exploit — are still being deployed today against industrial environments that have not patched, segmented, or scanned their removable media.
This article is about the security checkpoint we recommend for that problem: OPSWAT MetaDefender Kiosk. We will walk through what it does, the five hardware variants you can buy (K3001, K1001, L1001, K2100, and the Kiosk App), how each one fits into a defence-in-depth OT architecture, and the regulatory drivers in Singapore (Cybersecurity Code of Practice 2.0), Malaysia, and Vietnam (Cybersecurity Law No. 116/2025/QH15, effective 1 July 2026) that are pushing critical-information-infrastructure operators to deploy a kiosk-based removable-media programme this year.
This guide is the deep-dive on the “removable-media control” layer in our pillar, OT Cybersecurity Guide for Singapore, Malaysia & Vietnam. If you have not read the pillar, that document maps the full control stack — network segregation, endpoint protection, removable media, data-in-transit encryption — and explains how MetaDefender Kiosk fits into the picture alongside OPSWAT OTfuse and NetWall USG.
Why USB is still the OT attack vector
Air-gapped plants — and “near-air-gapped” plants where IT/OT segmentation is enforced — have one structural problem: data has to get in and out somehow. Vendor patches, configuration backups, PLC logic uploads, controller firmware, calibration files, audit reports, third-party engineering data — all of this moves on physical media. The more rigorous the network segmentation, the more the operational burden falls on USB sticks, SD cards, and optical media.
This is why threat actors target removable media specifically. Offline malware attacks in Southeast Asia have surged in the last two years — Singapore recorded an 88% year-on-year increase in on-device attacks, Malaysia 47%, and Vietnam 25% — and a significant portion of those campaigns are designed to ride into segmented OT networks on a USB device that an operator inserts into an engineering workstation. The proportion of malware variants designed for USB-based delivery has grown roughly six-fold since 2019.
The defensive answer is not to ban removable media — you cannot run a plant that way. The answer is to route every piece of removable media through a scanning checkpoint before it touches an engineering workstation, and to enforce that policy on the endpoints so that unscanned media is rejected at the USB port.
What MetaDefender Kiosk does
MetaDefender Kiosk is purpose-built hardware (or, in one variant, software on approved hardware) that operates as a one-stop scanning station for removable media. The workflow is three steps:
- Insert media. The kiosk accepts more than 20 media types — USB Type-A, USB Type-C, SD, microSD, Compact Flash, CD/DVD/Blu-Ray, 3.5″ diskette, mobile phones, external hard drives. The user is prompted on-screen, optionally authenticated through Active Directory.
- Process files. Every file on the media is analysed in parallel by the OPSWAT detection stack (described below). Allowed files are sanitised and signed; blocked files are quarantined with a reason code.
- Review results. A detailed scan report is generated. Cleaned files can be written to a fresh, signed USB drive, sent to a downstream MetaDefender Vault for tiered approval, or printed for the visitor management log.
The technology behind step 2 is what separates MetaDefender Kiosk from “we put antivirus on a laptop and called it a kiosk.” There are six detection layers running in parallel on each file:
- Metascan multiscanning. Up to 30+ anti-malware engines scan every file simultaneously, with detection rates documented by OPSWAT to exceed 99%. No single AV vendor catches every variant; using thirty in parallel closes the gap.
- Deep Content Disarm & Reconstruction (Deep CDR). For 200+ file types — Office documents, PDFs, images, archives, CAD files — the kiosk strips macros, embedded objects, scripts, and other “active content” and rebuilds a clean, structurally identical file. This is how MetaDefender catches zero-day malware that signature-based engines miss.
- File vulnerability assessment. Installer packages and binaries are checked against OPSWAT’s database of known-vulnerable software versions. A KEPServerEX installer that ships with a known CVE will be flagged before it lands on an engineering workstation.
- Proactive Data Loss Prevention (DLP). Outbound files (data leaving the OT network) are inspected for sensitive content — recipe formulas, P&IDs, network diagrams — and can be redacted or blocked according to policy.
- Country-of-origin scanning. Each file’s binary metadata is checked against a country attribution. Useful for regulated industries with sanctions-compliance obligations.
- Policy enforcement and visitor management. Active Directory integration ties every scan to a user identity. Audit trails are retained for regulator-driven evidence.
The cleaned file then receives a cryptographic digital signature. Downstream, the OPSWAT Client driver installed on engineering workstations refuses to mount any USB device whose contents have not been signed by an approved MetaDefender Kiosk. That is the enforcement leg that closes the loop.
The five MetaDefender Kiosk variants
OPSWAT publishes the Kiosk in five configurations — one of them software-only. Choosing the right one is a sizing exercise based on plant footprint, environmental conditions, and IT-staff availability on site.
K3001 — the full-size floor-standing kiosk
The K3001 is the largest model: free-standing, ruggedized, 2 mm high-grade steel casing, tamper-resistant, powder coated. It supports the widest media variety in the line: 2 × USB Type-C, 2 × USB Type-A, a 15-in-1 card reader covering SD / microSD / Compact Flash, a CD/DVD/Blu-Ray drive, and a 3.5″ diskette reader. Optional industrial touchscreen, optional printer for visitor logs, and the casing can be custom-branded with your organization’s colours and logo. The K3001 is the right choice for plant main entrances, contractor check-in points, and high-traffic locations where “establish a culture of cybersecurity awareness” is part of the value proposition.
K1001 — desktop or wall-mounted
The K1001 runs on Windows like the K3001 but in a smaller footprint suitable for table-stand, floor-stand, or wall-mount installation. Media support is 1 × USB Type-C, 1 × USB Type-A, a 3-in-1 card reader, and CD/DVD — enough for most engineering-room and control-room deployments. Best for control rooms, engineering offices, and secondary scanning points where the K3001’s footprint is overkill.
L1001 — Linux turnkey appliance
The L1001 is hardware-identical to the K1001 but runs a hardened Linux operating system rather than Windows. The key advantages are automatic updates without local IT intervention and a smaller attack surface. If your site does not have on-site IT staff to manage Windows patches on the kiosk itself, the L1001 is the operationally lighter option.
K2100 — mobile, military-grade rugged
The K2100 is a portable tablet variant designed for field deployment. It is ruggedized to military standards, water- and dust-resistant, glove-capable touchscreen, and rated for -29°C to +63°C (-20°F to +145°F) operation. Media support is 1 × USB Type-C, 1 × USB Type-A, and microSD. The K2100 ships with floor-stand, dock, and wall-mount options. Use cases: substation maintenance, oil & gas wellheads, port and shipyard inspections, offshore platforms, mobile contractor scanning where the operator needs to scan in the field before walking back to a control room. The K2100 is also the model that aligns with NERC CIP and similar critical-infrastructure programmes that require scanning at the asset, not just at a fixed gatehouse.
MetaDefender Kiosk App — software on approved hardware
The Kiosk App is the OPSWAT scanning engine packaged as Windows software, deployable on customer-approved hardware. Media support varies based on the host PC’s ports and readers. This is the right option for organizations that already standardize on a specific industrial PC vendor or that need to integrate kiosk scanning into a custom enclosure (for example, a turnstile-integrated security gate).
How MetaDefender Kiosk fits into a defence-in-depth OT architecture
A kiosk by itself is not a complete removable-media programme. It is the entry-point scanner; you also need a way to transfer the cleaned files into the protected OT zone and a way to enforce that nothing unscanned ever reaches a controller. OPSWAT publishes a reference architecture that pairs the Kiosk with four other products we distribute:
- Step 1 — Scan. The visitor or contractor inserts media into the MetaDefender Kiosk at the perimeter. Files are sanitised and digitally signed.
- Step 2 — Transfer. Cleaned files cross the air gap through NetWall Unidirectional Security Gateway — a one-way data diode that physically prevents traffic from flowing back out of the OT zone — or, where bidirectional transfer is required, through the NetWall Bilateral Security Gateway with policy-controlled return paths.
- Step 3 — Store and approve. Files land in MetaDefender Vault on the OT side. Vault enforces tiered supervisory approval before files are released to downstream consumers, and applies DLP again on exit to redact protected data.
- Step 4 — Endpoint enforcement. Engineering workstations run the OPSWAT Client driver, which refuses to mount any removable media that does not carry the validation signature from an approved kiosk.
- Step 5 — Last-mile to controllers. The MetaDefender USB Firewall sits in front of HMIs and SCADA workstations that cannot run the OPSWAT Client (older Windows versions, vendor-locked appliances), and enforces the same “only signed media allowed” policy in hardware.
For air-gapped plants that need forensic capability in the field — for example, when a contractor’s USB has been blocked and you want to investigate why — the MetaDefender Drive portable forensic scanner is the companion product. It boots a sterile Linux environment from a USB stick and scans the host system without writing to it.
Regulatory mapping for Singapore, Malaysia, and Vietnam
Removable-media scanning is not just an engineering best practice; in this region it is increasingly a compliance requirement.
Singapore: Cybersecurity Code of Practice 2.0
Under Singapore’s Cybersecurity Act, designated Critical Information Infrastructure (CII) operators must meet the CCoP 2.0 baseline, which includes explicit obligations to monitor and control removable media used in CII environments. Sectors covered include energy, water, banking, healthcare, info-comm, media, land transport, maritime, aviation, security & emergency services, and government. MetaDefender Kiosk is the documented control answer for the removable-media obligation, and the OPSWAT Client driver provides the corresponding endpoint enforcement evidence for audit.
Vietnam: Cybersecurity Law No. 116/2025/QH15 (effective 1 July 2026)
Vietnam’s new Cybersecurity Law takes effect 1 July 2026 — six weeks after this article is published. Article 18 introduces a “National List” of critical information systems covering national defence, intelligence, diplomacy, finance, energy, healthcare, telecommunications, transportation, and other key sectors. Operators on the National List face stricter protection measures, security clearance requirements, and regular inspections. Removable-media controls are an unavoidable line item in any such inspection. For Vietnamese industrial operators — particularly in energy, finance, and healthcare — now is the window to deploy a kiosk-based programme before the inspections begin.
The new Law extends and (in parts) supersedes Decree 53/2022/ND-CP, which already imposed network security obligations on operators of important information systems. An implementing decree was put out for public consultation in February 2026 and is expected to be finalized later this year.
Malaysia: NCII and CSA framework
Malaysia’s National Critical Information Infrastructure (NCII) framework, administered by the National Cyber Security Agency (NACSA), imposes baseline cybersecurity controls on operators in 11 sectors including energy, water, healthcare, and transportation. Removable media handling is among the controls expected of NCII operators; MetaDefender Kiosk satisfies the technical control while OPSWAT Client provides the enforcement evidence.
Cross-cutting: IEC 62443
At the global standard level, IEC 62443-3-3 SR 2.3 (Use Control for Portable and Mobile Devices) requires Industrial Automation and Control Systems to monitor and control portable and mobile device usage. MetaDefender Kiosk is the practical implementation of SR 2.3 for the removable-media class of portable devices. For sites also aligning to NIST SP 800-53 or NERC CIP, the same control discharges those mappings as well.
Where to deploy a kiosk inside the plant
A single kiosk at the front gate is the entry-level deployment. Real programmes use more than one, placed at points where media changes hands:
- Main gate / reception — K3001. Visitor check-in, contractor entry, vendor field-service technicians. The K3001’s large footprint also acts as a visible “we take this seriously” signal.
- Control room / engineering workstation area — K1001 or L1001. For operators who routinely move data between the engineering network and offline analytics PCs.
- Substation, wellhead, offshore platform — K2100. Mobile scanning at the asset; the K2100’s environmental tolerances mean it can sit in a substation outdoor enclosure year-round.
- Lab / quality control — K1001. For receiving calibration data, batch records, and third-party laboratory results.
- Loading dock / shipping — K2100 or App. For scanning USB sticks that arrive with vendor shipments and firmware updates.
The right number for a given site depends on contractor traffic, the count of engineering workstations, and how many separate physical zones the plant maintains. We can run a free site-walk scoping exercise for sites in Singapore, Malaysia, and Vietnam.
MetaDefender Kiosk vs Honeywell Secure Media Exchange (SMX)
The most common competitor we are asked about is Honeywell Secure Media Exchange (SMX). Both platforms solve the same problem and have a similar high-level architecture: a kiosk at the perimeter, an endpoint driver that enforces signature checking, and a back-end portal for policy and reporting. The practical differences:
- Engine breadth. MetaDefender Kiosk runs up to 30+ AV engines in parallel; Honeywell SMX uses a smaller engine set fronted by its own Cyber Threat Engine. For unknown-threat coverage, MetaDefender’s multiscan typically wins.
- Deep CDR. MetaDefender’s Deep CDR for 200+ file types is the most mature implementation on the market. SMX has content disarming but a narrower file-type coverage at the time of writing.
- Vendor neutrality. SMX is sold most commonly into Honeywell-centric process plants (Experion PKS, TDC 3000, TPS). MetaDefender is vendor-neutral and is more commonly deployed alongside multi-vendor SCADA architectures (AVEVA, Ignition, Proficy, Rockwell FactoryTalk).
- Form factors. MetaDefender publishes five hardware variants including the ultra-rugged K2100 mobile tablet. SMX is generally a single kiosk form factor.
- Linux option. The MetaDefender L1001 Linux turnkey appliance has no direct SMX equivalent. For sites without on-site Windows admins, L1001 is operationally lighter.
If your plant is a Honeywell account and your Experion PKS contract bundles SMX licensing, that is a legitimate reason to evaluate SMX first. For every other footprint — mixed-vendor, Linux-preferred, multi-zone, or field-mobile — MetaDefender Kiosk has the wider feature set.
Frequently asked questions
How long does a scan take?
A typical 16 GB USB drive with mostly small files clears multiscan + Deep CDR in well under five minutes on a K3001 or K1001. The K2100 is somewhat slower because it runs on tablet-class hardware, but still completes most scans within ten minutes. Throughput depends on file count more than total bytes, so 50,000 small files takes longer than one 8 GB ISO.
Does MetaDefender Kiosk need an internet connection?
No. The kiosk is air-gap friendly by design. Engine updates and policy updates can be delivered via a separate update USB, through an isolated update server, or over a controlled IT-side connection if your network architecture permits it. For NERC CIP and CII installations, fully offline operation is supported.
What happens to blocked files?
Blocked files are quarantined with a structured reason code (malware family, vulnerability ID, DLP rule, or country-of-origin policy violation) and are retained for forensic review according to your retention policy. The user receives an on-screen message; the security team receives an event in the management portal.
Can we customize the workflow?
Yes. Approved-user lists, mandatory authentication, allowed file types, allowed countries of origin, output media (clean USB vs printed report vs Vault transfer), and scan-policy templates per user role are all configurable. Visitor management ties scans to AD identity for audit.
How does MetaDefender Kiosk compare to MetaDefender Drive?
The Kiosk scans removable media. MetaDefender Drive scans the host computer itself by booting a sterile forensic environment from a USB stick. They are complementary: the Kiosk is the daily-operations checkpoint; Drive is the incident-response and audit tool.
What is the difference between the Kiosk and the USB Firewall?
The Kiosk scans and sanitises files at a checkpoint. The MetaDefender USB Firewall is an in-line hardware device that sits between a USB stick and the host computer (HMI, SCADA workstation, engineering PC) and enforces “only signed media allowed” policy at the port. The Kiosk is the producer; the USB Firewall is one of the enforcement endpoints.
Can we phase the deployment?
Yes — in fact we recommend it. Phase 1: one K3001 at the main gate plus OPSWAT Client on the most-exposed engineering workstations. Phase 2: control-room K1001s and a Vault. Phase 3: K2100 for field operations and USB Firewall for legacy HMI workstations. Each phase is independently auditable for CCoP / NCII / Cybersecurity Law evidence.
Next steps
If you operate a critical-infrastructure or industrial site in Singapore, Malaysia, or Vietnam and you do not yet have a kiosk-based removable-media programme, the right next step is a 30-minute scoping conversation. We can walk through your plant layout, contractor traffic patterns, and existing OT architecture, and return a sized recommendation — how many kiosks, which models, where to place them, and how they integrate with your existing engineering workflow.
Contact the team at the office nearest you:
For broader context on OT cybersecurity in this region, read the pillar guide: OT Cybersecurity Guide for Singapore, Malaysia & Vietnam. For the product datasheet, see the MetaDefender Kiosk product page.
Allied Solutions Global is an authorized OPSWAT distributor across Southeast Asia. MetaDefender, MetaScan, MetaDefender Kiosk, MetaDefender Vault, MetaDefender Drive, NetWall, OPSWAT Client, and OPSWAT are trademarks of OPSWAT, Inc. Honeywell Secure Media Exchange and SMX are trademarks of Honeywell International Inc. Threat statistics cited are drawn from the Honeywell 2025 Cyber Threat Report and from publicly reported Southeast Asia threat-intelligence figures; we are not affiliated with Honeywell.
