Making Sense of the Internet of Things in Higher EducationChuck Benson | Assistant Director for IT in Facilities Services, University of Washington
Internet of Things Systems, aka IoT systems, offer substantial potential for use in postsecondary environments. They can be used to enhance student, faculty and staff safety such through building access systems, provide energy management and conservation capabilities, and enhance learning environments. IoT systems also have broad application in research to include arrays of sensors and actuators that together can meticulously control and monitor research environments. However, IoT systems must be selected, procured, implemented and managed well in order to see the success of the IoT system investment by the institution.
Not only do IoT systems offer a potential value-add for an institution, they are also essential for the institution to be competitive with its peers and attract the highest caliber of faculty and students possible. This is particularly true in research institutions. Those institutions that do this well—select, procure, implement, and manage IoT systems—will have faculty that are satisfied with their systems. Notably, they will be satisfied with not having to spend their research and teaching time trying to keep their IoT systems running. These faculty will tend to be motivated to remain at that institution—and they will tell colleagues about how well things are going.
Universities and colleges that do not implement IoT systems well will tend to have faculty that are less motivated to stay because they are using valuable research and teaching time to keep their IoT systems, which are required for their work, operating well enough to support their respective endeavors. These faculty will have less motivation to stay at that institution—and they will also tell colleagues about how not-so-well things are going.
Because institutional experience with IoT systems implementation, management and support is still nascent yet evolving rapidly, it is easy for senior leadership to have misconceptions—or more commonly, a lack of awareness of some of the pitfalls of these systems when not planned, implemented and managed well. (It’s easier for leadership to see potential benefit of these systems because there are countless vendors knocking down their door or the doors of their respective staffs to say what is possible).
Below are five aspects of IoT systems that institutional leaders may not be aware of:
- The T in IoT is a Networked Computer
The “Thing” in Internet of Things, or the T in IoT, is a device that computes, is networked, and that interacts with the environment in some way, such as sensing or moving something. That is, that Thing—regardless of how small, embedded and unseen it may be—is a networked computer. As such, it has the same exposure to malicious online activity as any other networked computer, and often these Things are deployed by the hundreds, thousands or more. So, without thoughtful implementation and management, institutions can unwittingly be installing thousands of under-managed or unmanaged networked computing devices ripe for operational failure or malicious compromise.
- The T in IoT is a Device that has Many Different Components
An IoT device can have many different hardware and software components, and these components may come from many different sources. For example, a device might have a hardware sensor, a piece of firmware that communicates with that hardware, software for networked communication, software for multiple wireless protocols, a web service, business logic, encryption software, and others. Each of these could come from a different source—a large software developer, code developed in somebody’s garage, a company in a currently hostile nation-state, or elsewhere. We typically don’t know (and typically don’t ask) where these components come from or whether they have been vetted (by anybody)—and we may be deploying them by the thousands in our institutions. Because of scale of deployment, the issue of supply chain awareness, or lack thereof, can be particularly poignant in the IoT environment.
- IoT Systems Support and Management Is Not Free
For successful implementation, both in terms of ROI and cybersecurity, IoT Systems need to be appropriately configured and subsequently well managed. This includes all of the devices, possibly in the hundreds or thousands or more, and any supporting server and supporting client applications. Further, the underlying network supporting the IoT System has to be managed and resourced as well. Network segmentation is a popular approach to supporting IoT Systems. While this can offer benefits, the network segment also has to be managed. Institutions will continue to see growth in the number of network segments that must be managed.
- Central IT is Probably Not Managing the IoT System
Because IoT systems have so many different routes and purchase paths into an institution, without institutional oversight it is unlikely that the central IT organization can know about all of the IoT systems. In fact, it may not even know about many of the IoT systems. IoT systems can enter the institution through departmental purchases, minor or major capital purchasing, personal or institutional credit card purchases, or by other means. Once purchased, these systems may only need a wifi connection or network wall port to begin operation. Central IT may not have been included in IoT system selection—they may not even know that a new IoT system has been purchased and installed. Even if they do know, the central IT group may not have the resources to support the system on its networks.
- IoT Systems Vendors Need Clearly Defined Expectations
Institutions need to be specific in the selection and procurement process regarding exactly what the IoT systems provider will deliver as a part of systems implementation and what they will subsequently manage. For example, if the institution does not explicitly communicate that all installed devices should have default logins and passwords changed and unnecessary services disabled, there is no reason to assume that the vendor will automatically include this as part of the deliverable. Other aspects of the IoT systems deliverable could include network diagram, installation locations, as well as software and firmware version numbers, IP addresses, MAC addresses of all installed devices, patch plan, and other requirements.
These are just a few of the concepts that may not be readily grasped by senior institutional leadership. Indeed, it may not be readily grasped by most. IoT systems are different from traditional enterprise IT systems in many ways and institutions have very limited to no experience in implementing and managing these systems. Without thoughtful planning and oversight, IoT systems deployments run the risk of delivering a poor return on investment as well as exposing the institution to significantly increased cyber risk.
Benson is currently working on a book on IoT Systems Manageability for publisher Taylor and Francis.
Author Perspective: Administrator