OpenPLC is Ready for Hacking

It’s been nearly four years since we covered [Thiago]’s OpenPLC project. He never stopped working on it, and now it’s in a highly polished state.

If you read our initial coverage of this project, it would be easy to assume that he just wanted to control some halloween decorations. He is actually a PhD student at the University of Alabama in Huntsville. His research topic is SCADA (aka Industrial Control Systems) cyber security. His goal was to find vulnerabilities in PLCs and, hopefully, fix them. However, no PLC manufacturer releases their source code, and he was having trouble getting a deep understanding of something so closed.

So, since no one was going to open their code and hardware for him he simply made his own. OpenPLC can be programmed in all 5 IEC 61131-3 languages: ST, IL, LADDER, FBD and SFC. On top of that, it lowers the barrier of entry to developing this kind of industrial hardware by being compatible with all the favorites Arduino, Raspberry Pi, Windows, Linux, etc.

“The OpenPLC is the first fully functional standardized open source PLC. We believe that opening the black-box of a PLC will create opportunities for people to study its concepts, create new technologies and share resources.”

47 thoughts on “OpenPLC is Ready for Hacking

  1. i would be very interested in buying one of these, if this guy decides to start manufacturing them. im sure it will be better than the PLC’s that horrible Green coloured company sells.

  2. Nice project. I don’t think it will see much “real” use though, it looks a bit impractical to install. The terminal blocks are inaccessible when the cards are installed, for example.

    I also question the use of the DB25 plugs on the backplane – doesn’t seem to be an easy way to screw the cards in (with ~20 wires hanging off the other end, you’ll be wanting to screw them in)

    I really hope the concept of open source PLC takes off though, the proprietary offerings often leave a great deal to be desired in terms of software usability.

    1. I would never use it for a real application either. I know for a fact that if I use a name brand PLC the thing is just not going to fail for probably the next 20 years, hardware or software wise. And with cheap PLCs like the ones from Automation Direct, the cost of entry had fallen even more. Now to hope the GE, Mitsubishi, AB, and the others got over their software and lower or eliminate the cost of the software.

      1. AB has a great PLC line that is low cost and has free software. The Micro 800 series are great little processors and program with AB’s Connected Components Workbench software which is completely free and programs in all 5 IEC languages as well. Just my 2cents, but I have used these on many projects and they really shine for a small PLC controller.

      2. Getting someone to support that PLC installation for 20 years is another story. “You want to add some IO and modify some logic? You’re going to need a whole new control panel”

        1. The SLC500 came out in 1991 and you can still buy them new. They are scheduled to be discontinued next year. ControlLogix came out in 97 and there are no plans to discontinue that, in fact is is the recommended upgrade path for upgrading older systems. And even after they are discontinued parts will still be available used or NOS.

    2. You can always redesign the cards. It’s not like it’s locked in to that specific hardware design, especially when it says “Concept hardware” on the web page.

      I could see myself using this professionally. I hate the limitations of small, name brand PLCs. They are just looking for more money, if you actually need to do anything with one. Like ihayes42 said, support for industrial busses need to be added, and hopefully in the future they will.

      I did not know the beremiz editor is now used for the programming. That’s nice.

      Sure, still needs some work, but i’m interested and i need to test drive it atleast.

          1. True, we only care about customers with money….
            The systems are not “expenssive” as you think, but people like you usually prefer cloned AB or Siemens hardware out of china.

            Engineers with PLC ladder logic are as dangerous as software people ordering concrete for a bridge. You have failed to understand why cheaper PLCs or stronger concrete is not going to help in the wrong hands. Accordingly, both people are ill equipped to deal with the specific problem area, stubborn enough to convince themselves their knowledge will generalize, and the illusion of control prevents anyone from identifying the real problem.

            Who knew these kids were so indignant about being poor… LOL

          2. @LOL If you are talking about control room people I am right there with you. So many can’t get their scale factors or their point indices right.

          3. LOL: You’ve still failed to tell us what product you’re claiming is so much better. You’re acting as a troll, though I don’t think you intended to.

  3. Cool! As an Industrial Automation Engineer I have always hated how closed PLCs are. Glad to see someone making an open source one. My suggestion to improve it would be to focus on remote I/O instead of chasis I/O. Most of our projects use solely remote I/O at this point and the communications protocols to off-the-shelf remote I/O are usually open protocols such as CIP (Common Industrial Protocol), Ethernet I/P, or Modbus. ODVA.org would be a good place to look for those. If you did that then you could use the OpenPLC with high end IO.

  4. I’m puzzled by something on the bus board schematic.

    The 24V input has the reverse polarity protection diode on the negative input, rather that the positive one. I’ve only ever seen that done on positive earth systems (e.g. telecoms -48V battery supply) before. I’m not that familiar with PLC equipment though. Is this a common design, or is it something unique to OpenPLC?

    I guess it wouldn’t matter if all the interfaces were galvanically isolated, but they’re not: the “gnd” net appears on most connectors, and this will be one diode voltage drop away from the “gnd” on other equipment if they share the 24V input. This would lead to power supply currents flowing through signal connections.

    Am I missing something?

    https://drive.google.com/file/d/0BwyThwktWLAlWV9mRzBiNXphYjQ/edit?usp=sharing

    1. In either case I’d want to see a support cage, as industrially these cards are going to be yanked around during installs. However, the DB25 interface does make it simple to get extension cables for basic remote mounted IO or new modules that just don’t fit in the original spacing, like a servo drive that needs additional cooling and high voltage separation from the rest of the system.

  5. We can’t ignore reputed brand PLCs for their Redundant, Versatile and Reliability of service. They can easily withstand with mechanical harsh environment and electrical disturbance.
    Even their OS or scan time everything is well tested for critical applications. Just programming as per IEC611131-3 isn’t enough.

    1. It’s enough for some cases. Nobody here is making this larger than life, except that moron LOL who sees it as some kind of threat to his ultimate system. OpenPLC works where it works and it may become better in the future and that’s just that.

  6. I’ve recently finished a university project in which I was tasked with performing a ‘black box’ pentest on a remote industrial control network using Siemen’s S7319 PLC. My job was to find a way to disrupt the Industrial Process. I was astounded at how easy it was to read and write the PLCs memory blocks with a simple python script to cause a PID controller to malfunction.

    I even replicated the attack on a local (Lab) S7-1200 PLCs, one controlling the pressure of a pipeline (it will never reach its setpoint) and one controlling a conveyor belt that sorts items according to their color (I can flip the sorting mechanism and cause the conveyor to start without input from the HMI). These PLCs are running the latest firmware.

    I’m not an automation engineer, so I was wondering if anyone could give me a good reason why the memory in PLC connected to an Ethernet network isn’t protected by default?

    1. I am not an automation engineer either just a lowly coop student. But from what I gather long term support is in the range of 20 ish years. You need to be able to bring programs from the 80s to new hardware with minimal change and you’ve got programs designed in the 80s that need to talk with programs from this decade. Unfortunately you need to use the lowest common denominator.

    2. Sorry for necroposting, but how is that even possible? I literally can’t sleep as i’m working with those s7 boxes in a projects. Are they really that fragile?
      Please respond.

  7. @Moe: It is really impressive how ICS systems are vulnerable. Actually, PLCs were made to be sturdy, not secure. But if you look into an “sturdy” hardware that can be broken by simple software, I don’t think you can call it sturdy anymore… I’ve seen PLCs stop working with a simple nmap scan against them.

    My goal with the OpenPLC is to initially build an environment that is close to what a PLC can offer today, to then build an environment that is secure. And all of that will be open source!
    I’m really happy that hackaday spotted my project again. I’m a big hackaday fan, and this makes me feel important. :)

    However, the main focus here was on the hardware boards I created (and actually most of the comments were about that too). The hardware is, as states on the website, just a concept. It is for people to look at and base their own design on. The biggest improvement over the last years happened in the software. The OpenPLC was conceived to be a multiplatform software solution. Currently it can run on arduino boards, raspberry pi and unipi, not to mention Windows and Linux (running as a softPLC). Therefore, you can use OpenPLC to, at least, learn how to program a PLC and put that into practice using a super cheap arduino board. Probably in the future I will convert the concept design into shields for these popular boards in order to transform a cheap arduino into an electrically safe “PLC” with the lowest cost possible.

    1. I recently downloaded the PLCOpen Editor. The GUI is just a little clunky, but not bad, and the implementation of the IEC 61131-3 standard looks to be spot on, so far. Add in the fact that it is cross platform is excellent.

      If there were a web-based editor, sort of like node-red, it would be perfect.

      Would love to see a controller out there that allows industrial strength “re-program while running”, like the old Moore APACS system (some of those controllers are old enough to vote, and are being replaced only because parts, software etc. are becoming increasingly difficult to source).

      At any rate, hats off to you and the Beremiz folks!

  8. Im excited about this project because Im frustrated at the archeic development process the big players in industrial automation have traditionally delivered. Id love to extend this project to do things that are not capable in traditional plcs. For example, making RESTful calls to an API or developing an API on top of an openPLC. Doing this with a traditional PLC is a pain at worst and expensive at best. As for security, it would be great to explore new communication methodologies like parsing JSON inside a PLC environment while maintaining security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s