The National Institute of Standards and Technology (NIST) has published a new cybersecurity guide that addresses the specific needs of the hospitality industry. Securing Property Management Systems (aka NIST Special Publication 1800-27) is divided into three parts, and details data protection best practices for the property management systems (PMS) that hotels use to store the personal and credit card information of their guests.
In that regard, the report serves as a primer for some of the commercially available data protection technologies, and explains how operators can integrate those technologies into their existing infrastructure. The NIST did not endorse any particular product, instead offering examples and strategy recommendations that are based on the NIST’s own Cybersecurity and Privacy Frameworks. The report emphasized the importance of zero trust protocols, which require an organization to verify both the device and the individual before giving that person access to sensitive materials.
The NIST noted that the hospitality industry has historically been one of the most attractive targets for cybercriminals. Thirteen percent of all data breaches in 2019 involved the hospitality sector, making it the third-most common victim of fraud among industries. Roughly two-thirds of those attacks went after corporate servers that communicate with property management systems.
“Our practice guide documents how we enabled cybersecurity concepts such as zero trust architecture, moving target defense, tokenization of credit card data, and role-based authentication in a reference design that addresses cybersecurity and privacy risk,” said Bill Newhouse, a representative for the NIST’s National Cybersecurity Center of Excellence (NCCoE). “We also offer specific use cases to show the functionality of the design.”
The NIST released the new guide in the hope that hotels will be able to ensure that only those with the proper credentials can gain access to the organization’s electronic payment system and other essential services. It arrives several months after the NIST released a Quick Start manual to make it easier for businesses to comply with its separate Risk Management Framework.