Consumers are growing more comfortable using smart devices at home and while traveling. Asking their Amazon Alexa, Apple Siri and other AI-enabled products to do everything from opening the front door, to turning on/off lights and playing music has become almost second-nature. There are even smart kitchen appliances that you can order to start making dinner while you’re on your way home. That means that offering similar experiences is becoming table stakes for the hospitality industry. However, realize that the more Internet of Things (IoT) devices you connect to your network, the more possible access points to your IT systems and data stores you open for cyber attackers. The onus is on you to harden your security posture, because for now at least, security is typically an afterthought among the device manufacturers.
That may sound ominous, and the risk is real. But I do not want to discourage you from deploying smart devices to create memorable guest experiences and improve customer service levels. In fact, if you haven’t started doing so, you are falling behind.
AccorHotels recently announced a smart room concept that leverages voice activation and IoT to transform the in-room guest experience. Features include a connected tablet guests use to adjust the room's lights, close/open the curtains, control all audiovisual equipment and even tilt the headboard. Similarly, some guests at Wynn Las Vegas can ask Amazon Alexa to control lights, room temperature, drapery and the television, and the hotel plans to add additional capabilities. Marriott is testing out voice-controlled systems in a number of its properties to serve guests who are more likely to search their smartphones for nearby restaurants instead of calling the concierge.
All smart devices, no matter what their functions, must connect to the Internet. That increases the risk of a data breach exponentially. To make matters worse, most were built without basic security principles in mind like device authentication, the ability to change default passwords, secure update methods and basic firewalls. Security is an afterthought, not a necessity, and that opens the virtual door to cybercriminals who are always looking for entry ways into the network.
Consider the findings of a recent survey by the Ponemon Institute and Shared Assessments Program. The resulting report entitled “The Internet of Things (IoT): A New Era of Third Party Risk” is not specific to the hospitality industry, but it does raise several red flags:
97 percent of respondents believe they will suffer a catastrophic IoT-related event within the next two years. 81 percent of respondents believe a data breach due to unsecured IoT devices is “likely.”
The report lists a number of reasons for this pessimism: the increase of IoT devices in the average workplace (nearly 25,000, up about 10,000 devices from last year); unsecure applications on IoT devices; and concerns over third-party contracts and control over the devices. And while the study found “some advances in third-party risk focused on IoT devices and applications from 2017, risk management in this area is still at a relatively low level of maturity.”
These findings should prompt you to ask two questions: Who would take advantage of such weaknesses in my network, and what damage could they cause? The answer to the former is anyone with motive and opportunity. Perhaps a disgruntled guest who happens to be a hacker. Or maybe a terminated employee with some computer skills. And the list of attacks is almost as broad.
The hacker can install “ransomware” like the WannaCry attack that crippled enterprise IT systems worldwide last year to lock out legitimate users until you pay a ransom. They can compromise the devices by installing firmware that turns them into remote-controlled bots. Then they can create a network of these compromised devices to create a “botnet” and launch a Distributed Denial of Service (DDOS) attack on an external target, or targets, like the 2016 Murai attack that took down several companies and educational institutions.
Your challenge is offering guests amazing experiences from IoT devices while maintaining your strong security posture. IoT devices create an expanded attack surface for the hospitality industry, which most properties are either unaware of or unprepared for. So, let’s examine what steps you can take immediately to ensure the safety and security of your IT systems, employees and customers.
Follow basic security protocols, like changing default passwords, and making sure to regularly update the firmware/software on all devices. You have (or should have!) these policies in place for any PCs, laptops and employees’ smartphones that connect to your network, and the same applies to IoT devices. Create and maintain an up-to-date inventory of all IoT devices so you know what you have in case of product recalls or manufacturer updates.
Ensure your IT department manages the devices, not a third party. In the event of a compromise, disconnect devices from the network and notify authorities as soon as possible. Do not power down until authorities tell you to do so.
You should only partner with manufacturers that take a “secure by design” approach to the development of their devices. That typically eliminates first-generation products and relegates you to only buy from vendors that have been in the market a while. The IoT industry is extremely competitive, with vendors rushing their products to market to beat their competitors. Make sure you do not sacrifice security for the sake of having the latest and greatest smart speaker or thermostat in your guest rooms.
Investigate how a vendor ensures the basic security requirements for data confidentiality, data integrity, and data accessibility. One effective approach is the incorporation of Public Key Infrastructure (PKI) using digital certificates. Digital certificates serve as the backbone of Internet security, even if you are not aware that you rely on digital certificates every time you browse the web.
Similarly, a PKI framework can provide assurances for IoT devices and the people who use them. This makes PKI a perfect match for the exploding IoT sector, providing trust and control at scale and in a user-friendly way that traditional authentication methods like tokens and passwords can’t do. Digital certificates used for mutual authentication can authenticate devices to other devices within or outside your networks, as well as authenticating users to devices behind the scenes with minimal-to-no user interaction. They enable safe authentication without the friction to the user experience that comes from user-initiated factors such as tokens and password policies. This protects all devices and networks from malicious actors, even if a data stream or data source were captured or compromised.
Digital certificates leveraging PKI also encrypt sensitive data to ensure only authorized parties can read messages in transit. Using code signing certificates, technical teams can securely patch IoT device firmware, including over the air updates in a similar fashion to how your smart phone gets updates. Code signing also enables secure boot of the device and the integrity of software to the device to protect against malicious files.
Be proactive in taking the necessary precautions before implementing any new IoT devices. Be sure to incorporate PKI into your IT security best practices and policies, and carefully vet any manufacturers before you source from them. You cannot force an IoT device manufacturer to adopt a “secure by design” mindset, but you can demand it of any that want to partner with you.