Skip to main contentSkip to page footer

 |  Blog

Why Custom Linux is necessary in the OT world

The connection between IT systems (e.g. ERP or MES systems) and OT systems (such as sensors, PLC and SCADA) is increasing. More data is required from the lower automation levels, i.e. the OT world.

The devices must be able to communicate with each other in order to make data accessible. To do this, they use interfaces such as TCP/IP, OPC UA, MQTT or Profibus. In this way, data is transferred between the different levels. Linux systems make the development of embedded systems much easier. They already integrate the drivers for the required hardware and offer useful tools such as gdb and ssh, which can speed up development. Devices from the control or management level often require support for container environments in order to run other applications in a secure environment. This can be easily realised via a Linux distribution.

The available hardware resources such as CPU, RAM or ROM are often limited on these devices. Therefore, standard Linux distributions such as Debian or Ubuntu are usually not sufficient. Furthermore, OT devices have additional security requirements that are not directly met by standard distributions. These requirements can include, for example, limited functionality, read-only file systems or splitting into active and passive partitions for firmware updates.

Embedded build systems offer a way to fulfil these requirements. They can be used to create customised Linux distributions including kernels, shells and other applications. Only the required packages are installed by using a specific configuration of the build system. In addition, kernel customisations and own applications can be easily integrated. Ready-made configurations and open source code are often used to integrate standard tools such as Busybox, Docker or QT directly into the final image.

The build process is shown as an example in the following diagram:


In most common build systems, an application SDK is also generated directly as a by-product. This provides application developers with a toolchain that they can use to compile directly for the target hardware.

With the upcoming obligation under IEC standard 62443, the traceability and prompt closure of security vulnerabilities is becoming increasingly important. The integrated tools in the build systems can automate many of these tasks. In addition to the Linux image, this also creates a list of open CVEs and a finished SBOM with the existing licence information. Such automation is also possible via a continuous integration pipeline on a build server.

Distributions created via embedded build systems offer many of the advantages of ready-made Linux distributions and can also be customised. The most common embedded build systems are Yocto, Elbe, BuildRoot and PtxDist, which will be analysed and compared in terms of effort in another Techshorty.

About the author


Fabian Rosenfelder is a passionate technical computer scientist. As a senior developer, he has focussed on software development for embedded Linux, OPC UA and C++. He currently supports our customers in the development of OPC UA servers, for example for high-performance real-time control systems. 

Created by