Understanding the Opportunities and Risks of the Internet of Things Environment on CampusChuck Benson | Assistant Director for IT in Facilities Services, University of Washington
The Internet of Things, or IoT, is becoming an increasingly common phrase being used in IT circles both inside and outside of the higher education space. Broadly defined as interconnecting a wide range of everyday items via the internet, allowing those items to send and receive data, a shift to an IoT environment would transform the way colleges operate and change the way institutional IT teams work. It would also create a completely different risk environment. In this interview, Chuck Benson shares his thoughts on the benefits that IoT could bring to campus, and the risks leaders need to keep an eye out for.
The EvoLLLution (Evo): What does the Internet of Things mean in the context of higher education?
Chuck Benson (CB): Postsecondary campuses are unique because they offer so many different services. People live, eat, sleep, visit, study and work there. They have their own police departments and local government. Beyond the academic mission of learning and research, higher education institutions are very much like small- to medium-sized cities. An Internet of Things (IoT) system spans and services all of that from an infrastructure point of view.
For example, in energy management, smart meter technology is being implemented to measure power utilization across campus. That’s a very different way of doing business because, at one time, higher education campuses would measure one or two energy readings coming on to campus (from the city provider or locally generated) and divide it out amongst everybody. Now, you can measure individual buildings, floors and spaces across campus and you can track energy use more specifically, which changes facilities management models, allowing institutions opportunities for optimization via HVAC and lighting controls (for example), cost savings, more equitable distribution, and increased competitiveness. This changes the environment.
IoT systems can be used to improve the institution’s safety systems as well. They can facilitate systems like building access, facilitating card swipe or other kinds of identity monitoring to get into a building. This has a direct impact on student, faculty, staff and public safety. IoT systems can also transform the value of instructional learning systems by facilitating the capture and production of video and sound, not just in lecture halls but in meeting rooms and conference rooms across campus. (And also potentially violate privacy if there is not thoughtful policy and technology implementation).
Thoughtfully selected, procured, implemented and managed, IoT systems expand the breadth and depth of what higher education institutions can do.
Evo: What are a few of the most significant risks institutional IT leaders need to be aware of with the movement toward an IoT environment?
CB: There are some substantial risks involved with integrating and embracing an IoT environment. It’s important to note these aren’t risks that suggest the sky is falling—instead, I want to convey that the implementation approach that higher ed institutions choose matters.
If we want to categorize higher ed institutional risk into two high-level areas, one is the possibility of not seeing a return on investment as a result of not implementing well. We’ll purchase the system, spend the time and money it takes to implement the system, then it doesn’t work and it doesn’t deliver on its promise. That’s lost ROI. It’s money down the drain and, worse, it will influence the procurement of future systems that could have offered substantial value add.
Another risk area is cybersecurity. If we don’t implement these IoT Systems well, higher ed institutions can actually make their cyber risk profile worse because, within an IoT system, each of those little, often unseen, networked endpoints is a computer. The “thing” in the Internet of Things is a device that computes, networks and interacts with the environment. Pay special attention to those first two elements: computing and networking. When we introduce these IoT systems in a single contract or purchase, we can be installing hundreds or thousands or more tiny, non-traditional, often hidden-from-sight networked computers.
IoT systems are different from traditional IT systems. I think about those differences in five significant ways.
First, there are so many devices. While there are many prediction pundits, something they generally have in common is projections of tens of billions of devices in the next few years and ongoing exponential growth beyond that. There are more devices than we’ve ever seen before and they are coming onto our campuses faster than ever.
Second, there’s a high degree of variability between these devices. Many do very different things and are made by many different manufacturers. What’s more, there are multiple hardware and software manufacturers housed within any single device and there are many types of devices. There’s huge variability and that does not lend itself to easy risk or operational categorization.
Third, we don’t have great language for talking about IoT systems yet. These aren’t traditional enterprise systems, where we may have rack servers over here and endpoint desktops and laptops over there. That’s a traditional way of thinking about these things. IoT systems aren’t traditional and we don’t have mutually shared language for discussion, planning, or risk mitigation yet.
Fourth, these systems tend to span multiple, often silo’d, organizations within an institution. This is a big one because it’s powerful and insidious. For example, a higher ed institution could install an environmental control system for research areas. The central IT group will be involved, facilities management will be involved, and the end users—the PI’s, the researchers and the students—will all be involved. Some local IT staff will also be involved and multiple vendors will be involved. So ultimately, you have numerous parties involved in bringing that system to bear and between each party you create this crack or gap, and with it an opportunity for failure of accountability and ownership. We have to see that and we have to start looking at this whole system that spans many organizations to find these cracks.
The fifth thing that makes IoT different is that these endpoints tend to be out of sight and out of mind. It could be sensors in the building, sensors in the ceiling or something that’s outside. Traditionally, you would go into a data center and look at your rack of servers—even a rack of virtual machines—and you can mentally picture all the endpoints. I can see them, I know I need to manage risk for all them. But when we’re out and about on campus, we don’t have this mental picture of managing that risk.
Those are five big differences about managing and working with IoT systems that add substantial complexity and interdependency between these different systems. The toolsets that most IT groups have developed were built to solve different kinds of problems, problems from 10 years ago. Most of those problems are still there, but we have a new set of problems now with IoT Systems and the traditional toolsets are insufficient for that task.
Evo: How can IT leaders work to minimize these risks?
CB: The first thing we can do to minimize and mitigate risks in the IoT environment is to raise awareness to senior campus leadership— not just IT leadership, but across the board to the risk office, the president’s office, and the regents and trustees. They need to have some awareness of the realities of the IoT environment because we want to start minimizing these risks. This will take some time and will require us to start developing and sharing some business language so that senior leaders are conversant in this new type of risk, which also affects existing risks. Important to note, the advent of IoT risk does not mean that the existing risk disappeared. The other existing risk is still there—we just want to get IoT risk at the table.
Another part of this is how we interact with IoT system vendors. We want to raise our expectations of those vendors and reset the bar for how we define deliverables. If we don’t do that ourselves, the vendors will understandably look out for themselves and define these elements of this emerging space on their own terms. We need good partnerships with vendors, but the way our market economy works means they will optimize for themselves first. We have to raise the bar by clearly defining our expectations – so that we understand them and our vendor partners understand them. One critical part of the array of deliverables we need to ask for is an architecture diagram. When we partner with a vendor, they come on to our campus and put their systems in, and we’ve given them our IP addresses—our network backbone—in a show of trust. We need to have a work artifact, an architecture diagram, upon completion so our team clearly knows where all these things are, where all the IP addresses are and how this IoT System is configured so that we can manage the system after the implementation. This is not being anti-vendor at all—we need vendors to provide capabilities and services that we cannot sustainably produce internally. I just want to raise the bar with the partnership.
Another aspect IT leaders need to work on is the trajectory of an IoT System implementation, from the selection to procurement processes to implementation and system management. Often, IT systems get purchased without the central IT group’s involvement. It’s critical that central IT is part of these purchasing decisions to help provide guidance to the teams that need the tools. Another option is that non-central groups develop that critical IT expertise, but I think that is unlikely given the resources required for the subject matter expertise that group needs to be competitive. One of the things that campus constituents can do is help central IT—and central leadership in general—make better decisions regarding system selection, procurement and implementation.
Finally, tying all these pieces together is some kind of governance structure. We have to recognize that an IoT system is different than traditional enterprise systems. These IoT systems can span multiple organizations, which may or may not have a history of working well together within the institution. We need to develop a governance structure that manages all these relationships and sets the expectations around accountability, responsibility and outcomes.
Evo: Looking long term, how do you expect higher education institutions to transform with a successful shift to an IoT infrastructure?
CB: There are two rough trajectories for how an IoT infrastructure could evolve at a higher education institutions. There are, of course, an infinite number of possibilities in between, but two rough ends of the spectrum. On one side, we can have a well managed, risk-mitigated infrastructure. At the other extreme, stuff just shows up on the network as different teams and departments make their own purchases and we just don’t know what’s on our networks, in our space.
What we want to do is develop a well managed system so that we can better handle unexpected additions while mitigating risks. We’re not going to ever eliminate risk, but we can do things to help mitigate that risk.
To change the way we look at how we govern our system in an IoT environment is going to take some work. The more we can introduce language early on and get senior leadership talking about the realities of an IoT environment and how it ties into other risks (as well as competitive advantage), the better we’ll be.
Many universities have this as one of their risk items—they want to be competitive and attract the best faculty and the best grad students they can. To do that, you have to provide faculty a great research environment and a great research environment can be facilitated by some of these IoT Systems, like environmental control systems. If a researcher goes to an institution and those systems are working really well, with a secure and risk-managed back-end that’s probably invisible to them, you’re providing that researcher with a good experience. They can spend their time doing their research instead of monkeying with a broken technology system. On the flip side, if they go to an institution where the systems are either non-existent or broken, they spend their time wrestling with trying to get a broken system running as opposed to doing their research. That kind of experience ties into faculty and grad student recruiting and retention efforts, which is a risk item of its own. So, when we’re talking about IoT systems risks, it’s a good idea to tie that conversation back in to other risks institutional leadership has already identified and understood.
Author Perspective: Administrator