MetaDefender Vault (MFT): Secure IT-to-OT File Transfer for Singapore, Malaysia & Vietnam
May 20, 2026

Every modern industrial plant in Singapore, Malaysia, and Vietnam faces the same architectural problem: you cannot run a refinery, a fab, or a substation without periodically moving files between your corporate IT network and the air-gapped OT side. Vendor firmware, configuration backups, PLC logic, batch records, calibration data, third-party audit reports — they all have to cross that boundary. And every transfer is a potential attack vector: USB-borne malware, supply-chain implants, exfiltration of sensitive recipes, or unauthorised changes that bypass change-control.

Our previous deep-dive, MetaDefender Kiosk: The USB Security Checkpoint for OT Plants, covered the perimeter scanning checkpoint. This article picks up where Kiosk leaves off. Once files have been scanned, sanitised, and signed at the Kiosk, you need a secure, audited, policy-controlled way to transport those files into the OT zone and put them in the right hands. That is the job of MetaDefender Vault, recently rebranded as MetaDefender Managed File Transfer (MFT).

This guide explains what Vault/MFT actually does, how it integrates with the rest of the OPSWAT defence chain, what regulatory obligations it satisfies for Singapore CCoP 2.0, Vietnam Cybersecurity Law No. 116/2025/QH15, and Malaysia NCII, and how to scope a deployment for your plant. The article is the third in our OPSWAT cluster, after the OT Cybersecurity Guide for Singapore, Malaysia & Vietnam pillar and the Kiosk deep-dive.

The file-transfer problem in OT

Three structural realities make IT-to-OT file transfer harder than ordinary enterprise file sharing:

  1. The OT zone is air-gapped or near-air-gapped by design. You cannot just spin up an SFTP server with an Active Directory account and let engineers drop files there. Anything that punches a network hole into OT is itself a security incident.
  2. Operators need policy, not just transport. A maintenance technician’s upload of new PLC logic should not go straight to the controller. Someone with authority — a control-systems engineer, a shift supervisor — needs to review, approve, and timestamp that change.
  3. Auditors need evidence. Under Singapore CCoP 2.0, Vietnam’s Cybersecurity Law, Malaysia’s NCII framework, IEC 62443, NERC CIP, and NIS2-style regulations, you have to prove who moved which file, when, with what classification, and who approved its release into production. Email + a shared drive does not produce auditable evidence.

Conventional managed file transfer (MFT) products — Globalscape EFT, IBM Sterling Secure File Transfer, Progress MOVEit, Forcepoint Secure File Transfer — solve the enterprise-grade file-movement and audit problem. They are not built around the OT realities: deep content sanitisation, cross-domain unidirectional gateways, integration with USB scanning kiosks, or the regulatory framing of critical-infrastructure protection. That is the gap MetaDefender Vault/MFT fills.

What MetaDefender Vault (MFT) does

At a high level, Vault/MFT is a four-stage pipeline:

  1. Drop. A file lands in Vault from one of several sources: directly uploaded via the web UI, pulled in from a MetaDefender Kiosk, transferred through a NetWall USG data diode, or pushed via the MetaDefender REST API.
  2. Scan and sanitise. Every file passes through the full OPSWAT detection stack on the way in, and again on the way out: Metascan multiscanning with 30+ anti-malware engines, Deep Content Disarm & Reconstruction (Deep CDR) for 200+ file types, Proactive Data Loss Prevention (DLP), File-Based Vulnerability Assessment, Adaptive Sandbox, and Threat Intelligence correlation. Allowed files are tagged as approved; suspect files are quarantined with reason codes.
  3. Approve. Files routed through the approval workflow wait for a human (or chain of humans) to authorise release. The workflow supports single-stage approvals (one supervisor) or multi-stage approvals (initial approver → senior approver → release authority). Every action is logged.
  4. Release. Approved files are exposed to their final destination — an engineering workstation through the OPSWAT Client driver, a downstream MFT instance via MFT-to-MFT replication, or a watched folder consumed by an automation script.

Vault/MFT is the only point in the architecture where a human says “yes, this file may enter production.” That is its job: to be the auditable, policy-controlled choke point for IT/OT data exchange.

The detection stack in detail

Files routed through Vault are subjected to a defence-in-depth scan that combines six distinct OPSWAT technologies:

  • Metascan multiscanning. Up to 30+ anti-malware engines run in parallel on every file. OPSWAT documents detection rates exceeding 99% — no single AV vendor catches everything; thirty in parallel close the gap. Engine updates are delivered via OPSWAT’s threat-intel update channel.
  • Deep CDR. The most differentiating capability in the stack. Office documents, PDFs, archives, images, and CAD files are structurally rebuilt with macros, embedded objects, scripts, and active content stripped. The output is a clean, structurally identical file that defeats most zero-day and unknown-malware vectors. Coverage spans 200+ file types.
  • Proactive DLP. Outbound files (leaving OT toward IT) are inspected for sensitive content — recipes, P&IDs, network diagrams, personal data — and can be redacted, blocked, or routed to a higher-tier approval based on policy.
  • File-Based Vulnerability Assessment. Installer packages and binaries are checked against OPSWAT’s vulnerability database. A Kepware installer that ships with a known CVE will be flagged before it touches an engineering workstation. So will a vendor firmware package with embedded vulnerable components.
  • Adaptive Sandbox. Suspect files are detonated in a controlled environment, with behaviour observed across registry, file-system, and network channels. This catches malware that evades signature-based detection.
  • Threat Intelligence. File hashes and indicators are checked against OPSWAT’s threat-intel feed, which incorporates third-party intelligence partners and OPSWAT’s own research.

Each layer is independent and additive: a file must pass all the layers it is subjected to before it can be approved. Layers can be tuned per workflow — e.g., DLP applies only to outbound transfers, sandbox detonation runs only on executables.

Approval workflow patterns

The workflow engine is where Vault/MFT distinguishes itself from generic MFT products. The patterns we deploy most often for Southeast Asia clients:

Pattern 1: Single-tier approval (mid-trust environments)

One designated approver (e.g., the shift control-systems engineer) reviews every file before release. Suitable for less-regulated environments — discrete manufacturing, F&B, light-process plants. Average approval latency: minutes during business hours.

Pattern 2: Two-tier approval (most CII deployments)

An initial approver triages and recommends; a senior approver (department head, plant manager) ratifies. Required for most CII operators in Singapore under CCoP 2.0 and for energy/finance/healthcare operators in Vietnam under Law No. 116/2025/QH15. Typical approval latency: hours during business hours, with on-call escalation paths.

Pattern 3: N-tier with conditional routing

Files are routed to different approval chains based on classification, source, destination, and content. A vendor firmware package bound for a turbine controller might require a chain of three approvers (control engineer → cybersecurity team → plant operations head); a routine calibration data file might only need one. Adaptive routing keeps friction low for routine transfers while applying full scrutiny where it matters.
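The conditional routing and ordered sign-off described for Pattern 3, modelled in Python as an added example; it is not OPSWAT code and does not use the MetaDefender API. The rule table, role names, fallback chain, the rule that one user cannot approve twice, and the hash-chained audit log are all assumptions of this example.

```python
import hashlib
import json

# Constructed policy table (first match wins); role names are illustrative.
RULES = [
    ({"classification": "firmware", "destination": "turbine-controller"},
     ["control-engineer", "cybersecurity-team", "plant-operations-head"]),
    ({"classification": "calibration-data"}, ["control-engineer"]),
]
DEFAULT_CHAIN = ["control-engineer", "cybersecurity-team"]  # assumed fallback

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def route(meta):  # ordered approval chain for a transfer's metadata
    for match, chain in RULES:
        if all(meta.get(k) == v for k, v in match.items()):
            return list(chain)
    return list(DEFAULT_CHAIN)

class Transfer:
    def __init__(self, sha256, meta):
        self.sha256, self.chain = sha256, route(meta)
        self.approvals, self.audit = [], []
        self._log("routed", "system", chain=self.chain)

    def _log(self, action, user, **detail):
        prev = self.audit[-1]["digest"] if self.audit else "0" * 64
        event = {"file": self.sha256, "action": action, "user": user,
                 "detail": detail, "prev": prev}
        event["digest"] = _digest(event)  # commits to the previous event
        self.audit.append(event)

    def released(self):
        return len(self.approvals) == len(self.chain)

    def approve(self, role, user):
        # Only the next role in the chain counts, and no user may sign twice.
        expected = None if self.released() else self.chain[len(self.approvals)]
        if role != expected or any(u == user for _, u in self.approvals):
            self._log("rejected", user, role=role, expected=expected)
            return False
        self.approvals.append((role, user))
        self._log("approved", user, role=role)
        return True

# Recompute each digest and check it links to the previous event.
def audit_intact(events):
    prev = "0" * 64
    for e in events:
        body = {k: v for k, v in e.items() if k != "digest"}
        if e["prev"] != prev or _digest(body) != e["digest"]:
            return False
        prev = e["digest"]
    return True
```

Rejected attempts are logged alongside approvals, so an out-of-order or repeated sign-off leaves evidence rather than silently failing.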

Pattern 4: MFT-to-MFT replication

Some operators run multiple Vault/MFT instances — one in the IT DMZ, one in the OT zone — and replicate approved files between them. The IT-side Vault becomes the initial drop point with first-tier scrutiny; the OT-side Vault enforces the final release decision. This pattern is common in oil & gas, refining, and large-scale utilities.

How Vault fits in the full OPSWAT defence chain

Vault is the storage and approval layer in OPSWAT’s reference architecture. The other components:

  • MetaDefender Kiosk — the perimeter scanning checkpoint. USB sticks, optical media, mobile phones, and SD cards are scanned and signed here. The Kiosk can push clean files directly to Vault.
  • NetWall USG (Unidirectional Security Gateway) — the data diode that physically prevents traffic flowing back out of the OT zone. A typical flow has Vault on both sides of the diode, with the IT-side Vault feeding the OT-side Vault through NetWall.
  • OPSWAT Client — the endpoint enforcement driver on engineering workstations. The Client refuses to mount any removable media or read any file that lacks a valid Vault/Kiosk validation signature.
  • MetaDefender USB Firewall — the in-line hardware enforcement device for HMI and SCADA workstations that cannot run the OPSWAT Client (vendor-locked appliances, legacy Windows installs).
  • MetaDefender Drive — the portable forensic scanner used when a file or device fails Vault validation and you need to investigate the host system without trusting it.

The chain is designed so that no file can reach a controller without:

  1. Being scanned at the Kiosk (entry signature),
  2. Crossing the air gap through NetWall (no return path),
  3. Passing Vault scrutiny + human approval (audit trail),
  4. Being read on an endpoint with an OPSWAT Client (signature enforcement) or through a USB Firewall (hardware enforcement).

Skip any layer and the chain is incomplete — but for most plants, Kiosk + Vault is the minimum viable starting point, with NetWall and USB Firewall added in later phases.

Regulatory mapping for Southeast Asia

Singapore: Cybersecurity Code of Practice 2.0

Vault/MFT directly satisfies several CCoP 2.0 requirements for Critical Information Infrastructure (CII) operators in energy, water, banking, healthcare, transport, and the other designated sectors:

  • Removable media control — Vault provides the post-Kiosk staging and approval layer for media-borne file ingress.
  • Network segregation — when deployed with NetWall, Vault enables file transfer across a physically segregated boundary.
  • Change management — every file release through Vault is an auditable, attributable change-control event.
  • Logging and monitoring — Vault produces a complete audit trail for every file lifecycle event, suitable for CSA inspection.

Vietnam: Cybersecurity Law No. 116/2025/QH15 (effective 1 July 2026)

Vietnam’s new Cybersecurity Law takes effect on 1 July 2026. Article 18 introduces a National List of critical information systems with stricter protection measures, security clearances, and regular inspections. For operators in energy, finance, healthcare, defence, and other listed sectors, Vault/MFT provides the demonstrable file-transfer control regulators will look for. The implementing decree is expected to be finalised in late 2026; the Law also extends and partially supersedes Decree 53/2022/ND-CP which already applied to operators of important information systems.

Malaysia: NCII and IEC 62443

Malaysia’s National Critical Information Infrastructure (NCII) framework, administered by NACSA, imposes baseline cybersecurity controls on 11 sectors. Vault is the documented control for the file-transfer and change-management portions of the framework. At the global standard level, the IEC 62443-3-3 system-security requirements that map most directly to Vault are SR 2.1 (Authorization Enforcement) via its tiered approval workflow, SR 2.3 (Use Control for Portable and Mobile Devices) when files originate from Kiosk-scanned media, and SR 6.1 (Audit Log Accessibility) via the complete per-file audit trail. When paired with NetWall, the chain also addresses SR 5.1 (Network Segmentation).

Where to deploy Vault in your architecture

Three deployment patterns we run most often for Southeast Asia clients:

Phase 1: Single Vault, IT-side staging

For plants new to OT cybersecurity, the entry deployment is a single Vault instance in the IT DMZ. The Kiosk pushes scanned files there; engineering staff retrieve them via the web UI after one-tier approval. Cost-effective starting point with full audit trail. Adds clear value within weeks.

Phase 2: Dual Vault across NetWall

For mature CII operators, two Vault instances — one in IT, one in OT — replicate approved files through a NetWall USG. The OT-side Vault is the final release point. This pattern provides full air-gap protection while preserving operational throughput. Most Singapore CCoP and Vietnam Law 116/2025 deployments end up here.

Phase 3: Full chain with USB Firewall on critical endpoints

For the highest-assurance sites (substations, refineries, nuclear, defence), the chain extends to MetaDefender USB Firewall hardware on the HMI/SCADA endpoints that cannot run the OPSWAT Client. This is also the pattern recommended for OEM-locked appliances where you cannot install endpoint software.

MetaDefender Vault vs alternative MFT products

The MFT market is mature, but few products are purpose-built for OT. A short honest comparison:

  • Globalscape EFT, Progress MOVEit, IBM Sterling. Enterprise-grade MFT with strong workflow, audit, and protocol support. Lack OT-specific content sanitisation (no Deep CDR), no Kiosk/USB Firewall ecosystem, and no integration with unidirectional gateways. Best fit when the workload is IT-to-IT.
  • Forcepoint Trusted Gateway System. Strong cross-domain story, mature in defence and intelligence environments where it handles multi-directional file movement between networks of varying classification. Vault/MFT is more cost-effective for non-defence critical infrastructure and integrates more cleanly with the OPSWAT scanning ecosystem.
  • Owl Cyber Defense, Waterfall Security. Strong on the data-diode side specifically, less on the MFT workflow side. Often deployed alongside Vault/MFT (Vault as the workflow engine, Owl/Waterfall as the diode) rather than as a replacement.

For Southeast Asia industrial customers buying an OT cybersecurity stack from scratch, MetaDefender Vault/MFT is usually the right MFT choice because it lives inside the same vendor ecosystem as your Kiosk, NetWall, and endpoint enforcement.

Frequently asked questions

Is MetaDefender Vault different from MetaDefender Managed File Transfer (MFT)?

No. OPSWAT renamed the product from Vault to Managed File Transfer (MFT) at the end of 2023 / start of 2024, with an expanded capability set. The same documentation portal serves both names. Most existing literature and product pages still use “Vault” — the names are interchangeable for now.

What file types and sizes does Vault support?

Vault handles individual files up to 100 GB+ and arbitrary file types. Deep CDR coverage spans 200+ file types including Office, PDF, archives (ZIP, TAR, RAR), images, CAD, and structured data formats. Engine-update bundles, vendor firmware, and PLC project archives are all routinely transferred.

How does Vault integrate with Active Directory?

Vault supports AD authentication, SAML/SSO, MFA, and role-based access control. User identity is bound to every transfer for audit. SSO is standard for organisations consolidating identity through Azure AD, Okta, or PingFederate.

Can Vault transfer files programmatically?

Yes. The MetaDefender MFT REST API (current v3.6.1) supports upload, download, approval, and status queries. Automation scripts, build pipelines, vendor portals, and customer data exchanges can all integrate through the API.

Does Vault need an internet connection?

No. Vault runs fully on-premise. Engine and policy updates can be delivered via a dedicated update channel or air-gap update process. Suitable for fully isolated CII deployments.

How long does an approval typically take?

For business-hours single-tier approvals, latency is usually minutes. Multi-tier approvals run in hours to a working day. Most deployments include emergency override paths for time-sensitive incidents, with elevated audit attention attached to those flows.

Can Vault be phased into an existing OT cybersecurity programme?

Yes. The most common phased rollout is: Phase 1 — single Vault for IT-side scanning of inbound files; Phase 2 — add NetWall and an OT-side Vault for cross-domain transfer; Phase 3 — extend to USB Firewall on legacy endpoints. Each phase is independently auditable.

Next steps

If you run a CII-designated or industrial site in Singapore, Malaysia, or Vietnam and you do not yet have an auditable file-transfer process across the IT/OT boundary, the right next step is a 30-minute scoping conversation. We can map your existing file flows, identify the regulatory pressure points (CCoP 2.0, Law 116/2025, NCII, IEC 62443), and return a sized deployment proposal — how many Vault instances, what approval workflow, which endpoint enforcement, and a phased rollout plan.

For deeper context on the rest of the OPSWAT stack, read the pillar guide and the Kiosk deep-dive:

Allied Solutions Global is an authorised OPSWAT distributor across Southeast Asia. MetaDefender, MetaDefender Vault, MetaDefender Managed File Transfer, NetWall, MetaScan, and OPSWAT are trademarks of OPSWAT, Inc. Globalscape EFT, Progress MOVEit, IBM Sterling, Forcepoint, Owl Cyber Defense, and Waterfall Security are trademarks of their respective owners; we are not affiliated with these vendors.
