Date Published: April 28, 2017
Comments Due:
Email Questions to:
Author(s)
William Newhouse (NIST), Sarah Weeks (MITRE)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Property Management Systems.
Hospitality organizations rely on Property Management Systems (PMS) for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel's IT system, such as Point-of-Sale (POS) systems, door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of the network, external business partners' components and services are also typically connected to the PMS, such as on-premise spas or restaurants, online travel agents, and customer relationship management partners or applications (on-premise or cloud-based). The numerous connections to and users of the PMS could provide a broader surface for attack by malicious actors. Improve the security of the PMS can help protect the business from network intrusions that might lead to data breaches and fraud.
Based on industry research and in collaboration with hospitality industry stakeholders, the NCCoE is proposing a solution to better secure the PMS and its connections within a hotel's IT system that implements layers of security: point-to-point encryption, data tokenization, multifactor authentication for remote and partner access, network and user behavior analytics, and business-only usage restrictions.
Building on this collaboration with the hospitality business community and vendors of cybersecurity solutions, the NCCoE will explore methods to strengthen the security of the PMS and its connections and will develop an example implementation composed of open-source and commercially available components. This project will produce a NIST Cybersecurity Practice Guide--a publically available description of the solution and practical steps needed to effectively secure the PMS and its many connections within the hotel IT system.
Hospitality organizations rely on Property Management Systems (PMS) for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel’s IT system, such as Point-of-Sale (POS) systems, door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of connections, external business partners’ components and services are also typically connected to the PMS, such as on-premise spas or restaurants, online travel agents, and customer relationship management partners or applications (on-premise or cloud-based). [1] The numerous connections to and users of the PMS could provide a broader surface for attack by malicious actors. [2] Demonstrating methods to improve the security of the PMS can help protect the business from network intrusions that might lead to data breaches and fraud. [3]
Based on industry research and in collaboration with hospitality industry stakeholders, the NCCoE is starting a project that aims to help hospitality organizations implement stronger security measures within and around the PMS, with a focus on the POS system through network segmentation, point-to-point encryption, data tokenization, multifactor authentication for remote and partner access, network and user behavior analytics, and business-only usage restrictions.
In collaboration with the hospitality business community and technology vendors who implement standards that improve cybersecurity, the NCCoE will explore methods to strengthen the security of the PMS and its connections and will develop an example implementation composed of open-source and commercially available components. This project will produce a NIST Cybersecurity Practice Guide—a freely available description of the solution and practical steps needed to effectively secure the PMS and its many connections within the hotel IT system.
Hospitality organizations rely on Property Management Systems (PMS) for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel’s IT system, such as Point-of-Sale (POS) systems, door locks, Wi-Fi networks, and other...
See full abstract
Hospitality organizations rely on Property Management Systems (PMS) for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel’s IT system, such as Point-of-Sale (POS) systems, door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of connections, external business partners’ components and services are also typically connected to the PMS, such as on-premise spas or restaurants, online travel agents, and customer relationship management partners or applications (on-premise or cloud-based). [1] The numerous connections to and users of the PMS could provide a broader surface for attack by malicious actors. [2] Demonstrating methods to improve the security of the PMS can help protect the business from network intrusions that might lead to data breaches and fraud. [3]
Based on industry research and in collaboration with hospitality industry stakeholders, the NCCoE is starting a project that aims to help hospitality organizations implement stronger security measures within and around the PMS, with a focus on the POS system through network segmentation, point-to-point encryption, data tokenization, multifactor authentication for remote and partner access, network and user behavior analytics, and business-only usage restrictions.
In collaboration with the hospitality business community and technology vendors who implement standards that improve cybersecurity, the NCCoE will explore methods to strengthen the security of the PMS and its connections and will develop an example implementation composed of open-source and commercially available components. This project will produce a NIST Cybersecurity Practice Guide—a freely available description of the solution and practical steps needed to effectively secure the PMS and its many connections within the hotel IT system.
Hide full abstract
Keywords
behavior analytics; hospitality cybersecurity; multifactor authentication; network analytics; point of sale; point-to-point encryption; property management system; tokenization
Control Families
Access Control; Identification and Authentication
