VirtuaPlant
Introduction
VirtuaPlant is a Industrial Control Systems simulator which adds a “similar to real-world control logic” to the basic “read/write tags” feature of most PLC simulators. Paired with a game library and 2d physics engine, VirtuaPlant is able to present a GUI simulating the “world view” behind the control system allowing the user to have a vision of the would-be actions behind the control systems.
Motivation
I regularly receive emails asking for PLC simulators suggestions and I really didn’t find many options rather than simple soft-PLCs with no embedded control logic (mostly because this is implemented according to client’s needs) thus leaving to the user the job of implementing their own control logic behind.
Also, many demos are made with custom-built or off-the-shelf kits involving hardware which raises the cost of the simulators for newcomers and low budget users and the idea of having everything (Control System + Plant parts) on software came to my mind.
Finally, the “Gamification” paradigm is hype, cool and makes the learning process even more phun!
Inspiration
The inspiration for starting with a bottle filling factory came from an article found on electrical-engineering-portal.com named “PLC implementation of the bottle-filling application”.
Even the project being inspired on the process described in the article, the process implemented in the Bottle-filling factory isn’t 100% faithful, but hey, it works!
Overview
All the software is written in (guess what?) Python. The idea is for VirtuaPlant to be a collection of different plant types using different protocols in order to be a learning platform and testbed.
The first release introduces a as-simple-as-it-can-get one-process “bottle-filling factory” running Modbus as its protocol.
World View
World View consits on the game and 2d physics engine, simulating the effects of the control systems’ action on virtual (cyberz!) assets.
It uses python’s pygame and pymunk (Chipmunk engine for python — intended to be replaced by pybox2d due the lack of swept collision handling which currently limits us a little).
PLC controller
The soft-plc is implemented over the pymodbus library which runs on a separate thread in the World View component and shares its context (i.e. Registers/Inputs/Tags) with the World View functions in order to simulate assets being “plugged in” to the controller.
HMI
The HMI is written using GTK3 and is quite dead simple. Also runs pymodbus client on a separate thread and connects over TCP/IP to the server (so it could be technically on a separate machine), constantly polling (i.e. reading) the server’s (soft PLC in World View) tags. Control is also possible by writing in the soft-PLC tags.
Attack scripts
You didn’t thought I was leaving this behind, did you? The phun on having a World View is to see the results when you start messing around with the soft-PLCs tags! Some pre-built scripts for determined actions are available so you can unleash the script-kiddie on yourself and make the plant go nuts! YAY!
Demo
Check out this YouTube video demonstrating the attacks on the VirtuaPlant Bottle-Filling Factory:
Download
All the code can be found under the VirtuaPlant GitHub repository.
Installation requirements
The following packages are required:
- PyGame
- PyMunk
- PyModbus (requires pycrypto, pyasn1)
- PyGObject / GTK
On Debian-based systems (like Ubuntu) you can apt-get the packages which are not provided over pip:
1
|
apt-get install python-pygame python-gobject python-pip
|
Then install the pip ones:
1
2
3
4
|
pip install pymunk
pip install pymodbus
pip install pyasn1
pip install pycrypto
|
or install all of the pip packages by using our provided requirement.txt file:
1
|
pip install < requirements.txt
|
Running
Enter the /plants
directory, select the plant you want (currently only one available) and start both the world simulator and the HMI with the start.sh
script. Parts can be ran individually by running world.py
and hmi.py
(self-explanatory). All the attack scripts are under the /attacks
subdirectory.
Future
The following plant scenarios are being considered:
- Oil Refinery Boiler
- Nuclear Power Plant Reactor
- Steel Plant Furnace
The following protocols are being considered:
- DNP3 (based on OpenDNP3)
- S7
Suggestions? Found bugs? Wanna help? Hit me an email or send me a message on Twitter! Contact information on my about page.