By Dean Coclin
A few weeks ago, I stayed at a hotel in Las Vegas. I’m always nervous when I open the door to my room. What if it’s not as clean as I’d hoped? What if I discover something mildly disturbing? What I found this time wasn’t alarming, but it was surprising.
Opening the door to my room triggered an impressive display of the hospitality industry’s potential for a richer guest experience — the curtains began gliding open, the lamps slowly lit, the TV monitor switched on, displaying my name, the weather and some useful entertainment options. When I got hungry, a robot showed up with room service.
Instead of a wake-up call, I made some easy adjustments using my TV. With the click of a button, I set up a custom, automated experience to wake me at 6:30 a.m. The next morning, I didn’t wake to the sound of an obnoxious phone; rather, the curtains parted, the lamps slowly brightened, the news quietly came on, and the room cooled to 70 degrees — all without me saying or doing a thing.
THE HIDDEN COST OF AN AUTOMATED GUEST EXPERIENCE
A custom, automated experience like this one, however, doesn’t come without costs. Each internet-connected device presents a certain level of security risk. Even seemingly innocent devices can offer an open door into more sensitive areas of your network.
Unfortunately, our Internet of Things (IoT) devices haven’t been developed with security in mind. Most were even built without basic security features such as device authentication, the ability to change default passwords, secure update methods and basic firewalls. The fact that the hospitality industry uses the same devices that we use in our homes exacerbates the problem. Consumer electronics is a hypercompetitive market where devices are brought to the public as quickly as possible, and security sits quietly in the back seat.
Last month, a group of hackers exploited a vulnerability in the thermostat of a casino’s fish tank. Once in the network, they pulled the casino’s high-roller database of gamblers and sent it out through the thermostat and up to the cloud. If something as simple as a fish tank can be used to cause harm, how should hotels, casinos, cruise lines and others in the industry balance keeping a competitive customer experience with prioritizing strong security?
HOW TO MAKE THEIR STAY COMFORTABLE — AND SAFE
The answer depends on how much risk you’re willing to take. With the current state of IoT security, it’s impossible to avoid some level of risk. That said, you can mitigate security risks with the following recommendations:
1. Take inventory of your devices
Just being aware of what devices are connected to your network is a great start to mitigating risk. You should live by one simple rule: If it doesn’t need to be connected to the internet, don’t connect it. Even before that, make sure to buy from vendors that have been in the market for a while, rather than adopting first-generation products.
2. Understand the risk presented by each type of device
If a fish tank can help a hacker steal a high-roller database, imagine what he or she could do using some of the connected devices in your network. All it takes is one disgruntled employee or irritated guest and a little bit of IT knowledge to take control of your smart thermostats, irrigation systems, door keys or something else. These may seem like innocent devices but, in the wrong hands, they can seriously harm your business.
3. Find out how your devices handle authentication, encryption and integrity
How is your IT or security team protecting data as it travels between the device and the network? How are they ensuring that only trusted devices are connecting to the network in the first place? How are they verifying the integrity of the code sent during software updates? These are questions you could ask your IT team so that you better understand the current vulnerabilities.
4. Create and follow policies and procedures
Policies and procedures help you not only to stop attacks, but also to limit their damage when they happen. If you are compromised, disconnect all devices from the network and notify authorities; don’t power your systems down until authorities tell you to do so. Additionally, it’s always wise to immediately change default passwords and regularly update the device firmware/software.
5. Implement PKI and device certificates
A Public Key Infrastructure (PKI) solution can solve many of the aforementioned issues. PKI provides authentication, integrity, non-repudiation and encryption. So, when it comes time to authenticate a device, perform an over-the-air software update or encrypt communications between devices, PKI is the standard.
Now, you can delight your guests and keep them safe with automated experiences they’ll want to share — this article is living proof.