A new practical cybersecurity guide from the National Institute of Standards and Technology (NIST) can help hotel owners reduce the risks to a highly vulnerable and attractive target for hackers: the hotel property management system (PMS), which stores guests’ personal information and credit card data.
The three-part guide, formally titled Securing Property Management Systems (NIST Special Publication [SP] 1800-27, volumes A, B and C), shows an approach to securing a PMS. It offers how-to guidance built on commercially available products, allowing hotel owners to control and limit access to their PMS and to protect guest privacy and payment card information.
“We have demonstrated that cybersecurity risk can be mitigated in and around a property management system using today’s technology,” said Bill Newhouse of NIST’s National Cybersecurity Center of Excellence (NCCoE). “Our practice guide documents how we enabled cybersecurity concepts such as zero trust architecture, moving target defense, tokenization of credit card data, and role-based authentication in a reference design that addresses cybersecurity and privacy risk. We also offer specific use cases to show the functionality of the design.”
In recent years attackers have compromised the networks of several major hotel chains, exposing the information of hundreds of millions of guests. According to a recent industry report, hospitality ranked third among industries compromised by cybersecurity breaches in 2019, and the industry suffered 13% of the total incidents. About two-thirds of these breaches were attacks on corporate servers, which often store guest information and communicate with on-site property management systems. Breaches like these can harm corporate reputations, disrupt operations and cause huge financial loss.
The NCCoE collaborated with the hospitality business community and cybersecurity technology providers to build an example system, or “PMS reference design,” that simulates a hotel’s PMS and connected IT infrastructure, including an electronic payment system and electronic door locks. The design protects data moving within this environment and restricts which users can reach the various systems and services, so that access is limited rather than open by default.
While the design uses commercially available technologies to accomplish these goals, the guide does not endorse any particular products. All technologies used in the solution support security standards and guidelines of the NIST Cybersecurity Framework, and the design aligns with the privacy protection activities and desired outcomes of the NIST Privacy Framework.
The practice guide also introduces the tenets and components found in a recent NIST publication on zero trust architecture (NIST SP 800-207), a cybersecurity paradigm focused on protecting resources rather than network perimeters. Its premise is that trust is never granted implicitly on the basis of network location or asset ownership, but must be continually evaluated for each access request.
Read more at: Homeland Security Today