Civil Infrastructure Platform Takes Open Source to an Industrial Scale


One of the less discussed uses for open source software is actually in the role that it plays for industrial-scale hardware. Whereas power plants, factories, and other large infrastructure projects were once ruled over nearly entirely by operational technology (OT) control systems, in recent years, information technology — built on open source software — has been making its way onto the scene in an increasingly significant way.

Additionally, another surprising fact is that the this push to use open source in complex hardware operations has been embraced by industry leaders. One company helping to lead the charge is Siemens, one of the world’s largest producers of hardware devices, Siemens. Siemens plays an active role in advancing open source in the industrial space, with a focus on making open source security a priority for development, in part through their involvement in the Civil Infrastructure Platform (CIP) initiative.

Wolfgang Mauerer, a professor of theoretical computer science at the Technical University Regensburg, and a senior key expert at Siemens’ Corporate Research Competence Centre Embedded Linux, says that his company has “been actively supporting open source for quite a while now and actually there’s a fair amount of products that run Linux, based from Siemens.”

Siemens Depends on Open Source for Meeting Long-Term Requirements

One of the major product lines that Siemens produces is MRI scanners, which are used in hospitals to help give doctors a better picture of what is going on inside their patients. These machines, which Mauerer terms as not being traditional industrial devices but engineered in the same way, run on Linux.

“We chose Linux for these devices because we can satisfy quite different requirements that way,” explains Mauerer. “We have real-time requirements in these machines, and Linux is the only operating system that can satisfy these needs.”

Mauerer says that their decision to turn to open source was made in part because they needed an operating system that would be flexible enough to work with a wide range of needs over time.

As opposed to most consumer products which normally have a shorter lifespan of only a few years before being replaced, industrial systems are expected to last for a decade or more. As such, they need to be supported longer and have a system which can adapt with new updates as they are needed. He adds that there were concerns that commercial operating systems could become outdated over the lifetime of the devices, and that only something like Linux could give them the dependability and longevity that is required.

Mauerer points out that if they were dependent on a closed system, “then we couldn’t retrofit it with the real-time capabilities that we need.”

Siemens is currently running a number of open source projects that receive external contributions from universities and others, including their partitioning tool called the Jailhouse Hypervisor.

Securing the Future of Development for Infrastructure

Along with companies like Toshiba and Hitachi, Siemens is a founding member of CIP, which was created with the aim of “establishing an open source ‘base layer’ of industrial grade software to enable the use and implementation of software building blocks in civil infrastructure projects.”

As a member of CIP’s technological steering committee, Mauerer says that they hope to encourage a more secure environment for collaborative security. “One reason for founding CIP is that we would like to share important patches to the kernel exports,” he says, noting the lack of a central authority for ensuring that best security practices are upheld throughout their user and contributor base.   

Over the long term, Mauerer says that the goal of the CIP is to, “Really offer a set of base components from the kernel to the most important user’s base packages that we maintain over these timeframes and that all the partners, all the members, even the CI initiatives use, thus saving them effort.”

In part of their effort to establish a working base for projects that will provide users with real value, the CIP initiative has developed their own kernel for performing quality integration tests that they are calling Board at Desk, which is maintained by Ben Hutchings, who is best known for his role as the package maintainer in the Linux Debian project.

Their hope is that over time, they will establish a baseline for infrastructure related projects, ranging from rail to power plants, that developers will look to for holding to best practices.

“In the long run, we will come up with a standardized set of test and quality measures that if they’re satisfied by the kernel, will then earn them the CIP quality certification.”

Shifting the Industry Towards Open Source

One misperception Mauerer and his colleagues at CIP have to battle is the idea that companies are putting themselves at risk by working with an open source model.  

“Astonishingly, I hear these arguments that if we open source our code — if you put out anything in the public — then it becomes less secure because people can search the vulnerabilities and so on. I hear these quite frequently from medium-sized corporations and small businesses,” he says, chalking up the perception here to a “lack of expertise of dealing with the openness, so they confuse open source with a system that’s open for everyone.”

Thankfully, he is seeing far more acceptance of working with open source from the bigger players in the industry. “Most larger companies by now have realized that security by obscurity of course doesn’t work,” says Mauerer, noting that, “Giving out all the mechanisms for review by independent experts and third party experts actually improves security, making security stronger because security holes can be found proactively before they are detected out in the wild.”

For now, many companies are keeping their newfound appreciation for the power of open source as an internal secret policy, choosing not to publicize it for fear of negative pushback from the skeptics. However, Mauerer says that if you know where to look, you can see that there is real interest in pursuing greater open source usage.

“So sometimes companies are still reluctant to say in public that they are using open source. But if you go to any Linux Foundation events, you will find everyone from all industries looking outward to what has happened, placing that, of course not just because of interest but because people are using these products and these components very, very openly, very, very, very much in their products.”

The Long Road Ahead

In building their solutions, Mauerer makes a point that the base of software they create should in part be judged on whether it is sustainable over a significant amount of time. Whereas many software products, say a mobile phone’s operating system, can hold up for five years, industrial systems have life spans that can be expected to reach upwards of 25 years in some cases and face far more stress and requirements.

While he is hopeful that the benefits of more modern technologies from the IT world will filter into the industrial/infrastructure space, Mauerer also notes that industrial technology is still in its own category and that the pace of change will differ.

“We’re only very slowly picking up seconds from IT, so people who get into OT from IT will need a lot of patience at first,” he says. “But once they think the issues through, they will realize that this pace is something that’s vital to the industry because just imagine a power station that’s programmed in the same way as a mobile phone and has as many software problems as mobile phones. Obviously you want to avoid having a power outage twice or three times a day.”

Keeping their environment secure takes a considerable effort, one that is not always recognized for the commitment that it takes to keep things running smoothly. Mauerer quips that, “it’s work that we need to do, that must be done but we don’t get any points for doing it. We just lost points for not doing it.”

For more information about Civil Infrastructure Platform, visit