OT-Hardened File and Device Security
for Duke Energy's Substations and Beyond
1,300+ substations across NC, SC, FL, IN, OH, KY. AMI 2.0 grid edge. Purdue Model 3.0 modernization. NERC CIP-007, CIP-010, and NEI 08-09 alignment, in one platform.
NERC CIP-Aligned Platform
Substation File Scanning Aligned to CIP-007
CIP-010 Baseline Configuration Coverage
Control Room and AMI Device Coverage
Purdue Model 3.0 Hardening
Cross-Purdue File Flows From IT to OT
USB Sanitization for Substation Field Crews
Historian and IIoT Ingest in One Stack
Trained for Duke's Operators
Certified Curriculum for Substation Field Crews
SOC Analyst Pathways for OT Security
NERC CIP and NEI 08-09 Lab Coursework
1,300+
Substations Covered
100%
NERC CIP Alignment
0
Zero-Day Execution Events
Recommended Webinars
On-Demand Webinar
Scan What Matters: 99.9% Precision AI Engine Improves Your Security Stack
On-Demand Webinar
Security-First MFT: AI-Native & Emulation-Driven Defense Against File-Based Attacks
On-Demand Webinar
Scan What Matters: 99.9% Precision AI Engine Improves Your Security Stack
On-Demand Webinar
Security-First MFT: AI-Native & Emulation-Driven Defense Against File-Based Attacks
Protecting the Industries
the World Runs on
Critical infrastructure is any system the world depends on. Built to the standards of national defense and global
enterprise, OPSWAT is the firewall of data for the world's most critical networks.
Government & Defense
Protect classified and sensitive networks with cross-domain solutions, endpoint compliance, and threat prevention validated to government standards.
Manufacturing
Prevent production disruption from file-borne and device-borne threats targeting industrial control systems and operational networks.
Financial Services
Secure customer data, transaction systems, and regulatory compliance with multi-layered file and email threat prevention.
Energy & Utilities
Secure SCADA systems, OT networks, and data transfers that keep power grids and water systems operational.
Government & Defense
Protect classified and sensitive networks with cross-domain solutions, endpoint compliance, and threat prevention validated to government standards.
Manufacturing
Prevent production disruption from file-borne and device-borne threats targeting industrial control systems and operational networks.
Financial Services
Secure customer data, transaction systems, and regulatory compliance with multi-layered file and email threat prevention.
Energy & Utilities
Secure SCADA systems, OT networks, and data transfers that keep power grids and water systems operational.
Secured Perimeter and Data Workflows
for Any Organization
OPSWAT secures data flows to and from critical networks, protected by layered threat prevention, AI-powered prediction and content verification, and continuous vulnerability intelligence, all through the MetaDefender platform.
File Security
Prevent file-borne malware from reaching production systems. MetaDefender scans, sanitizes, and verifies every file before it's trusted.
Peripheral and Removable Media Protection
Control what enters your critical environment through USB drives, portable devices, and transient assets with kiosk-based scanning and compliance enforcement at the perimeter.
Managed File Transfer
Move files securely across network boundaries with built-in threat prevention, policy enforcement, and full audit trails, without exposing sensitive environments.
Data Diode and Security Gateway Solutions
Enable hardware-enforced unidirectional data transfer between network segments. OPSWAT data diodes and security gateways protect air-gapped and segmented networks with zero risk of reverse data flow.
Storage Security
Scan and sanitize files in cloud storage, on-premises repositories, and file-sharing platforms, preventing malware and data leakage without disrupting workflows.
Email Security
Neutralize weaponized attachments and embedded threats before they reach the inbox. Deep CDR™ Technology and Metascan™ multiscanning technologies applied to every inbound message.
Access and Endpoint Security
Assess and enforce device posture before granting network access. The OESIS Framework gives security vendors and IT teams the tools to verify endpoint compliance across managed and unmanaged devices.
File Security
Prevent file-borne malware from reaching production systems. MetaDefender scans, sanitizes, and verifies every file before it's trusted.
Peripheral and Removable Media Protection
Control what enters your critical environment through USB drives, portable devices, and transient assets with kiosk-based scanning and compliance enforcement at the perimeter.
Managed File Transfer
Move files securely across network boundaries with built-in threat prevention, policy enforcement, and full audit trails, without exposing sensitive environments.
Data Diode and Security Gateway Solutions
Enable hardware-enforced unidirectional data transfer between network segments. OPSWAT data diodes and security gateways protect air-gapped and segmented networks with zero risk of reverse data flow.
Storage Security
Scan and sanitize files in cloud storage, on-premises repositories, and file-sharing platforms, preventing malware and data leakage without disrupting workflows.
Email Security
Neutralize weaponized attachments and embedded threats before they reach the inbox. Deep CDR™ Technology and Metascan™ multiscanning technologies applied to every inbound message.
Access and Endpoint Security
Assess and enforce device posture before granting network access. The OESIS Framework gives security vendors and IT teams the tools to verify endpoint compliance across managed and unmanaged devices.
MetaDefender AI-Powered Platform
MetaDefender is OPSWAT's AI platform for critical infrastructure protection — where all data is scanned, sanitized, verified, and controlled before it moves deeper into an environment. OPSWAT delivers zero trust, prevention-first cybersecurity that secures data movement and workflows across Cloud, IT, OT, and Cross Domain environments. OPSWAT's AI is embedded natively across the platform, making threat prevention faster, more proactive, and capable of stopping AI-generated threats that legacy tools can't see.
Explore the Platform
Purdue Model
MetaDefender Technology Stack
Most cybersecurity vendors are building AI to triage alerts faster, orchestrate responses, or protect AI models themselves. OPSWAT builds AI to prevent threats at the data layer — stopping malicious content before it executes, not after it is detected.
OPSWAT layers Deep CDR™ Technology, Metascan™ Multiscanning, AI-driven threat prediction, Adaptive Sandbox, and AI-powered content verification technologies to prevent, detect, and neutralize threats before they execute.
Built for Prediction,
Engineered for Speed
- Deep file structure analysis
- ML-Model trained on zero-day threats
30+ AV Engines Reviewing Every Vendor File
- Every vendor file scanned before it touches a substation HMI
- Combined signatures, heuristics, and ML across 30+ leading engines
Sanitize PDFs, Firmware Archives, and PLC Project Files
- Disarm weaponized vendor firmware before it crosses the IT/OT boundary
- Recursively sanitize nested archives and HMI project bundles
- Regenerate safe, usable files for substation operators
TAA-Aligned Country-of-Origin and DLP Coverage
- TAA-aligned country-of-origin checks on every file Duke ingests from third-party vendors
- Auto-redact PII, PHI, and customer data across 125+ file types
- OCR for image-based document review across grid programs
Detonate Suspect Binaries Before They Reach Duke's OT Network
- Anti-evasion sandbox engine extracts IOCs from PLC firmware and HMI bundles
- Pre-execution detonation prevents zero-day events on Duke's operational network
- API and local integration for substation and control room workflows
Enhance Detection with Real-Time Threat Intelligence
- Correlate global IOCs, IPs, URLs, & file reputation across 50B+ artifacts
- Stop emerging threats faster
- Enrich downstream analysis
Detect Application Vulnerabilities Before They Are Installed
- Check software for known vulnerabilities before installation
- Scan systems for known vulnerabilities when devices are at rest
- Quickly examine running applications and their libraries for vulnerabilities
![OPSWAT Technologies Image]()
Threat IntelligenceEnhance Detection with Real-Time Threat Intelligence
- Correlate global IOCs, IPs, URLs, & file reputation across 50B+ artifacts
- Stop emerging threats faster
- Enrich downstream analysis
FasterSpeed up overall triage timeTransparentDefend critical environments with greater clarity![OPSWAT Technologies Image]()
Threat IntelligenceEnhance Detection with Real-Time Threat Intelligence
- Correlate global IOCs, IPs, URLs, & file reputation across 50B+ artifacts
- Stop emerging threats faster
- Enrich downstream analysis
FasterSpeed up overall triage timeTransparentDefend critical environments with greater clarity
Trust No File. Trust No Device.
Every Duke substation file and device, scanned and verified by one platform.
No bolt-ons. No separate SKUs. No acquisitions to integrate.
Built to the Standards That Govern Duke Energy's Substations and Beyond
The MetaDefender Platform is pre-validated against NERC CIP-005, CIP-007, and CIP-010, NEI 08-09 Rev 6 for Duke's nuclear fleet, NIST CSF 2.0 and NIST 800-53, plus CMMC 2.0, ISO 27001, Common Criteria, and SOC 2.
Deploy Across Duke's Fleet.
Protect Every Substation.
Reduce the Burden on Field Crews.
OPSWAT rolls out across all 1,300+ Duke substations from a central console. Automated workflows, unified policy management, and central CIP-007 / CIP-010 evidence collection mean a single CISO team supervises every site. AI engines operate inline and autonomously, requiring no additional integration in the field.
The Organizations That Trust OPSWAT to
Protect What Matters Most
- “We’re using MetaDefender there to scan everything as we build it, to make sure we’re not becoming that supply chain risk.”Jeremy MorganGlobal Cybersecurity Manager at Hitachi Energy
- “Partnering with an external organization to handle our core cybersecurity challenges allows us to stay focused on our mission instead of getting sidetracked.”Garrett LeeSoftware Engineering Manager, Indeed
- “We've gone from blocking removable media to a fully integrated solution that can deal with scanning and securing removable media.”Alan TaylorCSIA, Dounreay Site Nuclear Restoration Services
- “We could see their product had a proven track record for what we needed it to do. We felt confident in engaging OPSWAT for a solution.”Adam WhitmoreEngineering Manager for Systems Infrastructure, Genesis Energy
Awards and Recognition
Recognition
OPSWAT Sets New Standard in Cybersecurity with First-Ever 100% Rating in SE Labs Content Disarm & Reconstruction Test
Award
OPSWAT Wins at the 21st Annual 2025 Globee Cybersecurity Awards for the Third Consecutive Year
Award
OPSWAT Awarded Supply Chain Cybersecurity Solution of the Year in 8th Annual Cybersecurity Breakthrough Awards
Recognition
OPSWAT Sets New Standard in Cybersecurity with First-Ever 100% Rating in SE Labs Content Disarm & Reconstruction Test
Award
OPSWAT Wins at the 21st Annual 2025 Globee Cybersecurity Awards for the Third Consecutive Year
Award
OPSWAT Awarded Supply Chain Cybersecurity Solution of the Year in 8th Annual Cybersecurity Breakthrough Awards
Recognition
OPSWAT Sets New Standard in Cybersecurity with First-Ever 100% Rating in SE Labs Content Disarm & Reconstruction Test
Award
OPSWAT Wins at the 21st Annual 2025 Globee Cybersecurity Awards for the Third Consecutive Year
Award
OPSWAT Awarded Supply Chain Cybersecurity Solution of the Year in 8th Annual Cybersecurity Breakthrough Awards
Intelligence From the Front Lines of Substation and Grid Defense
The 2026 NERC CIP Field Guide for Multi-State Utilities
How utilities operating across NC, SC, FL, IN, OH, and KY are aligning CIP-007 and CIP-010 evidence to 1,300-substation fleets.
How Duke-Class Utilities Harden the AMI 2.0 Grid Edge
Smart-meter, DERMS, and distribution automation file flows, scanned and TAA-checked before they reach the grid edge.
Substation File Workflows: From Vendor USB to Historian
The end-to-end path of a vendor file at a multi-state utility, from USB at the gate to OSIsoft PI historian.
SANS Detection & Response Survey
Uncovering the widening gaps caused by endpoint-heavy security postures, rising complexity, and inconsistent intelligence sharing.
Common Questions About OPSWAT
Yes. MetaDefender for Secure Storage scans every file ingested into Duke's OT historian, including OSIsoft PI and GE Proficy archive files, before write. Deep CDR sanitizes vendor uploads and PLC project files in line, with no operator workflow change.
MetaDefender OT Security maintains baseline configurations on every Duke substation HMI, PLC, and engineering workstation, with file-level audit trails that map directly to CIP-010 R1 and R2 evidence. Every change is logged, hashed, and reportable for the regional reliability auditor.
Yes. MetaDefender NetWall data diodes provide hardware-enforced unidirectional transfer between Duke's IT corporate network and air-gapped substation OT networks. MetaDefender Kiosk scans every USB before it crosses the boundary, and MetaDefender Drive verifies field laptops and engineering workstations before re-entry.
OPSWAT deploys MetaDefender as a centrally managed platform across all 1,300+ Duke substations, with a phased rollout that starts at the regional control center, extends to the Catawba, McGuire, Oconee, and Brunswick nuclear sites, and rolls out to the AMI 2.0 grid edge. Central policy management means one CISO console, not 1,300 boxes to babysit.
MetaDefender Kiosk K2100 Mobile units sit at the substation entry point and scan every USB, vendor laptop, and removable drive before a Duke field crew brings it past the perimeter. Sanitized files are delivered to the substation HMI in seconds, with a NERC CIP-007 R3 audit trail logged centrally.
Yes. MetaDefender Proactive DLP and Country of Origin scanning checks every vendor firmware bundle and PLC project file Duke ingests against a TAA-aligned country-of-origin policy. Files flagged for non-TAA origin are quarantined and routed for review before they reach the OT network.
Yes. MetaDefender is the file and device security stack used at multiple US and international nuclear sites, validated against NEI 08-09 Rev 6, NRC CFR 73.54, and FERC requirements. Coverage extends across plant control room workstations, security perimeter media, and contractor laptop entry.
OPSWAT extends MetaDefender file and device scanning to Duke's AMI 2.0 grid-edge endpoints, including smart meters, distribution automation gateways, and DERMS controllers. Every firmware update and configuration push gets multi-engine scanned, sanitized, and TAA-checked before deployment to the field.
Ready to Protect Duke Energy's Substations?
30 minutes. AMI 2.0 grid edge to control room.
NERC CIP-007, CIP-010, and NEI 08-09 in one platform.
