NIST SPECIAL PUBLICATION 1800-27
Securing Property Management Systems
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
William Newhouse
Michael Ekstrom
Jeff Finke
Marisa Harriston
FINAL
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.1800-27
The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/projects/use-cases/securing-property-management-systems
William Newhouse
Information Technology Laboratory
National Institute of Standards and Technology
Michael Ekstrom
Jeff Finke
Marisa Harriston
The MITRE Corporation
McLean, VA
March 2021
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
James K. Olthoff, Acting NIST Director and Acting Under Secretary of Commerce for Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security Characteristic Analysis
  - 5.1 Analysis Assumptions and Limitations
  - 5.2 Analysis of the Reference Design’s Support for Cybersecurity Framework Subcategories
    - 5.2.1 ID.AM-1: Physical devices and systems within the organization are inventoried
    - 5.2.2 ID.AM-2: Software platforms and applications within the organization are inventoried
    - 5.2.3 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes
    - 5.2.4 PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
    - 5.2.5 PR.AC-3: Remote access is managed
    - 5.2.6 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    - 5.2.7 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
    - 5.2.8 PR.DS-1: Data at rest is protected
    - 5.2.9 PR.DS-2: Data in transit is protected
    - 5.2.10 PR.IP-3: Configuration change control processes are in place
    - 5.2.11 PR.PT-4: Communications and control networks are protected
    - 5.2.12 DE.CM-1: The network is monitored to detect potential cybersecurity events
    - 5.2.13 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    - 5.2.14 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    - 5.2.15 DE.DP-4: Event detection information is communicated
  - 5.3 Zero Trust
- 6 Privacy Characteristic Analysis
- 7 Functional Evaluation
  - 7.1 Test Cases
    - 7.1.1 PMS Use Case Requirements
    - 7.1.2 Test Case PMS-01 (Authorized Hotel Staff User Can Log In)
    - 7.1.3 Test Case PMS-02 (PMS Authentication)
    - 7.1.4 Test Case PMS-03 (Authorized Users Can Access Only Systems and Data They Are Authorized for)
    - 7.1.5 Test Case PMS-04 (Guest Reservation Editable)
    - 7.1.6 Test Case PMS-05 (Room-Key Provisioning)
    - 7.1.7 Test Case PMS-06 (Provisioning Guest Wi-Fi Access)
    - 7.1.8 Test Case PMS-07 (Secure Credit Card Transaction)
    - 7.1.9 Test Case PMS-08 (Authorized Device Provisioning)
    - 7.1.10 Test Case PMS-09 (Prevent Unauthorized Device from Connecting)
- 8 Future Build Considerations
- Appendix A Mapping to Cybersecurity Framework
- Appendix B Privacy Framework Mapping
- Appendix C Deployment Recommendations
- Appendix D List of Acronyms
- Appendix E Glossary
- Appendix F References
- 1 Introduction
- 2 How to Install and Configure
  - 2.1 Network Protection Solution—CryptoniteNXT
    - 2.1.1 Overview of Network Protection Solution
    - 2.1.2 Network Protection Solution—CryptoniteNXT—Requirements
    - 2.1.3 Network Protection Solution—CryptoniteNXT—Installation
    - 2.1.4 Creating Source Groups
    - 2.1.5 Creating Destination Groups
    - 2.1.6 Applying Source Groups to End Points
    - 2.1.7 Applying Destination Groups to End Points
    - 2.1.8 CryptoniteNXT Configuration for the PMS Reference Design
  - 2.2 Access Control Platform—TDi ConsoleWorks
  - 2.3 Property Management System—Solidres
  - 2.4 Data Tokenization Appliance—StrongKey Tellaro Appliance
  - 2.5 Physical Access Control System—Häfele Dialock
  - 2.6 Privileged Access Management System—Remediant SecureONE
  - 2.7 Wireless Network Management—Forescout CounterACT
  - 2.8 Virtual Switch—VyOS Configuration
  - 2.9 Integration of Security Components
- Appendix A List of Acronyms
- Appendix B Glossary