NIST SPECIAL PUBLICATION 1800-27

---

Securing Property Management Systems

Securing Property Management Systems

---

Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)

William Newhouse

Michael Ekstrom

Jeff Finke

Marisa Harriston

FINAL

This publication is available free of charge from:

https://doi.org/10.6028/NIST.SP.1800-27

The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/projects/use-cases/securing-property-management-systems

NIST SPECIAL PUBLICATION 1800-27

Securing Property Management Systems

Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)

William Newhouse

Information Technology Laboratory

National Institute of Standards and Technology

Michael Ekstrom

Jeff Finke

Marisa Harriston

The MITRE Corporation

McLean, VA

FINAL

March 2021

U.S. Department of Commerce

Gina M. Raimondo, Secretary

National Institute of Standards and Technology

James K. Olthoff, Acting NIST Director and Acting Under Secretary of Commerce for Standards and Technology

Volume A

• Executive Summary
  • Challenge
  • Solution
  • How To Use This Guide
  • Share Your Feedback
  • Collaborators

Volume B

• 1 Summary
  • 1.1 Challenge
  • 1.2 Implementation
    • 1.2.1 PMS Reference Design
    • 1.2.2 Standards and Guidance
  • 1.3 Benefits
• 2 How to Use This Guide
  • 2.1 Typographic Conventions
• 3 Approach
  • 3.1 Audience
  • 3.2 Scope
  • 3.3 Assumptions
  • 3.4 Risk Assessment
    • 3.4.1 Threats
      • 3.4.1.1 External Threats
      • 3.4.1.2 Internal Threats
    • 3.4.2 Vulnerabilities
    • 3.4.3 Cybersecurity Control Map
    • 3.4.4 Privacy Control Map
• 4 Architecture
  • 4.1 Architecture Description
    • 4.1.1 High-Level Architecture
  • 4.2 Use Cases Supported by the Property Management System Reference Design
    • 4.2.1 Use Case 1: PMS Accepts Reservation
    • 4.2.2 Use Case 2: Authorized User Access
    • 4.2.3 Use Case 3: Secure Credit Card Transaction
    • 4.2.4 Use Case 4: Secure Interaction of Ancillary Hotel System with PMS
  • 4.3 Process Flows
    • 4.3.1 Authorized Employee Access
    • 4.3.2 Secure Credit Card Transaction
    • 4.3.3 Secure Interaction of Ancillary Hotel System (with PMS)
    • 4.3.4 Hotel Guest Internet Access via Hotel Guest Wi-Fi
• 5 Security Characteristic Analysis
  • 5.1 Analysis Assumptions and Limitations
  • 5.2 Analysis of the Reference Design’s Support for Cybersecurity Framework Subcategories
    • 5.2.1 ID.AM-1: Physical devices and systems within the organization are inventoried
    • 5.2.2 ID.AM-2: Software platforms and applications within the organization are inventoried
    • 5.2.3 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, audited, proofed and bound to credentials, and asserted in interactions for authorized devices, users, and processes
    • 5.2.4 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
    • 5.2.5 PR.AC-3: Remote access is managed
    • 5.2.6 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    • 5.2.7 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
    • 5.2.8 PR.DS-1: Data at rest is protected
    • 5.2.9 PR.DS-2: Data in transit is protected
    • 5.2.10 PR.IP-3: Configuration change control processes are in place
    • 5.2.11 PR.PT-4: Communications and control networks are protected
    • 5.2.12 DE.CM-1: The network is monitored to detect potential cybersecurity events
    • 5.2.13 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    • 5.2.14 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    • 5.2.15 DE.DP-4: Event detection information is communicated
  • 5.3 Zero Trust
    • 5.3.1 Zero Trust Tenets
    • 5.3.2 Components of Zero Trust
• 6 Privacy Characteristic Analysis
  • 6.1 Analysis Assumptions and Limitations
  • 6.2 Privacy Protections of the Reference Design
• 7 Functional Evaluation
  • 7.1 Test Cases
    • 7.1.1 PMS Use Case Requirements
    • 7.1.2 Test Case PMS-01 (Authorized Hotel Staff User Can Log In)
    • 7.1.3 Test Case PMS-02 (PMS Authentication)
    • 7.1.4 Test Case PMS-03 (Authorized Users Can Access Only Systems and Data They Are Authorized for Test Cases)
      • 7.1.4.1 Test Case PMS-03a (Hotel Staff Users Cannot Move Laterally from the PMS Unless Authorized to Do So)
      • 7.1.4.2 Test Case PMS-03b (Prevent Unauthorized Function)
      • 7.1.4.3 Test Case PMS-03c (Only Authorized Data)
    • 7.1.5 Test Case PMS-04 (Guest Reservation Editable)
    • 7.1.6 Test Case PMS-05 (Room-Key Provisioning)
    • 7.1.7 Test Case PMS-06 (Provisioning Guest Wi-Fi Access)
      • 7.1.7.1 Test Case PMS-06a (Guests’ Limited Wi-Fi Access)
      • 7.1.7.2 Test Case PMS-06b (Prevent Unauthorized Guest Lateral Movement via Wi-Fi)
    • 7.1.8 Test Case PMS-07 (Secure Credit Card Transaction)
      • 7.1.8.1 Test Case PMS-07a (Tokenized Credit Card Data)
      • 7.1.8.2 Test Case PMS-07b (Verify that Credit Card Data Is Hidden)
    • 7.1.9 Test Case PMS-08 (Authorized Device Provisioning)
    • 7.1.10 Test Case PMS-09 (Prevent Unauthorized Device from Connecting)
• 8 Future Build Considerations
• Appendix A Mapping to Cybersecurity Framework
• Appendix B Privacy Framework Mapping
• Appendix C Deployment Recommendations
• Appendix D List of Acronyms
• Appendix E Glossary
• Appendix F References

Volume C

• 1 Introduction
  • 1.1 Typographic Conventions
  • 1.2 Practice Guide Structure
  • 1.3 PMS Reference Design Overview
    • 1.3.1 Usage Scenarios
    • 1.3.2 Architectural Overview
    • 1.3.3 General Infrastructure Details and Requirements
      • 1.3.3.1 Network Segmentation and Domain Name System (DNS)
• 2 How to Install and Configure
  • 2.1 Network Protection Solution—CryptoniteNXT
    • 2.1.1 Overview of Network Protection Solution
    • 2.1.2 Network Protection Solution–CryptoniteNXT–Requirements
      • 2.1.2.1 Hardware Requirements for the Network Protection Solution
      • 2.1.2.2 Software Requirements for the Network Protection Solution
      • 2.1.2.3 Network Requirements for the Network Protection Solution
    • 2.1.3 Network Protection Solution—CryptoniteNXT–Installation
    • 2.1.4 Creating Source Groups
    • 2.1.5 Creating Destination Groups
    • 2.1.6 Applying Source Groups to End Points
    • 2.1.7 Applying Destination Group to End Points
    • 2.1.8 CryptoniteNXT Configuration for the PMS Reference Design
  • 2.2 Access Control Platform—TDi ConsoleWorks
    • 2.2.1 Access Control Platform–TDi ConsoleWorks—Overview
    • 2.2.2 Access Control Platform—TDi ConsoleWorks—Requirements
      • 2.2.2.1 Hardware Requirements for Access Control Platform
      • 2.2.2.2 Software Requirements for Access Control Platform
      • 2.2.2.3 Network Requirements of the Access Control Platform
    • 2.2.3 Access Control Platform—TDi ConsoleWorks—Installation
      • 2.2.3.1 Create SSL Invocation
      • 2.2.3.2 Create SSL Certificate
      • 2.2.3.3 Apply License
      • 2.2.3.4 Start-Up
      • 2.2.3.5 GUI Gateway Installation
    • 2.2.4 Add Gateway to GUI
    • 2.2.5 Add Graphical Connection to End Point
  • 2.3 Property Management System–Solidres
    • 2.3.1 Property Management System Overview
    • 2.3.2 Property Management System–Solidres–Requirements
      • 2.3.2.1 Hardware Requirements for the Property Management System
      • 2.3.2.2 Software Requirements for the Property Management System
      • 2.3.2.3 Network Requirements for the Property Management System
    • 2.3.3 Property Management System–Solidres–Installation
      • 2.3.3.1 Confirm the version of MariaDB
      • 2.3.3.2 Create the Joomla Database
      • 2.3.3.3 Download the Latest Release of Joomla
      • 2.3.3.4 Get the Joomla Website Ready
      • 2.3.3.5 Finish Installation
    • 2.3.4 Server Configuration
      • 2.3.4.1 Firewall Configuration
      • 2.3.4.2 Active Directory Configuration
  • 2.4 Data Tokenization Appliance–StrongKey Tellaro Appliance
    • 2.4.1 Data Tokenization Appliance–StrongKey–Overview
    • 2.4.2 Data Tokenization Appliance–StrongKey–Requirements
      • 2.4.2.1 Hardware Requirements for the Data Tokenization Appliance
      • 2.4.2.2 Software Requirements for the Data Tokenization Appliance
      • 2.4.2.3 Network Requirements for the Data Tokenization Appliance
    • 2.4.3 Data Tokenization Appliance–StrongKey—Installation
    • 2.4.4 Payment System Modifications
  • 2.5 Physical Access Control System—Häfele Dialock
    • 2.5.1 Physical Access Control System–Häfele Dialock–Overview
    • 2.5.2 Physical Access Control System–Häfele Dialock–Requirements
      • 2.5.2.1 Hardware Requirements for the Physical Access Control System
      • 2.5.2.2 Software Requirements for the Physical Access Control System
      • 2.5.2.3 Network Requirements for the Physical Access Control System
    • 2.5.3 Physical Access Control System–Häfele Dialock–Installation
    • 2.5.4 Server Installation
    • 2.5.5 Dialock 2.0 Encoding Station Configuration
    • 2.5.6 Dialock 2.0 Web Setup
      • 2.5.6.1 Adding the Encoder
      • 2.5.6.2 Adding the MDU
      • 2.5.6.3 Setting Up a Guest Room
      • 2.5.6.4 Create an Area
      • 2.5.6.5 Provisioning Access
      • 2.5.6.6 Group and Role Creation
  • 2.6 Privileged Access Management System—Remediant SecureONE
    • 2.6.1 Privileged Access Management System–Remediant SecureONE–Overview
    • 2.6.2 Privileged Access Management System–Remediant SecureONE–Requirements
      • 2.6.2.1 Hardware Requirements for the Privileged Access Management System
      • 2.6.2.2 Software Requirements for the Privileged Access Management System
      • 2.6.2.3 Network Requirements for the Privileged Access Management System
    • 2.6.3 Privileged Access Management System–Remediant SecureONE—Installation
    • 2.6.4 Initial Configuration
  • 2.7 Wireless Network Management—Forescout CounterACT
    • 2.7.1 Wireless Network Management–Forescout CounterACT–Overview
    • 2.7.2 Wireless Network Management–Forescout CounterACT–Requirements
      • 2.7.2.1 Hardware Requirements for Wireless Network Management
      • 2.7.2.2 Software Requirements for Wireless Network Management
      • 2.7.2.3 Network Requirements for Wireless Network Management
    • 2.7.3 Wireless Network Management–Forescout CounterACT—Installation
    • 2.7.4 DNS Enforcement
    • 2.7.5 Switch Plug-In
    • 2.7.6 Guest Policy
  • 2.8 Virtual Switch—VyOS Configuration
  • 2.9 Integration of Security Components
    • 2.9.1 CryptoniteNXT Integration with CLI End Points
• Appendix A List of Acronyms
• Appendix B Glossary