Date Published: September 2020
Comments Due:
Email Questions to:
Author(s)
William Newhouse (NIST), Michael Ekstrom (MITRE), Jeff Finke (MITRE), Marisa Harriston (MITRE)
Announcement
Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems, which are central to hotel operations, present attractive attack surfaces.
NIST's National Cybersecurity Center of Excellence (NCCoE) collaborated with the hospitality business community and cybersecurity technology providers to build an example solution demonstrating how hospitality organizations can use a standards-based approach and commercially available technologies to meet their security needs for protecting a hotel's property management system.
The principal capabilities found in the guide include protecting sensitive data, enforcing role-based access control, and monitoring for anomalies. Principal recommendations include implementing cybersecurity concepts such as zero trust, moving target defense, tokenization of credit card data, and role-based authentication.
Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems (PMSes), which are central to hotel operations, present attractive attack surfaces. This example implementation strives to increase the cybersecurity of the PMS and offer privacy protections for the data in the PMS. The objective of this guide was to build a standards-based example implementation that utilizes readily available commercial off-the-shelf components that enhance the security of a PMS ecosystem.
The NCCoE at NIST built a PMS ecosystem in a laboratory environment to explore methods to improve the cybersecurity of a PMS. The PMS ecosystem included the PMS, a credit card payment platform, and an analogous ancillary hotel system. In this example implementation, a physical access control system was used as the ancillary system.
The principal capabilities include protecting sensitive data, enforcing role-based access control, and monitoring for anomalies. The principal recommendations include implementing cybersecurity concepts such as zero trust, moving target defense, tokenization of credit card data, and role-based authentication.
The PMS environment outlined in this guide encourages hoteliers and similar stakeholders to adopt effective cybersecurity and privacy concepts by using standard components that are composed of open source and commercially available components.
Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems (PMSes), which are central to hotel operations, present attractive attack surfaces. This example implementation strives to increase the...
See full abstract
Hotels have become targets for malicious actors wishing to exfiltrate sensitive data, deliver malware, or profit from undetected fraud. Property management systems (PMSes), which are central to hotel operations, present attractive attack surfaces. This example implementation strives to increase the cybersecurity of the PMS and offer privacy protections for the data in the PMS. The objective of this guide was to build a standards-based example implementation that utilizes readily available commercial off-the-shelf components that enhance the security of a PMS ecosystem.
The NCCoE at NIST built a PMS ecosystem in a laboratory environment to explore methods to improve the cybersecurity of a PMS. The PMS ecosystem included the PMS, a credit card payment platform, and an analogous ancillary hotel system. In this example implementation, a physical access control system was used as the ancillary system.
The principal capabilities include protecting sensitive data, enforcing role-based access control, and monitoring for anomalies. The principal recommendations include implementing cybersecurity concepts such as zero trust, moving target defense, tokenization of credit card data, and role-based authentication.
The PMS environment outlined in this guide encourages hoteliers and similar stakeholders to adopt effective cybersecurity and privacy concepts by using standard components that are composed of open source and commercially available components.
Hide full abstract
Keywords
access control; hospitality cybersecurity; moving target defense; PCI DSS; PMS; privacy; property management system; role-based authentication; tokenization; zero trust architecture
Control Families
Access Control; Assessment, Authorization and Monitoring; Configuration Management; Identification and Authentication; Incident Response; Physical and Environmental Protection; Program Management; Risk Assessment; System and Communications Protection; System and Information Integrity
