This is a list of useful documentation and links for anyone interested in IoT security, either for building products or as general reference material. The list is alphabetical and doesn’t denote any priority. I’ll maintain this and update it as new documentation gets published. Please feel free to add links in the comments and I will add them to the list.
- [GDPR] Article 29 Data Protection Working Party – Opinion 8/2014 on the Recent Developments on the Internet of Things: http://www.dataprotection.ro/servlet/ViewDocument?id=1088
- Alliance for Internet of Things Innovation (AIOTI) (includes security recommendations): https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Report on Workshop on Security and Privacy in the Hyper-Connected World: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Internet of Things Applications: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG01Report2015-Applications.pdf
- Alliance for Internet of Things Innovation (AIOTI) – High Level Architecture (HLA; Release 3.0): https://aioti.eu/wp-content/uploads/2017/06/AIOTI-HLA-R3-June-2017.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Report: Working Group 4 – Policy: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf
- Alliance for Internet of Things Innovation (AIOTI) – Smart Living Environment for Ageing Well: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG05Report2015-Living-Environment-for-Ageing-Well.pdf
- AT&T – The CEO’s Guide to Securing the Internet of Things: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf
- Atlantic Council Scowcroft Center for Strategy and Security – Smart Homes and the Internet of Things (issue brief): http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf
- Automotive Information Sharing and Analysis Centre (Auto ISAC) – Automotive Cybersecurity Best Practices: https://www.automotiveisac.com/best-practices/
- Bipartisan Group Revised IoT Security Bill – Internet of Things (IoT) Cybersecurity Improvement Act of 2019: https://www.scribd.com/document/401616402/Internet-of-Things-IoT-Cybersecurity-Improvement-Act-of-2019
- BITAG – Internet of Things (IoT) Security and Privacy Recommendations: https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
- CableLabs – A Vision for Secure IoT: https://www.cablelabs.com/insights/vision-secure-iot/
- CCDS – Security Guidelines for Product Categories – Automated Teller Machines (ATMs) – Security Measures Review Practice Guide – Analyzing Crime Incidents and Formulating Countermeasures – Ver. 1.00: http://ccds.or.jp/english/contents/CCDS_Security_Guidelines_for_ATMs_(Security_Measures_Review_Practice_Guide)_v1.0_eng.pdf
- CCDS – Security Guidelines for Product Categories – Automotive On-board Devices – Ver. 2.0: http://ccds.or.jp/english/contents/CCDS%20Security%20Guidelines%20for%20Product%20Categories%20Automotive%20On-board%20Devices_v2.0_eng.pdf
- CCDS – Security Guidelines for Product Categories – IoT GW – Ver. 2.0: http://ccds.or.jp/english/contents/CCDS%20Security%20Guidelines%20for%20Product%20Categories%20IoT-GW_v2.0_eng.pdf
- Cloud Security Alliance – Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
- Cloud Security Alliance (CSA) – Security Guidance for Early Adopters of the Internet of Things (IoT): https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
- Council to Secure the Digital Economy (CSDE) – International Anti-Botnet Guide 2018: https://securingdigitaleconomy.org/wp-content/uploads/2018/11/CSDE-Anti-Botnet-Report-final.pdf
- Cellular Telecommunications Industry Association (CTIA) – Cybersecurity Certification Test Plan for IoT Devices: https://api.ctia.org/wp-content/uploads/2018/10/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0_1.pdf
- DIN – DIN SPEC 27072 – Information Technology – IoT Capable Devices – Minimum Requirements for Information Security (German): https://www.din.de/en/getting-involved/standards-committees/nia/din-spec/wdc-beuth:din21:303463577?sourceLanguage&destinationLanguage
- Dutch Cyber Security Council – European Foresight Cybersecurity Meeting: Public Private Academic Recommendations to the European Commission About Internet of Things And Harmonization of Duties of Care: https://www.cybersecurityraad.nl/binaries/Report%20European%20Foresight%20Cyber%20Security%202016_tcm107-263227.pdf
- Department of Homeland Security – Strategic Principles for Securing the Internet of Things: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
- European Union – Article 5 EU GDPR “Principles relating to processing of personal data”: http://www.privacy-regulation.eu/en/article-5-principles-relating-to-processing-of-personal-data-GDPR.htm
- European Union Agency for Network and Information Security (ENISA) – ENISA Workshop on Cyber security for IoT in Smart Home Environments: https://www.enisa.europa.eu/events/copy_of_enisa-workshop-on-cyber-security-for-iot-in-smart-home-environments
- European Union Agency for Network and Information Security (ENISA) – Baseline Security Recommendations for Internet of Things: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport
- European Union Agency for Network and Information Security (ENISA) – Good practices for IoT and Smart Infrastructures Tool: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/good-practices-for-iot-and-smart-infrastructures-tool
- European Union Agency for Network and Information Security (ENISA) – Good Practices for Security of Internet of Things in the Context of Smart Manufacturing: https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot
- European Union Agency for Network and Information Security (ENISA) – Security and Resilience of Smart Home Environments: https://www.enisa.europa.eu/publications/security-resilience-good-practices
- European Commission and AIOTI – Report on Workshop on Security & Privacy in IoT: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf
- GSMA IoT Security Guidelines: https://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/
- GSMA IoT security checklist for self-assessment: https://www.gsma.com/iot/iot-security-assessment/
- Internet Engineering Task Force (IETF) – Internet of Things: Standards and Guidance from the IETF (IETF Journal): https://www.ietfjournal.org/internet-of-things-standards-and-guidance-from-the-ietf/
- Internet Engineering Task Force (IETF) – Best Current Practices (BCP) for IoT Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
- I am the Cavalry – Five Star Automotive Cyber Safety Framework: https://www.iamthecavalry.org/wp-content/uploads/2014/08/Five-Star-Automotive-Cyber-Safety-February-2015.pdf
- I am the Cavalry – Hippocratic Oath for Connected Medical Devices: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
- IEEE – IoT Security Principles and Best Practices: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf
- IERC European Research Cluster on the Internet of Things – IoT Governance, Privacy and Security Issues – IERC Position Paper: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf
- IIC Industrial Internet Security Framework: https://www.iiconsortium.org/IISF.htm
- Intel – Policy Framework for the Internet of Things (IoT): https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf
- International Electrotechnical Commission (IEC) – IoT 2020: Smart and secure IoT platform: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf
- Internet Engineering Task Force (IETF) – Best Current Practices for Securing Internet of Things (IoT) Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
- Internet Engineering Task Force (IETF) – CBOR Object Signing and Encryption (COSE): https://tools.ietf.org/pdf/draft-ietf-cose-msg-24.pdf
- Internet Engineering Task Force (IETF) – RFC 2904: AAA Authorization Framework: https://tools.ietf.org/rfc/rfc2904.txt
- Internet Engineering Task Force (IETF) – RFC 3552: Guidelines for Writing RFC Text on Security Considerations: https://tools.ietf.org/html/rfc3552
- Internet Engineering Task Force (IETF) – Object Security of CoAP (OSCOAP), Internet-Draft, July 2017: https://tools.ietf.org/pdf/draft-ietf-core-object-security-04.pdf
- Internet Engineering Task Force (IETF) – RFC 7519: JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
- Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
- Internet Research Task Force (IRTF) – Thing-2-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-15
- Internet Research Task Force (IRTF) – Internet of Things (IoT) Security: State of the Art and Challenges: https://tools.ietf.org/html/rfc8576
- Internet Society (ISOC) – Enhancing IoT Security: Final Outcomes and Recommendations Report: https://www.internetsociety.org/wp-content/uploads/2019/05/Enhancing-IoT-Security-Report-2019_EN.pdf
- Internet Society (ISOC) – The Internet of Things: An Internet Society Public Policy Briefing: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf
- IoT Acceleration Consortium (IOTAC) – IoT Security Guidelines Ver. 1.0: http://www.iotac.jp/wp-content/uploads/2016/01/IoT-Security-Guidelines_ver.1.0.pdf
- IoT Alliance Australia – Internet of Things Security Guideline (v1.2): https://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Security-Guideline-V1.2.pdf
- IoT Security Foundation – Connected Consumer Secure Design Best Practice Guidelines: https://www.iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Whitepaper: Establishing Principles for IoT Security: https://iotsecurityfoundation.org/wp-content/uploads/2015/09/IoTSF-Establishing-Principles-for-IoT-Security-Download.pdf
- IoT Security Foundation – IoT Security Compliance Framework: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Connected Consumer Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Vulnerability Disclosure Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
- IoT Security Foundation – Best Practice User Mark: https://iotsecurityfoundation.org/best-practice-user-mark/
- IoT Security Foundation – IoT security training: https://iotsecurityfoundation.org/iot-security-training
- IoT Security Foundation – White Paper: Mapping the IoT Security Foundation’s Compliance Framework to ETSI TS103 645 Standard: https://www.iotsecurityfoundation.org/wp-content/uploads/2019/02/Mapping-the-IoTSF%E2%80%99s-Compliance-Framework-to-ETSI-TS-103-645-Standard.pdf
- IoT Security Initiative: https://www.iotsi.org
- ISO/IEC JTC 1 – Smart Cities. Preliminary Report 2014: https://www.iso.org/files/live/sites/isoorg/files/developing_standards/docs/en/smart_cities_report-jtc1.pdf
- ioXt Alliance – The ioXt Security Pledge: https://ioxt-cs.squarespace.com/s/IoXt-Security-Pledge.pdf
- Microsoft – Internet of Things security architecture (STRIDE threat model for IoT): https://docs.microsoft.com/en-us/azure/iot-suite/iot-security-architecture
- Microsoft – IoT Security Best Practices: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
- MIT Laboratory for Computer Science – Dos and Don’ts of Client Authentication on the Web: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
- Mozilla – Minimum Standards for Tackling IoT Security: https://medium.com/read-write-participate/minimum-standards-for-tackling-iot-security-70f90b37f2d5
- New York City – Guidelines for the Internet of Things (security): https://iot.cityofnewyork.us/security/
- NISC – General Framework for Secure IoT Systems 2016: https://www.nisc.go.jp/eng/pdf/iot_framework2016_eng.pdf
- National Institute of Standards and Technology (NIST) – Considerations for a Core IoT Cybersecurity Capabilities Baseline: https://www.nist.gov/sites/default/files/documents/2019/02/01/final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf
- NISTIR 8228 – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks: https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
- NIST Lightweight Cryptography Project (LWC 2016 presentation): https://www.nist.gov/sites/default/files/documents/2016/10/17/sonmez-turan-presentation-lwc2016.pdf
- NIST SP 800-160 – Systems Security Engineering: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
- NIST – Draft NIST Interagency Report (NISTIR) 8200: Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT): https://www.nist.gov/news-events/news/2018/02/draft-nist-interagency-report-nistir-8200-interagency-report-status
- US National Telecommunications and Information Administration (NTIA) – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
- NTIA – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
- Object Management Group (OMG) Cloud Standards Customer Council (CSCC) – Cloud Customer Architecture for IoT: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf
- OECD – Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document: https://read.oecd-ilibrary.org/science-and-technology/digital-security-risk-management-for-economic-and-social-prosperity_9789264245471-en#page58
- OECD – OECD Council Recommendation on Principles for Internet Policy Making: https://www.oecd.org/internet/ieconomy/49258588.pdf
- Ofcom – Review of latest developments in the Internet of Things: https://www.ofcom.org.uk/__data/assets/pdf_file/0007/102004/Review-of-latest-developments-in-the-Internet-of-Things.pdf
- Online Trust Alliance – IoT Security & Privacy Trust Framework (v2.5): https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
- OneM2M – Security (Technical Report): http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf
- OneM2M – Security Solutions (Technical Specification): http://www.onem2m.org/images/files/deliverables/Release2A/TS-0003-Security_Solutions-v_2_12_1-.pdf
- Open Web Application Security Project (OWASP) – OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
- Open Connectivity Foundation (OCF) – OCF Security Specification v2.0.1: https://openconnectivity.org/specs/OCF_Security_Specification_v2.0.1.pdf
- OWASP – IoT Security Guidance: https://www.owasp.org/index.php/IoT_Security_Guidance
- Smart Card Alliance – Embedded Hardware Security for IoT Applications: https://www.securetechalliance.org/wp-content/uploads/Embedded-HW-Security-for-IoT-WP-FINAL-December-2016.pdf
- Software and Information Industry Association (SIIA) – Empowering the Internet of Things: Benefits: http://www.siia.net/Portals/0/pdf/Policy/Reports/Empowering%20the%20Internet%20of%20Things.pdf
- Software Assurance Forum for Excellence in Code (SAFECode) – Fundamental Practices for Secure Software Development: http://safecode.org/wp-content/uploads/2014/09/SAFECode_Dev_Practices0211.pdf
- Software Assurance Forum for Excellence in Code (SAFECode) – Call it the Internet of Connected Things: The IoT Security Conundrum: https://safecode.org/call-it-the-internet-of-connected-things-the-iot-security-conundrum/
- Symantec – An Internet of Things Security Reference Architecture: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf
- Telecommunications Industry Association (TIA) – Realizing the Potential of the Internet of Things: Recommendations to Policy Makers: https://www.tiaonline.org/wp-content/uploads/2018/05/Realizing_the_Potential_of_the_Internet_of_Things_-_Recommendations_to_Policymakers.pdf
- Trustonic – A Handbook for Approaching IoT Security and Why it is Important: https://www.iotca.org/wp-content/themes/iot/pdf/resources-page/iotca-resources-trustonic-white-paper.pdf
- UK Government – Internet of Things review (Walport report): https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/409774/14-1230-internet-of-things-review.pdf
- U.S. Department of Homeland Security – Strategic Principles for Securing The Internet of Things (IoT): https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
- US Senate – S.1691 – Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill): https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
- W3C Web of Things: https://www.w3.org/WoT/ (not yet published specific security material)
- W3C – Web of Things (WoT) Security Best Practices: https://w3c.github.io/wot-security-best-practices/#secure-transport
Privacy-specific:
- GSMA Building Trust and Respecting Privacy in the ‘Internet of Things’: https://www.gsma.com/connectedliving/iot-knowledgebase/introduction-iot-privacy-building-trust-iot/
- GSMA’s IoT Privacy by Design Decision Tree: https://www.gsma.com/connectedliving/wp-content/uploads/2016/09/IoT-%E2%80%98Privacy-By-Design%E2%80%99-decision-tree.pdf
- New York City – Guidelines for the Internet of Things (privacy and transparency): https://iot.cityofnewyork.us/privacy-and-transparency/
- Nominet – Privacy Guidelines for IoT – What you need to know: https://www.nominet.uk/privacy-guidelines-for-iot-what-you-need-to-know-infographic/
- OLSWANG – Privacy and Security in the Internet of Things: Challenge or Opportunity: http://www.cms-lawnow.com/-/media/nabarro-olswang-pdfs/olswang_privacy_and_security_in_the_iot.pdf?la=en&hash=E65A570F04C9F72B99304ADA7524B97A543E2FAA
Additional papers and analysis of interest:
- Stiftung Neue Verantwortung (think tank at the intersection of technology and security) – Internet of Insecure Things: https://www.stiftung-nv.de/en/node/2119
- NCC Group – Security of Things: An Implementers' Guide to Cyber Security for Internet of Things Devices and Beyond: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/april/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/
- Zachary Crockett, founder and CTO of Particle – Six principles to secure the IoT: https://www.techradar.com/uk/news/six-principles-to-secure-the-iot
With special thanks to Mike Horton, Mohit Sethi, Ryan Ng and those others who have contributed or have been collecting these links on other sites, including Bruce Schneier and Marin Ivezic.
Updates:
16th July 2019: Added NIST, W3C, CSDE, IOTAC, OCF and PSA Certified
01st July 2019: Added multiple CCDS, NIST, NISC, ioXt, Internet Society, ENISA, Zachary Crockett, founder and CTO of Particle, Mozilla, IRTF, IoT Security Foundation, CTIA, Bipartisan Group, Trustonic, DIN and European Union
28th August 2018: Added [GDPR] Article 29 Data Protection Working Party, multiple AIOTI links, Atlantic Council, CableLabs, CSA, Dutch Cyber Security Council, ENISA links, European Commission and AIOTI report, IEEE, IERC, Intel, IEC, multiple IETF links, IRTF, ISOC, IoTSF, ISO/IEC JTC 1 report, Microsoft links, MIT, NTIA, CSCC, OECD links, Ofcom, OWASP, SIIA, SAFECode links, TIA, U.S. Department of Homeland Security and US Senate
3rd July 2018: Updated broken OneM2M report, GSMA IoT security assessment, AIOTI policy doc and IETF guidance links.
6th March 2018: Added NIST draft report on cybersecurity standardisation in IoT.
14th February 2018: Added IoTSI, NIST and IRTF additional links.
1st February 2018: Updated with the following organisations: ENISA, IoT Alliance Australia, ISAC, New York City, NTIA, Online Trust Alliance, OneM2M, OWASP, Smart Card Alliance, US Food & Drug Administration. Added additional papers section.
24th April 2017: Added additional IoTSF links.
5th December 2016: Added GSMA, Nominet and OLSWANG IoT privacy links as well as AIOTI security link.
24th November 2016: Added GSMA self-assessment checklist, Cloud Security Alliance research paper, Symantec paper and AT&T CEO’s guide.