In recent years criminals and other attackers have compromised the networks of several major hospitality companies, exposing the information of hundreds of millions of guests. A hotel property management system (PMS) is a prime target for attackers – it serves as the information technology operations and data management hub of a hotel and could give a criminal access to a trove of valuable data.
The NIST National Cybersecurity Center of Excellence collaborated with the hospitality business community and cybersecurity technology providers to build an example solution demonstrating how hospitality organizations can use a standards-based approach and commercially available technologies to meet their security needs for protecting a hotel's property management system. This example solution is documented in the new NIST Cybersecurity Practice Guide, Special Publication (SP) 1800-27, Securing Property Management Systems.
Practitioners will find value in the featured cybersecurity approaches, which include the tenets of zero trust security, moving target defense, tokenization of credit card data, and role-based authentication to help reduce the risk of a network intrusion compromising the PMS. This guide describes risk reduction through terms found in the NIST Cybersecurity Framework and offers a brief exploration of the NIST Privacy Framework.
We welcome feedback and ideas at hospitality-nccoe [at] nist.gov (subject: Feedback on NIST SP 1800-27).