The attacks may breach critical systems and establish a presence within those systems (often undetected) that allows the attacker to inflict immediate and long-term damage.

Self-service automation (including check-in), room phones as hubs to in-room digital services, guest applications for mobile phones and fully tech capable meeting spaces are among the innovations being added, integrated and implemented in ways that could introduce more vulnerabilities. These new technologies will require monitoring to ensure they’re secure and available for use. Otherwise, the hotel risks frustrating its guests.

Does a hotel have a cyber savvy staff that’s able to meet the challenges of keeping its digital services running, while also managing aspects of cybersecurity related risk? This is a question that hotel owners and operators are increasingly being asked to consider. Fortunately, the hospitality industry can leverage an expansive network of people focused on growing an ecosystem of cybersecurity education, training and workforce development designed to prepare people to perform cybersecurity work that reduces organizations’ risk.

AN ECOSYSTEM OF CYBERSECURITY EDUCATION, TRAINING, AND WORKFORCE DEVELOPMENT
According to the CyberSeek, an online tool developed by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), to show cybersecurity supply and demand, between September 2017 and August 2018, there were 313,735 online job listings for cybersecurity related positions in the United States. To increase the number of skilled cybersecurity workers who can keep our nation secure, the Commerce Department established the National Initiative for Cybersecurity Education (NICE), which is overseen by NIST.

NICE is a partnership between government, academia, and the private sector working to energize and promote a robust network and an ecosystem of cybersecurity education, training and workforce development. NICE fulfills this mission by coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation and bring leadership and vision to increase the number of skilled cybersecurity professionals helping to protect our nation’s infrastructure.

To help create a workforce capable of meeting growing cybersecurity needs, NICE published a fundamental reference that offers a common, consistent lexicon describing cybersecurity work. The NICE Framework, NIST SP 800-181, supports consistent organizational and sector communication for cybersecurity education, training and workforce development. This includes a taxonomy made up of categories containing specialty areas. The specialty areas include at least one work role described via a superset of cybersecurity knowledge, Skills and Abilities (KSAs), and tasks.

Employers can view the NICE Framework as a workforce cyber skills dictionary to reference for tasks like assessing an organization’s cybersecurity workforce, identifying critical gaps in cybersecurity staffing, and improving position/job vacancy descriptions (as shown in Figure 1). 

                        
The NICE Framework has evolved over the last decade with more training and education providers communicating via its taxonomy and lexicon. As such, hospitality organizations, which are just beginning to commit to addressing cybersecurity workforce needs, will be able to leverage best practices and innovations already in use in other sectors.

ANSWERING YOUR ORGANIZATION’S WHAT, WHY AND WHO
As NIST’s National Cybersecurity Center of Excellence (NCCoE) continues its collaborative project to demonstrate stronger security measures within and around the property management system (PMS), we’re documenting the risks and building strong sample architectures while introducing work roles from the NICE Framework that perform the tasks to mitigate risks.

This NCCoE hospitality project demonstrates key security measures such as network segmentation; point-to-point encryption; data tokenization, multifactor authentication for remote and partner access; network and user behavior analytics; and business only usage restrictions. The measures are mapped to consensus based security references, such as the subcategories of the NIST Cybersecurity Framework (CSF). The CSF subcategories describe desired cybersecurity activities and outcomes. Every NCCoE project team identifies and documents, within each reference architecture, which subcategories and technical security and privacy controls are being addressed from NIST Special Publication 800-53 Rev. 4, Security and Privacy Controls.

Following this initial mapping to subcategories and controls that answer what and why questions about the reference architecture, the NCCoE offers some insight regarding who may be needed to build and maintain the reference architecture. It identifies the work roles from the NICE Framework most likely to perform the tasks needed to successfully implement the CSF subcategories.

The NCCoE Hospitality Project team will release Special Publication 1800-27, Securing Property Management Systems. All the information referenced here will be presented and available for public feedback. Hospitality organizations can consider adopting all or part of the practice guide reference architecture. They can also begin to explore whether their workforce can perform the cybersecurity work required by the identified roles. If their findings indicate a skills gap, NICE offers a maturing ecosystem with more resources pouring into cybersecurity education, training and workforce development. Most resources touch upon some aspect of the NICE Framework or the growing list of supporting materials being built around it.