This article originally appeared on NIST's Cybersecurity Insights blog.
In recent years criminals and other attackers have compromised the networks of several major hospitality companies, exposing the information of hundreds of millions of guests. A hotel property management system (PMS) is a prime target for attackers – it serves as the information technology operations and data management hub of a hotel and could give a criminal access to a trove of valuable data. To address these challenges, NIST’s National Cybersecurity Center of Excellence (NCCoE) collaborated with the hospitality business community and cybersecurity technology providers to demonstrate how to strengthen the cybersecurity of these systems and protect the data they process.
The NCCoE collaborated with leading hospitality organizations and technology vendors to develop an example solution demonstrating how hotels can secure their PMS and its connections to internal and external third-party systems such as electronic room-key systems, onsite vendor technologies like restaurant and banquet cash registers, guest Wi-Fi, and smart rooms.
This project’s goal is to share best practices for protecting a PMS ecosystem by applying the modular example solutions presented in Securing Property Management Systems, using commercially available technology that hospitality property owners and managers can implement.
Practitioners will find value in the featured cybersecurity approaches, which include the tenets of zero trust security, moving target defense, tokenization of credit card data, and role-based authentication to help reduce the risk of a network intrusion compromising the PMS. This guide describes risk reduction in terms found in the NIST Cybersecurity Framework and offers a brief exploration of the NIST Privacy Framework.
The draft practice guide covers how to:
- ensure only personnel with a business need are able to access the PMS
- increase overall PMS security situational awareness, and
- limit PMS exposure during incidents in systems that interface with it
According to Morphisec’s Hospitality Guest Threat Index, approximately 70 percent of consumers don’t feel confident about hotels’ current investments in cybersecurity. Proactively addressing this challenge is an investment that will assist in earning the trust of the most valued part of your business – your customers.
The team that created the guide is interested in receiving feedback on whether the topics and solutions proposed are useful to you and your hotel's security team. Share your thoughts during the project’s public comment period, and join our Community of Interest, where hospitality industry professionals share business insights, technical expertise, challenges, and perspectives to help guide NCCoE projects.