Understanding the Challenges of IoT Security in Smart, Connected Hotels

IoT technologies effectively blend the physical and digital realms, creating personalized journeys that can delight guests and empower hoteliers to achieve unparalleled efficiency and productivity. However, the increasing number of connected devices also amplifies the potential attack surface for cyberattacks and data breaches.
By Mariana Rosen, research analyst, Starfleet Research - 6.20.2024

This article is excerpted with permission from the new research report IoT Security: Best Practices of Top-Performing Hotels and Resorts, independently produced by Starfleet Research with underwriting support from global cybersecurity leader Palo Alto Networks.

In the era of smart hotels, also known as intelligent or connected hotels, hoteliers are leveraging IoT devices and other technologies to revolutionize the guest experience. These technologies effectively blend the physical and digital realms, creating personalized journeys that can delight guests and empower hoteliers to achieve unparalleled efficiency and productivity.

Picture autonomous robots gracefully navigating hotel corridors, assisting guests with expert guidance. Imagine real-time room and inventory monitoring systems ensuring optimal service levels, eliminating the frustration of unavailable amenities. And envision lightning-fast check-in systems, enabling instant room access and liberating guests from long queues. Beyond enhancing the guest experience, smart hotel technology optimizes staffing costs, increases employee satisfaction, and engenders guest loyalty, enticing guests to return for future stays.

To a large degree, the future is already here. Today, according to Starfleet Research, more than three-quarters (76%) of hotels and resorts have implemented IoT technology for smart guest engagement and security systems. Additionally, there is a growing trend in sustainability solutions that use IoT technology, with almost two-thirds (64%) of hotels having deployed energy management solutions, connected lighting, and water monitoring applications to improve energy efficiency and reduce waste.

However, the increasing number of connected devices also amplifies the potential attack surface for cyberattacks and data breaches, which have been on the rise in the hospitality sector. Hackers have developed more sophisticated techniques, and IoT devices have emerged as a particular vulnerability in terms of security.

This is due to the diverse range of use cases across hotels, which adds complexity to the overall security landscape. In 2022, ransomware attacks in the hospitality sector reportedly witnessed an increase of 67% compared to 2021. According to SecurityScorecard, the hospitality industry ranked second to last, receiving an average grade of “D” in terms of overall cybersecurity performance. Ironically, among the low-performing entities, technology-focused hotels scored the lowest compared to other types of accommodations.

The security risks associated with internet-connected devices in the hotel industry are evident through a continuous stream of publicly reported incidents. To illustrate just a few recent examples: A North Carolina hotel encountered a breach in its payment system when a hacker exploited the hotel’s smart thermostat, using it as a point of entry. Another incident involved hackers stealing guest data from a smart vending machine. Similarly, a prominent hotel chain experienced a data breach that exposed the personal information of thousands of guests due to a vulnerability in its IoT-enabled check-in system.

In another case, an Australian hotel’s IoT-based security cameras were discovered to have a vulnerability that led to the exposure of sensitive details of numerous employees. Likewise, a French hotel faced a breach in which hackers stole the personal data of thousands of guests by exploiting a vulnerability in the hotel’s IoT-connected thermostat, which granted them access to the hotel’s network. A major hotel chain became a target of a ransomware attack that disrupted its operations across multiple countries, specifically targeting the hotel’s IoT-powered platform utilized for managing smart room services.

These examples highlight the growing difficulty faced by hotels in effectively safeguarding their networks against potential attacks. The sheer number of IoT devices connected to their networks can be overwhelming. Another challenge arises from the diversity of IoT devices in hotel environments.

Regrettably, IoT device manufacturers have not always taken all necessary measures to ensure their devices are adequately safeguarded. In fact, IoT devices are frequently shipped with vulnerabilities, run on unsupported operating systems, pose challenges in terms of patching, and lack encryption in communication, making them susceptible to attacks. More than three-quarters (76%) of survey respondents struggle to achieve visibility of all IoT devices on their networks.

In response to these concerns regarding IoT security, governments in the United States, Europe, and other regions have implemented a series of mandates and laws. Notably, the Internet of Things Cybersecurity Improvement Act in the United States and the EU Cybersecurity Act are significant examples. These laws compel IoT device manufacturers to take measures to protect against malicious attacks and data breaches. However, while the enactment of laws aimed at safeguarding internet-connected devices is crucial, it is not sufficient on its own.

The range of devices presents an additional challenge in implementing a one-size-fits-all security solution. Hoteliers also face challenges in keeping up with the pace of technological change. As hotels continue to adopt new IoT technologies to improve their operations, they must also ensure that their security measures are staying up to date. This is particularly challenging given the constantly evolving threat landscape and the need to stay ahead of cybercriminals who are constantly developing new attack methods. Finally, hoteliers face the challenge of balancing security with convenience. IoT devices are designed to make operations more efficient and convenient, but they also increase the risk of an attack. Hoteliers must balance the need for security with the convenience of these devices to ensure that they do not disrupt operations.

The following are brief descriptions of some of the biggest challenges that hoteliers face when it comes to IoT security:

Complexity: As IoT device types, uses, and numbers grow, so does the complexity of managing them all. Hotels and resorts must now manage a variety of different types of IoT devices, from different manufacturers, running different operating systems (some of which may be proprietary), with disparate management tools. This complexity creates operational challenges and increases the chances that something will be missed, leading to increased risk. According to the research, 73% of hoteliers view the complexity of their IoT ecosystem as a “major challenge” in securing their network and IoT devices.

Lack of visibility: IoT devices on a network need to be monitored on an ongoing basis to detect attacks or suspicious activity—a nearly impossible feat without the right technology. Less than one-third (31%) of survey respondents indicated that their organizations have “complete visibility of all devices, including quick and accurate discovery of previously unseen and unmanaged devices.” This lack of visibility can be a security nightmare for hoteliers as hackers can easily gain access to unmonitored devices and use them to collect sensitive data or launch attacks on other systems.

Varied security levels: IoT devices often have different levels of security, which can make it difficult to ensure that all devices are properly protected. For example, a consumer device might have basic security features, while an industrial machine might have more robust security measures in place.

Inadequate protections: Many IoT devices have inadequate security features, leaving them open to attack. Hackers can exploit these vulnerabilities to gain access to sensitive data, disable critical infrastructure, or even take control of the devices themselves.

Poorly designed networks: The way in which IoT devices are interconnected can create security vulnerabilities. Poorly designed networks can create “islands” of devices that can be used by attackers to launch attacks on other parts of the network.

Unencrypted data: In many cases, data collected by IoT devices is not encrypted, making it easier for attackers to access and use it. There are a few reasons why data might not be encrypted. In some cases, encryption adds complexity and cost to the device. In other cases, the device may not have the necessary processing power to encrypt the data.

Lack of standards: There are no universally accepted standards for IoT security, making it difficult for hotel and resort management to know what measures they should be taking to protect their devices.

Regulation: In some industries, such as healthcare and financial services, there are now specific regulations around the use of IoT devices. These regulations add another layer of complexity and can create additional challenges around compliance. In some cases, the regulations may conflict with each other, adding yet another level of complexity.

Insufficient resources: Implementing effective IoT security measures requires significant time and financial resources, including costs related to IT staffing and technology deployment. This may present a challenge for smaller hotels and other lodging properties as well as highly decentralized hospitality organizations.

Limited understanding: Even today, there tends to be a lack of understanding among some hotels and resorts about the risks posed by IoT devices and how to effectively mitigate them. This lack of understanding hinders their ability to address the challenges posed by IoT devices and implement appropriate security measures.

Taken together, these challenges shed light on why many, if not most, hotels and resorts remain susceptible to potentially severe attacks through IoT devices on their networks. These challenges also underscore the need for implementing advanced IoT security technology and measures. Importantly, more than three-quarters (76%) of hoteliers cite “technology shortcomings of [their] current security solution(s)” as a top challenge their organizations face in securing their IoT devices. By addressing these challenges, hoteliers can reduce the vulnerabilities associated with IoT devices and mitigate the risk of attacks.

IoT Security: Best Practices of Top-Performing Hotels and Resorts is now available for complimentary download.

Mariana Rosen heads up cross-vertical industry research for Starfleet Research, a world leader in benchmarking best practices in technology-enabled business initiatives, directing research analysts, overseeing project management and guiding the company’s custom market research deliverables. She comes to Starfleet Media with extensive experience as a senior research analyst, with subject matter expertise across multiple industry sectors. She previously served as a senior investment banking research analyst at Citigroup’s Corporate Bond Research Division, with over 100 published research reports and notes, including company initiations, industry pieces, and earnings recaps. As a labor of love, Mariana is pursuing a Ph.D. at the CUNY Graduate Center and is also a co-founder and editor-in-chief of Fine Art Globe.
