The Internet of Things (IoT) is a vast network of devices that are connected to the internet, and, consequently, each other. Internet-connected devices generally sense, collect, process, and transmit a wide array of data ranging from consumer information to proprietary company data to infrastructure data. They use it to make real-time decisions or to effect a change in the physical world. Increasingly, people and businesses are leveraging IoT products, with the number of connected devices estimated to reach 25 billion by 2021. All this interconnectivity is expected to help organizations increase operational efficiency, improve the customer experience, grow revenue and achieve business agility.
Many hotels have already implemented some forms of IoT, such as centrally monitoring guestroom temperature through sensors installed in thermostats. This reduces energy costs by not cooling or heating unoccupied rooms. For guests, IoT offers a growing range of options that not only anticipate their needs during a hotel stay, but personalize the experience using an in-room tablet, smart speaker, or even their own smartphone.
While IoT can help transform the hotel stay experience, it can also introduce risk to property owners and guests. Many IoT-supported devices were manufactured with little to no cybersecurity protection in mind, making them vulnerable to threats.
Alexa, How Do I Know My IoT Device is Secure?
IoT devices are designed to perform a single function, which often means they have limitations in the areas of processing, timing, memory and power. These limitations mean IoT devices have fewer baseline security capabilities to guard against threats. Many of these gadgets lack the ability to be managed, updated and patched at scale, making them attractive to malicious actors who can exploit them, sometimes within minutes of connecting to the internet. Rapidly increasing use of insecure IoT devices has the damaging side effect of enabling cost-effective development of extremely large and widely distributed cybersecurity attacks.
A collective push for better cybersecurity standards around IoT is forming, particularly with regard to integrating such features from a manufacturing or pre-market standpoint. For example, Hospitality Technology Next Generation (HTNG) rechartered its IoT Workgroup earlier this year to address these very concerns as they apply to hospitality IoT use cases.
The State of California passed broad IoT legislation in 2018 that applies, with some exceptions, to “…any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” IoT devices sold after Jan. 1, 2020 will be required to have basic security capabilities installed, though details on those capabilities aren’t spelled out in the legislation.
In March 2019, the United States Senate introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, which would mandate that devices purchased by the U.S. Government meet certain minimum security requirements. It would also require the National Institute of Standards and Technology (NIST) to issue recommendations addressing secure development, identity management, patching and configuration management for IoT devices.
NIST’s Information Technology Laboratory, a globally recognized and trusted source of high-quality, independent, and unbiased research and data, supports a Cybersecurity for the IoT Program in its non-regulatory role. In advance of the legislative push that may come from the Senate bill, and continuing its work to support the IoT security focus found in Executive Order (EO) 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” technical experts in this program recently drafted a discussion paper, Considerations for a Core IoT Cybersecurity Capabilities Baseline.

It’s designed to seek consensus on basic security capabilities for IoT devices. In it they proposed eight core IoT cybersecurity capabilities that are thought to be important or vital for most IoT devices and could be used by IoT device manufacturers to guide the security capabilities they implement in their products (see figure below).
In advance of the ability to procure IoT with security standards built in, NIST’s National Cybersecurity Center of Excellence (NCCoE) is addressing IoT cybersecurity concerns in hospitality, building automation sensor networks, and protecting IoT devices against botnets and other threats. Working with technology partners – from Fortune 50 market leaders to smaller companies specializing in information technology security – the NCCoE is developing modular, easily adaptable example cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology.
Specific to IoT in the hospitality sector, NIST is exploring best practices and cybersecurity considerations for how physical access control systems (such as digital door locks) exchange and protect data and interact with a hotel’s property management system (PMS). We’re building out a cybersecurity reference architecture together with collaborating vendors, testing to make sure it functions as expected, and documenting it so PMS owners have a working example of modular cybersecurity features they can select as they begin to address risk.
A Call to Action
For many hospitality organizations, IoT is viewed as crucial technology to the future development of smart hotels, which will rely increasingly on the flow of data and information between guests and hotel management for improved stays. Whether good cybersecurity is manufactured into the product or applied after market, it’s important for device manufacturers and users alike to hold each other responsible and challenge their standards of security in the IoT space.
The efforts at NIST around defining core cybersecurity capabilities for IoT present a unique opportunity to influence how IoT devices are manufactured and sold. Hospitality organizations and trade associations with an interest in IoT should closely review the discussion draft and consider weighing in on the effort. Public comments are encouraged and welcomed.
Likewise, the NCCoE anticipates issuing a draft of its Securing Property Management Systems practice guide for public comment later this year. Anyone with an interest in cybersecurity for the hospitality sector can join the NCCoE Hospitality Community of Interest at any time to stay up to date on, or influence, current and future projects.
Be part of the conversation, or at a minimum, follow the progress of these initiatives to ensure that the IoT you’re purchasing and implementing for your hospitality organization incorporates core, baseline cybersecurity
©2019 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent. For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.