
Bridging the Gap: Cyber-Physical System (CPS) Security For Hospitality

Securing modern CPS environments in hospitality requires a proactive, CPS-specific approach to cyber risk management. Exposure management provides the structure and visibility needed to uncover hidden risks, prioritize by operational impact, and act without disrupting critical services.

Today's hospitality organizations run on cyber-physical technology. Digital keyless entry, smart building controls and self-service POS systems have changed the industry well beyond front-of-house service: integrating technology into the entire guest experience lets operators run more efficiently and meet sustainability targets.

As hospitality organizations accelerate digital transformation, protecting the cyber-physical systems (CPS) behind these objectives grows more complex. Properties now rely on an array of internet of things (IoT), operational technology (OT), and building automation system (BAS) assets that run their essential processes. Many of these devices ship without basic cybersecurity controls, so each one is another entry point into the network and another increment of risk.

The industry also leans heavily on third parties (franchisees, property owners, OEMs, contractors) to meet its operational, safety and sustainability objectives. Third-party access and asset visibility across many interconnected properties are CPS challenges that can compromise efficiency and safety, and they are challenges that most traditional security tooling was never built to handle.

Asset Visibility Challenges & The Importance of Business Context Across Global Properties

A comprehensive CPS cybersecurity program starts with in-depth asset visibility. Passive network monitoring has long been the default approach to CPS asset discovery, but it scales poorly across hospitality estates: it needs dedicated hardware at every site, long deployment timelines, and traffic-learning cycles that delay insight.

For an organization with a global footprint of properties, that means high cost and slow time to value. A more practical alternative is hardware-free active discovery, which queries assets directly and yields visibility and business context across commercial CPS environments within minutes, with no traffic learning or resource-intensive installation. One caveat applies to any active technique in an OT or BAS network: queries must use the devices' own protocols at a controlled rate, because fragile embedded controllers can fault on unexpected traffic. That is a constraint on tool selection, not a reason to stay passive.

Beyond discovery itself, hospitality organizations typically lack business context for the processes that underpin their operations: which operational processes, and which CPS assets beneath them, matter most to business continuity. That context is what later drives risk management workflows. Most solutions cannot attach business impact to a CPS asset inventory, and without it teams prioritize blind, with operational downtime, reputational harm, regulatory non-compliance, and safety incidents as the likely consequences.

How Third-Party Risks Challenge CPS Security

In the Global State of CPS Security 2024 for Commercial report, 33% of retail and hospitality respondents named identity and access management as the largest security gap to address. Many hospitality organizations operate under a parent-company brand across a decentralized global network of franchised locations and third-party-owned properties. The model delivers scale and flexibility, but it also creates remote access challenges that can compromise safety and security.

Decentralized network structures also make it significantly harder for security teams to enforce consistent controls across distributed sites and to reduce overall risk. VPN-based and other standard IT solutions for OT remote access, as used by third-party OEMs and contractors, add further risk: they cannot enforce fine-grained access controls, manage credentials effectively, or give deep visibility into what a user actually did during a session.

Many third-party contractors and vendors also need remote or on-site access to CPS environments. Traditional access controls are often inadequate in such shared operational models, which leaves both a risk gap and a visibility gap; in cyber-physical systems in particular, those gaps commonly remain undiscovered and unaddressed.

Why Traditional Vulnerability Management Falls Short

Traditional asset discovery and vulnerability management strategies often fall short in hospitality. Conventional IT tooling prioritizes by Common Vulnerability Scoring System (CVSS) base score rather than by exploit likelihood, which overwhelms security teams with a misaligned queue full of vulnerabilities that are not exploitable in their environment and never will be.

Critical exposures beyond known vulnerabilities, such as end-of-life firmware, internet-exposed devices, and weak password practices, are often missed altogether in traditional vulnerability management workflows. That leaves gaps on assets whose failure would affect supply chains, the guest experience, operational efficiency and safety, and those gaps are hard to remedy after the fact.

Operational context within the CPS environment is what lets teams address and prioritize asset vulnerabilities appropriately: the business impact of the asset is weighed alongside the severity of its vulnerability. Once that context is established, prioritization and remediation become far simpler. Teams therefore need to shift from addressing vulnerabilities by severity alone to including business impact and asset criticality.

Reducing the Attack Surface through Exposure Management

Because of the unique nature and shifting risk landscape of hospitality environments, organizations must evolve beyond traditional vulnerability management workflows toward managing their overall exposure to risk, with the aim of reducing the attack surface. A solution built around the operational needs of these environments, one that lets teams identify, assess, and prioritize exposure across their CPS, is key.

An exposure management program that works across dispersed sites must be tailored to the organization's real conditions: the complexity of its assets, its particular governance, and the business-critical operational outcomes of the CPS environment. To truly reduce risk, organizations should build CPS-specific exposure management programs designed to achieve three core outcomes:

  1. CPS Asset Identification – Gain full visibility into every CPS asset and its exposures across all IoT, OT, and BAS in the environment. Folding asset purpose into identification gives security teams deeper insight into how assets interconnect within the ecosystem and how business-critical each one is, and it surfaces hidden risks and blind spots that traditional asset discovery would leave undetected.

  2. Business-Centric Risk Assessment – Assess exposures by the operational criticality of the process and the potential impact on business continuity, so that risk is addressed by overall business impact rather than technical severity alone. Traditional methods over-weight severity scores for flaws that may never be exploited. Combining internal knowledge of process criticality with external threat data yields a prioritization model that is grounded in operational reality and responsive to an evolving threat landscape.

  3. Actionable Remediation – Give security and operations teams actionable insight into the CPS environment so they can remediate risk. Prioritizing exposures through a business-centric lens focuses remediation where it drives the greatest risk reduction and business value, and validated, context-aware findings enable practical, non-disruptive risk reduction at scale.
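As an added example, not Claroty's code or scoring algorithm and not something the post itself provides, the following Python puts the shift described above into a runnable model: a CVSS-only ordering beside a business-centric one that folds in exploit likelihood, exposures that never carry a CVE (end-of-life firmware, internet exposure, default credentials), and the criticality of the process each asset underpins, and then maps each exposure to a first remediation step. The inventory, the finding labels, the EPSS and known-exploited values, and every weight are constructed for the illustration and are not real data.

```python
"""Business-centric exposure scoring for a CPS inventory (added example).

All weights, thresholds and sample values are assumptions made for this
illustration; this is not a published model or any vendor's algorithm.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed weights: how much the asset's process matters to the business.
CRITICALITY_WEIGHT = {"safety": 1.0, "revenue": 0.8, "comfort": 0.4}
# Assumed weights for exposures that never get a CVE but still open the door.
EXPOSURE_WEIGHT = {
    "internet_exposed": 0.9,
    "default_credentials": 0.8,
    "firmware_eol": 0.6,
}


@dataclass
class Vuln:
    ref: str            # finding label; constructed, not a real CVE identifier
    cvss: float         # CVSS base score, 0-10
    epss: float         # probability of exploitation, 0-1 (assumed external feed)
    kev: bool = False   # present in a known-exploited catalogue (assumed feed)


@dataclass
class Asset:
    asset_id: str
    kind: str
    process: str                 # operational process the asset underpins
    criticality: str             # key of CRITICALITY_WEIGHT
    internet_exposed: bool = False
    default_credentials: bool = False
    firmware_eol: bool = False
    vulns: List[Vuln] = field(default_factory=list)


def exploit_likelihood(v: Vuln) -> float:
    """A known-exploited flaw is treated as certain; otherwise use EPSS."""
    return 1.0 if v.kev else v.epss


def technical_exposure(a: Asset) -> float:
    """0-10: the worse of (CVSS scaled by likelihood) and (configuration exposures)."""
    vuln_term = max((v.cvss * exploit_likelihood(v) for v in a.vulns), default=0.0)
    config_term = max(
        (10.0 * w for flag, w in EXPOSURE_WEIGHT.items() if getattr(a, flag)),
        default=0.0,
    )
    return max(vuln_term, config_term)


def asset_exposure(a: Asset) -> float:
    """Technical exposure weighted by how critical the asset's process is."""
    return round(technical_exposure(a) * CRITICALITY_WEIGHT[a.criticality], 2)


def rank_by_cvss(assets: List[Asset]) -> List[Tuple[str, float]]:
    """The traditional ordering: highest CVSS first, no context at all."""
    scored = [(a.asset_id, max((v.cvss for v in a.vulns), default=0.0)) for a in assets]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rank_by_exposure(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Business-centric ordering: likelihood, non-CVE exposures and criticality."""
    scored = [(a.asset_id, asset_exposure(a)) for a in assets]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def remediation_actions(a: Asset) -> List[str]:
    """Map each exposure to a concrete, non-disruptive first action."""
    actions = []
    if a.default_credentials:
        actions.append("rotate default credentials; enforce unique per-device accounts")
    if a.internet_exposed:
        actions.append("remove direct internet exposure; route vendor access via a broker")
    if a.firmware_eol:
        actions.append("plan replacement; until then segment and restrict inbound protocols")
    for v in a.vulns:
        if v.kev or v.epss >= 0.5:
            actions.append(f"patch or mitigate {v.ref} in the next maintenance window")
    return actions


# Constructed inventory for one property; every value is made up for illustration.
INVENTORY = [
    Asset("DOOR-101", "door-controller", "guest room access", "safety",
          default_credentials=True, firmware_eol=True),
    Asset("HVAC-BMS-2", "bms-hvac", "building climate", "comfort",
          vulns=[Vuln("FINDING-A", cvss=9.8, epss=0.02)]),
    Asset("POS-LOBBY-3", "pos-terminal", "payment", "revenue",
          internet_exposed=True,
          vulns=[Vuln("FINDING-B", cvss=7.5, epss=0.6, kev=True)]),
]

if __name__ == "__main__":
    print("CVSS-only:", rank_by_cvss(INVENTORY))
    print("Exposure: ", rank_by_exposure(INVENTORY))
    for asset in INVENTORY:
        print(asset.asset_id, "->", remediation_actions(asset))
```

Run as written, the CVSS-only view puts the HVAC controller with its 9.8 finding first and the door controller, which has no CVE at all, last; the exposure view inverts that, because a safety-critical device on default credentials and end-of-life firmware is a live entry point while a hard-to-exploit flaw on a comfort system is not. The remediation list for each asset is what the operations team actually needs to act on.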


How Claroty xDome Supports Your CPS Journey

When protecting your CPS environment, it pays to partner with a CPS security vendor that meets your specific needs, and that starts with knowing which criteria matter most to evaluate. The right vendor should align with the core outcomes above and support every use case, wherever you are in your cybersecurity journey.

Claroty's platform supports the full CPS cybersecurity journey for the hospitality industry, beginning with asset visibility and exposure management as the foundation. Claroty xDome is a comprehensive, modular platform designed to address every CPS cybersecurity use case.

The foundation of the platform, xDome Essentials, encompasses a broad set of fundamental capabilities that begin with asset visibility. From there xDome expands into exposure management, network protection, and threat detection. It is built to scale, offering advanced modules as your organization progresses along its CPS security journey.

Learn more about how Claroty can assist in your journey to CPS security by talking to one of our experts today.
