A new practical cybersecurity guide from the National Institute of Standards and Technology (NIST) can help hotel owners reduce the risks to a highly vulnerable and attractive target for hackers: the hotel property management system (PMS), which stores guests' personal information and credit card data.
The three-part guide, formally titled Securing Property Management Systems (NIST Special Publication [SP] 1800-27 a, b and c), shows an approach to securing a PMS. It offers how-to guidance using commercially available products, allowing hotel owners to control and limit access to their PMS and protect guest privacy and payment card information.
"We have demonstrated that cybersecurity risk can be mitigated in and around a property management system using today's technology," said Bill Newhouse of NIST's National Cybersecurity Center of Excellence (NCCoE). "Our practice guide documents how we enabled cybersecurity concepts such as zero trust architecture, moving target defense, tokenization of credit card data, and role-based authentication in a reference design that addresses cybersecurity and privacy risk. We also offer specific use cases to show the functionality of the design."
In recent years attackers have compromised the networks of several major hotel chains, exposing the information of hundreds of millions of guests. According to a recent industry report, hospitality ranked third among industries compromised by cybersecurity breaches in 2019, and the industry suffered 13% of the total incidents. About two-thirds of these breaches were attacks on corporate servers, which often store guest information and communicate with on-site property management systems. Breaches like these can harm corporate reputations, disrupt operations and cause huge financial loss.
The NCCoE collaborated with the hospitality business community and cybersecurity technology providers to build an example system, or "PMS reference design," that simulates a hotel's PMS and connected IT infrastructure, including an electronic payment system and electronic door locks. The design protects data moving within this environment, and it prevents user access to the various systems and services.
While the design uses commercially available technologies to accomplish these goals, the guide does not endorse any particular products. All technologies used in the solution support security standards and guidelines of the NIST Cybersecurity Framework, and the design aligns with the privacy protection activities and desired outcomes of the NIST Privacy Framework.
The practice guide also introduces the tenets and components found in a recent NIST publication on zero trust architecture, a cybersecurity paradigm focused on resource protection. Its premise is that trust is never granted implicitly but must be continually evaluated.
"We offer a look into zero trust that I think can help those in the hospitality sector, who are new to the concept, to better understand what the vendors are offering," Newhouse said.
Zero trust principles mean access is not granted to devices or user accounts based solely on their physical or network location or who owns them. Instead, authentication and authorization of both subject and device are required before users can access a network's resources.
"This publication analyzes and addresses the challenges common to almost all hotels in creating secure data systems," said Robert Braun, a partner at the Los Angeles law firm Jeffer Mangels Butler & Mitchell LLP, who has counseled hotel clients on data breaches and privacy. "Hotels would be well-advised to incorporate its recommendations in their information protection protocols."
The guide's three parts include: NIST SP 1800-27a, the executive summary; NIST SP 1800-27b, Approach, Architecture, and Security Characteristics, aimed at helping program managers identify, understand, assess and mitigate risk; and NIST SP 1800-27c, How-To Guides, which provides specific instructions for building the example implementation, allowing IT professionals to replicate all or parts of this project.
