An EDUCAUSE Review article in 2016 proclaimed that the Internet of Things (IoT) is here. Really? Yes, really. Is it just hype? No. Well, then let’s discuss what IoT is, how it can impact a campus today and into the future, and what we can do to leverage it, while being mindful of issues related to privacy, ethics, security, and more.
Internet of Things is a term used to classify systems where Information Technology plus Operational Technology are deployed together to gather data that can be leveraged for improved outcomes. Simply stated, IT + OT = IoT.
Here are some benefits that institutions can expect, leading to the term “smart campus”:
- Smart buildings. Building automation/management systems, sensors, and connections to HVAC, lighting systems, and cameras improve security and comfort, and reduce energy use.
- Smart stadiums. Consider Arizona State University’s Sun Devil Stadium, which uses wireless and broadband technology to improve or amplify the visitors’ experience. Smart parking notifies drivers of parking availability, with real-time parking meters updated every 15 seconds. Smart noise meters at the game capture real sound data by stadium section, and display them on video monitors to drive fan engagement and increased cheering. Push notifications notify the winners.
- Scientific instruments. IoT devices connect to scientific instruments in the pursuit of research and discovery.
- Smart transportation systems. These range from the “One Bus Away app” developed at the University of Washington, Seattle, to improve the rider experience, to deployment of future autonomous vehicles, including cars, buses, service, or emergency vehicles.
- Industrial control systems. These include supervisory control and data acquisition, electric grids, and power and water systems.
- Personal devices. From smartphones to fitness trackers to connected entertainment, these systems improve the student experience and quality of life.
- Internet of medical things. Implanted pacemakers, glucose meters, or infusion pumps on humans; instruments in a hospital room or operating room; and EHR/EMR systems gather data from devices and enable doctors or “things” to make decisions.
- Wayfinding systems. These allow campuses to leverage GPS information from students with their schedules to improve the student experience, and enable camaraderie among students.
- Smart health and wellness systems. At Georgia Institute of Technology, Atlanta, students can be encouraged to increase physical activity via a notification to their smartphones when the campus recreation center equipment is available and their personal schedules align.
Whether we realize it or not, IoT devices are on every campus. They walk onto campus every day, they live in buildings, they support scientific research, and they provide care for patients and students, while connecting to campus networks, administrative and operational systems and infrastructure, and the community.
Business officers at colleges and universities can work with campus leaders to determine the opportunities and challenges related to IoT on campus, as well as how the data can be used to meet their institutional mission, and improve student and researcher experience. They can determine the ethics of IoT data use, and then develop an action plan to embrace the opportunity, today and longitudinally, while protecting the campus from harm—physical, reputational, and financial. If wearable devices, cameras, or door locks are hacked, intruders can infiltrate the campus environment and cause physical harm. There can be reputational harm from these instances as well if scientific instruments are hacked, which affects the research community and the intellectual property of the university. And if IoT devices are hacked and allow access to administrative and financial systems, there can be financial harm.
Although this might seem like a tall order, campus leaders can begin by assessing the current state at their institutions, and developing tactical and strategic plans to make the journey to smarter campuses safer and more valuable for all.
Data Analytics and Ethics
In May 2017, the American Council on Education (ACE) convened a focus group of leaders in academia and industry to discuss how higher education executives could better use data to inform decision making. (For more on this topic, see “Data 411.”) The discussion included the challenges in building a smarter campus. Regardless of a college or university’s level of data analytics sophistication, the leaders agreed that institutions must continue to make investments in data infrastructure and human capacity in order to:
- Improve student outcomes.
- Promote equity and inclusion.
- Optimize resource strategies.
“A key component of a successful data strategy is a coherent plan to deploy actionable information so that leaders may implement programs and policies that promote student success,” says Stephanie A. Bond Huie, vice chancellor for strategic initiatives, the University of Texas System, who participated in the ACE workshop.
There are already many creative applications of IoT across academia to improve student outcomes.
One such project at Georgia Tech is leveraging IoT sensor input from the Campus Recreation Center equipment, correlated with the student’s class schedule, to notify the students of optimal times for them to exercise at the center. The goal is to engage the students proactively via their smartphones to increase their likelihood for physical activity. This can improve their physical health and well-being, which, in turn, can help enhance their psychological health and well-being—potentially leading to improved GPAs, retention, and graduation rates. This pilot deployment is one example of how IoT data can be used to improve student outcomes, while also optimizing resource usage at the recreation center.
As we look at leveraging IoT-related data to improve student outcomes, we must also consider the ethics related to their use. There are trust and privacy considerations when an institution captures information from connected personal devices. The data captured can relate to students, administration, visitors, and devices on campus—from smartphones, to connected scientific instruments, to connected vehicles.
There need to be clear policies and expectations regarding how the institution might use those data. If we correlate location-based data with housing and class locations, and then with GPA, the institution must have policies on how those data can be used and who might have access to them. It must make clear the rights that the students and visitors have on opting in or opting out of location-based data capture. Institutional review boards need policies on the allowable use of IoT-related data. If the data are used for a research experiment on campus, and are not anonymized, the board must determine if there are rules regarding how those data can be published in the future.
A workshop sponsored by IEEE, Internet2, and the National Science Foundation, held at George Washington University (GWU) in February 2016, focused on the need for end-to-end trust and security for IoT, and ethics. Similarly, Princeton University hosted a workshop in September 2017, led by its CIO Jay Dominick and the Center for Information Technology Policy, bringing together leaders from academia, government, and industry—from IT and security teams to policy leaders and provost offices—to discuss ethics related to IoT.
We must act consciously, and openly and transparently communicate with citizens who are impacted by the data, to engender trust and responsibility.
TIPPSS for IoT
There is also an increasing awareness of the need to address privacy and security issues regarding IoT data and devices. For instance, it is commonly held that CIOs have full knowledge of data flow and privacy. However, ethical approaches to student data tracking, collection, storage, and use go well beyond the legal parameters set forth in the Family Educational Rights and Privacy Act (FERPA).
Regarding security issues, many IoT devices are hackable. Digital door locks can be hacked, posing physical security risks in administrative and academic buildings, scientific laboratories, and living spaces. Cameras, too, can be hacked to affect security and privacy of individuals in their dormitories or classrooms.
In the February 2016 GWU workshop, more than 150 participants from academia, not-for-profits, industry, and government discussed the need for a Trust, Identity, Privacy, Protection, Safety, and Security (TIPPSS) framework for IoT. While such frameworks exist for employees accessing data and systems on campus, the trust and identity framework for “things” needs to evolve. TIPPSS considerations for systems deployed on campus include:
- Trust. Allowing only designated people/services to have device or data access.
- Identity. Validating the identity of people, services, and “things.”
- Privacy. Ensuring that the device, and personal and sensitive data, are kept private.
- Protection. Protecting devices and users from harm—physical, financial, and reputational.
- Safety. Providing safety for devices, infrastructure, and people.
- Security. Maintaining security of data, devices, people, and more.
Smart Management of a Smart Campus
For years, many campuses have been deploying sensors for improved facilities, such as lights that go off automatically when there is no movement in a room, and automated key locks. In some cases, these systems were the beginnings of IoT on a campus. Your opportunity is to get a handle on the smart technologies on campus, and to develop a management protocol for your increasingly connected campus.
Conduct an inventory of all IoT devices on your campus. Include academic buildings, dormitories, and even medical equipment used in academic medical centers, as well as surveillance cameras across campus. Also, consider wearables such as fitness trackers, transportation vehicles with sensors, and scientific instruments. You can use open source tools such as Shodan or Censys, which can find devices connected to your campus network. If you can find IoT devices on your campus with these tools, then anyone can. So, this is a signal to ensure that those devices are not discoverable or hackable. Some campuses have firewalls that block incoming connections to all devices to avoid external Internet access. In such cases, IT staff can use Nmap and Nessus security tools to scan the campus.
Assess the security posture of IoT devices on campus. The risk of these devices being hacked to infiltrate campus systems, or to be commandeered to attack other devices, is real. IoT introduces a number of risk vectors, from data privacy, to financial, operational, reputational, compliance, and safety and cybersecurity risk.
Professional hackers work around the clock to try to infiltrate campus systems and access individual financial information. Robots with the sole purpose of hacking into major college databases to steal student information or research run through millions of passwords per minute. In October 2016, hundreds of thousands of IoT devices, including cameras and printers, were used to launch an attack on a critical part of the Internet. The attack was a success, crippling the websites of major companies such as Amazon, Netflix, and Twitter for hours at a time. Campus websites, too, have been victims of these types of DDoS (distributed denial of service) attacks, affecting student registration and online class access.
Develop procurement and management processes for IoT devices on campus. Before a device is brought onto campus, or after you discover that it is on campus, there are management considerations to reduce risks to the campus infrastructure. Questions to ask include:
- Will the device be connected to the network?
- Is the device discoverable and hackable?
- Who will change the default passcode, and manage it over time?
- Is there a data feed or connection to a system/application/database on or off campus?
Create an IoT/smart campus risk management plan and execution model. Complete a TIPPSS framework and assessment to set a baseline. Each member of the campus IoT/cloud committee should review the TIPPSS risk to the campus from his/her perspective. Then, document the risk assessments and review on a periodic basis.
The management plan should also include restrictions on having IoT devices reachable from the Internet. Sometimes, vendors do not keep up with patching IoT security vulnerabilities, so allowing the Internet to connect to these devices can be a huge risk. Changing default passwords and maintaining general security hygiene are also essential. The plan should also include vendor management considerations regarding IoT devices to assess and address connectivity, passwords, and vulnerabilities, before devices are brought onto campus and connected to the Internet and campus systems.
Continue ongoing IoT systems risk and benefit assessments. Scan the campus at least quarterly, if not more frequently, and address any issues quickly. The TIPPSS framework and assessment, and ongoing plans should be reviewed and updated with new scans and assessments at least quarterly. Every institution needs to develop its own plan, based on the risks it finds and expects.
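The inventory, the procurement questions, and the quarterly review described above can be tied together by reconciling each scan against a device register. The following Python is an added example, not part of the original article; the register fields, addresses, device names, and the 92-day interval are constructed assumptions.

```python
from datetime import date

REVIEW_DAYS = 92  # assumption: "at least quarterly" read as 92 days

# Constructed register: one record per known device; the field names are
# assumptions that mirror the procurement questions above.
REGISTER = {
    "10.20.1.15": {"name": "rec-center-sensor", "internet_reachable": False,
                   "passcode_owner": "facilities-it", "default_passcode_changed": True,
                   "data_feeds": ["scheduling-app"], "last_assessed": date(2024, 1, 10)},
    "10.20.3.40": {"name": "dorm-door-lock", "internet_reachable": True,
                   "passcode_owner": None, "default_passcode_changed": False,
                   "data_feeds": None, "last_assessed": date(2023, 6, 1)},
    "10.20.5.8": {"name": "lab-camera", "internet_reachable": False,
                  "passcode_owner": "research-it", "default_passcode_changed": True,
                  "data_feeds": [], "last_assessed": date(2024, 2, 1)},
}

# Constructed result of an internal network scan: addresses that answered.
SCAN_HOSTS = ["10.20.1.15", "10.20.3.40", "10.20.9.77"]


def triage(register, scan_hosts, today):
    """Reconcile a scan against the register; return {address: [issues]}."""
    findings = {}
    for ip in scan_hosts:
        rec = register.get(ip)
        if rec is None:
            # A device found on the network that nobody has registered.
            findings[ip] = ["not in inventory"]
            continue
        issues = []
        if rec["internet_reachable"]:
            issues.append("reachable from the Internet")
        if not rec["default_passcode_changed"]:
            issues.append("default passcode still set")
        if rec["passcode_owner"] is None:
            issues.append("no passcode owner")
        if rec["data_feeds"] is None:
            issues.append("data feeds undocumented")
        if (today - rec["last_assessed"]).days > REVIEW_DAYS:
            issues.append("assessment overdue")
        if issues:
            findings[ip] = issues
    # Registered devices the scan did not see: retired, moved or offline.
    for ip in sorted(set(register) - set(scan_hosts)):
        findings[ip] = ["in inventory but not seen in scan"]
    return findings


if __name__ == "__main__":
    for ip, issues in triage(REGISTER, SCAN_HOSTS, date(2024, 3, 1)).items():
        print(ip, "; ".join(issues))
```

Devices with no findings are omitted from the result, so the output is the list the campus IoT/cloud committee needs to act on before the next review.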
There are many valuable opportunities to leverage IoT on a campus for improved efficiencies, a better student and researcher experience, and reduced energy use. There are also risks that need to be identified and addressed to make the smart campus a safe campus. IoT is here, and will continue to grow. We need to embrace it, and determine how best to leverage it today and into the future to make the smarter campus a safer and more enjoyable place for administration, researchers, faculty, and students alike.
FLORENCE D. HUDSON is special adviser to Next Generation Internet, Northeast Big Data Innovation Hub. She also serves on the editorial board of Blockchain in Healthcare Today.