Category Archives: IoT Systems

Creating IoT Systems Manageability – A Risk-Managed Set of Networked Things

To achieve IoT Systems ROI and to ensure non-degradation of an institution’s existing cyber-risk profile, IoT Systems must be manageable. In turn, in order to build IoT Systems manageability, institutions will need to manage their IoT Systems risk with non- traditional approaches that includes assigning IoT endpoints (the ‘things’ in IoT) to risk categories that can be independent of the underlying technologies and vendors.

IoT Systems are increasingly complex to implement, manage, and to establish system ownership in institutions, whether cities, Higher Education institutions, or corporate campuses. In turn, an institution’s IoT Systems Portfolio – a systems of systems – rapidly deepens the complexity. We will need to tackle the problems and challenges in new ways and with new organizational concepts if we are to have an opportunity for well-managed and reasonably risk-mitigated systems. This includes thoughtful inter-organizational planning, partnerships, and development of a more common language between central IT, distributed operational organizations and departments, and vendors. Further, this will be required to establish system ownership and management plans between organizations such as facilities organizations, central IT, research groups, vendors, and others. One step toward this objective is identifying things to be managed independently of the technologies and vendors implementing them — a Risk-Managed Set of Networked Things.

Central IT won’t own all of the IoT Systems

Traditional enterprise network and system management tools, staffing models, and even language are ill-equipped to address this rapidly changing technology. Historically, network and system management tools have all been within the purview of central IT. Central IT will not be able to keep up with the accelerating growth of IoT Systems across an institution. Just like central IT organizations cannot manage every user/academic/business application on their networks (or even many of them), central IT will not be able to support all of the IoT Systems either. Business owners — operational (academic in the Higher Ed case) and administrative — will have to share that load. That’s better for them too — they are closer to the problem and have a truer understanding of desired outcomes from the system. Implementing this coordination across two or more organizations in the institution is new work though. There are not great precedents for this. Institutions, particularly Higher Education institutions, are known for their bureaucracies within bureaucracies, entrenched ways, and “cylinders of excellence..” (aka silos) .

system of system of systems ...

system of system of systems …

In a similar fashion facilities management organizations have substantial skill sets in building in and integrating equipment into built environments whether they are buildings or spaces. However, facilities management organizations don’t have network design, implementation, network management, and traditional server management skill sets. Finally, while operational departments, whether acting independently or in collective partnerships with other operational departments, know what they want systems to do and comment on performance, they do not have the required skill sets that facilities management and central IT groups bring to the table.

This organizational-spanning nature of IoT Systems in institutions make establishing ownership and a post-implementation management plan particularly challenging.

Designing for & building IoT System manageability

The growth in institutional system count, system complexity, and system interdependency makes for rapidly evolving systems management and owner environments for Higher Ed institutions. We have to take definitive steps to make things more manageable. That is, we have to design for system manageability. Applying historical and traditional tools and organizational approaches to this rapidly changing environment will no longer be sufficient.

A core component of any framework to facilitate manageability is a language, or at least shared concepts, that support it. In turn, a substantial objective of that shared language development (shared, for example, between central IT, facilities, and operational users) is to develop structures that make the systems more manageable. This sounds obvious, but in our complex environments and with our dwindling availability of time and cognitive bandwidth, it is easy to lose sight of this objective.

Agreeing on what is being managed

Before different organizations within an institution can establish those manageability- facilitating-structures and figure out how to partner, establish ownership, and mitigate risk to institutional systems, they have to be able to mutually identify and agree upon what is being managed. What is the set of things — devices, systems, spaces, buildings, infrastructure, etc — that we care about managing, from both operational and risk mitigation standpoints?

In days of relatively simpler systems, sets of networked things/devices to be managed were often defined by the network itself and/or systems on the network and/or the particular brand of technology supporting the network. Further, these networked things/devices were typically run by central IT organizations and these organizations were comfortable with using locally understood network terminology and concepts to define that set of things. Examples include — devices/things on a particular subnet or set of subnets, devices/things behind a particular firewall, on a particular VLAN or VRF, etc.

These examples above don’t mean much to potential system owners that are business organizations and/or academic organizations. The terms used are way too abstract, jargon-y, and/or colloquial. The cross-organizational planning and coordination needed for IoT Systems implementations and subsequent management cannot occur if participating groups can’t mutually identify what is to be managed.

Also problematic in trying to apply these old approaches of identifying things and systems to be owned, operationally managed, and risk-managed is that it is easy to slip into the high-granularity/high-entropy of technical details when the initial conversation is simply identifying and agreeing upon what is to be managed. Because these new and rapidly evolving technologies are increasingly complex, requiring increasingly deep technical skill sets, conversations in technical detail can be challenging even for technical professionals and effectively useless for potential academic and business partners and systems owners.

Finally, sets of things/devices to be managed might involve multiple technologies — eg maybe partially wired, partially wireless/near-field, on a VRF, behind a firewall, etc. So using a technology as a defining mechanism is further unhelpful. While a particular technology or network might happen to align well with a business need for defining a group of assets to be managed, we don’t want to start with that assumption.

IoT System Manageability Groups – A Risk-Managed Set of Networked Things

To address these shortcomings, we can consider a Risk-Managed Set of Networked Things (RMSONT). In this approach, we work to establish sets of networked things based on what best enhances manageability of the system. This is independent of underlying implementing technologies, particular vendors, and existing organizational charts.

What constitutes IoT System manageability?

A managed IoT System will have at least these attributes:

  • the IoT System was selected methodically and with purpose
  • the IoT System is named & known
    • the system has a common name that is known, shared, & published to participating parties (eg central IT, facilities management, operational departments, etc)
  • devices/things of the IoT System are enumerable
  • that is, via network process the device can be known and named
  • IoT System owners identified
  • IoT System component owners identified
  • satisfactory system performance is defined
  • system performance is measured
  • system performance is reviewed by business owners and systems support providers
  • estimates of total costs are established and shared — includes IT and Operational Technology (OT) costs
  • other

What are the qualities/attributes of a thing/device?

Things/devices in IoT Systems have at least these qualities or attributes —

  • a location
  • a function (what is it supposed to do)
  • an IP address; a MAC address
  • a power requirement
  • an associated data aggregator or controller
  • supports a user, users, or population (department, organization, constituency, etc)
  • rate of failure (estimated or known)
  • other

Creating a Risk-Managed Set of Networked Things

The #1 goal is to build and enhance IoT Systems manageability. A risk-managed set of networked things is established to create a manageable group. This could be a group managed by the business consumer or an institutional service organization such as facilities management or central IT — whatever best facilitates system ownership and management.

Multiple sets of risk-managed things can be created to facilitate overall system manageability. One example of a set of risk-managed sets might be:

  • law enforcement/security office owns and manages a set of networked video cameras (possibly with support from central IT, facilities management, local IT, vendor, etc)
  • in an academic setting, a researcher that uses a specialized HVAC IoT System with sensors, actuators, and data aggregation to provide tight environmental control of their research environment might be a logical choice to own that system
  • a metering system might best be managed by the institution’s energy management office
  • a building manager might have a risk-managed set of networked things local to their particular building, but of different types of things— surveillance cameras, energy management system, etc

In general, getting those most familiar with the IoT System’s performance expectations and actual performance into a system management role is probably a good idea.

As we talk about sets of things, and particular kinds of sets of things, we can borrow lightly from the mathematical idea of groups.

As I understand it, mathematical groups are:

  1. Sets of things
  2. These things abide by or participate in some set of rules

A selected set of things abiding by a certain set of conditions & operations …

Similarly, a Risk-Managed Set of Networked Things, can be:

1. A set of networked and computing things/devices (that interact with the environment)

2. These things/devices participate in or are governed by some sort of network management processes and human management processes — eg automated network device enumeration/inventory, device health/responsiveness, etc


RMSONT – A Risk-Managed Set of Networked Things


You gotta keep ‘em separated (or not)

To borrow from Offspring’s social commentary (and popular song) on gang membership, colors, and violence in Come Out and Play, the theme of IoT Systems and network segmentation seems to be, “you gotta keep ‘em separated.” The problem is that that is not as easy as it seems.


tie your own rope, tie your own rope, tie your own rope (hey!)

Network segmentation has been all the rage as an answer to IoT Security and risk mitigation. However, as we’ve seen, network segmentation alone is not sufficient. Risk-managed sets of things need to be thoughtfully chosen, the rules and operations supporting that set of things needs to be thorough, and systems owners thoughtfully coupled with systems in order to achieve manageability.

We can manage IoT Systems within our institutions. And we can manage portfolios of IoT Systems within our institutions. However, we need to acknowledge that these are different kinds of systems and that our existing traditional IT systems operational and risk management approaches are likely insufficient. From that point we can sculpt and evolve new management approaches that facilitate successful, well-managed IoT Systems portfolios.

Understanding data expectations is essential to IoT Systems & Smart City/Campus success

One of the subtle but powerful factors affecting IoT Systems implementation and management success in complex organizations such as a smart cities and smart campuses is the change required in becoming a data centric organization. In most cases, this is not a small transition. The evolutions of these cities and institutions has been from a place of relatively limited data – and certainly not ubiquitous data – available across multiple contexts. When an organization begins to shift, or seeks to shift, to an organization where data production, acquisition, consumption/analysis, and management are core to its operation and to its perception of self, subtle but powerful cultural and organizational change is required.

Data generation and/or acquisition is a major component in almost all IoT Systems that may be deployed in support of smart cities or smart campuses. It’s where the money is, so to speak. The challenge is that the expectations of data from the many constituencies and consumers can vary in significant ways and these variances in expectation, in turn, influence perceptions of IoT System, and hence smart city system, success. Further, early IoT System implementations that are viewed as failures in support of a smart city or smart campus not only mean lost investment on those particular systems, but also that these failures will (understandably) make constituents wary of funding or deploying subsequent systems.

Reflecting on and planning for what our expectations of data are in our different constituencies and contexts can go a long way to helping us identify what successful IoT Systems implementations and smart city deployments might look like.

A framework for an organization’s expectations of data

University of Washington researchers Brittany Fiore-Gartland and Gina Neff have proposed a framework for considering those data expectations in the context of health and wellness data that we might borrow from in considering IoT Systems data in smart cities and smart campuses. In their paper “Communication, Mediation, and the Expectations of Data: Data Valences Across Health and Wellness Communities,” Fiore-Gartland/Neff introduce the concept of data valences.

The authors identify six data valences:

  • self-evidence
  • actionability
  • connection
  • transparency
  • ’truthiness’
  • discovery

I’ll briefly describe these valences as I understand them and then suggest how they might be applied to an IoT System/Smart City System such as an energy management or smart grid system.

self-evidence valence

My interpretation of the self-evidence valence is that data is context-free or at least appears that way. The context-free-ness notion conflicts with the popular assumption of interpretation or mediation being required to make data meaningful as the researchers point out. My own opinion is that data does indeed need mediation to be relevant. In my mind, data without mediation devolves to the ‘just because’ answer. (While this can apply in parenting, eg ‘because I said so,’ it is extremely narrow in scope and its effectiveness has a much shorter timeline than I anticipated).

actionability valence

Actionability refers to the expectation that the data does something or drives something. From the context of the data consumer, can that data be used to do something meaningful for that consumer within their context? Fiore-Gartland/Neff give the example of a physician being presented with self-collected patient data. This may well not be “clinically actionable” because the physician has no basis for comparison or reference.

connection valence

This valence identifies data as a ‘site for conversation.’ To me, this one is particularly meaty. Because regardless of all of the other (important) valences, the connection valence draws people to the same table to discuss data for one reason or another. An example given in the paper is that of a home patient contacting their case manager about data being collected as a part of the telemedicine system. The call was not particularly important regarding the telemedicine question, but rather because it provided an opportunity for the case manager and patient to connect and share other information (which might have been written on the margins of a legal pad).

Even if the data-discussion reasons are possibly simple or seem unrelated to ostensible objectives, people are still showing up for whatever reason and in the course of that showing up, other things are shared and communicated. I believe that is a powerful valence. And possibly not easily quantifiable.

transparency valence

The transparency data valence is pretty much what it sounds like. It’s the idea or expectation of real or perceived benefit of data being “accessible, open, sharable, or comparable across multiple contexts.” As the researchers state,“Making data transparent across communities is one set of values or expectations.” The transparency valence also introduces the idea that when there is data transparency, when it is indeed shared across contexts, then new questions around ownership, access, and confidentiality present themselves. And from my perspective, addressing these new questions/issues is important work and requires some resources – time/effort/maybe dollars – and that has to come from somewhere.

truthiness valence

Stephen Colbert introduced the word truthiness during one of his shows. He uses truthiness, or the Dog Latin version “veritasiness” to describe something that feels right or just seems right, often regardless of facts or evidence. (Self-referentially, I think the idea of ’truthiness’ itself also seems right – most of us think, “yes, I understand what truthiness is. I don’t know why, but I’m pretty sure I know what it is.”

So the truthiness data valence has to do with the data quality of feeling right or seeming right.

discovery valence

Per Fiore-Gartland/Neff, the discovery valence “describes how people expect data to be the source or site of discovery of an otherwise obscured phenomenon, issue, relationship, or state.” This is not inconsistent with the popular notion of Big Data — which generally goes something like, ‘because there’s so much data there, there’s got to be something there – patterns, knowledge, etc and we can find it intentionally or accidentally’. I’m not saying that I subscribe to this, but it seems right (see ‘truthiness’ above).

Data valences in an IoT System example – smart grid

Because I’ve spent some time working with and reflecting on the challenges of implementing and managing a long-term institutional energy management system and the associated cultural and organizational challenges needed to be effective, the data valences idea proposed by the authors has made for highly relevant conversation.

So how might the six data valences reveal themselves in an institutional energy management system such as a smart grid system or a part of a smart grid system — themselves IoT Systems? Below is my take on how each of these valences might come into play in this context.

self-evidence valence in energy management data

My initial reaction is that I don’t see this valence playing out particularly well here. This energy management data sourced from thousands of energy sensors across an institution needs to have context and be interpreted to have relevance. Also, the data is too new and unfamiliar and often complex for there to be strong statements of self-evidence.

That said, the topic of climate change and all the misinterpretations and rhetoric therein comes to mind. So maybe the self-evidence valence has applicability here as well. Perhaps conclusions will indeed be drawn from energy data devoid of context.

actionability valence in energy management data

Definitely. Everyone — consumers, vendors, government, others — expect to do something useful here.

connection valence in energy management data

Definitely again. This data provides the site, as the authors say, to come together to problem-solve. And in the course of that problem-solving, a parade of assumptions and expectations come quickly to the surface. Finance people , energy management people, IT and data people, vendors, and a variety of end-users bring their expectations, assumptions, and desires to these meetings. This data valence is particularly important at this stage of the game regarding energy management systems and likely IoT Systems more generally.

transparency valence in energy management data

Yup. Everybody wants this. Much like youthful dating, this distribution of data interpretation across contexts is exciting, challenging, and fraught with peril for misunderstanding. That said, addressing topics around this valence can bring important issues to the surface (though it’s typically a lot of work).

truthiness in energy management data

I’m not sure about the truthiness valence in institutional energy management data. Similar to the self-evidence valence, I don’t know that we have enough exposure to the data to have a truthiness feel about institutional energy management data. But again, misinterpreting climate change data has become a worldwide sport.

discovery valence in energy management data

Without a doubt. Almost all of us have this expectation of discovery, at least at some point — Start capturing energy data and we’ll make awesome decisions !! I do believe that capturing this data will yield useful, actionable (see above) data. However, I think it’s going to be more work than is immediately apparent.

Data valences in IoT Systems

How we, across our multiple constituencies within an institution, perceive various aspects of data has a strong influence on the perceived success of the system that produced the data. This is true for institutional energy management systems and I believe that that is broadly generalizable to IoT Systems of whatever institutional purpose.

Understanding data perceptions across an institution or population base is essential for successful IoT System implementations and hence Smart City or Smart Campus implementations. As I mentioned in the IoT Systems Hamburger Diagram, while not sexy and ‘blingy‘, the capability and capacity of an institution to implement complex IoT Systems in a complex environment is essential to success. Understanding the varied data consumers and their perceptions and needs in a complex organization such as a city or campus is, in turn, a critical component to a successful IoT System implementation.