NIST SP 1800-27: Securing Property Management Systems (PMS)
In 2019, the hospitality industry suffered 13 percent of all data breaches, ranking third highest among targeted industries. It was two years later when NIST released SP 1800-27: Securing Property Management Systems to help hoteliers secure their Property Management Systems (PMS) and associated patron data. The National Cybersecurity Center of Excellence (NCCoE) at NIST collaborated with cybersecurity solutions providers and the hospitality business community to create a zero-trust example implementation framework under which a PMS and related systems could be secured using existing off-the-shelf and open-source solutions.
This guide is intended to provide a standards-based example, and the specifics may be applied directly or replaced by similar comparable solutions. For the purpose of this guide, a reference PMS was created. It includes the PMS, a payment platform and a physical access control system. The goal was to audit for anomalies, implement role-based access control, protect sensitive data as well as employ network segmentation and moving-target defense under a zero-trust architecture.
Hotels and their Vectors of Attack
Hotels, with their mines of personally identifiable information, third-party plugins and electronic payment methods, have long been tantalizing targets for cyber-attacks. With high-profile breaches affecting some of the largest chains worldwide, a uniform strategy is necessary for securing the multiple data systems required to service global clientele and provide the electronic convenience needed to maintain a competitive edge.
As the publication states, “Hotel operators rely on a property management system (PMS) for daily administrative tasks such as reservations, availability, pricing, occupancy management, check-in/out, guest profiles, guest preferences, report generation, planning and record keeping, which includes financials.”
Along with this, consider “external systems such as room-key systems, restaurant and banquet solutions, sales and catering applications, minibars, telephone and call centers, revenue management, on-site spas, online travel agents, guest Wi-Fi, loyalty solutions and payment providers.” Hotels live at the convergence of a myriad of access points. As such, the benefits grow exponentially for a cybercriminal who succeeds in breaching a hotel’s data defenses.
To organize solutions, the guide focuses on the following security measures:
- Preventing privilege escalation attacks
- Preventing credit and transaction data theft through tokenization, “allowlisting” and access control enforcement
- Implementing role-based access
- Mandatory auditing, reporting and system activity logging
- Preventing unauthorized use of personal data
The strategies employed to achieve these objectives rely on a zero-trust environment, moving target defense and data tokenization.
As a result, the guide aims to ensure that hoteliers achieve the following benefits:
- Security against PMS breach and preservation of core operations should a breach occur
- Protection of patron personally identifiable information (PII)
- Restrict PMS access only to employees with a relevant business need
- Limit PMS exposure to direct access integrations and increase PMS security awareness
- Avoid breaches leading to decreased consumer trust for chain, property or owner
- Improve consumer confidence that PII is secure within the hospitality industry
The NCCoE and collaborators created a standards-based framework made entirely of commercially available components that achieves the following:
- Data encryption – PCI/PII is protected by various means, including encryption, tokenization, a secure data vault and limiting data transmission
- System authentication – Employs MFA and dynamic authentication to secure PMS, POS and reservation systems. Makes access control enforcement “as granular as possible” and utilizes network segmentation to decrease the window of opportunity for hackers.
- System activity logging – Monitors real-time user activity, revealing anomalies and maintaining visibility of events across the network and component interactions.
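The three measures above (tokenization with a separate data vault, role-based access enforced per caller, and logging of every access) fit together in a small amount of code. The following is an added illustration written for this article, not code from NIST SP 1800-27 or from any of the NCCoE collaborators. The role names, the caller allowlist and the test card number are constructed for the example; the vault holds card numbers in memory, and the at-rest encryption a real vault would add is assumed rather than shown.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Hypothetical roles and the vault actions each may perform (constructed for
# this example, not taken from the NIST guide).
ROLE_PERMISSIONS: Dict[str, set] = {
    "front_desk": {"tokenize", "last4"},
    "payments": {"tokenize", "detokenize"},
    "auditor": {"read_audit"},
}

# Hypothetical allowlist of systems permitted to talk to the vault at all.
CALLER_ALLOWLIST = {"pms", "payment-platform"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (basic PAN sanity)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    caller: str
    role: str
    action: str
    token: str      # only the token is logged, never the PAN
    allowed: bool


class TokenVault:
    """Minimal in-memory token vault: PMS records keep only tokens, the PAN lives here."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token: Dict[str, str] = {}          # assumed encrypted at rest in a real vault
        self._token_by_fingerprint: Dict[str, str] = {}
        self._last4_by_token: Dict[str, str] = {}
        self.audit: List[AuditEvent] = []

    def _authorize(self, caller: str, role: str, action: str, token: str) -> None:
        """Allowlist the caller, check the role, and log the decision either way."""
        allowed = caller in CALLER_ALLOWLIST and action in ROLE_PERMISSIONS.get(role, set())
        self.audit.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            caller=caller, role=role, action=action, token=token, allowed=allowed))
        if not allowed:
            raise PermissionError(f"{caller}/{role} may not {action}")

    def tokenize(self, caller: str, role: str, pan: str) -> str:
        self._authorize(caller, role, "tokenize", token="-")
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Keyed fingerprint so repeat tokenization of one card yields one token
        # without storing an unkeyed, brute-forceable hash of the PAN.
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)  # random; carries no card data
        self._pan_by_token[token] = pan
        self._last4_by_token[token] = pan[-4:]
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, caller: str, role: str, token: str) -> str:
        self._authorize(caller, role, "detokenize", token)
        return self._pan_by_token[token]

    def last4(self, caller: str, role: str, token: str) -> str:
        """Front desk can confirm 'card ending 1111' without ever seeing the PAN."""
        self._authorize(caller, role, "last4", token)
        return self._last4_by_token[token]

    def read_audit(self, caller: str, role: str) -> List[AuditEvent]:
        self._authorize(caller, role, "read_audit", token="-")
        return list(self.audit)


def demo() -> dict:
    """Constructed check-in flow: tokenize at the desk, charge via payments, deny a desk lookup."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"  # constructed test number that passes Luhn
    token = vault.tokenize("pms", "front_desk", pan)
    charged = vault.detokenize("payment-platform", "payments", token) == pan
    try:
        vault.detokenize("pms", "front_desk", token)
        leaked = True
    except PermissionError:
        leaked = False
    denied = sum(1 for e in vault.audit if not e.allowed)
    return {"token": token, "charged": charged, "leaked": leaked, "denied_events": denied}
```

The point to notice is where the sensitive value lives: the PMS and its audit trail only ever hold the token and the last four digits, so a compromised PMS record or log file yields nothing chargeable, while every denied request from an unlisted system or an under-privileged role still leaves an entry for the monitoring the guide calls for.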
Who Needs NIST 1800-27? What Does It Mean for Travel?
The publication states that “any hospitality stakeholder concerned about and/or responsible for securely implementing and mitigating risk in and around a PMS” is the intended audience for this guide. Because the security of a PMS affects every area of the business, that audience is any hotelier or similar stakeholder, not just C-level cyber leadership.
In an environment where one expired certificate can lead to “a breach heard ‘round the world,” it is no longer solely the purview of the IT team or CISO to push vital cybersecurity improvements affecting what will once again be a global market of travelers. NIST 1800-27 ensures ease of use by pulling from ready-made, out-of-the-box components, and it comes at a time when travel can still be considered to be at a lull.
In addition to the practices set forth in NIST 1800-27, and perhaps to make the suggested improvements truly effective, the NCCoE expresses openness to continue drafting standards within the hospitality industry for the use of personal mobile devices that are leveraged to access rooms or control hotel-owned smart devices.
In the meantime, however, employing this zero-trust cocktail of available solutions can help hotels remedy the multi-layered maladies affecting their data defenses, and hoteliers can maintain their reputations, consumers’ trust and licenses at a time when travel may again be around the corner and consumer data breaches not far behind.
Tripwire’s portfolio includes a variety of solutions to help hoteliers enhance their cybersecurity posture and ensure compliance with regulations such as CCPA, SOX, GDPR and PCI DSS.
About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Dobieski is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.