Ultimaker places high value on privacy. The starting point for Ultimaker's approach to privacy and security is the set of risks our customers face. When designing, developing and maintaining our products & services, Ultimaker takes all justifiable measures to prevent:
- Loss of confidential information, like print files or personal data stored in Ultimaker systems
- Business process interruption, for example through the use of Ultimaker devices or applications as a stepping stone into customer systems and infrastructure
- Reduction of print quality, affecting customer processes that rely on parts printed via Ultimaker systems
- Unauthorized usage of customer data, products and services
In this article:
- Security assets
- Ultimaker Digital Factory security
- Ultimaker Cura security
- Ultimaker Printer security
- FAQ: Network and security protocols utilized by Ultimaker printers and Digital Factory
Ultimaker distinguishes three major assets in security:
- Ultimaker Digital Factory
- Ultimaker Cura
- Ultimaker Printers
For each of these assets you will find a separate section with specific security details in this document.
ISO/IEC 27001 is the starting point for managing security risks. Work is in progress to deploy an Information Security Management System (ISMS) and have it externally certified in late 2021.
ISA/IEC 62443-4-2 is the guideline for securing our printers and related software services. This industrial security standard defines specific technical requirements for components to mitigate customer risks.
Where we do not yet meet all ISA/IEC 62443-4-2 requirements or customer-specific security requirements, we will, where reasonably possible, support our customers in taking additional measures to meet their security requirements.
Third party security assessments
Products & services are assessed by a third party to validate that the result of our design, development and maintenance efforts adequately mitigates privacy and security risks. Security assessments are conducted on a recurring basis, at least every six months.
The goal of these assessments is to identify potential vulnerabilities in Ultimaker software and services, and to provide advice for addressing any weaknesses found.
Resolutions suggested by an assessment are implemented, at least for findings rated 'medium' or higher, and also for findings rated 'low' that are easy to implement.
There are known vulnerabilities in the direct connection between Ultimaker Cura and printers over the local network:
- The local connection is not encrypted. Customers are recommended to use Ultimaker Digital Factory to secure the connection between Ultimaker Cura and printers, and to activate the firewall on the printer
- There is no authorization in place. Anyone with access to the same network segment can access the printer web server and APIs. Customers who want only authorized users to access the printer are recommended to use Ultimaker Digital Factory and activate the firewall on the printer. As an alternative, customers can apply local mitigation (for example network segmentation or access control lists) to limit who can reach the printer
The same recommendation applies to https://www.cve.org/CVERecord?id=CVE-2021-34086 and https://www.cve.org/CVERecord?id=CVE-2021-34087. Customers using Ultimaker Digital Factory with the firewall active on the printer are not exposed to these vulnerabilities. Customers may also apply local mitigation to limit printer access. Customers should never expose Ultimaker printers to the public internet.
At Ultimaker, we consider security of our Cloud platform a top priority. No matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, please let us know as soon as possible via email@example.com. Please do not take advantage of the vulnerability and do not reveal the problem to others. To allow us to resolve the issue, please do provide us with sufficient information to reproduce the problem.
Ultimaker Digital Factory security
Ultimaker Digital Factory contains user-submitted information across several services. These services support functionality in Ultimaker Cura, Ultimaker Digital Factory and other cloud products.
Information submitted to Ultimaker Cloud is kept private and will be shared with Ultimaker or trusted third parties only after the user gives explicit consent. More information can be found in the chapters about data sharing and classification.
Information submitted to Ultimaker Cloud is encrypted in transit and at rest. More information can be found in the chapters about network and data center security.
Ultimaker Cloud hosts separate types of information: public, private, and private until consent is given.
- Public information refers to information like your username, which is publicly visible to other users when using services like the Ultimaker Marketplace and Ultimaker Community
- Private information refers to information such as your email address, password, or usage patterns. This information is not shared with other parties
- Private until consent is given applies to data being shared with third parties that integrate with the Ultimaker Cloud by means of OAuth 2.0. Prior to giving consent users will be presented with a screen that explains which data they are sharing and who they are sharing it with
Ultimaker differentiates between product and process data. Product data is related to the printed object and process data is related to the process of printing this object. Ultimaker services are designed in such a way that the two data types are processed separately and independently from each other. This means that customers can choose to only upload process data to Ultimaker Cloud and keep their product data on-premise.
All cloud-based data, including, but not limited to, 3D files, G-code, Ultimaker Connect group statuses, and Ultimaker Marketplace source files, are transferred over HTTPS (TLS 1.2) connections using certificates with industry-standard 2048-bit RSA keys. You can find a full report here.
Note: Connections between workstations running Ultimaker Cura and Ultimaker Connect within a local area network are not encrypted.
Data center security
Ultimaker Cloud stores its data on the Google Cloud Platform (GCP). With GCP the data is stored redundantly across multiple devices, across multiple environmentally controlled facilities. These facilities use multiple levels of biometric security for physical access, as well as full encryption and sharding of all data at rest. All Ultimaker Cloud data centers are in the European Union.
Note: Ultimaker does not use any consumer services from Google and has contracts in place to ensure all Ultimaker data are kept private. Ultimaker uses the Virtual Private Cloud (VPC) functionality of GCP to segregate all network traffic. More details about security and privacy at Google Cloud can be found here.
Ultimaker Cloud inherits the reliability of Google Cloud. More details can be found here. In addition, data is backed up every three hours; backups are encrypted and stored offline. In the unlikely event of data loss, Ultimaker is able to recover the data. Restore is tested on a regular basis, and additionally whenever a change with major impact that cannot be reverted is deployed and a restore is required.
Note: Backup is not available for any data intentionally deleted. Once you have deleted your data this cannot be recovered.
Ultimaker cloud applications and services are subject to continuous maintenance and automated security testing. These procedures ensure that data center software is kept up to date, and that application dependencies are kept up to date and scanned for known vulnerabilities and exploits.
Ultimaker grants access to data stored in the cloud by using the “principle of least privilege” through appropriate access control roles on a “need to know” basis. Sensitive information is redacted in application logging to ensure engineers cannot get access to this information.
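As an illustration of the log-redaction practice just described, the following Python logging filter is an added example and not Ultimaker's code: it masks e-mail addresses, bearer tokens and password/secret/API-key/token key-value pairs in a log record before any handler formats it. The regular expressions, logger name and sample messages are constructed for this example.

```python
import logging
import re

# Added example, not Ultimaker code. Patterns are constructed for illustration;
# extend them for the identifiers that are sensitive in your own system.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*")
# key=value or "key": "value" where the key names a credential
SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|token)"
    r"(\s*[\"']?\s*[=:]\s*[\"']?)([^\s\"',;]+)"
)


def redact(text: str) -> str:
    """Return text with e-mail addresses and credentials replaced by placeholders."""
    text = BEARER_RE.sub(r"\1[REDACTED_TOKEN]", text)
    text = SECRET_KV_RE.sub(r"\1\2[REDACTED]", text)
    text = EMAIL_RE.sub("[REDACTED_EMAIL]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites a LogRecord in place so no handler ever formats the raw values."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message once with its args, redact the result, and drop
        # the args so a handler cannot re-apply %-formatting to the originals.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # keep the (now redacted) record


def render_redacted(msg: str, *args) -> str:
    """Run a message with %-args through the filter and return what a handler would see."""
    record = logging.LogRecord("example", logging.INFO, "example.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def build_logger(name: str = "app") -> logging.Logger:
    """Logger whose handler redacts everything that passes through it.

    The filter is attached to the handler, not the logger: a filter on a
    logger does not run for records propagated up from child loggers,
    whereas a handler filter sees every record the handler emits.
    """
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        handler.addFilter(RedactingFilter())
        logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    log = build_logger()
    # Constructed sample messages of the kind an application might log
    log.info("login failed for %s", "alice@example.com")
    log.info("upstream call: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig")
    log.info('config loaded: {"api_key": "AKIA123456", "region": "eu-west"}')
```

Redacting in the filter rather than in the formatter means structured-logging exporters, exception hooks and any second handler added later all receive the already-masked message.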
Application code is reviewed by at least one engineer other than the original author to ensure quality and the absence of known vulnerabilities. Furthermore, automated deployments prevent engineers from running application software manually in production without going through the proper processes.
Cancelling your account
If an Ultimaker account is canceled, the account’s data will be deleted as part of the cancelation process. If you wish to migrate or download your data, you can arrange for this service prior to cancelation. Deleted data is unrecoverable by design.
For more detailed information about security in the Ultimaker Cloud, or to cancel your account contact us at any time by submitting a request.
Ultimaker Cura security
Ultimaker Cura is our slicing software. It is available in two variants:
- Regular (or Open) Ultimaker Cura, publicly available via ultimaker.com
- Ultimaker Cura Enterprise, available for businesses with a paid software subscription - either Ultimaker Essentials, Professional or Excellence.
Ultimaker Cura and Enterprise security
Ultimaker Cura Enterprise offers slicing features and security similar to the open Cura, but also addresses business-specific needs:
- Cura Enterprise can be deployed, configured and managed across multiple work stations. Currently it is provided in .msi format, for Microsoft Windows only.
- Ultimaker Cura Enterprise receives two updates a year. These are thoroughly tested by our community and ensure the most stable desktop application. We support updates for 12 months after release, including security patches and critical bug fixes.
- Each release of Cura Enterprise is independently scanned, tested, and analyzed for vulnerabilities.
- In Cura Enterprise, the marketplace is only available after authentication and authorisation via your Ultimaker account.
- The marketplace of Ultimaker Cura Enterprise contains only validated, security-assessed plugins
- Cura Enterprise fully integrates with the Ultimaker Digital Factory, only after authentication and authorization via the Ultimaker Account.
For these reasons, Ultimaker Cura Enterprise is the preferred version from a security perspective. Each release is security assessed, and actions are taken according to the risk profile.
Both Cura variants can be used completely offline if this is your preference - with the exception for downloading plugins that you may need to meet your specific requirements.
Ultimaker Printer security
We distinguish two levels of security with corresponding measures: Cloud Connected and Local (please also refer to the picture below). As of firmware version 6.0 (for S-line printers only) the security level can be managed by enabling or disabling the firewall, either via the local GUI or via Digital Factory behind additional authorisation (for customers with a software subscription only).
Cloud Connected (firewall enabled)
- Encrypted connection (outgoing only) over a WebSocket between the Ultimaker printer / Cura desktop software and Ultimaker Digital Factory
- Ultimaker Digital Factory and printer access only for authorized users (via Teams in Digital Factory)
Local (firewall disabled)
- No internet connection required for printing
- Unencrypted connection between Cura Desktop software and Ultimaker printer
- Any user in same network segment can access Ultimaker printer
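The "local mitigation" mentioned for the Local (firewall disabled) level, and earlier for the known vulnerabilities in the direct Cura-to-printer connection, is network-level access control. The following nftables ruleset is an added example, not Ultimaker's configuration: it runs on a Linux gateway that routes between a workstation VLAN and a printer VLAN and lets only the listed Cura workstations reach the printer, while nothing from the internet can reach it at all. The addresses, interface names and the assumption that the printer's web server and API listen on TCP port 80 are hypothetical; the page does not state the port, so confirm it for your printer and substitute your own ranges.

```nft
#!/usr/sbin/nft -f
# Added example (not Ultimaker's configuration). Assumptions, all hypothetical:
#   10.10.30.0/24  printer VLAN (printer at 10.10.30.5) behind interface vlan30
#   10.10.20.0/24  workstation VLAN behind interface vlan20
#   wan0           interface towards the internet
#   tcp/80         port the printer web server / API is assumed to listen on
# Load with:  nft -f printer-acl.nft

add table inet printer_acl
flush table inet printer_acl

table inet printer_acl {
    # Only these workstations may talk to the printer. Everything else on the
    # network (and anything routed in from the internet) is dropped.
    set cura_workstations {
        type ipv4_addr
        elements = { 10.10.20.11, 10.10.20.12 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed
        ct state established,related accept

        # Weak setting, left commented out for contrast: this reproduces
        # "any user in the same network can access the printer".
        # ip daddr 10.10.30.5 tcp dport 80 accept

        # Hardened: only the allowlisted workstations, only to the API port
        iifname "vlan20" ip saddr @cura_workstations ip daddr 10.10.30.5 tcp dport 80 accept

        # The printer may open outbound HTTPS (e.g. to Digital Factory when it is
        # cloud connected); it may not initiate anything towards workstations.
        iifname "vlan30" oifname "wan0" ip saddr 10.10.30.5 tcp dport 443 accept

        # Everything else, including any inbound connection from the internet
        # to the printer, is dropped and counted for later review.
        counter drop
    }
}
```

Two caveats when applying this. The ruleset only governs routed traffic, so the printer needs its own segment with no other hosts on it, otherwise neighbours still reach it directly. And Cura's automatic discovery of printers on the local network does not cross VLANs, so the printer has to be added in Cura by its IP address; if the printer is cloud connected it will also need DNS (and any other outbound service it uses) allowed in the same way as the HTTPS rule.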