|SCADA| OpenPLC + Raspberry Pi + ScadaBR: Part 1 – Out of My Element

安宇雨 - 随手采集
2023-01-31 22:42:27
随手采集
0000-未整理-等待研究

Seeing as we’re all currently living through a pandemic and can’t really go anywhere or do anything in our free time, I figured I’d may as well look into something I’ve been interested in for a while: SCADA. More specifically, getting some hands-on experience with SCADA using some free, opensource software and hardware I mostly already have at home.

I figured I would write blog posts as I go along in hopes:

It’ll reinforce what I’m learning
Help someone who is trying to figure this stuff out because there’s not a lot online about this
If I forget a lot of this in a few months I have at least some documentation to look back on to get me going again

I’ve also posted the OpenPLC structured text program files and the ScadaBR files if you want to download them yourself.

Hey Matt, what’s SCADA? Sorry, couldn’t resist, that was a plug for this book, which I often read to my infant son and really enjoy. I won’t try and really explain what SCADA is here, as I will undoubtedly do a poor job. If you’re not totally sure, go ahead and do some reading up on SCADA otherwise this blog post might not make a ton of sense. Realistically it might not make a ton of sense, anyway, as it barely makes sense to me.

Anyways, for the foreseeable future with this project I’ll be using 3 different pieces of software to do SCADA things because their open source and they’re awesome:

OpenPLC – Turns your hardware into a PLC running a variety of protocols (Modbus for me)
OpenPLC Editor – Lets you write programs that you can run on your OpenPLC device
ScadaBR – Let’s you create a Human Machine Interface (HMI) for your PLC

OpenPLC is the runtime that can run on a huge list of hardware, including Linux, Windows, Raspberry Pi, Arduino, and the very cheap ESP8266. Seeing as I already have a Raspberry Pi 3B+ at the house running Octoprint for my 3d printer and enough horsepower on my Ryzen machine to make some Linux VMs, I think I’m all set. I’ll just have to use a different MicroSD card an install Raspbian on that Pi, for now.

The only other thing I need is some way to interact with physical hardware connected to the Raspberry Pi. For example, turn a light on/off or make a servo move. To fix that problem, I ordered this kit on Amazon that includes a ton of electronics bits and bobs that I can make endless projects with, as well as a breakout board for the pi and a breadboard to make everything easier. $30 well spent!

Software Installation

The software install process is pretty straightforward, so I won’t rehash the websites. I just followed the instructions on the respective websites, with the runtime going on the Raspberry Pi, and both the Editor and ScadaBR going on a Ubuntu VM. I chose to do the native Linux install for ScadaBR.

First Simple Program

As the name would imply, this is the first program I was able to get working and it is rather simple. Here’s the basic idea:

We have two buttons, PB1 and PB2. Think of them like a traditional light switch. Flip the switch up and a light comes on, flip it down and it goes off. In this case, instead of a light switch we have two momentary switches, PB1 and PB2. When you press PB1, it turns on the LED. It will stay on until you press PB2, which will kill the flow of magic pixies.

To add these items you can a) click the green plus sign or b) right click in the work space and click add, then select the kind of item you want. Ensure PB2 is a negated contact. Make sure all the locations are correct with the wiring diagram. Finish up by adding a power rail to each side of the ladder, with the left having two rails and the right only having one. Drag the ends of all the items together and you should be good to go.

Here’s what it should look like.

To test this before uploading to the OpenPLC Pi, save the project then click on the little running blue man roughly in the center of the top menu bar.

Then, click on the top set of glasses on left side of the screen, next to the drop down menu.

Now right click on PB1 and select Force True. You should see the entire circuit glow green, indicating the flow of electricity. This means it works!

At this point the program is working correctly and you should save it. Save the project using the icon and make sure to give the file a .st file extension, otherwise you won’t be able to upload it to the OpenPLC device.

Now to load it onto our OpenPLC device. Go to the IP address for the device on port 8080, in my case the Raspberry Pi and 192.168.1.178:8080. If you haven’t yet set one up, the default username and password with be “openplc” and “openplc”. If that’s the case you should create a new username and password immediately!

Now navigate to Programs, then browse to your program file with the .st file extension. Click Upload Program and fill in a brief title and description. Click save.

At this point your OpenPLC device is ready to run your program, but there are not yet any hardware connections to act as inputs and outputs.

Remember the wiring diagram from earlier? Let’s turn that into an actual circuit on our breadboard! This is how I chose to make it and I used the positive and negative bars along each side to clean up wire clutter.

It works! It essentially works as a light switch. Now to make a display that will mirror the physical status of the LED.

Building an HMI with ScadaBR

ScadaBR is open source software that allows you to make Human Machine Interfaces (HMIs) for PLCs. For what we’re trying to do, that just means displays and maybe controls at some point. In this case, it will be for our embedded OpenPLC device (Raspberry Pi). The first example will be creating an HMI for First_Simple_Program. The goal is to have a simple LED that mirrors the real LED on the breadboard.

Open a web browser on the device you installed ScadaBR on, in my case a Ubuntu VM, and and navigate to http://localhost:9090/ScadaBR. If you haven’t changed the login credentials yet, the default username and password “admin” “admin.”

The first thing we’ll configure is a data source. Click on the 6th icon from the left on the main menu bar labeled Data Sources.

Select Modbus IP from the drop down menu, then click Add.

Give your data source a name and enter the IP Address of the OpenPLC device under _Host_.

If you want to test this configuration before going any further, save the settings and click the Read Data button under Modbus read data. This will show the values of a specific number of registers. If you push PB1 and activate the LED, then click Read Data again, it should change the value of register 0 to true.

Next scroll down until you see the Points sub-section. Click the Add button and give the point a name, in this case LED was used to keep things simple.

The Export ID (XID) should be auto-generated. Make sure the value for Register Range is set to Coil Status and Modbus data type is set to _Binary_.

Once those settings are changed, make sure to click save on the Point Details window as well as the main Data Sources window.

Now that a data source has been setup we can configure a display to use that data. Navigate to Graphical Views, which is the second icon from the left on the main menu bar. Click on New View.

Give the view a name (OpenPLC in the example) and view the Components drop down list. These are all the different kinds of interactive graphics you can add to a view. For now select Binary Graphic. A small image should appear in your work area.

Mouse over the image until you see the puzzle piece with a pencil. Select it. You should see a small menu.

For the Points field, select the point you created earlier. It will display as data source – point. This is all you need in this menu for now, so hit save.

Go back to your workspace and mouse over the image again. Mouse over the small picture and click on it. It should read Edit Graphical Renderer.

Click on the drop down menu next to Image Set and familiarize yourself with some of the options that might be useful for this situation. We’re keeping it simple right now and selected Light bulb (2 images). For the Zero image, select the light bulb that is off and do the opposite for the One image. It should match the image below.

At this point save that window and scroll to the bottom of the page to save the entire view.

Now, if you click back on Graphical Views from the main menu bar you should see your new view listed under Graphic views and displayed by default below. Now, if you push PB1 on the breadboard the lightbulb on the display should change accordingly.

The LED is off
The LED is on

Intercepting Modbus Traffic

It is well known that many SCADA protocols are not secure. They’ve been in use so long that when they were designed decades ago security was not a serious consideration. The protocol we’ve setup with the OpenPLC device is Modbus and that is the protocol we’ll be intercepting.

We’ll be using a free tool called mbtget. This tool allows you to make modbus transactions from a terminal window.

To install mbtget, run the following commands from a Linux terminal window:

git clone https://github.com/sourceperl/mbtget.git
cd mbtget
perl Makefile.PL
make
sudo make install

To verify it’s been successfully installed, run mbtget with the help switch. You should be a list of commands.

Let’s start by simply monitoring Modbus traffic over the network from our OpenPLC device. You can do this quickly and simply using Wireshark and sort by protocol or the IP of the OpenPLC device. However, since mbtget is not a commonly used tool I’ll only include those instructions.

To read the coil(s), use the following command structure:

mbget -r1 -u (unit_id) -n (number of values to read)

Here is the command for this situation:

mbtget -r1 -u 1 -n 1 192.168.1.178

This is the output received when the LED is energized:

When we turn the led off with PB2 the output changes.

Using mbtget, you’re not ony able to read coil values but also write coil values. This is possible since there is absolutely no security built into Modbus.

We’ll start with the LED off on the breadboard and try to turn it on without ever touching the HMI we built earlier or PB1.

To verify the LED is off, let’s pull the current value of the coil from the OpenPLC device:

mbtget -r1 -u 1 -n 1 192.168.1.178

From the output we can see that the LED is currently off.

Now let’s write to the first coil with the following command. This should turn the LED on and change the graphical view on our HMI.

mbtget -w5 1 -a 0 192.168.1.178

It should give you confirmation that the data was written to the coil.

If we run the coil read command again, we should see that the value has changed to 1.

We can check to see if the HMI changed, as well.

It turned on!

Creating a Second Program

I wanted to keep the first program’s functionality intact but add some sort of complexity to it. I decided on using an on-delay timer that will turn on a second LED after PB1 has been pushed and held down for 1000ms.

To keep the first program’s functionality intact, we’ll leave that ladder alone and simply add a new one below it.

In the top variables chart, select LED1 then click the green plus on the top right of the window. This will create a new item using the selected LED1 as a template and automatically iterate the Name, Location, and copy the Class and Type fields.

Move down to the work space add a power rail to each side, a PB1 contact, a TON block (will automatically name itself and add itself to the top variables chart), an LED2 contact, and a variable with an expression of T#1000ms. Connect the variable to TON0 at PT to make it act as a time delay.

Connect all the items together and it should look like the figure below.

Before we generate this as structured text for OpenPLC, let’s test it in a simulation like we did with the first program. If we force the value of PB1 to true, LED1 will immediately turn on while LED2 will have a 1 second delay.

If you force the value of PB1 to false, LED2 will immediately turn off while LED1 will stay illuminated.

Now that we know it works, let’s upload it to our OpenPLC Pi and run the program. Now to setup the hardware. Here’s the circuit I made. It’s a little claustrophobic but I intend on expanding the program further and didn’t want to have to keep rebuilding it all.

Also, I put a 220 Ohm resister before LED2 to keep the power draw and brightness down. It will totally work without it, that’s just what I decided to do.

Look at it go, it totally works! And since it’s still running on the OpenPLC Pi, I can still intercept the traffic with mbtget.

That data was pulled while I was holding down PB1, as you might have guessed.

Creating an HMI for the Second Program

Since this second program is very similar to the as far as outputs go, with just 2 LEDs instead of 1, the HMI will be very similar to setup.

Go ahead and login to your ScadaBR instance and go to Data Sources. Select the data source from your OpenPLC device, in this case named OpenPLC, and click the edit button.

Scroll down to the Points sub menu and add a new point. Give it a name (I chose LED2) and increment the Offset value by one. This will increase as the number of coils increases, so since this is the second coil the value will be 1. Click save.

Now click on Graphical Views (second icon from the left). Click on New View. Give the view a name then create 2 binary graphics and assign one to each of our coils. Like before, set the image to Light Bulb (2 images) and set the zero and one images to an off and on light bulb, respectively.

Be sure to click save at the bottom of the page.

You should be left with two dark lights on the screen. When you press PB1 a single time, the first LED and first display bulb should illuminate. Hold PB1 and the second LED and second display bulb should illuminate.

Conclusion and Next Steps

Considering that not too long ago I had no idea what any of these programs were, I’m pretty happy with what I’ve been able to get done. Hopefully I can keep expanding into that hardware kit I got off of Amazon and start getting my PLC to configure RGB LEDs, an LED matrix, and start moving a motor and servo.

It should be more fun to make HMIs for those electronics, too, as there is the possibility of movement (think water pump at power plant, draw bridge, etc).

I’m thinking about maybe trying to make a little city of some kind and make it all controlled by SCADA, but that might be a ways off. I would also like to look into maybe integrating another PLC, whether it’s another Raspberry Pi or something a lot less powerful (but a lot cheaper) like an ESP8266.

Anyway, hopefully someone finds this helpful in the future!