Hospitality cybersecurity transformation


Path forward from today's risks and vulnerabilities

Introduction

We live in an information-based economy. A world driven by data, and by the analytics and ingenuity applied to that data, is what allows companies to move with speed. This new age is known as the Fourth Industrial Revolution. It has led to unprecedented transparency and customer engagement, which is particularly important in the hospitality industry. As companies expand into this new era, they face a growing landscape of cybersecurity risk.1

As one of the top five industry sectors breached each year,2 hospitality is no stranger to these attacks or to the headlines they generate. Unlike most businesses, hospitality runs IT for business applications, operational technology (OT) for building system controls and smart-building Internet of Things (IoT) devices. Each is a distinct network environment with its own risks. Hospitality companies have to address not only their corporate offices but their hundreds of properties in order to mitigate the risks to their guests and their business. With the addition of IoT devices, the industry faces an ever-expanding cybersecurity threat landscape.

Targets

The hospitality landscape comprises not only typical corporate IT applications such as email, web servers and employee computers, but also a growing number of IT, OT and IoT systems and devices focused on enhancing guest services and experiences. What cyber criminals target are the vulnerabilities they can exploit in any given system. Can the hospitality sector simply say no to new services because there are too many associated risks?
The number of new and complex systems will continue to grow as the sector looks for new ways to attract and retain guests with improved guest services.2

Figure: Hospitality cyber targets (recovered from the original graphic)

Guest expectations:
- 73% of guests want automated check-in
- 80% of guests want to easily see offered amenities and hours
- 78% of guests want to engage maps of the areas they visit
- 73% of guests want to request late checkout
- 68% of guests want direct mobile access to concierge-type services

PII (personally identifiable information): guest information is contained within reservation and payment systems; PII is collected at various service applications, such as kiosks, ticket purchases and office services (i.e., making copies).
Building systems: security of building control systems (heating, ventilation and air conditioning (HVAC), lighting, elevators, safety, energy); third-party management and remote access.
Offices: staff computers; office systems and applications; websites; OTAs (online travel agencies).
PoS (point of sale): credit card payment systems are ubiquitous (gift shops, restaurants, bars, guest services, etc.).
Access: Wi-Fi accessible networks (guest, lobby, events); Wi-Fi-enabled services for offices and building systems; lobby computers for guests.
Security: keyless entry systems; closed-circuit television.

These services do not represent a single point of access but an integration of services, such as mobile access to book and open a room. Although this may sound trivial, how many threat vectors are possible for just a single transaction? In this example, there are several to think about:
- The mobile phone: is it compromised? Is it running the latest vendor-patched software?
- The website: is it secured? Is it robust enough for the mobile environment?
- The Wi-Fi: how is the mobile phone accessing the property network and the keyless system?
- The keyless entry: is the keyless system commingled with any other networks it should not be?
- The guest: what data is being collected and transmitted? PII?

What makes these systems targets is not just the data they contain, such as PII and guest credit card information. That data can be found in almost every variety and mix of systems at every hotel, multiplied by the number of properties a hospitality company owns. It is easy to understand why the hospitality industry places in the top five cyber-breached industry sectors every year. Understanding what makes these systems a target, and the fact that there is no single cyber threat vector, is critical.

Cybersecurity data breaches do not always take place where the data is stolen or compromised; they can happen almost anywhere. A credit card PoS device can be compromised through the BMS. Guest PII can be stolen because of a lack of security in a third-party reservation system rather than in the web booking portal.

Risks

According to the FBI,3 the number of cyber threat occurrences quadrupled to 4,000 per day last year from 1,000 per day in 2015. Hospitality systems will only continue to become more complex. The associated risks lie not only in the types of systems but in their numbers, use and deployment. Many of the OT building management systems (BMS) that control the property environment (HVAC, lights, energy, elevators) also run many of the new smart applications, such as keyless entry. OT systems are typically not seen as the domain of corporate IT, which mainly focuses on corporate computing networks. Responsibility for OT maintenance, support, purchasing of new systems, updates and security typically falls on a third-party management company or system integrator. This separation of responsibility between IT and OT creates a large blind spot in property security, and blind spots are what cyber criminals like to exploit.

Blind spots start with a lack of basic cyber hygiene:
- Training: does corporate push out cybersecurity awareness training to the property? Do front-desk clerks know how to handle a panicked guest who hands them a USB memory stick containing the big proposal he or she needs a quick copy of?
- Policies and procedures: does the same level of documentation maintained by corporate IT exist for the property OT? Do property employees know what to do, or whom to call, when there is a suspected cyber event?
- Roles and responsibilities: who is responsible for security at the property level? Is there coordination with corporate IT on new system purchases and installation? Who manages third-party security and the associated remote access to the properties?
- Security: is security viewed only as security guards? Who oversees property cybersecurity? Who ensures that policies and procedures are being carried out? Does patching address only Microsoft operating systems? When was the last time you patched your vendor application firmware?

74% of hospitality cyber theft involves PoS (point of sale)5

PoS attacks pose the biggest threat to the hospitality industry. Cyber criminals can directly attack a property's network systems or attack the hospitality company's third-party payment processing company.

20% involves DDoS (distributed denial of service) attacks6

Hotels are particularly vulnerable to distributed denial of service (DDoS) attacks, in which an entire hotel chain's website is taken down by being overwhelmed with traffic. Hotels have a wide array of networked devices, from closed-circuit TV cameras to computer-managed BMS, all of which can be hijacked and used to flood other systems on the infrastructure and disable them.

Every 40 seconds a company gets hit with ransomware, up from every 2 minutes7

Although PoS and DDoS have been the traditional attack vectors, hospitality companies are finding themselves especially vulnerable to ransomware, where malware is introduced into one of the property's numerous systems, such as Wi-Fi, PoS modems or the BMS, gaining unauthorized access to a system (e.g., HVAC) and locking out the property owner until a ransom is paid.

DarkHotel hacking

A new term for a new threat vector. DarkHotel hacking is where the cyber criminal uses the hotel's own Wi-Fi to

Risks: IoT

Many in the hospitality industry are focusing on IoT, or smart buildings, for the next generation of guest services. IoT devices connect to other smart devices to drive increased value in applications. A simple example is a room sensor that detects a lack of motion and turns out the light. What if the room sensor data were tied to the door lock data to provide additional inputs, e.g., to distinguish whether the guest is away from the room as opposed to just being asleep and not moving? This information can be linked to the weather outside or to a guest-selected comfort range. Now, if the room sensor does not detect motion, it can be determined that the guest is not in the room, so the lights and TV can be turned off and the temperature adjusted to save energy. These are the kinds of value-added applications that not only enhance the guest experience but also provide cost savings to the property owner. One of the more popular smart applications is keyless entry.
It:
- Saves time and money over plastic key cards, which require programming, tracking and replacement.
- Facilitates mobile check-in, saving time for guests and staff.
- Is embedded in a hotel booking app, which guests download easily over the air (OTA), from a confirmation email or from the hotel website, making rebooking easier directly through the app.
- Interacts with cloud-based hotel management, which itself streamlines the guest journey and business interactions, including room selection, check-in and checkout, upgrades and payments.

As with any new technology, IoT faces its own challenges. IoT technology is rapidly emerging, with early adopters in virtually every industry, all hoping to capitalize on what it promises to deliver. Many adopters hope that a new technology brings new and improved cybersecurity. However, IoT has gotten off to a bumpy start, due largely to a lack of basic cybersecurity. In fact, DDoS attacks increased 91% in 2017 because of IoT.8 Botnets such as Mirai, WireX and Reaper, built from compromised IoT devices, are just a few of the DDoS sources that caused widespread disruption and losses for the companies affected (the WannaCry worm of the same year, though ransomware rather than DDoS, likewise spread through unpatched systems). Why the massive rise? Researchers believe the reason is twofold: the growing availability of DDoS-for-hire services and the deployment of many unsecured IoT devices.9

"DDoS-for-hire services have lowered the barriers of entry for criminals to carry out these attacks, in terms of both technical ability and cost. Now, almost anyone can systematically attack and attempt to take down a company for less than $100." Ashley Stephenson, CEO of Corero10

Keyless entry systems

Keyless entry systems have also fallen prey, as a new technology that lacks basic cybersecurity leading practices. Keyless entry systems comprise three main elements, each of which carries inherent risk if not developed correctly by the vendor and installed correctly by the buyer:

1. Cards and readers. Keyless entry cards replace magnetic stripe (magstripe) cards, which could be erased or destroyed in heavy industrial or outdoor environments and which required precise swiping. Keyless entry cards work over short-range radio such as near-field communication (NFC), RFID or Bluetooth.
2. Hardware interface. Typical readers employ a simple interface. As the wires in plastic cards pass by a magnet, they energize, then release an inductive voltage spike. The spike lasts about 100 microseconds and originally was sent out raw, traveling about 500 feet.
3. Binary formatted data on cards. Finally, the way the data bits are organized on the card is referred to as the format. All card formats are ones and zeros. In old cards there were two main fields of data and usually 2 parity bits for error detection. With 26 bits, you get 16 bits of sequential card numbers (1 to 65,535) and 8 bits of site (facility) codes (1 to 255). A parity bit at either end can be used both for error detection and for sensing which direction the badge was swiped.

The focus of the earlier keyless entry systems was to facilitate a cost-effective transition from legacy magstripe cards to a more efficient access system, with little to no consideration of cybersecurity. As a result, there are countless news stories of hospitality properties reporting keyless entry system breaches. One such report came from Austria, where a group of hackers targeted a local hotel in an attempt to lock out all the guests, charging the hotel owner US$1,605 worth of bitcoin to release the keyless entry system.11

So how can such a vulnerability exist? Look at how these systems are integrated into the overall property network(s). Keyless entry systems rely on a centralized door controller with which all the keyless doors communicate. Typically, these communications are unencrypted and in the clear, meaning anyone able to listen on the network can see the actual data. In addition, many systems are configured using old serial communications (RS-485) from the central door controller to each keyless door. Keyless reader hardware in many systems is old and outdated and lacks an easy way to apply patch upgrades to remediate cybersecurity issues.
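The 26-bit format in item 3 above, carried over the raw inductive-pulse interface in item 2, is the classic Wiegand layout, and because the reader-to-controller line sends it in the clear, anyone who can tap the wire reads the facility code and card number directly. The following Python is an added example, not code from the original paper or from any lock vendor, that encodes and decodes that format with both parity bits and then audits a few constructed frames as a sniffer would capture them. The field boundaries (a leading even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, a trailing odd-parity bit over the last 12 data bits) are the common 26-bit convention and are an assumption here, since the paper gives only the field sizes.

```python
"""Encode/decode the 26-bit card format described above (added example).

Assumed layout, most significant bit first (the common 26-bit convention;
the paper gives only the field sizes):
  bit 25        even parity over bits 24..13 (the first 12 data bits)
  bits 24..17   8-bit site (facility) code
  bits 16..1    16-bit card number
  bit 0         odd parity over bits 12..1 (the last 12 data bits)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Card26:
    facility: int   # 0..255
    number: int     # 0..65535


def _ones(value: int) -> int:
    """Number of set bits in value."""
    return bin(value).count("1")


def encode_w26(card: Card26) -> int:
    """Return the 26-bit frame for a card, parity bits included."""
    if not 0 <= card.facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card.number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (card.facility << 16) | card.number       # 24 data bits
    high12, low12 = body >> 12, body & 0xFFF
    even_bit = _ones(high12) & 1                     # makes the high half even
    odd_bit = 1 - (_ones(low12) & 1)                 # makes the low half odd
    return (even_bit << 25) | (body << 1) | odd_bit


def decode_w26(frame: int) -> Card26:
    """Parse a 26-bit frame, rejecting anything that fails either parity check."""
    if frame < 0 or frame >> 26:
        raise ValueError("frame is not 26 bits")
    body = (frame >> 1) & 0xFFFFFF
    high12, low12 = body >> 12, body & 0xFFF
    if (_ones(high12) + (frame >> 25)) % 2 != 0:
        raise ValueError("leading (even) parity failed")
    if (_ones(low12) + (frame & 1)) % 2 != 1:
        raise ValueError("trailing (odd) parity failed")
    return Card26(facility=body >> 16, number=body & 0xFFFF)


def audit_capture(frames):
    """Decode frames sniffed from an in-the-clear reader line.

    Returns (cards, errors): the valid cards in order, and (index, reason)
    for frames that failed parity. On a raw line every valid frame hands the
    listener a replayable facility code and card number; parity only catches
    line noise, it is not an integrity or secrecy mechanism.
    """
    cards, errors = [], []
    for i, frame in enumerate(frames):
        try:
            cards.append(decode_w26(frame))
        except ValueError as exc:
            errors.append((i, str(exc)))
    return cards, errors


# Constructed sample: three consecutive cards from one site, as a sniffer
# would log them. The second frame has one bit flipped in the card-number field.
SAMPLE_FRAMES = [
    encode_w26(Card26(facility=12, number=345)),
    encode_w26(Card26(facility=12, number=346)) ^ (1 << 3),
    encode_w26(Card26(facility=12, number=347)),
]

if __name__ == "__main__":
    good, bad = audit_capture(SAMPLE_FRAMES)
    for c in good:
        print(f"site {c.facility:3d} card {c.number:5d}")
    for idx, why in bad:
        print(f"frame {idx}: {why}")
```

Two things the code makes concrete: the whole credential space is 24 bits, and card numbers at one site are sequential, so a single captured frame tells an attacker the facility code and a neighbourhood of valid card numbers; and parity catches a flipped bit but does nothing against a replayed or fabricated frame, which is the gap OSDP Secure Channel is meant to close.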
Keyless cards often use either weak encryption (48-bit keys) or default keys, and their UIDs (unique identifiers) can be spoofed. Hackers have taken advantage of these shortcomings to clone room cards. Firstly, the keyless systems tend to communicate in the clear, enabling a man-in-the-middle attack that can pick up the data fields being used. Secondly, the keyless card readers are typically outdated, with poor encryption, which can leave them vulnerable to brute force and easy reverse engineering for read and write access. Lastly, a compromised card can be copied onto writable blank cards with changeable UIDs, or "magic cards." According to recent articles,12 for $50 you can buy a device online that can do this, and the magic cards themselves cost $1.

Keyless entry system manufacturers have now come out with more robust systems incorporating OSDP (open supervised device protocol). OSDP is more secure than the raw reader interface described above, still the most common access control communications protocol: OSDP Secure Channel supports AES-128 encryption (required in federal government applications), and OSDP continuously supervises the wiring so that a disconnected or tampered device is detected. Moving to it means replacing older systems, which is not great news if you purchased and rolled out a system five years ago across 100 properties with 500 locks each.

Who owns the risk

Over the past several years there have been a number of high-profile hospitality cyber breaches. One of the largest hospitality operators, responsible for several of the biggest marquee hotel names, was hit with a PoS malware attack that affected PoS terminals used at retail and food and beverage outlets located in its hotels.13 When such breaches take place, the question often asked is "Who is liable for the cyber breach?" The real question that needs to be addressed is "Who is responsible for cybersecurity?", a question for any industry.

In recent years, the hospitality industry has been moving toward the franchise model as a means of consistently growing revenue. In this model the hotel is owned and operated by a third party, and the brand is paid a licensing fee. This model presents a unique set of challenges for organizations in the space. The complex relationship among franchisors, owners and operators sometimes requires sharing information or a common computer system.
Hotels often permit interfacing between their computer network systems and those of third-party vendors or credit card processors. These hotel systems are to a large extent themselves a cyber target, depending on the security measures and practices of entities beyond the hotel's control. Who is responsible for cybersecurity? Is it the franchisor? The owner? Or the operator? With any cyber breach comes a litany of business and legal issues: who is in breach of contract, guest lawsuits, system damages and recovery costs to the business. The least tangible but arguably greatest impact, however, is to brand reputation. Guests only know the name on the hotel. The answer to "Who is responsible for cybersecurity?" is all of the above. A comprehensive cybersecurity policy that addresses hospitality risks and vulnerabilities, and the roles and responsibilities of each entity, is a critical first step.

Transformation

Cyber criminals targeting hospitality traditionally have two ways to capitalize on a successful breach: theft of payment data and ransom of business data. To reduce the likelihood and success of such attacks, property owners need to consider whether they are addressing these issues today and integrate the solutions below into a comprehensive cybersecurity program that transforms their security posture.

Areas to improve in OT environments

Policy and procedures. These should address not only cybersecurity awareness but training that is relevant at the property level.

Roles and responsibilities. These should address the who and what of the OT cybersecurity plan in terms of responsibility and accountability.

Network segregation. One of the most common vulnerabilities is the unintentional commingling of OT networks (BMS, keyless entry, PoS) and IT networks with no adequate security controls, such as firewalls, to ensure that systems can only talk to the other systems with which they have an approved purpose.

Asset inventory of systems. These critical records should include names, functions, locations, makes/models/manufacturers, OS levels, firmware levels, maintenance logs, incident logs and other information. It is very difficult to address a problem when you do not know where the problem is.

Patching of applications and operating systems. Patches are routinely issued by vendors to address known cybersecurity issues. Not patching in a timely manner can leave one or all systems vulnerable to attack. In an OT environment, it is critical to ensure that not just Microsoft OS patches are being deployed but that OT system firmware patches are being addressed as well; each missed one is a blind spot.
Access management: users. Many OT systems are deployed with default passwords, which can enable unauthorized access. In most cases the default account has administrator rights, so an unauthorized user can make themselves the network administrator, damaging systems, locking out users and committing theft.

Access management: electronic. A commonly overlooked aspect of access management is third-party or remote access. Virtually all third parties have remote access to provide operation and maintenance support. The questions are: who set up the remote access, is it secure, who uses it and how is it managed? This tends to be a large area of trust in OT; verification is encouraged.

Backup and recovery. Too often, property personnel assume that if there is a corporate IT backup, it must be comprehensive. In fact it rarely is: it does not include the OT control set points, settings and policies. A comprehensive OT backup policy can assist in recovering from a ransomware attack, providing the data needed to restore OT systems quickly to normal operation while the security team investigates the cause.

IoT technology

IoT cybersecurity benefits from all the points above. Several additional areas require management's attention when addressing new or older IoT smart solutions. Most IoT deployments today overlay pre-existing networks, making it more critical than ever to first address the current systems so there is a solid cybersecurity foundation to build on. Legacy OT control systems were typically developed to be closed-loop and not to communicate openly over networks such as the internet. In contrast, virtually all IoT networks communicate freely not just with the internet but with other IoT networks and smart buildings. Cybersecurity becomes increasingly important during the investigation, design and deployment phases to ensure that all new communication paths are secure and do not compromise legacy OT control systems. It is important to ensure that the vendor supports IoT and smart applications.

Change usernames and passwords.
Many of today's IoT devices ship with default passwords, making them easy recruits for DDoS botnets such as Mirai.

Systems must be easy to update and patch. OTA (over the air) updates are becoming more common.

Third-party vendor management is key. Too many smart systems comprise multiple vendors, each relying on the others' software and/or hardware to be secure or to provide overall security. Understand not only what the application does, but all the elements that make up the

Conclusion

The hospitality industry faces many cybersecurity challenges in its pursuit of technology that provides an enhanced guest experience. Even in this new age of industrial automation, foundational cybersecurity tenets still hold. In many cases the question is not how to do it, but what to do and how to start, given the age and number of buildings, all with disparate network systems across properties.

Three-phase methodology

The following methodology can help hospitality companies initiate their cybersecurity transformation.

Phase 1: take a diagnostic of all or selected properties for risk maturity to understand the current state of risks and vulnerabilities. Remember that each property can be unique in its network configuration, vendor systems and management.

Phase 2: perform assessments to better understand vulnerabilities and threats, looking at properties with existing or potential trouble spots. Outline the nature of the vulnerabilities as well as suggested mitigations.

Phase 3: remediation puts in place the identified solutions to mitigate the associated risks and vulnerabilities.

Unlike companies in other industries with OT environments, which may delay introducing new technologies because of cyber risk, hospitality companies focus on serving guests and cannot easily say no to new ways to enhance the guest experience. After all, hospitality is not just the name of the business; it is what they do. A cybersecurity transformation not only protects the company's reputation, but also protects the guest experience and ensures the security that guests depend on from the hotel at which they chose to stay.
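The network segregation and asset inventory items above are the kind of thing a Phase 2 assessment has to verify with data rather than with a diagram. The following Python is an added example, not a tool from the original paper or from EY, of the check a practitioner runs over flow records exported from a property firewall or switch: every flow that crosses zones without an approved purpose, or that involves an address missing from the inventory, becomes a finding. The inventory, the zone names, the allowlist and the flow lines are all constructed for this example, and the flow format ("timestamp src -> dst:port proto") is an assumed simplification of a NetFlow or firewall export.

```python
"""Segmentation audit for a property network (added example, not EY's tooling).

Inputs are constructed: an asset inventory keyed by IP with a network zone,
an allowlist of (source zone, destination zone, port) pairs that have an
approved purpose, and flow records in a simplified "timestamp src -> dst:port
proto" form. The policy is default-deny: anything not on the allowlist, even
inside one zone, is reported, as is any address the inventory does not know.
"""
import re
from collections import namedtuple

Asset = namedtuple("Asset", "name zone")
Finding = namedtuple("Finding", "kind line")

# Constructed inventory: the systems one property might have.
INVENTORY = {
    "10.10.1.20": Asset("frontdesk-pc-01", "IT"),
    "10.10.1.30": Asset("pms-server", "IT"),
    "10.20.0.5": Asset("bms-controller", "OT-BMS"),
    "10.20.0.9": Asset("hvac-ahu-2", "OT-BMS"),
    "10.30.0.2": Asset("door-controller", "OT-Keyless"),
    "10.40.0.11": Asset("pos-bar-01", "PoS"),
    "172.16.99.50": Asset("guest-wifi-gw", "Guest-WiFi"),
}

# Constructed allowlist: (src zone, dst zone, dst port) with an approved purpose.
ALLOWED = {
    ("IT", "OT-BMS", 443),       # corporate IT to the BMS web console
    ("OT-BMS", "OT-BMS", 502),   # Modbus/TCP stays inside the BMS zone
    ("IT", "OT-Keyless", 443),   # PMS issues keys to the door controller
    ("PoS", "IT", 443),          # PoS terminals report to corporate only
}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>tcp|udp)$"
)


def parse_flow(line):
    """Return (ts, src, dst, port) or None if the line is not a flow record."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["port"])


def check_flows(lines, inventory=INVENTORY, allowed=ALLOWED):
    """Classify each flow line; returns findings in input order.

    kinds: unparseable (export problem), unknown-asset (inventory gap, or a
    source outside the property such as vendor remote access nobody recorded),
    zone-violation (traffic with no approved purpose on the allowlist).
    """
    findings = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            findings.append(Finding("unparseable", line))
            continue
        _, src, dst, port = parsed
        if src not in inventory or dst not in inventory:
            findings.append(Finding("unknown-asset", line))
            continue
        triple = (inventory[src].zone, inventory[dst].zone, port)
        if triple not in allowed:
            findings.append(Finding("zone-violation", line))
    return findings


# Constructed flow export: two approved flows, two commingling problems, one
# source the inventory does not know, and one line that is not a flow at all.
SAMPLE_FLOWS = [
    "2018-03-04T10:01:02 10.10.1.30 -> 10.20.0.5:443 tcp",
    "2018-03-04T10:02:10 10.20.0.5 -> 10.20.0.9:502 tcp",
    "2018-03-04T10:03:55 10.20.0.9 -> 10.40.0.11:445 tcp",    # BMS reaching into PoS
    "2018-03-04T10:04:01 172.16.99.50 -> 10.30.0.2:23 tcp",   # guest Wi-Fi to door controller
    "2018-03-04T10:05:30 203.0.113.7 -> 10.20.0.5:3389 tcp",  # unrecorded remote access
    "flow export restarted",
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f.kind:15s} {f.line}")
```

The default-deny shape matters: an allowlist of approved purposes, rather than a blocklist of bad ports, is what turns the "intended systems only talk to intended systems" requirement into something a firewall rule set and this audit can both be checked against. The unknown-asset finding is the inventory gap the paper describes; in practice it is also how unrecorded third-party remote access first shows up.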
Figure: Transformation and strategy road map (recovered from the original graphic)

Phase 1: Maturity diagnostic
- Cybersecurity business drivers
- Site classifications: defining the number and types of properties
- Site work effort: defining the level of work associated with the classification
- Risk profile: heat maps outlining risk trends and patterns for each property
- Analysis: aggregate, correlate and consolidate individual site risk profiles into a single actionable plan

Phase 2: Assessments
- Policies, critical assets, controls, compliance
- Building off Phase 1: dive deeper into the OT network; define the technical controls required to address identified risks

Phase 3: Remediation
- Framework, strategic road map, technical compliance, situational awareness, controls
- Building off Phases 1 and 2: develop a strategic road map, based on client priorities and vulnerabilities, to reduce risk

Outcome: future state transformation

References

1. Klaus Schwab, "The Fourth Industrial Revolution: what it means, how to respond," World Economic Forum, 14 January 2016, https://www.weforum.org/agenda/2016/01/the-fourth-industrial-revolution-whatitmeans-and-how-to-respond/.
2. "Hacking Hospitality: State of the Industry & How to Brace for Breaches," Armor, 16 November 2017, https://www.armor.com/blog/hacking-hospitality-state-industry-bracebreaches/.
3. "Improving Digital Customer Experience is Key to Increasing Traveler Loyalty in Hotels, Study Says," Hotel-Online, 6 March 2014, http://www.hotel-online.com/press_releases/release/improving-digital-customerexperience-is-key-to-increasing-traveler-loyalty.
4. "The Top Five Cyber Threats Hotel Brands and Franchisees Need to Know About," Netsurion, 19 June 2017, https://www.netsurion.com/knowledge-center/articles/2017/june-2017/the-top-five-cyberthreatsforhotels.
5. "2016 Data Breach Investigations Report: Hospitality," Verizon, April 2016, http://www.verizonenterprise.com/resources/reports/rp_Data-Breaches-by-IndustryHospitality_en_xg.pdf.
6. Ibid.

7. Anton Ivanov, David Emm, Fedor Sinitsyn and Santiago Pontiroli, "Kaspersky Security Bulletin 2016. The ransomware revolution: Story of the year," Securelist, 8 December 2016, https://securelist.com/kasperskysecuritybulletin-2016-story-of-the-year/76757/.
8. Alison DeNisco Rayome, "DDoS attacks increased 91% in 2017 thanks to IoT," TechRepublic, 20 November 2017, https://www.techrepublic.com/article/ddos-attacksincreased-91-in-2017-thanks-to-iot/.
9. Ibid.
10. "Number of DDoS Attacks Have Doubled in Six Months As Criminals Leverage Unsecured IoT Devices," Corero website, 20 November 2017, https://www.corero.com/company/newsroom/press-releases/number-of-ddosattacks-have-doubled-in-six-months-as-criminals-leverageunsecured-iot-devices/.
11. Abhimanyu Ghoshal, "Hackers use ransomware to target hotel guests' door locks," The Next Web, 30 January 2017, https://thenextweb.com/security/2017/01/30/hackers-use-ransomware-to-lock-hotel-guests-in-their-

EY OT Cyber Security contact
Tom Jackson, CISSP, Senior Manager, Advisory OT Cyber Security, Ernst & Young LLP, +1 972 740 7367, [email protected]

2018 Ernst & Young LLP. All Rights Reserved.
