Prioritizing Hotel Cybersecurity in a Connected Age
By Herve Tardy, VP & GM, Distributed Power Infrastructure Division (Americas), Eaton | January 03, 2021
The COVID-19 pandemic has changed the way we live, work and travel. Because of this, almost no industry has been hit harder than the hotel space. The American Hotel and Lodging Association says that more than 2.2 million hotel employees have been laid off or furloughed as hotels have reached historically low occupancy rates.
Now consider that there are individuals ready to kick an already beleaguered industry while it's down. As IT infrastructure becomes more critical in keeping businesses running amid the pandemic, hackers are taking advantage. The FBI recently indicated they have received as many as 4,000 complaints about cyberattacks per day, an increase of roughly 400% from pre-coronavirus levels.
Hotel executives know full well what a cyberattack can do to both revenue and brand reputation. Marriott International has been the victim of multiple breaches – the latest occurring as recently as February of 2020 – that resulted in more than $100 million in fines and the data of 500 million guests compromised. Cyber-threats such as these, when compounded by challenges posed by COVID-19, could cripple an already struggling industry.
With the continuing rise of interconnected IT infrastructure and internet of things capabilities in critical equipment, hotels must consider an end-to-end approach to cybersecurity that can help protect critical assets and prevent breaches before they devastate the industry.
Exploiting the Connections
Among the changes catalyzed by the COVID-19 pandemic, none has accelerated faster than the digital transformation of business. From retailers and restaurants embracing ecommerce platforms to enterprises transitioning their entire workforces to remote setups, the impact has been transformational and is expected to linger long after the crisis is in the rearview mirror.
For the hotel industry, digital transformation began long before the pandemic hit, as chains recognized the opportunity to leverage data and distributed IT operations to better serve customers. More and more, hotel operators decided to distribute workloads across on-premises, cloud and "edge" environments, allowing them to streamline critical infrastructure and improve efficiencies while continuing to drive real-time data services to customers.
The implications for IT infrastructure in this environment were sizeable and gave rise to more interconnectivity of devices such as servers and networking equipment, allowing hotel chains to manage key processes, such as software upgrades, without the need for 24/7 on-site IT staff. And while this has brought considerable benefits, including lower operational costs, those benefits come with the need to balance risk in the form of cybersecurity.
As equipment continues to become more interconnected, cyber-attackers have more opportunities to gain access to the whole network. All it takes is one vulnerability in a device to launch an attack that impacts all the devices within a network. In a 2018 Fortinet survey, 85 percent of responding chief information security officers reported that security concerns during digital transformation had a "somewhat" to "extremely large" business impact.
And cyber-attackers have capitalized on the acceleration of digital transformation amid COVID-19. Recent reporting from the International Criminal Police Organization (Interpol) revealed that cyberattacks have occurred at an alarming rate during the pandemic. Perhaps this should not be particularly surprising, as more enterprises leveraging cloud-based architectures to conduct business means more opportunities for attackers to steal essential data. But it is concerning nonetheless, and hotel executives should take note of the trend toward escalating attacks.
Emerging Opportunities, Emerging Threats: Connected Power Management
One often overlooked area that has seen considerable advancement in interconnectivity and, therefore, a need for greater cybersecurity measures, is backup power equipment: specifically, uninterruptible power systems (UPSs).
These systems, which serve as a bridge to generator power in the event of an outage, have become a critical aspect of IT systems for hotels as it relates to disaster planning. In 2020, meteorologists have tracked a record number of named storms in the Atlantic Ocean, while wildfires have ravaged parts of California, Washington, Oregon and Colorado. Any of those scenarios could cause power failures at any time, but hotel chains leveraging UPSs as part of their distributed networks have an essential asset for keeping data safe.
Like many other foundational IT components, UPSs have seen advances in interconnectivity in response to end-user demand for more remote management capabilities. UPSs now include network cards that provide a way to connect to essential information systems; sensors that enable remote monitoring and maintenance of critical UPS components (e.g., batteries); and power management software that enables rapid, remote response to unplanned power events in IT infrastructure such as servers. All of these have been seismic changes in how backup power is managed, especially for hotel chains seeking to streamline IT operations across broad, distributed networks.
However, the advanced interconnectivity of power management devices makes the need for cybersecurity safeguards an essential concern. More connected devices mean more chances for hackers to tunnel in and steal valuable guest and hotel operational data, which, as evidenced by the recent Marriott International data breaches, can be devastating to brand reputation. With the trend toward interconnected devices showing no sign of stopping – especially as hotels seek additional ways to lower costs to offset the losses created by the pandemic – security must remain a top priority.
Next, we'll look at strategies that hotels can employ to help protect against an attack, especially as emerging technologies present a chance for emerging cyber threats.
Mounting a Defense Against Cyberattacks
Thankfully, as cybersecurity threats have emerged amid increasing connectivity of power management and other devices, vendors and industry organizations have put time and effort into creating cybersecurity safeguards to defend against these threats.
One safeguard is certification and testing. The global safety science organization UL has developed and published the UL 2900-1 standard for software cybersecurity for network-connectable devices. The standard provides criteria and methods for evaluating and testing for vulnerabilities, software weaknesses and malware, as well as requirements regarding the presence of security risk controls in the architecture and design of a product. Additionally, the International Electrotechnical Commission (IEC) has released cybersecurity certifications such as ISA/IEC 62443 to give companies a resource to address security vulnerabilities in industrial automation and control systems.
While there are no guarantees, products purchased with the UL 2900-1 and ISA/IEC 62443 certifications have been thoroughly tested against the latest threats, providing greater assurance for the end users that cybersecurity has been given the utmost concern. Hotels should look to purchase power management equipment that has been certified to these standards, as there are now UPSs available with network management cards carrying both UL 2900-1 and IEC 62443-4-2 certification. With built-in cybersecurity features, these solutions boast stronger encryption, configurable password policy and usage of CA and PKI signed certificates. These cards provide warnings of pending issues to administrators and help them perform orderly shutdown of servers and storage to protect critical data.
Many other products carry cybersecurity safeguards as well, and physical security measures should be considered for IT equipment alongside digital ones. Rack enclosures, for example, can be protected with security locks to ensure only authorized personnel have access to the systems. Smart locks allow administrators to remotely manage and control physical access to an unlimited number of server racks and enclosures.
Ultimately, it is imperative that hotels take a holistic approach to cybersecurity, one that balances inherently secure products with a robust strategy that incorporates cybersecurity policies, procedures and risk assessments, updated routinely to address the latest threats. Staff should be versed in the latest threats and trained in understanding how to respond to attacks such as ransomware, which has been on the rise amid the COVID-19 pandemic.
The National Institute of Standards and Technology has created a Cybersecurity Framework that provides valuable tools and resources that can contribute to a robust cybersecurity strategy. Hotel IT administrators can work with their technology service providers to perform security risk assessments much the same way hotels perform routine safety risk assessments, assessing vulnerabilities that may exist in their infrastructure and taking the necessary steps to address these vulnerabilities.
The Road Ahead
Cyberattacks are the responsibility of the attackers alone, but protecting against these attacks is the responsibility of everyone in the hotel organization, from executives on down. As hotels seek to adopt the latest interconnected technologies to lower their operational costs and extend more benefits to customers – especially as they recover from the financial devastation of the COVID-19 pandemic – it is imperative that these hotels prioritize cybersecurity every step of the way, as any compromise of critical data could lead to a devastating financial hardship which few hotels can afford to weather.
Hotels that take a holistic approach to cybersecurity should pair a robust protection strategy with cybersecure technology investments, which can provide peace of mind that their infrastructure will continue providing benefits while being protected against anything attackers can dish out.
HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.