Feds will eventually travel again on business. And when they do, their personal data will end up in property management systems, the systems hotels use to manage and book space. It turns out these systems are vulnerable to hackers seeing personal information. Now the National Institute of Standards and Technology has released results of focused work with the industry to help the situation. Joining Federal Drive with Tom Temin with more, National Cybersecurity Center of Excellence engineer Bill Newhouse.
Tom Temin: Mr. Newhouse, good to have you on.
Bill Newhouse: Thanks for having me with you.
Tom Temin: First of all, tell us about these systems, these property management systems, what are they and what do they look like?
Bill Newhouse: A property management system is a database. So just think about if you’ve had any experience with databases in your life: they’re set up to hold information and make it accessible to the users who need it. And for a property management system, that is a bit of a database that’s been grown over the years to do things like know where the staff is in the building. If it’s a hotel, the cleaning folks can check in using the phone in a room to say I’m in this room, I’m cleaning it, and then when they move to the next room, indicate that in the database. How’s that for this one: the idea that there are systems that are collecting personally identifiable information, they have to know who you are as a guest, and also holding, potentially, the credit card information that you provide when you make a reservation, just makes this centralized database that is helping the hotel run its business, keep track of its customers, know who’s coming, plan, do all this stuff. It makes it an attractive target for anybody who’s looking to find ways to exploit that kind of personal data if they could get their hands on it.
Tom Temin: And there have been some recent incidents showing that these are more than just attractive. They’ve actually been hacked in a couple of major instances.
Bill Newhouse: The hacks are a blend of this system then feeds back into a bigger corporate system kind of model. So you know, we don’t have the exact place. That’s not something, this is a non-regulatory agency, doesn’t have that data available to us. So we partner with folks in the industry space. So we reached out to hospital technologies next generation group, we went to a couple conferences where we walked the floor and checked out all the booths to figure out who was talking about cybersecurity and where and why, to figure out where we could make an impact bringing NIST’s long-term experience and risk mitigation in guidance that is followed federally by mandate, but could be non voluntarily adopted by industry. And so the idea that there have been breaches, yes, we definitely have all heard about those in the news. The exact tactics and things that happened, that’s not something I needed to learn to know the value of protecting the property management system.
Tom Temin: Sure. And are property management systems generally manufactured by a few industry-dominant players? Because I would think to serve the needs of, you know, Hilton or Marriott or something, you’d have to be a pretty big player yourself.
Bill Newhouse: Yeah, that’s true. There are some big companies that are good at database work and have gravitated to creating property management systems. And then those big chains would be able to build a turnkey system that they could give out to their franchisees. At a smaller level, at less large organizations, it may be really that they’re buying a property management system. Well, it’s going to be a database no matter what. I don’t want to name names on all the different companies; it’s a big enough industry space that there’s a lot of people in it.
Tom Temin: But you do bring up one other point, and that is operators of hotels and owners of the brands and so forth are not all the same company, so that an operator under a given brand could be a small localized company that’s not as good at cybersecurity as, say, some large national operator. So that must be a dynamic that affects cybersecurity also, correct?
Bill Newhouse: Indeed. When we think about it at the National Cybersecurity Center of Excellence, we were built at NIST within the last seven, eight years to really show people that NIST has strong guidance, if you follow it, and the world and the industry space has growing and existing standards that can be applied, that exist in today’s technologies. So what that means is, we want to show people by building a reference design that it can be done, and inspire you to do so. So if you’re a small, medium property owner, whether you’re a hotel or a golf course, or you’re running some aspect of a property where people are coming in and out and you have to manage everything that happens there, we’ve shown you in a reference design the best things to aim for in risk mitigation. And by best it means we’ve gone across something that NIST has called the Cybersecurity Framework that lays out functions that you could perform to mitigate risk. And so that’s one of our standards that we built into this one. And then we started looking at what are the industry standards at play in this space, and it is the Payment Card Industry Data Security Standards, and those are worldwide and evolving as well as we’re building this and trying to figure out, well, what can we say in that space? Those are pretty mature and there’s a good mature group of people who are developing those, but what can we do to help? And part of that model is that your property management system and your payment systems, they do interact. They have to, because you’re collecting credit card data for reservations, you’re collecting credit card data to pay for rooms. If you’re a hotel, the less number of systems that data has to traverse means it’s easier for a hotel to be compliant for payment card industry standards. And that’s good, because less means less attack surface. And so we found a technique in our reference design techniques that can help to make that easier.
So there’s a potential, if you’re a hospitality organization and you look at this guidance, you can be inspired to follow it. You could copy it if you want to. But if it’s not exactly the system you have, you can still go, wait, I can see some things here that we haven’t thought of, by ways of doing this that would mitigate risks and make us happier and make us less likely to be a victim of an attack.
Tom Temin: And the result of this collaboration then is a special publication.
Bill Newhouse: Yeah, and this special publication, 1800-27, the 1800 series are the ones that come out of the National Cybersecurity Center of Excellence, where, I was trying to say earlier, our mission there is to get more cybersecurity adopted. And essentially, that means to mitigate as much risk as possible when you do adopt the technologies and standards that are best practices. 1800-27 is called Securing Property Management Systems. Those systems then really do have situations, connections, relationships in them that are unique to that industry, and therefore merit a special publication. So the center has endeavored to touch on lots of different sectors of our critical infrastructure and our economy. And so, back in the Obama administration, there was an executive order that came out to say, let’s increase the consumer confidence in retail and hospitality type industries, anything where people are going and spending their money, and there were breaches in retail, and then we’ve had breaches in hospitality that could have inspired the need to increase consumer confidence. Well, we endeavored in one project to show something around e-commerce. We talked about in that one multi-factor authentication when risk is high for doing online purchases. And this is stuff that five years on, three years on, people are much more aware of the needs to do a thing called multi-factor authentication. So we are pushing the bar and giving people a chance to say, look, they did it, this is how you could copy it and do it again. So now for property management systems. Yes, there’s all the different intersections that are happening. When you go to a hotel now, especially big chains, you’re being offered so much more opportunities for technology. You walk in, and you’re being offered the chance to maybe go use the spa, go use other facilities that are adjacent to and connected to that property management system to make your stay easy, transparent.
You just walk over and you say I’ve made a reservation here and you show up and it all comes out on one bill. If it’s all coming out in one bill, it probably means it’s gone through one property management at one point and all that data is there.
Tom Temin: And I always presume there’s a hidden camera in the smoke detector and behave accordingly. What’s the uptake been so far for special publication 1800?
Bill Newhouse: Well, we put it out towards the end of March. And the publicity that through our own Public Affairs has drawn people to talk about it. What I want to hear next is, have you made a decision? Is it something where you’ve now decided as an organization, we’re going to tackle this a little more deeply than we have already? So I’ve seen on Twitter lots of retweets, and I appreciate the attention. So when we get back together with the groups, we try to create a community of interest for every sector, a specific area that we focus on. So for hospitality, we went to the Retail and Hospitality ISAC, Information Sharing and Analysis Center, and through them, and they’ve just recently merged with the American hotel association to focus on this stuff as well. And so you get these groups together, we’ll be listening to them. We listened to them as we built the project. We wanted to know what should we build that would help. And that got us to that property management system as a central core structure. And then they introduced us to some of the experts, and there are technical groups. And now we want to find out, okay, architecture doesn’t match the architecture in your building. But we’ve told you about how to do zero trust architectures, we’ve told you how you can add some defenses that would only allow, zero trust architecture has a large number of tenets that are all the things we’ve always wanted to do in cybersecurity. But it’s becoming realizable now, because vendors are offering this technology to help you really understand where your high value assets are, in this case, but stuff in the property management system, who’s needing to connect to your systems, whether it’s guests connecting to your networks, and also your staff and your backroom, people who are running all these systems. There’s better ways to protect that through the best practices of zero trust. So we’ve used zero trust to model this.
We’re going to need to hear, Tom, from these groups again, and then figure out, okay, what else can we do? Can we get together with a group and have a symposium and keep pushing, because adoption really isn’t about the end answer. And it’s hard to measure that, it’s hard to see. People don’t always just stand up and say, look, we just fixed everything that was broken. That’s not the nature of it. Hopefully it’s iterative and they start to see what we’ve done and they copy it.
Tom Temin: Alright, this could be the best confidence building measure since the folded toilet paper. Bill Newhouse is an engineer with the National Cybersecurity Center of Excellence at NIST. Thanks so much.
Bill Newhouse: You’re welcome. Thanks for giving me the time to share with you guys.