NCCoE and Industry Collaborate to Secure Property Management Systems for the Hospitality Sector

CryptoniteNXT, ForeScout, Häfele America, Remediant, StrongKey, and TDi Technologies have joined the National Cybersecurity Center of Excellence (NCCoE) as technology collaborators in the Securing Property Management Systems project.* In response to a call in the Federal Register, these companies submitted capabilities that aligned with desired solution characteristics listed in the project description. The technology collaborators were extended a Cooperative Research and Development Agreement (CRADA; see example) enabling them to participate in a consortium where they will contribute expertise and hardware or software to help refine a reference design and build an example standards-based implementation. This collaboration will result in a publicly available Cybersecurity Practice Guide (NIST Special Publication 1800 series) that will document a reference design for hospitality organizations to improve the cybersecurity within and around a property management system (PMS).

Increasing Reliance on Technology in the Hospitality Sector

The role of technology in the hospitality industry is growing rapidly, and the PMS is increasingly integrated with systems and services that extend well beyond front desk operations. As the operations hub, the PMS interfaces with services and components within a property’s IT systems, such as Point-of-Sale systems, door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of connections, external business partners’ components and services are also typically connected to the PMS, such as on-site spas or restaurants, online travel agents, and customer relationship management partners or applications. This expanding PMS ecosystem provides a wider attack surface for vulnerabilities to be exploited by malicious actors. Improper configuration of the diverse applications that connect to or run through a PMS can create cybersecurity vulnerabilities.

Advancing the State of Cybersecurity for Hospitality Organizations

The NCCoE is working closely with the hospitality business community, managed security service providers, and cybersecurity technology vendors to develop a standards-based reference design that aims to advance the cybersecurity of property management systems and to demonstrate:

  • system protection and authentication with enforcement that will help prevent damage to PMS functionality and security
  • data protection and encryption to reduce the risk of a data breach of guest payment card information or personally identifiable information, and to protect the confidentiality and integrity of system data
  • auditing and analytics such as complete, real-time auditing and reporting of user activity

In partnership with technology collaborators, the NCCoE will build the reference design in a lab environment. The following diagram depicts the reference design’s high-level architecture.

The reference design will use commercially available products from the project’s technology collaborators—CryptoniteNXT, ForeScout, Häfele America, Remediant, StrongKey, and TDi Technologies—along with open source products.

How to Participate

Interested parties are encouraged to engage with us through our project web page.

If you have additional comments, questions, or would like to join the Community of Interest helping to guide this project and provide feedback, please email us at hospitality-nccoe@nist.gov.

*Certain commercial entities, equipment, products, or materials may be identified to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.