In recent years, criminals and other attackers have compromised the networks of several major hotel chains, exposing the information of hundreds of millions of guests. Breaches like these can result in huge financial loss, operational disruption, and reputational harm, along with lengthy regulatory investigations and litigation.
Hospitality organizations can reduce the likelihood of a hotel data breach by strengthening the cybersecurity of their property management system (PMS). The PMS is an attractive target for attackers because it serves as the information technology (IT) operations and data management hub of a hotel.
Hospitality organizations rely on a PMS for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel’s IT systems, such as point-of-sale (POS) systems, physical access control systems, Wi-Fi networks, and other guest service applications.
A PMS and its extended systems store, process, and transmit a variety of sensitive guest information, including payment card information and personally identifiable information. An unsecured or poorly secured PMS could expose a hotel, and the larger hospitality organization of which the hotel is a part, to a significant and costly data breach, which may result in financial penalties for violating state, federal, and international privacy and other regulatory regimes.
Securing Property Management Systems supports the following security and privacy characteristics:
- prevents unauthorized access via role-based authentication
- protects from unauthorized lateral movement and privilege escalation attacks
- prevents theft of credit card and transaction data via data tokenization, explicitly allows only identified entities access (allowlisting), and enables access control enforcement
- increases situational awareness by auditing, system activity logging, and reporting
- prevents unauthorized use of personal information
All organizations face external and internal threats. While not every threat can be eliminated, an architecture can be built to mitigate and/or reduce the potential realization of various threats. The PMS reference design mitigates threats related to unauthorized and elevated privileges, data exfiltration, configuration modification, data modification, and access to sensitive data. Any or all of these unmitigated threats could lead to fraud, which is one of the largest concerns in the hospitality industry.
One managed security service provider’s annual global security report shows that the hospitality industry has the second highest number of incidents being investigated by the provider. The same report notes that the motivations of malicious actors targeting hospitality organizations, and the types of data they seek, include “credit card track data, financial/user credentials, proprietary information, and PII” (personally identifiable information).
Since 2014, security services have tracked a targeted technique labeled DarkHotel hacking, which leverages a hotel’s Wi-Fi to selectively target traveling executives and deliver malicious software to them. Further, identity theft and doxing (searching for and publishing private or identifying information about an individual on the internet, typically with malicious intent) are persistent threats within the hospitality industry.
Hotels also face internal threats, including misuse, inappropriate sharing or disclosure of personal information by employees with malicious intent, and accidental breaches. In fact, it is suggested that more than 50 percent of security incidents are initiated from current or former employees. Mitigating internal threats involves more than just physical concepts, such as locking doors; rather, the process needs to include cybersecurity concepts that help protect against insider threats and unauthorized lateral movement within the enterprise by hotel staff and hotel guests.
A vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source”. Among this project’s goals is mitigating the ability of an actor to exploit vulnerabilities. Often, vulnerabilities are self-inflicted.
For instance, organizations may:
- commit integration and configuration errors due to poor configuration management processes
- delay and/or not perform patching/updating regularly
- improperly deploy assets
Hotel Guest Internet Access via Hotel Guest Wi-Fi
Figure 4-5 shows the process flow for a guest accessing the internet via the hotel’s guest Wi-Fi. In this flow, the:
1. Hotel guest attempts to connect to the internet via the guest Wi-Fi
2. Hotel guest is challenged
3. Hotel guest responds with temporary credentials they have been provided, corresponding to their reservation
4. Wireless protection and visibility platform validates with the PMS, and the hotel guest is provided internet access
5. Hotel guest is provided only access to the internet (is forbidden to move laterally) and any external-facing enterprise hospitality systems; all activity, including surfing and web activity, is logged and sent to the privileged access management system
Secure Credit Card Transaction
Figure 4-3 shows the process flow for a credit card transaction. The reference design adheres to guidance from the Secure Payments Framework.
The Secure Payments Framework is based on the concept that raw payment card data is not stored, processed, or transmitted by any hotel system within the control of the hotel company. The PMS reference design replaces raw payment card data with tokens. These tokens are useless to malicious actors. This approach is also aligned with PCI-DSS best practices.
The transaction is protected by the payment solution application via tokenization. The token alone is ineffective as only the payment solution application can decrypt it and associate a credit card with charges. This transaction flow assumes that the payment card data was ingested via an on-property customer-facing card reader, on-property POS, a kiosk, the property website, or was collected from a third-party entity. That payment card data is tokenized at the edge of the PMS environment via the tokenization appliance before it hits the PMS.
The process of Figure 4-3 is described below.
1. The payment solution application collects the credit card information.
2. The payment solution application secures credit card information via a secure vault.
3. The payment solution application validates with a third-party payment processor.
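The tokenization flow above (ingestion at the edge, vault storage, processor validation), modeled as an added example that is not part of the reference design's own code; the `PaymentSolution`, `PMS`, and `ingest_card_at_edge` names and the processor stand-in are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field

def luhn_valid(pan: str) -> bool:
    """Luhn check on a primary account number (PAN); rejects malformed input before it reaches the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding results above 9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class PaymentSolution:
    """Constructed stand-in for the payment solution application and its secure vault (steps 1-3).
    Only this component ever holds a raw PAN; everything outside it sees tokens."""
    _vault: dict = field(default_factory=dict)  # token -> PAN, never returned to callers

    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)  # random; carries no information about the PAN
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def authorize(self, token: str, amount_cents: int) -> bool:
        """Only the vault can map a token back to a card and present it to the processor."""
        pan = self._vault.get(token)
        if pan is None or amount_cents <= 0:
            return False
        return True  # constructed stand-in for the third-party payment processor's approval

class PMS:
    """Property management system record store: holds only the token and the last four digits."""
    def __init__(self) -> None:
        self.reservations: dict = {}

    def attach_payment(self, reservation_id: str, tokenized: dict) -> None:
        self.reservations[reservation_id] = dict(tokenized)

def ingest_card_at_edge(payment: PaymentSolution, pms: PMS, reservation_id: str, pan: str) -> str:
    """Tokenization appliance at the PMS edge: the PMS never receives the raw PAN."""
    tokenized = payment.tokenize(pan)
    pms.attach_payment(reservation_id, tokenized)
    return tokenized["token"]
```

A stolen PMS record yields only the token and last four digits, and the token is worthless without the vault, which is the property the Secure Payments Framework relies on.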
Authorized Employee Access
Figure 4-2 shows the process flow for an authorized hotel staff user connecting to only the systems for which they are authorized. The hotel staff user will be challenged by the access control platform and will be required to present whatever credentials are required by policy; further, they will be granted only minimal access based upon their role. The process flow in Figure 4-2 is described below.
1. From a device or terminal, an authorized hotel staff user attempts to log in via the access control platform. All login attempts are directed to the access control platform and logged.
2. The hotel staff user who presents valid authentication credentials is granted access to only the system(s) they are allowed based upon their role.
3. The network protection device monitors their activity and maintains logs via the privileged access management system.
4. Any suspicious behavior is noted, logged, and acted on according to policy.
5. Logs are collected by the privileged access management solution.
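Both access flows, the guest Wi-Fi flow of Figure 4-5 (reservation-bound temporary credentials, internet-only access) and the staff flow of Figure 4-2 (role-based least privilege, every attempt logged to the PAM system), modeled in one added example that is not part of the reference design's own code; the reservation records, staff directory, role policy, and class names are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed PMS reservation records: a guest's temporary Wi-Fi code is bound to one stay (ISO dates).
RESERVATIONS = {
    "R1": {"wifi_code": "7K2Q9", "check_in": "2024-05-01", "check_out": "2024-05-04"},
}
# Constructed staff directory: username -> (role, password). A real platform would hold password hashes.
STAFF = {"fdesk01": ("front_desk", "constructed-pw-1"), "mgr01": ("manager", "constructed-pw-2")}
# Least-privilege policy: the systems each role may reach. Guests reach the internet only.
POLICY = {
    "guest": {"internet"},
    "front_desk": {"pms_reservations", "pos"},
    "manager": {"pms_reservations", "pos", "pms_reports"},
}

@dataclass
class AccessControlPlatform:
    """Stand-in for the access control / wireless protection platform in Figures 4-2 and 4-5."""
    pam_log: list = field(default_factory=list)  # every event is forwarded to the PAM system

    def _log(self, subject: str, outcome: str, detail: str) -> None:
        self.pam_log.append({"subject": subject, "outcome": outcome, "detail": detail})

    def guest_login(self, reservation_id: str, code: str, today: str) -> set:
        """Guest Wi-Fi: the code must match the PMS reservation and the stay must be active today."""
        rec = RESERVATIONS.get(reservation_id)
        ok = rec is not None and hmac.compare_digest(rec["wifi_code"], code) \
            and rec["check_in"] <= today < rec["check_out"]
        self._log(reservation_id, "granted" if ok else "denied", "guest wifi")
        return set(POLICY["guest"]) if ok else set()

    def staff_login(self, username: str, password: str) -> set:
        """Staff: valid credentials yield only the systems the user's role allows."""
        entry = STAFF.get(username)
        ok = entry is not None and hmac.compare_digest(entry[1], password)
        self._log(username, "granted" if ok else "denied", "staff login")
        return set(POLICY[entry[0]]) if ok else set()

    def request(self, subject: str, allowed: set, system: str) -> bool:
        """Network protection device: anything outside the granted set is blocked and logged."""
        permitted = system in allowed
        self._log(subject, "allowed" if permitted else "blocked", system)
        return permitted

    def suspicious_subjects(self) -> set:
        """Step 4 of Figure 4-2: subjects with blocked requests are flagged for action per policy."""
        return {e["subject"] for e in self.pam_log if e["outcome"] == "blocked"}
```

A guest who tries to reach `pms_reservations` is blocked exactly like a front-desk user who tries to reach `pms_reports`, and both attempts land in the PAM log as lateral-movement indicators.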