Redefining the Importance of Secure Access for Hospitality

Redefining the importance of secure access for hospitality organizations starts with addressing the risks faced while also building a solid foundation to protect the CPS environment effectively.

Hospitality organizations are adopting more smart technologies with the goal of enhancing their guest experiences and streamlining operational efficiency. This digital transformation has paved the way for organizations to integrate more smart building and internet of things (IoT) devices into their environments to drive sustainability. Technologies such as keyless entry, smart room controls, lighting, security, and other IoT devices have provided more operational support through the use of advanced Building Management Systems (BMS).

These advancements have driven IT/OT convergence, which increases the attack surface. Several of the most notable attacks have involved global hospitality brands such as MGM and Omni Hotels. In both incidents, ransomware deployment was the primary attack method used against the companies. These types of attacks can often stem from the use of insecure remote access protocols, which allow threat actors to gain unauthorized access to systems and carry out their attack.

The challenge this industry faces is that many of these attacks can disrupt not only IT systems but also cyber-physical systems (CPS). Although remote access is beneficial to the interconnected hospitality industry, it also introduces greater security risks and expands the attack surface for companies. Redefining the importance of secure access for hospitality organizations starts with addressing the risks faced while also building a solid foundation to protect the CPS environment effectively.

Security Challenges within the Hospitality Industry

For hospitality organizations, the security challenges faced are complex and unique. A recent report on the Global State of CPS Security 2024: Commercial found that over 60% of the respondents who reported a security incident experienced financial losses of $100,000 or more. Some of the most common impacts respondents faced were financial loss, operational downtime, and loss of customer or partner relationships, emphasizing the far-reaching ramifications of cybercrime and advanced attacks against CPS.

Many hospitality organizations operate under a decentralized network structure that interconnects parent companies with franchised and third-party-owned properties. These geographically dispersed sites depend on a variety of IoT, OT, and BMS assets to govern their essential processes. They also often rely on third-party OEMs and contractors that require OT remote access, which can create critical security challenges and risks for companies. 

Traditional IT remote access solutions often fall short within a globally dispersed CPS environment. Conventional IT solutions commonly fail to implement role-based access controls effectively and to enforce access policies. This challenge can also contribute to poor password hygiene among third-party users and limit control of their activities within the environment. A lack of adequate access controls for third-party users can create more risk for hospitality organizations, leaving the CPS environment susceptible to malware attacks, system failures, unauthorized activities, and operational data theft. Traditional IT solutions used within OT environments also limit the ability to proactively manage the attack surface, creating more risk for companies.

Adopting a Zero Trust Framework to Minimize Risk

As organizations increasingly adopt new technology and devices become further interconnected, traditional perimeter-based security controls have become less effective. Within the hospitality industry, the reliance of systems across various geographic sites and third-party partnerships has driven security teams to look for better solutions for their remote access needs. This has led to widespread adoption of a Zero Trust model across countless industries with the goal to minimize operational risks for organizations for both their internal and external parties. 

The Zero Trust framework approaches remote access with the assumption that no entity should be trusted. This means that security teams must operate under the assumption that there are threats present on both sides of the network firewall. It requires teams to take additional measures so that no communication takes place until users are properly authenticated and authorized. By leveraging this model, organizations can maintain the objectives of reducing risk and minimizing their attack surface.

In hospitality organizations, a Zero Trust framework can support both the IT and OT assets within the environment. It provides security teams with the ability to better monitor third-party user activities and devices within their interconnected global network. However, Zero Trust goes beyond a security framework to support stricter remote access control for companies. It requires organizations to move beyond traditional strategies and take a hardware-free approach to asset visibility and exposure management.

Secure Access Controls to Remediate Third-Party Risks

Addressing the many challenges of third-party risk for hospitality organizations requires adopting OT remote access solutions that can proactively work within a diverse CPS environment. Centrally managing third-party secure remote access through a comprehensive solution simplifies the process and helps mitigate the risks associated with unmanaged and uncontrolled access. Here are some proactive secure access controls you can implement to better remediate third-party risks in your hospitality CPS environment:

  1. Alleviate complexities in training and onboarding third-party users accessing the OT network by streamlining the process via a platform that can facilitate quick access to it. Utilize authentication capabilities to shorten maintenance windows, providing rapid access to external users and streamlining processes to reduce errors and miscommunication. Employing the use of role-based access controls (RBAC) can also simplify processes by allowing administrators to easily define and manage user access permissions while tailoring roles to each third-party user’s needs.

  2. Minimize risk with access enforcement and termination policies for third-party users by implementing time-based access control, session timeouts, and restricted access duration. This ensures that limited access is only available when needed and that third-party users are managed effectively. Integration with identity providers (IdPs) and auto-user provisioning also prevents unauthorized access by allowing timely access granting and revocation.

  3. Address poor credential management by third-party users with a solution that stores credentials within a secure database. This prevents users from retaining direct access to their credentials, which can prevent unauthorized access, and lets administrators grant them varying levels of privileges for secure OT network access. It also allows for the safeguarding of passwords through vaulting for enhanced security and establishes user-level privileges to minimize potential exposure.

  4. Eliminate diverse remote access technologies with a purpose-built and unified remote access solution catered to meet the specific needs of the hospitality domain. This will operationalize the right balance between frictionless access and secure control over third-party interactions with CPS, thereby enhancing productivity, reducing complexities and risk, and ensuring compliance in complex and unique hospitality CPS environments.
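
The access controls in items 1 and 2 (RBAC, time-based access, session timeouts, restricted duration, IdP-driven revocation) can be combined into a single deny-by-default decision, sketched here as an added example that is not part of the original article and is not Claroty product code. The role names, site name, limits, and the `Grant` structure are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role -> permitted (asset class, action) pairs; constructed values.
ROLE_PERMISSIONS = {
    "hvac-vendor": {("bms", "view"), ("bms", "configure")},
    "lock-vendor": {("door-controller", "view")},
}
IDLE_TIMEOUT = timedelta(minutes=15)  # assumed session idle limit
MAX_SESSION = timedelta(hours=2)      # assumed restricted access duration

@dataclass
class Grant:
    user: str
    role: str
    site: str
    not_before: datetime     # start of the approved maintenance window
    not_after: datetime      # end of the approved maintenance window
    idp_active: bool = True  # account state as synced from the IdP

def decide(grant, site, asset_class, action, now, session_start, last_activity):
    """Return (allowed, reason). Deny by default: every check must pass."""
    if not grant.idp_active:
        return False, "account disabled at IdP"
    if site != grant.site:
        return False, "site not covered by grant"
    if not (grant.not_before <= now < grant.not_after):
        return False, "outside approved window"
    if (asset_class, action) not in ROLE_PERMISSIONS.get(grant.role, set()):
        return False, "role does not permit action"
    if now - session_start > MAX_SESSION:
        return False, "maximum session duration exceeded"
    if now - last_activity > IDLE_TIMEOUT:
        return False, "idle timeout"
    return True, "ok"

def sample_grant():
    """Constructed grant: one HVAC contractor, one site, a four-hour window."""
    day = datetime(2024, 1, 10, tzinfo=timezone.utc)
    return Grant("contractor-1", "hvac-vendor", "hotel-a",
                 day.replace(hour=9), day.replace(hour=13))

if __name__ == "__main__":
    g = sample_grant()
    t = lambda h, m=0: datetime(2024, 1, 10, h, m, tzinfo=timezone.utc)
    print(decide(g, "hotel-a", "bms", "configure", t(10), t(9, 30), t(9, 55)))
    print(decide(g, "hotel-a", "door-controller", "view", t(10), t(9, 30), t(9, 55)))
    print(decide(g, "hotel-a", "bms", "view", t(13, 30), t(13, 20), t(13, 25)))
```

Evaluating the decision on every request, rather than only at login, is what lets a window expiry or an IdP deprovisioning end a session that is already open.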

Purpose-Built Secure Remote Access with Claroty 

Today’s hospitality industry relies heavily on geographically disparate sites and support from third parties to ensure operational efficiency. Organizations must prioritize implementing advanced security solutions that adequately cater to the unique requirements of third-party OT remote access. This also involves recognizing the distinct differences between IT and OT environments to reduce risk. Traditional VPN-based methods and standard IT solutions fall short for managing third-party remote access in OT environments.

Purpose-built solutions like Claroty xDome Secure Access (SA) are designed to overcome the challenges associated with third-party remote access in hospitality networks. This is done by providing a centralized platform for efficient user management and secure access. By implementing a solution like Claroty xDome SA, hospitality organizations can enhance security, reduce the attack surface, increase operational efficiency, and drive greater sustainability. 

Claroty helps hospitality companies extend their CPS security controls to cover network protection, secure access, and threat detection use cases. By partnering with a comprehensive platform that supports the full CPS cybersecurity journey, hospitality organizations can more quickly and easily progress their CPS security and reduce their attack surface.
