In this document, you will find details about the security functions supported by Ultimaker products & services, both in default mode and with active firewall/settings protection, following the structure provided by ISA/IEC 62443-4-2.
This document should allow you to define to what extent these functions meet your security requirements. In case of any question, please raise a support ticket.
Please note that by default – and by design – Ultimaker 3D printers are open. Anyone with physical or network access has full control over the printer. To increase the level of security, you should activate the firewall on the Ultimaker 3D printer and protect your 3D printer settings by using the Ultimaker Digital Factory.
Note: Exception is for the Ultimaker 2+ Connect, which only supports printing via Ultimaker Digital Factory (or USB) and has an active firewall by default.
Identification & Authentication
- Printers in default mode do not support identification, authentication, and use control via the printer UI or when accessing the printer via a local network. Anyone with physical or network access has full control over the printer. When printers are connected to the Ultimaker Digital Factory, this still applies as long as the printer's firewall is not enabled. Anyone with access to the same network segment (wired or wireless) can access the printer.
- One exception is for a printer in “developer mode”, which can be activated via printer settings. Developer mode enables an SSH server that requires a username and password. By default, these are standard usernames and passwords, and customers are advised to update these passwords when activating developer mode (no password restrictions, minimal feedback for failed attempts, no restrictions on failed attempts, no system use notification).
- An exception also applies for printer APIs. In order for a user to use any of the PUT/POST/DELETE APIs, authentication is required. Authentication is done with HTTP digest (RFC 2617).
- To enable identification, authentication, and use control for printing, the firewall between printer and local network can be activated by an admin user via the Ultimaker Digital Factory. Once the firewall is enabled, the printer can no longer be accessed via a local network. To access the printer, you would then need a user account with access to the Ultimaker Digital Factory environment for your organization (created by an admin user) and the printer must be shared with you by the printer owner or an admin user.
- Printer settings via local UI can be protected with a generic PIN code (6 digits, no further restrictions, minimal feedback for failed attempts, no restrictions on failed attempts, no system use notification) to be shared offline only with authorized users (hence no user identification). This protection can be activated via the Ultimaker Digital Factory by an admin user.
- By default, printers do not support identification, authentication, and use control. Printers should only be connected to a trusted network (and not to public internet). This also applies when the firewall is enabled.
- Cura users are uniquely identified and authenticated, but only when printing via the Ultimaker Digital Factory and when material profiles are downloaded and software plugins are installed via the Ultimaker Marketplace. When printing via a local network or USB, users are not identified and authenticated.
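The HTTP digest scheme (RFC 2617) named above for the printer's PUT/POST/DELETE calls, as an added example that is not Ultimaker code: it computes the digest `response` value and shows that with `qop=auth` the request body is not covered by it, which matters because local-network traffic is unencrypted. This document does not state which `qop` mode the printer uses; the user name, realm, secret and `/api/placeholder` path are constructed placeholders, and the first function reuses the example values printed in RFC 2617.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth", body=b""):
    """RFC 2617 section 3.2.2 'response' value for qop=auth or qop=auth-int."""
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    if qop == "auth":
        a2 = f"{method}:{uri}"                    # body is not part of A2
    elif qop == "auth-int":
        a2 = f"{method}:{uri}:{md5_hex(body)}"    # body hash is part of A2
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def rfc2617_example() -> str:
    """Recompute the worked example printed in RFC 2617 section 3.5."""
    return digest_response(
        username="Mufasa", realm="testrealm@host.com",
        password="Circle Of Life", method="GET", uri="/dir/index.html",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        nc="00000001", cnonce="0a4f113b", qop="auth")


def body_tamper_detected(qop: str) -> bool:
    """Would a server that recomputes the digest notice a changed body?"""
    # Constructed sample request; every value here is a placeholder.
    common = dict(username="operator", realm="printer",
                  password="example-secret", method="PUT",
                  uri="/api/placeholder", nonce="a1b2c3",
                  nc="00000001", cnonce="d4e5f6", qop=qop)
    sent = digest_response(body=b'{"value": 1}', **common)
    # The server sees a different body but the same Authorization header.
    recomputed = digest_response(body=b'{"value": 999}', **common)
    return not hmac.compare_digest(sent, recomputed)


if __name__ == "__main__":
    print("RFC 2617 example response:", rfc2617_example())
    for mode in ("auth", "auth-int"):
        print(f"qop={mode}: body change detected = {body_tamper_detected(mode)}")
```

Digest authentication keeps the password off the wire, but it does not encrypt the request, and only `auth-int` binds the body to the credential.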
Ultimaker Digital Factory
- When communicating with our cloud-based services such as Ultimaker Digital Factory, users (people or automated systems) authenticate themselves via an account known to our account service, using OAuth2. Once a valid OAuth2 token is acquired, it is passed to our cloud services to authenticate each call.
- User authentication is done via a password (at least 8 characters, no further restrictions, minimal feedback for failed attempts, no system use notification) and optional Multi Factor Authentication (via Google Authenticator or similar). To protect against brute force attacks (numerous login attempts), the rate at which attempts can be made is limited.
- When a printer is connected to the Ultimaker Digital Factory, it is provided with a shared secret which is used during later reconnections to verify that the same printer is reconnecting. A symmetric key-based authentication is used for initially connecting printers to the Ultimaker Digital Factory (random 6-digit key, valid for only 10 minutes), where the printer UI shows the key which must be entered using the Ultimaker Digital Factory.
- User accounts are managed by authorized users (admin role) that can invite/remove users and provide/withdraw the admin role. Federated Single Sign-On is supported (Azure Active Directory, others pending technical review), but access depends on your software subscription level (paid service).
- By default, no authorization is in place and anyone with physical or network access has full control over the printer.
- After connecting the printer to the Ultimaker Digital Factory (via wired or wireless connection) and activating the firewall on the printer, only users who are identified, authenticated, and authorized via the Ultimaker Digital Factory can access the printer, with the exception of the local printer UI (accessible for anyone with physical access).
- Settings via local printer UI can be protected with a generic PIN code. Only authorized users (admin role) can activate the PIN code and the firewall via the Ultimaker Digital Factory. A session on the local printer UI is terminated after 30 minutes or after leaving settings.
- Users can upload print files and material profiles to the printer to control printer behavior (when printing an object).
- a) Code is executed without initial review – thresholds still apply (temperature, physical movement) during execution.
- b) Only authorized users can upload files to the printer via the Ultimaker Digital Factory – though anyone with physical access to the printer can upload files via USB.
- c) The integrity of these files is not verified.
- The printer does not generate audit records relevant to security as required, even though many events are logged (which can be manipulated).
- Authorization mechanisms only apply to Ultimaker Cura users printing via the Ultimaker Digital Factory and when downloading material profiles and software plugins via the Ultimaker Marketplace.
- a) Material profile and plugin code has been reviewed by Ultimaker. Selected profiles are also assessed by a third party from a security perspective.
- b) Ultimaker Cura Enterprise only allows users to install selected plugins that have been assessed by a third party from a security perspective.
- c) Material profiles and plugins include an integrity check.
- Ultimaker Cura Enterprise is installed in such a way that a non-administrator user is not able to access the installation of Ultimaker Cura itself (its basic files or directories). As a result, “side loading” of plugins is blocked.
- It can be assumed that users do not have access to their own configuration folder, which may include plugins, materials (and other definitions) and/or scripts.
- Given this, users should not be able to successfully act maliciously or destabilize the system in a significant manner, either through the use of Ultimaker Cura, and/or by manipulation of files or folders read by Ultimaker Cura, and/or with the help of components that are installed through an Ultimaker Cura installation.
- Ultimaker Cura relies on desktop settings for session lock. No session lock for Ultimaker Cura itself applies.
- Ultimaker Cura does not generate audit records relevant to security as required, even though many events are logged (which can be manipulated).
Ultimaker Digital Factory
- Authorization mechanisms apply to Ultimaker Digital Factory users, with separation between admin, member, and guest users for those users who are part of an organization.
- Ultimaker Digital Factory relies primarily on desktop settings for session lock. In addition, a session is terminated after 14 days.
- Only admin users can:
- Invite other users to join an organization and provide other users with admin role.
- Activate a printer’s PIN code (to protect printer settings via local UI) and a printer’s firewall.
- Only admin and member users can:
- Add printers to Ultimaker Digital Factory and share these with other users.
- Create teams and invite other users.
- Create/edit projects and share these with other users.
- Guest users can’t make any changes to the organization (teams/printers), nor share/edit projects they do not own.
- Ultimaker Digital Factory has normal application logging which is kept for 30 days (which cannot be manipulated). Beyond that, there is no audit quality log available.
- By default, information transmitted to, and received from, Ultimaker Cura (or other local application) via a local network is not encrypted. For this reason, integrity cannot be ensured. The same applies for information transmitted to and received from local USB. When printers are connected to the Ultimaker Digital Factory (and a firewall is activated), information transmitted to and received from the Ultimaker Digital Factory is encrypted to ensure integrity.
- Printer firmware is updated on a regular basis (every 2 months on average) via latest and stable channels. Users are notified via the printer, Ultimaker Cura, and the Ultimaker Digital Factory.
- Any printer firmware release is signed with a private GPG key. The firmware update procedure uses the public GPG key embedded in the firmware to verify the integrity of the new firmware package.
- By default, the printer allows anyone with physical access to the printer to download audit details to USB, and provides access via the printer webserver for anyone with access to the printer's network segment. After connecting to the Ultimaker Digital Factory and activating the firewall, access is provided via the Ultimaker Digital Factory for authorized users only.
- Printer output is deterministic:
- When the printer's network connection goes down, the printer continues to print as long as G-code (or another supported file format) has been received.
- When the power drops and is available again, the print will stop and the user must remove the partially printed object and confirm on the printer that the object was removed.
- When mechanics are blocked, the printer will provide an error message and stop printing (similar to power outage).
- Errors are identified and handled in such a way that no information is provided that can be exploited by adversaries. Anonymous error data can also be shared with Ultimaker. If an error occurs, this gets reported along with the relevant stack trace information leading up to the error. The user has to explicitly turn off sharing anonymous data in the settings on the printer if sharing is not preferred.
- Ultimaker printers are not resistant to physical tampering and no detection is in place, as the assumption is that a printer is in a trusted environment and easy to maintain. The printer's warranty is voided when a printer is opened by unauthorized persons. For physical tamper resistance and detection, the printer relies on additional measures taken by the user.
- Ultimaker printers do not offer a "root of trust" as the public key might be manipulated and malicious firmware can be installed (for users with full access). Also, the integrity and authenticity of the printer boot process is not ensured.
- By default, information transmitted to and received from a printer via a local network is not encrypted. For this reason, integrity cannot be ensured.
- When printing via the Ultimaker Digital Factory, information transmitted to and received from the Ultimaker Digital Factory is encrypted to ensure integrity.
- Ultimaker intends to update Ultimaker Cura on a regular basis (every 2 months on average) via latest and stable channels. Users are notified via Ultimaker Cura. Ultimaker Cura Enterprise is updated only every 6 months.
- The Ultimaker Cura installer is signed with a private key using a signed binary, so we can rely on the OS of the host machine. This includes all the bundled packages. Unbundled packages (plugins, materials, etc.) are signed as well and are checked for integrity on start-up against the public key in the installation.
- The assumption is that slicing in Ultimaker Cura – to prepare the tool path for the printer – is always under human supervision to ensure input is validated. If the user provides a print job that prints at a higher temperature than allowable for the print core, the printer will default the printing temperature to the standby temperature.
- Errors are identified and handled in such a way that no information is provided that can be exploited by adversaries. This was reviewed explicitly during third party security assessments (no issues found).
- Ultimaker Cura stores log details to a user-accessible folder. Users can manipulate log files.
Ultimaker Digital Factory
- Information transmitted to and received from a printer or Ultimaker Cura is encrypted to ensure integrity via HTTPS (TLS 1.2) with industry standard 2048-bit RSA encryption.
- Ultimaker Digital Factory is updated on a continuous basis without user involvement or impact.
- Ultimaker Digital Factory's application code is securely stored when at rest and doesn't leave GCP.
- Ultimaker Digital Factory performs input validation for requests via its web API, and during communication with printers. Ultimaker Digital Factory does not perform any validation of G-code files which it passes through to the printer.
- Errors are identified and handled as much as possible in such a way that no information is provided that can be exploited by adversaries. This was reviewed explicitly during third party security assessments (one issue found and rejected because information is required for working application).
- Ultimaker Digital Factory distinguishes two types of communications sessions:
- 1 - Between browser and cloud services.
- 2 - Between printer and cloud services.
For both types, the integrity is protected. This was reviewed explicitly during third party security assessment (one issue found and rejected as 14 days session duration is preferred).
- Ultimaker Digital Factory saves audit details to folders only available for admin users.
- Data at rest is not encrypted on the printer. Authorized users can access this data (in developer mode). Data in transit over a local network (between a printer and Ultimaker Cura) is also not encrypted, unless the printer is connected to the Ultimaker Digital Factory (TLS 1.2 with 2048-bit RSA encryption, being an internationally recognized and proven security practice) and the firewall is activated.
- Data can be removed from the printer via the factory reset feature on the printer.
Note: Connections between workstations running Ultimaker Cura and Ultimaker Connect within a local area network are not encrypted.
- Data at rest is not encrypted on the desktop. Authorized users can access this data. Data in transit over a local network (between a printer and Ultimaker Cura) is also not encrypted, unless the printer is connected to the Ultimaker Digital Factory (TLS 1.2 with 2048-bit RSA encryption, being an internationally recognized and proven security practice) and the firewall is activated.
- Ultimaker Cura relies on the desktop user to erase information.
Ultimaker Digital Factory
- Data at rest is encrypted. Data in transit (between the Ultimaker Digital Factory and a printer or desktop using Ultimaker Cura) is encrypted (TLS 1.2 with 2048-bit RSA encryption, being an internationally recognized and proven security practice).
- Ultimaker Digital Factory stores its data on the Google Cloud Platform (GCP). With GCP the data is stored redundantly across multiple devices, across multiple environmentally controlled facilities. These facilities use multiple levels of biometric security for physical access, as well as full encryption and sharing of all data at rest. All data centers are in the European Union (EU).
Note: Ultimaker does not use any consumer services from Google and has contracts in place to ensure all Ultimaker data are kept private. Ultimaker uses the Virtual Private Cloud (VPC) functionality of GCP to segregate all network traffic. More details about security and privacy at Google Cloud can be found here.
- Digital Factory hosts separate types of information: public, private, and private until consent is given.
- Public information refers to information like your username, which is publicly visible to other users when using services like the Ultimaker Marketplace and Ultimaker Community.
- Private information refers to information such as your email address, password, or usage patterns. This information is not shared with other parties.
- Private until consent is given applies to data being shared with third parties that integrate with the Ultimaker Cloud by means of OAuth 2.0. Prior to giving consent, users will be presented with a screen that explains which data they are sharing and who they are sharing it with.
- Ultimaker differentiates between product and process data. Product data is related to the printed object and process data is related to the process of printing this object. Ultimaker services are designed in such a way that the two data types are processed separately and independently from each other. This means that customers can choose to only upload process data to Ultimaker cloud services and keep their product data on-premise.
- Ultimaker grants access to data stored in the cloud by using the “principle of least privilege” through appropriate access control roles on a “need to know” basis. Sensitive information is redacted in application logging to ensure Ultimaker engineers cannot get access to this information.
Restricted data flow
- Printers in default mode rely on a local network connection between printer and desktop with Ultimaker Cura – a segmented network might hinder this.
- Printers with an active firewall rely on an internet connection to the Ultimaker Digital Factory – a segmented network might hinder this.
- Printers do not support connecting to the Internet via a proxy (as it is not possible to configure a proxy via the printer user interface (UI) or the Ultimaker Digital Factory).
- Please note, the assumption is that a printer should be on a trusted network and not connected to public internet, even with an active firewall.
No other specifics apply for Ultimaker Cura and the Ultimaker Digital Factory.
Timely response to events
- Printers rely on local separate capabilities to continuously monitor network traffic and printer behavior. No specific monitoring interface is available.
- Ultimaker Cura relies on local separate capabilities to continuously monitor network traffic and desktop behavior.
Ultimaker Digital Factory
- Ultimaker Digital Factory relies on the Google Cloud Platform’s continuous monitoring capabilities. Information for customers is available via https://ultimaker.statuspage.io/.
- Printers must be in a trusted environment to minimize the probability and impact of a "denial of service" attack. During an attack, a printer may not work properly. But after the attack, the printer will be able to continue working again.
- No back-up capabilities are supported for the printer; any object can be reprinted again from Ultimaker Cura or the Ultimaker Digital Factory.
- Printers provide the capability to be configured according to recommended network and security configurations as described in guidelines available via the local UI.
- By default, access to network and security configuration settings via the local UI cannot be restricted. Only when a printer is connected to the Ultimaker Digital Factory can access to network and security configuration settings via the local UI be restricted via PIN code. Access to the USB port cannot be restricted.
- Cura relies on local protection against "denial of service" attacks.
- Cura relies on desktop backup capabilities.
Ultimaker Digital Factory
- Ultimaker Digital Factory relies on Cloudflare to protect access from the internet (being an untrusted network).
- Ultimaker Digital Factory inherits the reliability of Google Cloud. More details can be found here. In addition, data is backed up every three hours, encrypted and stored offline. In the unlikely event of data loss, Ultimaker will be able to recover the data accordingly. Restore is tested on a regular basis when changes with major impact are deployed that cannot be reverted (and a restore is required).
Note: Backup is not available for any data intentionally deleted. Once you have deleted your data this cannot be recovered.