OT Cybersecurity Guide for Singapore, Malaysia & Vietnam

Operational-technology (OT) cybersecurity is the discipline of protecting the industrial control systems — PLCs, DCSs, HMIs, SCADA servers, historians, drives, and the networks that connect them — that run factories, refineries, water plants, ports, power grids, and other critical infrastructure. It is not the same problem as IT cybersecurity, and it cannot be solved with IT cybersecurity tools alone.

This guide is written for plant managers, OT engineers, and CISO teams in Singapore, Malaysia, and Vietnam who need to scope an OT cybersecurity programme that meets local regulatory requirements (Singapore’s Cybersecurity Code of Practice 2.0, Vietnam’s Law on Cybersecurity and Decree 53/2022/ND-CP) and aligns with the global standard, IEC 62443. We map each control layer to specific products that Allied Solutions Global distributes — OPSWAT’s MetaDefender and OTfuse families, and ST Engineering’s Data Diode and encryption series — so you can move from regulation to procurement in one document.

Why OT cybersecurity is a different problem from IT cybersecurity

In an IT environment, the priority order is confidentiality, integrity, availability. In an OT environment, that order inverts: availability and safety come first. A power station that loses control of a turbine is a safety event; a chemical reactor that misses its setpoint is a safety event; a city water-treatment plant that loses HMI visibility for ten minutes is a public-health event.

This inversion drives every design decision in OT cybersecurity:

• You cannot patch on Patch Tuesday. An OT controller often runs for years between maintenance windows. The protection has to assume the controller is vulnerable and contain the blast radius.
• You cannot install agents on a 1995-vintage PLC. Many OT assets cannot host endpoint software at all. Protection has to be applied at the network or perimeter level.
• You cannot block traffic that “looks suspicious.” A false positive that stops a Modbus poll can stop a production line. OT controls have to be precise about what they allow and what they reject.
• You cannot rely on the operator to plug in a clean USB stick. Removable media is one of the most common OT attack vectors precisely because air-gapped plants have nothing else to bring data in or out.

The four points above shape the four control layers we explore in this guide: network segregation, endpoint and PLC protection, removable media control, and data-in-transit encryption.

The regulatory landscape in Singapore, Vietnam, and Malaysia

Singapore: the Cybersecurity Act and CCoP 2.0

Singapore’s Cybersecurity Act empowers the Cyber Security Agency of Singapore (CSA) to designate Critical Information Infrastructure (CII) and impose mandatory cybersecurity practices on its owners. The current code in force is the Cybersecurity Code of Practice for Critical Information Infrastructure – Second Edition (CCoP 2.0), which came into effect on 4 July 2022.

CCoP 2.0 covers eleven critical sectors: energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, government, and media. CII owners in those sectors are required to implement specified controls across governance, protection, detection, response, and cyber resilience domains. For OT operators, the most directly applicable requirements involve network segregation between corporate and operational networks, control of removable media into the OT zone, monitoring of OT-specific protocols, and incident reporting timelines.

Vietnam: the Law on Cybersecurity and Decree 53/2022

Vietnam’s Law on Cybersecurity took effect on 1 January 2019. The implementing decree, Decree No. 53/2022/ND-CP, was issued in August 2022 and came into effect on 1 October 2022. Together they define the obligations of enterprises operating “critical information systems,” including those in banking, finance, energy, telecommunications, and transportation.

For plant operators in Vietnam, the most operationally relevant elements of the framework are:

• Patch and vulnerability management as legal mandates, not optional best practice.
• Periodic assessment of information systems for exploitable weaknesses.
• Prompt incident reporting to the Ministry of Public Security (MPS).
• Data-localisation requirements for certain categories of data, which affect how cloud-hosted SCADA or remote-access platforms can be architected for Vietnamese sites.

If your plant is in Ho Chi Minh City (including the industrial zones formerly known as Binh Duong), Hai Phong, or any of the Vietnamese industrial corridors, the OT cybersecurity controls you choose need to be deployable on-premise or in a region that satisfies these data-residency rules.

The global reference: IEC 62443

Both the Singapore and Vietnamese frameworks reference, directly or indirectly, the IEC 62443 series of standards for industrial automation and control system (IACS) security. IEC 62443 introduces two concepts that every OT architect should be fluent in:

• Zones and conduits. A “zone” is a logical group of assets sharing a security requirement; a “conduit” is a communications path between zones. The model forces architects to draw an explicit security boundary around each part of the plant and to document what is allowed to cross it.
• Security Levels SL 1–SL 4. SL 1 protects against unintentional misuse; SL 2 against intentional misuse with simple means; SL 3 against sophisticated attacks with moderate resources; SL 4 against advanced threats with high motivation and resources. Each zone is assigned a target SL, and the conduits between zones are protected to match.

The product layers below map naturally to the zones-and-conduits model: network segregation hardens the conduits, endpoint and removable-media controls harden the zones, and encryption protects data wherever it leaves the protected envelope.

Layer 1: Network segregation between IT and OT

The single highest-impact control in OT cybersecurity is preventing IT-network compromise from cascading into the OT network. A firewall is not enough on its own — any device that can pass traffic in both directions can, in principle, be reconfigured to do so by an attacker. For the highest-risk boundaries (between the corporate network and a Purdue Level 2 control network, or between a control network and an enclave containing safety systems), the right answer is a hardware-enforced one-way data path.

ST Engineering Data Diode

The ST Engineering Data Diode is a hardware-enforced one-way data transmission solution. As described on the product page, it ensures “no data leakage” through information-assurance-by-design, uses a separate power supply to mitigate side-channel attacks, and supports an array of IT, IoT, and ICS/SCADA networking protocols for interoperability with existing systems. It is positioned for protecting the integrity and availability of critical assets, protecting ICS/SCADA networks, and protecting classified information systems.

A data diode is the right control where the use case is genuinely one-way: sending telemetry, historian data, or alarm streams out of an OT enclave to an analytics or business-IT system, without ever allowing a packet to flow back in. Because the one-way property is enforced in hardware, it is not bypassable by a software vulnerability on either side.

OPSWAT NetWall USG

Where ST Engineering Data Diode addresses the most stringent segregation needs, the OPSWAT NetWall USG (Unidirectional Security Gateway) is engineered for fast deployment at the OT/IT boundary with industrial protocol awareness built in. The product page lists native support for OPC DA, OPC A&E, OPC UA, Modbus/TCP, file transfers, and TCP/UDP sockets, with throughput options at 50 Mbit, 100 Mbit, 1 Gbit, or 10 Gbit. It is preconfigured for fast deployment and is marketed as enabling regulatory compliance with NERC CIP, NIST CSF / 800-82 / 800-53, IEC 62443, NRC 5.71, CFATS, ISO 27001/27032/27103, ANSSI, and IIC SF, and protecting against industrial attack techniques outlined by MITRE ATT&CK for ICS.

For most Southeast Asian manufacturers, NetWall USG is the practical entry point to one-way segregation: industrial-protocol-native, fast to deploy, and explicitly designed to satisfy the IEC 62443 conduit-hardening requirement.

Layer 2: Endpoint and PLC protection

Once the network boundary is enforced, the next layer is protecting the assets inside the OT zone — the PLCs, VFDs, DCS controllers, and engineering workstations — from threats that are already inside the perimeter, whether they arrived via removable media, a vendor laptop, or a compromised credential.

OPSWAT OTfuse

OPSWAT OTfuse is an intelligent intrusion detection and prevention system (IDPS) designed specifically for mission-critical PLCs, VFDs, DCSs, and other industrial assets. It installs at cabinet level and operates without requiring changes to existing network segmentation. The product page lists native protocol support for TCP, UDP, Modbus TCP, Ethernet/IP, S7, DNP3, BACnet, SLMP, FINS, EGD, plus native support for GE protocols (GEADL, GESDI, GESRTP) for iFIX and Cimplicity.

OTfuse’s protections include detection of unknown nodes or clients on the protected segment, prevention of rogue scanning or unauthorised communication, blocking of unscheduled reconfiguration or firmware updates, mitigation of very high message rates (denial-of-service attempts on PLCs), and defence against spoofed devices or IP addresses. For a plant that uses GE Vernova Proficy HMI/SCADA — also distributed by Allied Solutions Global — OTfuse’s native iFIX and Cimplicity awareness is particularly valuable.

OPSWAT MetaAccess OT

OPSWAT MetaAccess OT addresses a different problem: secure remote access to OT assets without VPNs. The product page describes it as enforcing granular access control “per protocol, per activity, per seat, per OT endpoint, with end-to-end encryption,” with no holes punched through the firewall and no ability for a remote user to manipulate OT assets beyond their authorised “line of sight.”

Deployment options include MetaAccess OT On-Premises (standard 1U industrial server or VMware ESXi virtual appliance) and a customer-dedicated AWS cloud instance. The on-premise option matters for Vietnamese sites where Decree 53 data-residency rules apply: MetaAccess OT can be deployed entirely inside Vietnam.

For maintenance contracts where a foreign OEM needs occasional access to a controller in a Southeast Asian plant, MetaAccess OT replaces the traditional “open a VPN tunnel and hope for the best” pattern with explicit, time-bound, protocol-scoped access. This is exactly the kind of third-party-risk control that CCoP 2.0 and Decree 53 are pushing operators toward.

Layer 3: Removable media control

USB sticks and external drives remain one of the most common ways malware crosses an air gap. Several high-profile ICS incidents over the last decade have been traced back to removable media, and CCoP 2.0 and IEC 62443 both call out removable-media control as a required practice. OPSWAT’s MetaDefender family is purpose-built for this layer.

MetaDefender Kiosk

MetaDefender Kiosk is positioned by OPSWAT as a “digital security guard” for transient media. The kiosk inspects all media for malware, vulnerabilities, and sensitive data before it is allowed to cross into the secure environment. According to the product page, it combines 35+ anti-malware engines in a single scanning device, which lets threat-detection rates exceed 99%. Deep Content Disarm & Reconstruction (Deep CDR) actively removes suspect and superfluous data from common file types including .doc and .pdf, outputting clean, usable files. Data-loss-prevention policy workflows govern the controlled extraction of files out of the secure environment, and the regulatory compliance scope listed on the product page includes NIST, HIPAA, PCI DSS, GDPR, NERC CIP, NEI 18-08, ISA/IEC, and ISO/IEC.

MetaDefender Drive

MetaDefender Drive takes the same scanning approach in a portable, bootable form factor. The device boots its target system from MetaDefender Drive’s own secure operating system, enabling kernel-level scanning of the target while it is not actively running. The product page describes scanning with up to five anti-malware engines to achieve detection rates above 99%, vulnerability scanning of installed software and firmware (including IoT controllers), country-of-origin detection that identifies software from foreign-adversary lists, and DLP detection of PII such as credit-card and social-security numbers in documents, images, and videos. It supports Windows, macOS, and Linux targets and can be managed at scale by OPSWAT Central Management.

MetaDefender Vault

MetaDefender Vault is the file-storage and transfer counterpart to the Kiosk: a secure repository for files moving between network zones. Its feature set, per the product page, includes outbreak prevention via time-specific quarantine and continuous rescanning, role-based access control with multi-stage approval for sensitive files, Active-Directory user management, audit trails of every user action, multi-storage backends (local, network, S3, or any S3-compatible store). For the full architecture, approval-workflow patterns, IT/OT chain integration, and regulatory mapping, see MetaDefender Vault (MFT): Secure IT-to-OT File Transfer for Singapore, Malaysia & Vietnam, and integrations with MetaDefender Kiosk, MetaDefender Email Gateway Security, and other Vaults for cross-zone transfers.

MetaDefender USB Firewall

MetaDefender USB Firewall closes the loop: it is a hardware device that physically blocks unprocessed or compromised USB media at the workstation. The product page notes that it requires no software install, which makes it suitable for locked-down HMI and SCADA workstations where software deployment is restricted. It provides boot-sector protection and works with the MetaDefender Kiosk manifest to audit file provenance. The compliance scope listed includes NERC CIP, ISA 62443, NIST 800-53, NIST 800-82, and ISO 27001.

A common Southeast Asian deployment combines all four products: Kiosk at the plant entry point, Vault as the controlled file repository, USB Firewall at every HMI workstation, and Drive in the hands of OT maintenance staff and vendor engineers for spot scanning of any device they bring on-site.

Layer 4: Data-in-transit encryption

Network segregation and removable-media control handle data at rest and at boundaries. The remaining gap is data in motion — the SCADA polls, historian replication streams, and inter-site VPN tunnels that connect a multi-plant operation. ST Engineering’s Cybersecurity Encryption series provides hardware encryption for three distinct transport modes:

• NetCrypt Series — layer 2 or layer 3 encryption gateway for office corporate LANs, site-to-site VPNs, mobile-vehicle deployments, and wireless inter-office links. Includes a built-in firewall and supports the customer’s own Key Management System with customisable algorithms.
• EtherCrypt Series — 1 Gbps and 10 Gbps Ethernet / Metro-Ethernet encryption with full-duplex operation, suitable for point-to-point, point-to-multipoint, and fully-meshed Ethernet networks, including unicast, broadcast, and multicast communications.
• DiskCrypt Series — encrypted portable drives with the encryption key stored separately on a smartcard, platform-and-OS-independent (no driver install required), suitable for portable backups and data in transit.

The series uses AES with military-grade implementation and supports two-factor authentication via smartcard. For SEA operators that move data between Singapore, Malaysia, and Vietnam sites — or between any plant and a corporate analytics hub — the EtherCrypt and NetCrypt series are the supply-chain-trusted option for hardening the inter-site links.

Mapping the four layers to IEC 62443 zones

If you are formalising your OT security architecture against IEC 62443, the products above map cleanly to the zone-and-conduit model:

• Conduit between the enterprise zone and the DMZ: NetWall USG or ST Engineering Data Diode (depending on whether bidirectional protocol-aware traffic is needed, or strict one-way is required).
• Conduit between the DMZ and the control zone: Data Diode for telemetry egress; MetaAccess OT for explicitly-controlled remote access ingress.
• Inside the control zone: OTfuse at the PLC cabinet, MetaDefender Kiosk at every personnel access point, MetaDefender USB Firewall at every HMI.
• Conduits between sites: NetCrypt or EtherCrypt to encrypt inter-site links.
• Inside the safety zone: Data Diode for any reporting outbound; no inbound network path.

A target Security Level of SL 2 is achievable with consistent deployment of the OPSWAT family alone. Reaching SL 3 or SL 4 in higher-risk zones typically requires the hardware-enforced one-way property of the ST Engineering Data Diode in addition.

Common Southeast Asian deployment patterns

From the projects we work on across Singapore, Malaysia, and Vietnam, three patterns recur:

The CII operator under CCoP 2.0

A Singapore CII owner in energy, water, or transport typically deploys NetWall USG at the IT/OT boundary, OTfuse on the highest-criticality controllers, MetaDefender Kiosk at every physical entry to the plant, USB Firewall at every operator HMI, and Vault as the controlled transfer point for vendor software updates. MetaAccess OT replaces the legacy VPN used for OEM remote support. This package directly addresses the network-segregation, removable-media, remote-access, and incident-monitoring requirements of CCoP 2.0.

The Vietnamese manufacturer under Decree 53

A manufacturer in Ho Chi Minh City (which now includes the former Binh Duong industrial zones following the 2026 provincial merger) or the wider southern industrial belt typically starts with MetaDefender Kiosk and USB Firewall (the lowest-friction wins for the removable-media problem), then adds OTfuse on critical PLCs and NetWall USG at the IT/OT boundary as the programme matures. Because MetaAccess OT can be deployed fully on-premise inside Vietnam, it satisfies Decree 53’s data-locality concerns for foreign-vendor remote access. ST Engineering Data Diode is added where the operator is exporting telemetry to a corporate analytics platform abroad and a one-way guarantee is required.

The Malaysian process plant

Process industries in Malaysia — oil and gas, petrochemical, palm-oil refining — tend to start from the safety case. OTfuse goes on the PLCs governing the process; Data Diode goes outbound from the safety zone to the historian; MetaDefender Kiosk goes at the gate; NetCrypt encrypts the inter-site link between the plant and the HQ in Kuala Lumpur or Singapore.

How OT cybersecurity products connect to the rest of the plant stack

OT cybersecurity tools rarely operate in isolation. They depend on, and feed into, the rest of the industrial software stack. A few of the most common integrations:

• Kepware / KEPServerEX — our Kepware product page — aggregates OPC data behind the security perimeter. NetWall USG’s native OPC DA / OPC UA support means Kepware data can be safely exported across the OT/IT boundary.
• Proficy HMI/SCADA and Proficy Historian — the SCADA and historian platforms behind a typical OTfuse-protected segment. OTfuse’s native iFIX and Cimplicity (GE) protocol awareness is designed for exactly this pairing.
• WIN-911 alarm management — the alarming layer that reports OT events to operators by SMS, voice, or mobile push. Its delivery chain (typically through the IT network) is one of the conduits that NetWall USG or NetCrypt commonly protects.
• Splunk — also distributed by Allied Solutions Global — the SIEM that ingests events from OTfuse, MetaDefender, and the rest of the security stack.

How to procure OT cybersecurity products in Southeast Asia

Allied Solutions Global is an authorised distributor for OPSWAT, ST Engineering, GE Vernova, and Kepware (PTC) across Singapore, Malaysia, and Vietnam. The fastest way to scope an OT cybersecurity deployment is to start from your current architecture and your applicable regulation:

1. List the network zones you currently maintain — corporate, DMZ, control, safety — and the data flows between them.
2. Identify the regulation that applies: CCoP 2.0 if you are a Singapore CII owner; Decree 53/2022 if you operate a critical information system in Vietnam; or IEC 62443 SL targets if you are working to an internal corporate standard.
3. Map each zone-to-zone conduit to one of the products in this guide.
4. Contact us with the architecture and target regulation. We will return a sized recommendation and a quotation.

For Singapore and the rest of Southeast Asia, our Singapore headquarters is the primary point of contact. For Vietnamese projects, contact our Ho Chi Minh office.

Allied Solutions Global is an authorised distributor for OPSWAT and ST Engineering across Southeast Asia. OPSWAT, MetaDefender, OTfuse, NetWall, and MetaAccess are trademarks of OPSWAT, Inc. ST Engineering Data Diode, NetCrypt, EtherCrypt, and DiskCrypt are products of ST Engineering. References to Singapore CCoP 2.0, Vietnam’s Law on Cybersecurity, Decree 53/2022/ND-CP, IEC 62443, and MITRE ATT&CK for ICS are made for informational purposes; readers should consult the source documents for authoritative requirements.