A PwC expert said there are obvious advantages to using internet-of-things devices at hotels, but they also open properties to potential security risks.
WASHINGTON—Filling your hotel with connected devices has obvious advantages, improving both the guest experience and back-of-house operations.
But Robert Shein, manager of cybersecurity at PwC, said it’s important for hoteliers to weigh the possible cons of those devices and prepare for the potential security issues they help create.
Speaking at Hospitality Technology Next Generation’s North American Insight Summit, Shein noted there are multiple ways internet-of-things devices could be used by bad actors.
Here are some of the takeaways from Shein’s talk.
There are multiple goals and methods for attacks
Shein noted that because there are so many different roles IoT devices play on-property, there are different ways attackers can infiltrate them and abuse them.
That includes making sensors in things like the heating and cooling systems essentially “lie” to the hotel in order to cause havoc, or using smart devices embedded in a hotel room as an entry point to reach the hotel’s sensitive data, like the information housed on point-of-sale and reservation systems.
“Each (type of device) has its own value to an attacker,” he said.
Hoteliers need to segregate their systems
To avoid that latter type of attack where hackers use the IoT devices as a gateway to get to sensitive data, hoteliers need to understand how their networks are built and make sure there are barriers between different systems and networks, Shein said. That includes putting things like smart thermostat controls on a different network than the property-management system and other potential targets.
He said a lack of those types of measures and controls has hurt companies like Home Depot, which suffered a breach of sensitive data after a hacker broke into an access point for maintenance.
Shein said hoteliers also need to have a clear understanding of things like their network firewalls and be clear on who is in charge of them.
“You need to know who controls the firewall,” he said. “Does the property have a security engineer or is that outsourced? And the more and more protocols you have speaking back and forth, the more complicated the firewall becomes.”
Consumer devices can be deconstructed
Shein said some IoT devices are more vulnerable than others because of their easy access on the consumer market. That means attackers might be more prone to go after something they could buy themselves, because they can dissect the device at home, carefully prodding it for any security weak points.
“As a bad guy, you can get your hands on one of (those devices) and find their problems, get comfortable with it,” he said. “You can reverse-engineer it.”
Attacks come from both inside and outside
When dealing with internet-connected devices, it’s important to remember that attacks can come both from people at the property and from people attacking remotely.
Shein said to counteract both types of attacks, hoteliers need to constantly monitor their systems, or else the first sign of attacks might be the discovery that sensitive data is being used or is available on the black market. He said continuous monitoring—coupled with properly setting up networks so attackers don’t have quick and easy access to the most sensitive data as soon as they get into the system—can help stop an attack midstream.
He noted it can be helpful to set things up in a way that misdirects hackers.
“You can buy time by confusing attackers because they can’t find what they’re looking for,” Shein said. “It’s like the old joke about a bear attack. You don’t have to outrun the bear; you have to outrun the guy next to you.”
He said the lack of monitoring is where many systems fail, with the harm going unnoticed until they essentially “bleed out.”
“Most people don’t notice the first attack,” he said. “They notice the side effects of a breach like the use of credit card information or the loss of data. But it’s too late to detect it at that point.”
IoT requires new security approaches
Shein said the constant communications and connectivity of internet-of-things devices don’t fit well with the traditional understanding of network security. So hoteliers need to think critically about how their solutions are set up and have a better understanding of how their vendors and partners approach security, as well.
“You need to consider third-party risk,” he said. “There’s almost no IoT device that will be directly controlled by you.”
He said hoteliers also need to be careful that they’re not deploying technology that has been abandoned by its developer, because any security issues discovered after that abandonment will be known to attackers but not solved by the developer.