Protecting Hotels & Event Venues From Cyber-Physical Threats During Fall Conference Season

The Rising Threat of Cyber-Physical Attacks

Omni Hotels’ 2024 ransomware attack disrupted digital check-ins, locked out guests, and exposed 3.5 million records across North America; while the February 2025 Munich car attack left 39 injured on the eve of a major international security summit. Both incidents underscore that malicious actors cannot just target a venue’s digital or physical weaknesses, but the spaces where technological connectivity and public gatherings intersect. 

The increased connectivity of smart buildings and event spaces creates new attack surfaces that threat actors actively exploit. Hotels and convention centers increasingly rely on networked infrastructure to manage operations, which can include everything from HVAC and lighting systems to surveillance cameras and access control. While these interconnected building management systems (BMS) enhance efficiency and guest experience, they simultaneously introduce vulnerabilities that blur the already translucent line between cyber and physical security.

With over 75% of building management systems harboring known vulnerabilities and high-profile events drawing global attention, the convergence of cyber and physical threats can be disastrous for conference and eventgoers. Vigilance and integrated safeguards are critical for protecting people and infrastructure alike. Executives, event planners, and venue managers must contend with this reality as the fall conference season peaks.

The Converging Cyber and Physical Threat Spaces

Recent research from Claroty reveals that 75% of building management systems have known exploited vulnerabilities, with more than half insecurely connected to the internet. These systems, which control heating, ventilation, lighting, and security infrastructure in hotels and convention centers, were often designed decades ago when cybersecurity wasn’t a primary concern. Threat actors can exploit these weaknesses to gain unauthorized access, disrupt operations, or use compromised systems as entry points for lateral movement across networks—this is particularly concerning for hospitality venues where such systems are critical to day-to-day operations.

The federal government has taken notice. The President’s Council of Advisors on Science and Technology (PCAST) released a comprehensive report in February 2024 emphasizing that “America’s infrastructure systems were created and operated long before they acquired cyber dependencies,” with protections evolving unevenly over time. The report stresses that organizations must shift from pursuing absolute invulnerability to building resilience that controls the impacts of failures.

Understanding The Risk of Cyber-Physical Threat Convergence in Large-Scale Events

Fall conferences and trade shows create conditions where cyber-physical threats flourish. Large-scale events strain both physical and digital infrastructure while attracting significant attention. The National Institute of Standards and Technology (NIST) Special Publication 1900 (NIST SP 1900-207) emphasizes that cyber-physical systems – the integrated digital and physical infrastructures crucial to daily operations – require holistic security approaches addressing:

• Interoperability of connected building systems.
• Comprehensive protection across technological, physical, and operational domains.
• Layered resilience that ensures critical services continue despite adversity.

The integration of cybersecurity and physical security has reshaped how security professionals must operate, requiring coordinated approaches that address both visible and invisible vulnerabilities.

Building Integrated Security Strategies to Safeguard Large-Scale Events

Effective protection demands strategies that seamlessly integrate vulnerability assessments, physical security measures, cybersecurity protocols, and advanced intelligence tools. For hotels and convention centers hosting fall conferences, this includes:

• Evaluating networked building systems for vulnerabilities through comprehensive assessments.
• Implementing robust access controls spanning digital and physical domains.
• Conducting regular security audits addressing both cyber and physical dimensions.
• Maintaining situational awareness across all operational systems.

Security must adhere to proven principles: comprehensive, layered, redundant, integrated, and enduring. This means conducting threat and vulnerability assessments that evaluate both cyber and physical dimensions while maintaining awareness across all operational systems.

Forging a Safer Path Forward For Hotels and Event Venues During Conference Season

As fall conference season continues, the intersection of physical security and cybersecurity demands vigilant attention. Organizations hosting or managing conferences need partners who understand both the visible and less-visible aspects of today’s cyber-physical threat environment.

Organizations seeking to navigate this cyber-physical risk environment benefit from working with partners – like Convoy Group – whose deep operational expertise, combined with specialized skills in threat and vulnerability assessments, protective operations, security program development, and intelligence analysis, enables more robust and resilient security strategies.