Linux has rapidly come to be used in a wide range of applications in the industrial field, from domestic appliances to devices used in social infrastructure. However, the road leading here has not always been a smooth one. For many years, Toshiba has taken on difficult challenges related to power-saving, reducing startup times, real-time control, and more. We have contributed to the evolution of Linux by achieving these goals while creating new value. New challenges have arisen, such as long-term maintenance, improved reliability, and cyber-resilience, and our engineers are constantly pursuing further innovation. In this four-part running feature, we will look at the numerous difficulties Toshiba has faced and the measures we have used to overcome them.
In Part 1, we discussed the fundamental challenges of embedded Linux and the approaches used to address them. In Part 2, we explained the technical challenges of using Linux for real-time control. In this part, we will discuss the challenges of applying open source software (OSS) to social infrastructure systems. We will introduce the Civil Infrastructure Platform (CIP), which aims to address these challenges through open collaboration, and highlight Toshiba’s leadership in this initiative.

Embedded Linux initially evolved through its use in home appliances. More recently, its application has rapidly expanded to include industrial systems and social infrastructure. Social infrastructure serves as a vital foundation for our daily lives. It includes power plants, water and sewage systems, communication networks, and more. Interruptions to these services can have a significant impact on society as a whole. As a result, these operational technology (OT) control systems are subject to far more advanced and stringent requirements than those found in consumer-grade systems.

For example, the product lifecycle of power generation systems is exceptionally long, typically ranging from 25 to 60 years. Throughout these lifecycles, systems are required to maintain high, industry-grade quality in areas such as compatibility, standardization, consistent real-time performance, and security. In recent years, there has been a notable increase in cyber-attacks targeting OT systems, prompting the introduction of new regulations such as the European Cyber Resilience Act (CRA). As a result, ensuring the long-term security of software has become a critical concern.

To realize these advanced requirements, Toshiba, together with Siemens and other partners, launched the Civil Infrastructure Platform (CIP) project in 2016. CIP project is an initiative under the Linux Foundation, a technology consortium dedicated to promoting the sustainable development of open source software (OSS). The mission of the CIP project is to harness the power of the open source community to deliver industrial-grade OSS as an Open Source Base Layer (OSBL), ensuring it is provided in a sustainable and secure manner for reliable use in social infrastructure and industrial systems. Through this initiative, CIP aims to contribute to a more sustainable society.

OSBL is a shared platform that supports companies in developing proprietary middleware and applications. It is compatible with Linux distributions` and related OSS. As a key member of CIP, Toshiba leads the project's technical activities and is actively engaged in developing OSBL for reliable use in social infrastructure and industrial systems, leveraging the open source collaborative development model (Fig. 1).

*Linux distribution: An operating system packaged by combining the Linux kernel with various software components and tools.

Software used in social infrastructure systems is required to operate reliably over extended periods—often 10 to 20 years. However, standard Linux kernel support periods typically range from six months to five years, creating a significant gap. To address this gap, one of CIP’s key activities is the provision of Super-Long-Term Support (SLTS) kernels.

The SLTS kernels provided by CIP are designed to support ultra-long-term maintenance, with a target of at least 10 years. To achieve this, the CIP kernel team adheres strictly to the development principle of “Upstream First.” Guided by this principle, the CIP project generally adopts patches that are either already included in upstream sources—such as the Linux mainline, the Long-Term Support (LTS) project, or other major release branches—or have been contributed to upstream to incorporate essential fixes or enhancements, including functional or quality improvements (Fig. 2).

CIP also actively contributes its own fixes and functional enhancements to the upstream kernel, aiming for their integration into the mainline. This approach helps minimize source-level divergence from upstream and strengthens collaboration with the communities leading kernel development, thereby contributing to long-term system support and continuous quality improvement.

The CIP kernel team engages in a broad spectrum of activities. Specifically, these activities involve continuous monitoring of vulnerabilities (such as referencing the CVE database and assessing their potential impact), backporting security patches and functional updates from upstream sources to older kernel versions (applying them to legacy systems), evaluating compatibility and stability, and actively contributing improvements to the upstream kernel (including functional and quality enhancements).

Each month, the CIP team reviews approximately 1,000 patches applied to the upstream LTS kernel and contributes its findings. These contributions are then incorporated into the CIP kernel. In 2024, approximately 2,000 patches were integrated into the CIP kernel based on version 6.1 alone. CIP currently provides SLTS kernels based on versions v4.4, v4.19, v5.10, and v6.1, and in 2025, it released the v6.12 SLTS kernel. The latest v6.12 kernel is scheduled to be supported through 2035 (Fig. 3).

As a core maintainer within the CIP kernel team, Toshiba actively contributes to both within and beyond CIP. These efforts have been recognized and praised by the upstream community.

Another core activity of the CIP kernel team is its involvement in the Realtime Linux project. This project aims to standardize the PREEMPT_RT patch, an extension that enhances Linux’s real-time capabilities. As explained in Part 2 of this series, CIP has been actively involved in this initiative since 2017. In November 2024, the PREEMPT_RT patch was officially merged into Linux 6.12 as a standard feature, marking a major milestone for CIP.

To ensure long-term and stable system operation, it is essential to provide extended support not only for the kernel but also for the core packages that constitute the userland—the components of the operating system other than the kernel. The CIP Core Working Group (WG) plays a central role in the OSBL, which is designed to meet the high reliability and long-term maintainability requirements of social infrastructure systems. The WG provides a set of industrial-grade components known as the CIP Core packages. Furthermore, reference implementations using the CIP Core packages and the CIP SLTS kernel have been prepared and are being made available to system developers across various domains (Fig. 4).

The activities of the CIP Core Working Group (WG) include managing the CIP Core package list, providing reference implementations of OSBL aligned with various Debian* releases (Debian 8, 10, 11, 12, and 13), ensuring build reproducibility, and continuously monitoring vulnerabilities.

*Debian: One of the major Linux distributions

Among these activities, special attention should be given to CIP’s close collaboration with two key development projects: Debian LTS and Debian ELTS (Extended Long Term Support). Since 2018, CIP has actively participated in the Debian LTS/ELTS projects, contributing to the achievement of five-year LTS support for Debian 8 and Debian 10, as well as extending the support period to ten years for packages included in OSBL. Extending these support periods ensures that long-term security patches and bug fixes are available for essential userland packages. For developers of social infrastructure systems, this serves as a major reassurance when building systems intended for long-term operation. This collaboration reflects CIP’s core philosophy: “Collaboration with the open source community is key.” In this respect as well, the partnership holds significant value.

Let us now examine our approach to security measures. IoT technologies are being integrated into social infrastructure systems to advance the development of smart cities, where diverse systems are seamlessly interconnected. Amid this trend, cyber-security threats continue to grow, making countermeasures a top priority for both governments and businesses. As seen in the European CRA, there is a growing trend toward legally requiring cyber-security measures for products.

In response to these global developments, the CIP Security Working Group, led by Toshiba, is actively promoting compliance with the IEC 62443 series of international standards for industrial control system security. It provides IEC 62443-4-compliant guidelines and reference implementations to support industry-wide adoption of international standards (Fig. 5).

In 2024, CIP completed the IEC 62443-4-1 compliance assessment. This achievement marks the world’s first* for an open source project and serves as objective evidence that the design and development processes of CIP’s OSBL meet defined security requirements. Additionally, testing of the CIP security image package is currently underway to verify compliance with IEC 62443-4-2. To enhance test coverage, active contributions are being made to the upstream.

*https://www.linkedin.com/feed/update/urn:li:activity:7281814232457756675/

These efforts help reduce the burden on users and companies developing products with CIP OSBL when obtaining security certifications. In addition, CIP’s shared software update technologies contribute to secure firmware updates and vulnerability management, making them essential for maintaining security throughout the product lifecycle.

This article has provided a detailed overview of the CIP project's activities and achievements. By continuously refining a wide range of technologies—including long-term support kernels, real-time capabilities, the CIP Core, test automation, security, and software updates—CIP continues to deliver essential value in industrial-grade quality, sustainability, and security. Estimates show that applying CIP-developed technologies to systems can reduce the workload for security checks, software maintenance, license verification, application support, testing, and related tasks by up to 70%.

Toshiba plays a vital role in the CIP project. In addition to its technical contributions, it plays a key part in project management and community building, significantly enhancing the reliability and long-term maintainability of social infrastructure systems.

In the next and final article of this series, we will take an in-depth look at Skelios, Toshiba’s original Linux distribution developed using the outcomes of the CIP project. We will highlight the technical features and real-world applications of Toshiba’s Linux distribution to demonstrate how it responds to the demands of the cyber-resilience era and contributes to the stability of social infrastructure. Stay tuned.