
Industrial Digitalization: PLC Virtualization and Simulation

2026-04-06 02:42:56

Foreword:

With the arrival of the Industrial Internet era, technologies such as 5G, AI and big data are being applied to industrial control, and the automation industry is becoming increasingly software-driven. We have previously shared some simple application examples: "When WinCC OA meets Mindsphere, the digital journey of automation engineers"; "When Raspberry Pi + S7-1500 meets Alibaba Cloud, the digital journey of automation engineers"; and "When Schneider PLC meets Amazon AWS IoT, the digital journey of automation engineers". Today we talk about PLC virtualization: where it stands now and where it is heading.

01 PLC and Virtualization

I have been following the evolution of PLC virtualization closely, both where it stands today and where it is going. The strength of virtualization is that, in sixty years of IT, hardly any other advance has delivered such quantifiable benefits. Historically, PLCs and PCs share a common ancestor: both evolved out of the relay era. Given how successful virtualization has been in IT, why should PLCs, members of the same family, not enjoy the same advantages?

It is worth stressing that the PLC virtualization discussed in this article is not a software version of a PLC, nor PLC software installed and running in a virtual machine. Software PLCs, or "SoftPLCs", were essentially failed attempts by control system manufacturers to integrate control and information systems. The vendors recognized the benefits and success of general-purpose information system platforms, but their series of SoftPLC products never gained a real market.

The PLC virtualization discussed here is defined as follows: decoupling the functions of traditional dedicated PLC hardware and using software, running on general-purpose, standardized modular hardware, to simulate or emulate a system that looks and behaves like the specific PLC hardware. Given how specialized the PLC hardware environment is, the most practical route is for PLC vendors themselves to provide virtualized versions of their controllers, built on existing virtualization technology. In practice, some PLC vendors already deploy virtualized controllers for customers in large projects, either to reduce controller cost or to meet high performance requirements. These controllers run on commercial IT hardware and are the result of vendors adapting their own controllers to IT virtualization. Typically they are not available on the open market or in vendor catalogs, and may not even have part numbers.

Returning to the opening question: can PLCs truly enjoy the significant advantages of virtualization? The answer is definitely yes. The reason we do not yet see it widely is that anything new needs preconditions and a suitable environment before it can be born and develop, and PLC virtualization is no exception.


02 PLC Virtualization and Simulation

2.1. Development of PLC Virtualization Software and Hardware Technologies

PLC virtualization software and hardware technologies have matured. At the technical and engineering level, software can now simulate and model the processor, the ISA bus, the various dedicated hardware cards and the network I/O of a PLC system. These basic capabilities are the technical prerequisites for implementing and developing PLC virtualization.

2.1.1. PLC Hardware Reconfiguration and Software Definition

So how is PLC virtualization done today, and which technologies is the industry using? In the earlier article "Development Trends of Industrial Control Systems - PLC Virtualization and Software Definition" we described research projects run by control system suppliers, Siemens among them. They decouple the PLC execution environment from the I/O modules and standardize, modularize and virtualize that execution environment. Borrowing the approach of software-defined networking, they abstract the PLC logic behind a software definition: an application program develops and manages the execution logic, so the application defines what the hardware PLC does. In other words, logic control, program storage and I/O modules are separated, and the logic-control part is implemented by the application program. Technically, this is "hardware reconfiguration and software definition" of the PLC system: a higher-level, more abstract automation of resources and data built on top of virtualization. Control system manufacturers are trying to leapfrog the competition by refactoring the hardware and software-defining the PLC directly, launching new devices suited to the Industrial Internet or Industry 4.0 era and addressing the poor fit of traditional PLCs in that era. In "ALC - Software-Defined Architecture PLC" I briefly introduced a series of transitional products already on the market that are based on this research.

2.1.2. Virtualization of Traditional PLC Equipment

Why, then, do control system manufacturers skip over virtualizing their existing PLC equipment and instead launch PLCs with new architectures? Is virtualizing existing equipment hard? In terms of technical feasibility, PLC virtualization requires the following:

1. Running a virtualized PLC CPU on a general-purpose architecture;

2. Meeting the PLC's real-time requirements (bounded latency and jitter) over switched Ethernet;

3. Virtualizing the dedicated PLC hardware as standardized I/O cards that run on the general-purpose architecture;

4. Supporting standard commercial power supplies, such as 220 V mains;

5. Supporting redundant commercial I/O cards and controllers.

In other words, the proprietary parts of the PLC architecture must be simulated or emulated on a standard architecture. First we need a virtual PLC software container, analogous to a virtual machine, and then we load the PLC into it. Like a virtual machine, this container provides PLC-specific virtual hardware: the CPU, the ISA bus and the I/O cards of the particular control system vendor.

At the processor level, the primary challenge is emulating the PLC CPU inside that architecture. This article uses the Siemens S7-400 as the example because it has been studied and reverse-engineered extensively by the community. The S7-400 uses two Infineon TriCore processors to run the PLC's processing logic, and the existing emulator QEMU already supports TriCore processors. Does that mean an S7-400 can be run and simulated under QEMU? If Siemens did this officially, I believe its R&D department would only need to recompile the S7-400 firmware or add an S7-400 board model to QEMU (in QEMU a board, or "machine", is source code describing the CPU, memory map and peripheral devices; there is no configuration-file mechanism for adding one), and I suspect Siemens already has similar emulators internally. For an outside party it is technically feasible but extremely hard, because it is unknown whether Siemens made special modifications to the TriCore architecture. If it did, the outside party would have to extend QEMU's existing TriCore target with a new board model and CPU variant that accommodates those S7-400-specific changes.

At the instruction-set architecture (ISA) level, the S7-400 runs a virtual machine on top of the TriCore architecture that translates between Siemens' own machine code and the processor's machine code. In the TriCore ISA an unconditional jump starts with the opcode byte 0x1D; the corresponding unconditional jump inside the PLC virtual machine starts with the bytes 0x70 0x0B. The machine code of that virtual machine is called MC7. No firmware implementing MC7 has appeared on the public internet, and MC7 has not been fully reverse engineered by outsiders, so ISA-level virtualization is extremely difficult. It can only be achieved by finding a design that translates between the two instruction sets, recovered through reverse engineering and implemented as software translation, or by designing a hardware-level ISA. This resembles binary translation, paravirtualization and hardware-assisted virtualization in IT. However, because every PLC vendor designs its own ISA, no standardized ISA virtualization technology can currently cover the equipment of most control system manufacturers. These techniques succeeded in IT precisely because IT hardware is standardized, which gives the translation layer a fixed, well-documented target.

At the runtime level, we would need to clone the complete S7-400 firmware into a QEMU image and create and run virtual PLCs on QEMU's TriCore processor with a dedicated S7-400 board model, one that also covers the S7-400's auxiliary hardware (Ethernet, I/O). Without documentation, obtaining a clone that contains the complete firmware, bootloader and RTOS included, is difficult. So beyond the CPU and the ISA, building S7-400 virtualization also requires models of the S7-400 auxiliary hardware (Ethernet, I/O). In short, building PLC virtualization on top of existing virtualization architecture means solving many problems, and for every PLC model a corresponding virtual machine and virtual hardware must be built. The overall simulation and modelling process is shown in the following figure (image not included in this text):

Given the large number of PLC models in use, however, this approach looks like a thankless and laborious route.
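Before any of the ISA-level work above can start, an analyst has to locate where in a memory image the MC7 program actually lives, as opposed to the native TriCore code of the interpreter and RTOS. The scanner below is an added example, not code from the article, Siemens or QEMU. It uses only the two markers the article states (TriCore 32-bit unconditional jump opcode byte 0x1D; MC7 unconditional-jump prefix 0x70 0x0B) to triage a dump into "tricore", "mc7" and "data" regions. The window size, thresholds, MC7 alignment handling and the sample dump are assumptions or constructed input, not properties of real S7-400 firmware.

```python
"""Triage a PLC memory dump into TriCore code, MC7 bytecode and data regions.

Added example, not code from the article, Siemens or QEMU. The only facts
taken from the article are the two markers: the TriCore 32-bit unconditional
jump (J) has opcode byte 0x1D, and the MC7 unconditional jump starts with the
bytes 0x70 0x0B. Window size, thresholds, MC7 alignment handling and the
sample dump are assumptions / constructed input, not real firmware properties.
"""
from dataclasses import dataclass

TRICORE_J_OPCODE = 0x1D      # opcode byte of TriCore J disp24 (from the article)
MC7_UC_PREFIX = b"\x70\x0b"  # leading bytes of the MC7 unconditional jump (from the article)


@dataclass
class Region:
    start: int    # inclusive byte offset
    end: int      # exclusive byte offset
    verdict: str  # "tricore", "mc7" or "data"


def count_markers(chunk: bytes) -> tuple[int, int]:
    """Count both jump markers in one window.

    TriCore instructions are halfword aligned and little-endian, so the opcode
    byte of a 32-bit J sits at an even offset; only even offsets are tested.
    The article does not state MC7 alignment, so the 0x70 0x0B pair is tested
    at every offset (assumption; errs towards not missing hits).
    """
    tricore = sum(1 for i in range(0, len(chunk), 2) if chunk[i] == TRICORE_J_OPCODE)
    mc7 = chunk.count(MC7_UC_PREFIX)
    return tricore, mc7


def classify(tricore_hits: int, mc7_hits: int, tricore_min: int = 3, mc7_min: int = 2) -> str:
    """Thresholds are assumptions tuned for 256-byte windows. In random bytes a
    0x1D at an even offset occurs about 0.5 times per window and 0x70 0x0B about
    0.004 times, so both minimums sit well above noise. MC7 is tested first
    because its two-byte marker is the rarer accidental match."""
    if mc7_hits >= mc7_min:
        return "mc7"
    if tricore_hits >= tricore_min:
        return "tricore"
    return "data"


def scan(blob: bytes, window: int = 256) -> list[Region]:
    """Classify fixed-size windows and merge neighbours with the same verdict."""
    if window % 2:
        raise ValueError("window must be even to preserve halfword alignment")
    regions: list[Region] = []
    for off in range(0, len(blob), window):
        end = min(off + window, len(blob))
        verdict = classify(*count_markers(blob[off:end]))
        if regions and regions[-1].verdict == verdict:
            regions[-1].end = end
        else:
            regions.append(Region(off, end, verdict))
    return regions


def build_sample_dump() -> bytes:
    """Constructed input, not an S7-400 image: 1 KiB of zero filler with a
    TriCore J every 32 bytes, 1 KiB of zero filler with an MC7 UC every
    32 bytes, then 512 bytes of zeros standing in for data."""
    native = bytearray(1024)
    for off in range(0, len(native), 32):
        native[off:off + 4] = bytes([TRICORE_J_OPCODE, 0x00, 0x00, 0x00])  # J, zero displacement
    user_program = bytearray(1024)
    for off in range(0, len(user_program), 32):
        user_program[off:off + 4] = MC7_UC_PREFIX + b"\x00\x00"
    return bytes(native) + bytes(user_program) + bytes(512)


if __name__ == "__main__":
    for r in scan(build_sample_dump()):
        print(f"{r.start:#08x}-{r.end:#08x} {r.verdict}")
```

This is a triage heuristic, not a disassembler: a 0x1D byte can legitimately appear inside MC7 operands and a 0x70 0x0B pair inside TriCore immediates, which is why the classifier works on densities per window rather than single hits. Treat its output as a starting point for where to aim a real TriCore disassembler and where to start reverse engineering the MC7 interpreter.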

2.1.3. Pure Software Simulation with OpenPLC

Are there no other routes to PLC virtualization? Besides the steep technical paths above, another approach in the industry is to simulate the PLC entirely in software, and the open-source OpenPLC is the typical example. The name has an older history than the present-day open-source project, and it arose from a practical industrial problem. In 1995 the power dispatch centre of Maanshan Iron and Steel Company in China needed to monitor energy and power signals from the power plant, the water plant, the gas plant and the power supply department (responsible for power transmission). The control systems of these four sources, including the hundreds of substations, booster stations and pumping stations in their transmission networks, were incompatible; some were proprietary systems without documented protocols, for which no developers could be found. Beyond communication incompatibility, their control structures differed widely: the power plant had a DCS-like structure, the water and gas plants used PLCs, and the power supply department used SCADA, which made the systems hard for integration staff to understand. The project did not use OpenPLC (nothing of the kind existed yet), but its requirements led to the proposal. In the OpenPLC paper the authors proposed a novel open control system to address a common problem in both process control and discrete manufacturing: the interconnection of systems with differing control requirements. Because it was meant to apply to as many different applications as possible, it was named the Open Programmable Logic Controller, OpenPLC for short. The system was conceived in 1995 and its design philosophy was largely finalized by 1997. The open-source OpenPLC runtime discussed further below is a separate, later project that shares the name; the design principles of the 1997 proposal are nonetheless worth listing:

1. OpenPLC should be PC-based, with work that benefits from PC capabilities (networking, external connectivity, optimization, expert systems, user interfaces, data monitoring, logging and printing) handled by the PC-based part of the system;

2. At the lower level, where high reliability and real-time control are required, a distributed control system takes over. Unlike a fieldbus, it is not centred on intelligent instruments: the instruments remain ordinary instruments, but the I/O and control units are placed in the field, and what is transmitted back to the central control room is a digital signal rather than a 4-20 mA analog signal, so the original instruments remain usable.

3. Where I/O points are highly concentrated, a cabinet or rack similar to a DCS or PLC can be used, with internal modules connected by bus or network. The whole system should be highly reliable as well as compatible and open.

4. The system should be truly distributed, with the front end either centralized or spread over hundreds of metres, kilometres or even thousands of kilometres (the other side of the earth). The system therefore needs a TCP/IP-compatible protocol and a web server.

5. The scale can range from a few dozen points to several thousand or even hundreds of thousands of points, and growth in I/O count should not require major changes to the system.

The open-source OpenPLC runtime emulates a PLC on Linux and runs on common architectures. Bringing it into existing virtualization infrastructure is simple, because it compiles and installs readily on x86 Linux. OpenPLC has matured considerably over the years and is gradually being applied in various fields.

In conclusion, whether it is new PLC virtualization based on "hardware reconfiguration and software definition", virtualization of traditional PLC devices, or pure software implementations like OpenPLC, all point the same way: PLCs must be transformed and reborn under new architectures. As technology advances, PLC virtualization hardware and software are approaching the maturity of engineering-grade products and solutions. The conditions for PLC virtualization are gradually being met, and it will inevitably arrive, though perhaps not under that name, or as an entirely new concept by then.

2.2. The Social Value and Business Models Created by PLC Virtualization

The technical advantages and benefits of PLC virtualization are self-evident and need no further elaboration. Its social value and the business models it enables are, however, the inexhaustible driving force for the industrial sector in the Industrial Internet or Industry 4.0 era. From the user's perspective, adopting PLC virtualization lets any organization or individual stand on the shoulders of giants instead of reinventing the wheel: software and service construction becomes far more efficient, applications are architected and deployed faster, and cloud resources that are switched on and scaled on demand save enterprises significant cost. On the business side, products and services built on PLC virtualization fit the needs of the new industrial internet or Industry 4.0 era well. A control-system "brain" that is standardized, modular, software-defined and increasingly AI-assisted lowers the entry barrier for customers, while the stability, flexibility and convenience of the underlying technical infrastructure bring strong customer stickiness. Add the economies of scale of cloud computing and large data centres, and IoT and industrial internet offerings based on PLC virtualization become a good business with an excellent B2B model.


03 Summary

PLC virtualization is not only a business proposition; it also changes the security architecture and governance model of existing industrial control systems at a fundamental level. Just as the virtualization of traditional information systems brought security advantages, a virtualized PLC stack offers advantages in network security that a closed hardware controller cannot. PLC network I/O can be built on SDN, giving fine-grained control of east-west traffic, full-traffic inspection, controlled forwarding and secured links in a zero-trust network. One could even build a blockchain-based industrial security system on top. Industrial control firewalls can be placed both inside the virtual PLC and in front of it, filtering traffic entering and leaving the controller, something that is hard to retrofit onto a hardware PLC. The caveat a practitioner should add is that consolidation also concentrates risk: the hypervisor, the host operating system and the virtualization management plane become part of every virtual controller's trust base, and compromising them compromises all controllers at once. The security gains therefore depend on hardening that layer (a minimal host, attested boot, an isolated management network) at least as carefully as the controllers themselves. With that condition met, the PLC virtualization architecture is more robust from a network security perspective than current industrial control systems.
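The "industrial control software firewall at the front end of the PLC" described above is a concrete thing once the PLC is virtual: a filtering hop on the host that understands the controller's protocol. The example below is added here and is not code from the article, from OpenPLC or from any vendor. It assumes the virtual PLC is the OpenPLC runtime of section 2.1.3, which serves Modbus/TCP on port 502 by default, and it filters inbound requests by source address and Modbus function code (reads allowed for the HMI, writes only for the engineering workstation) after checking that the MBAP header agrees with the bytes actually on the wire. The addresses, policy and captured frames are constructed for the example.

```python
"""Modbus/TCP request filter for a virtual PLC (added example, not article code).

Assumptions, all constructed for this example: the virtual PLC is an OpenPLC
runtime listening on TCP/502, 10.0.0.10 is the engineering workstation,
10.0.0.20 is the HMI, and every other host is untrusted. SAMPLE_CAPTURE is
built here, not captured from a real plant.
"""
import struct
from dataclasses import dataclass

READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}   # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # write single/multiple coils and registers

# Per-source allow-list of Modbus function codes (hypothetical addresses).
POLICY: dict[str, set[int]] = {
    "10.0.0.10": READ_FUNCTIONS | WRITE_FUNCTIONS,  # engineering workstation
    "10.0.0.20": READ_FUNCTIONS,                    # HMI / historian: read-only
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code, rejecting frames whose
    header fields disagree with the bytes actually present."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit, function = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # The MBAP length field counts the unit id plus the PDU: everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit, function, frame[8:])


def decide(src_ip: str, frame: bytes, policy: dict[str, set[int]] = POLICY) -> tuple[str, str]:
    """Return ("ACCEPT" | "DROP", reason) for one request from src_ip."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "DROP", f"malformed frame: {exc}"
    allowed = policy.get(src_ip)
    if allowed is None:
        return "DROP", f"{src_ip} is not in the allow-list"
    if req.function not in allowed:
        return "DROP", f"{src_ip} may not use function {req.function:#04x}"
    return "ACCEPT", f"{src_ip} function {req.function:#04x} unit {req.unit_id}"


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: (source ip, raw frame).
SAMPLE_CAPTURE: list[tuple[str, bytes]] = [
    ("10.0.0.20", build_request(1, 1, 0x01, struct.pack(">HH", 0, 16))),      # HMI reads 16 coils
    ("10.0.0.20", build_request(2, 1, 0x05, struct.pack(">HH", 3, 0xFF00))),  # HMI tries to force coil 3
    ("10.0.0.10", build_request(3, 1, 0x10, struct.pack(">HHB", 0, 1, 2) + b"\x00\x2a")),  # engineer writes reg 0
    ("10.0.0.99", build_request(4, 1, 0x03, struct.pack(">HH", 0, 10))),      # unknown host reads registers
    ("10.0.0.10", build_request(5, 1, 0x03, struct.pack(">HH", 0, 10))[:6]),  # truncated frame
    ("10.0.0.10", b"\x00\x06\x00\x00\x00\x30\x01\x03\x00\x00\x00\x0a"),        # length field lies (0x30)
]


def filter_capture(capture=SAMPLE_CAPTURE, policy=POLICY) -> list[str]:
    """Apply the policy to every frame and return the verdicts in order."""
    return [decide(src, frame, policy)[0] for src, frame in capture]


if __name__ == "__main__":
    for src, frame in SAMPLE_CAPTURE:
        verdict, reason = decide(src, frame)
        print(f"{verdict:6} {reason}")
```

Two points follow from running this against the constructed capture. First, Modbus/TCP carries no authentication, so a source-address allow-list is only as strong as the layer-2 and SDN controls around it; it stops misconfigured or read-only hosts from writing, not a host that can spoof the engineering workstation's address. Second, the filter itself joins the trust base of every controller behind it, which is exactly the concentration-of-risk caveat above: place it in the virtual PLC's own network namespace or a dedicated filtering hop, keep it minimal, and log every DROP as a detection signal.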

