In 2019, the hospitality industry suffered 13 percent of all data breaches, ranking third highest among targeted industries. It was two years later when NIST released SP 1800-27: Securing Property Management Systems to help hoteliers secure their Property Management Systems (PMS) and associated patron data. The National Cybersecurity Center of Excellence (NCCoE) at NIST collaborated with cybersecurity solutions providers and the hospitality business community to create a zero-trust example implementation framework under which a PMS and related systems could be secured using existing off-the-shelf and open-source solutions.
This guide is intended to provide a standards-based example, and the specifics may be applied directly or replaced by similar comparable solutions. For the purpose of this guide, a reference PMS was created. It includes the PMS, a payment platform and a physical access control system. The goal was to audit for anomalies, implement role-based access control, protect sensitive data as well as employ network segmentation and moving-target defense under a zero-trust architecture.
Hotels and their Vectors of Attack
Hotels, with their mines of personal identifiable information, third-party plugins and electronic payment methods, have long been tantalizing targets for cyber-attacks. With high-profile breaches affecting some of the largest chains worldwide, a uniform strategy is necessary for securing the multiple data systems required to service global clientele and provide the electronic convenience needed to maintain a competitive edge.
As the publication states, “Hotel operators rely on a property management system (PMS) for daily administrative tasks such as reservations, availability, pricing, occupancy management, check-in/out, guest profiles, guest preferences, report generation, planning and record keeping, which includes financials.”
Along with this, consider “external systems such as room-key systems, restaurant and banquet solutions, sales and catering applications, minibars, telephone and call centers, revenue management, on-site spas, online travel agents, guest Wi-Fi, loyalty solutions and payment providers.” Hotels live at the convergence of a myriad of access points. As such, the benefits grow exponentially for a cybercriminal who succeeds in breaching a hotel’s data defenses.
NIST 1800-27 Remediations and Benefits
To organize solutions, the guide focuses on the following security measures:
- Preventing privilege escalation attacks
- Preventing credit and transaction data theft through tokenization, “allowlisting” and access control enforcement
- Implementing role-based access
- Mandatory auditing, reporting and system activity logging
- Preventing unauthorized use of personal data
The strategies employed to obtain these objectives utilize a zero-trust environment, moving target defense and data tokenization.
As a result, the guide aims to ensure that hoteliers achieve the following benefits:
- Security against PMS breach and preservation of core operations should a breach occur
- Protection of patron personal identifiable information (PII)
- Restrict PMS access only to employees with a relevant business
- Limit PMS exposure to direct access integrations and increase PMS security awareness
- Avoid breaches leading to decreased consumer trust for chain, property or owner
- Improve consumer confidence that PII is secure within the hospitality industry
Read more at: Tripwire