OneM2M

This is a list of useful documentation and links for anyone interested in IoT security, either for building products or as general reference material. The list is alphabetical and doesn’t denote any priority. I’ll maintain this and update it as new documentation gets published. Please feel free to add links in the comments and I will add them to the list.

[GDPR] Article 29 Data Protection Working Party – Opinion 8/2014 on the on Recent Developments on the Internet of Things: http://www.dataprotection.ro/servlet/ViewDocument?id=1088
Alliance for Internet of Things Innovation (AIOTI) (includes security recommendations): https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf
Alliance for Internet of Things Innovation (AIOTI) – Report on Workshop on Security and Privacy in the Hyper-Connected World: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf
Alliance for Internet of Things Innovation (AIOTI) – Internet of Things Applications: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG01Report2015-Applications.pdf
Alliance for Internet of Things Innovation (AIOTI) – High Level Architecture (HLA; Release 3.0): https://aioti.eu/wp-content/uploads/2017/06/AIOTI-HLA-R3-June-2017.pdf
Alliance for Internet of Things Innovation (AIOTI) – Report: Working Group 4 – Policy: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf
Alliance for Internet of Things Innovation (AIOTI) – Smart Living Environment for Ageing Well: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG05Report2015-Living-Environment-for-Ageing-Well.pdf
AT&T – The CEO’s Guide to Securing the Internet of Things: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf
Atlantic Council Scowcroft Center for Strategy and Security – Smart Homes and the Internet of Things (issue brief): http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf
Automotive Information Sharing and Analysis Centre (Auto ISAC) – Automotive Cybersecurity Best Practices: https://www.automotiveisac.com/best-practices/
Bipartisan Group Revised IoT Security Bill – Internet of Things (IoT) Cybersecurity Improvement Act of 2019: https://www.scribd.com/document/401616402/Internet-of-Things-IoT-Cybersecurity-Improvement-Act-of-2019
BITAG: https://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
CableLabs – A Vision for Secure IoT: https://www.cablelabs.com/insights/vision-secure-iot/
CCDS – Security Guidelines for Product Categories – Automated Teller Machines (ATMs) – Security Measures Review Practice Guide – Analyzing Crime Incidents and Formulating Countermeasures – Ver. 1.00: http://ccds.or.jp/english/contents/CCDS_Security_Guidelines_for_ATMs_(Security_Measures_Review_Practice_Guide)_v1.0_eng.pdf
CCDS – Security Guidelines for Product Categories – Automotive On-board Devices – Ver. 2.0: http://ccds.or.jp/english/contents/CCDS%20Security%20Guidelines%20for%20Product%20Categories%20Automotive%20On-board%20Devices_v2.0_eng.pdf
CCDS – Security Guidelines for Product Categories – IoT GW – Ver. 2.0: http://ccds.or.jp/english/contents/CCDS%20Security%20Guidelines%20for%20Product%20Categories%20IoT-GW_v2.0_eng.pdf
Cloud Security Alliance – Future-proofing the connected world: 13 steps to Developing Secure IoT Products: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Cloud Security Alliance (CSA) – Security Guidance for Early Adopters of the Internet of Things (IoT): https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
Council to Secure the Digital Economy (CSDE) – International Anti-Botnet Guide 2018: https://securingdigitaleconomy.org/wp-content/uploads/2018/11/CSDE-Anti-Botnet-Report-final.pdf
Cellular Telecommunications Industry Association (CTIA) – Cybersecurity Certification Test Plan for IoT Devices: https://api.ctia.org/wp-content/uploads/2018/10/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0_1.pdf
DIN – DIN SPEC 27072 – Information Technology – IoT Capable Devices – Minimum Requirements for Information Security (German): https://www.din.de/en/getting-involved/standards-committees/nia/din-spec/wdc-beuth:din21:303463577?sourceLanguage&destinationLanguage
Dutch Cyber Security Council – European Foresight Cybersecurity Meeting: Public Private Academic Recommendations to the European Commission About Internet of Things And Harmonization of Duties of Care: https://www.cybersecurityraad.nl/binaries/Report%20European%20Foresight%20Cyber%20Security%202016_tcm107-263227.pdf
Department of Homeland Security – Strategic Principles for Securing the Internet of Things: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
European Union – Article 5 EU GDPR “Principles relating to processing of personal data”: http://www.privacy-regulation.eu/en/article-5-principles-relating-to-processing-of-personal-data-GDPR.htm
European Union Agency for Network and Information Security (ENISA) – ENISA Workshop on Cyber security for IoT in Smart Home Environments: https://www.enisa.europa.eu/events/copy_of_enisa-workshop-on-cyber-security-for-iot-in-smart-home-environments
European Union Agency for Network and Information Security (ENISA) – Baseline Security Recommendations for Internet of Things: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport
European Union Agency for Network and Information Security (ENISA) – Good practices for IoT and Smart Infrastructures Tool: https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/good-practices-for-iot-and-smart-infrastructures-tool
European Union Agency for Network and Information Security (ENISA) – Good Practices for Security of Internet of Things in the Context of Smart Manufacturing: https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot
European Union Agency for Network and Information Security (ENISA) – Security and Resilience of Smart Home Environments: https://www.ENISA.europa.eu/publications/security-resilience-good-practices
European Commission and AIOTI – Report on Workshop on Security & Privacy in IoT: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf
GSMA IoT Security Guidelines: https://www.gsma.com/connectedliving/future-iot-networks/iot-security-guidelines/
GSMA IoT security checklist for self-assessment: https://www.gsma.com/iot/iot-security-assessment/
Internet Engineering Task Force (IETF): https://www.ietfjournal.org/internet-of-things-standards-and-guidance-from-the-ietf/
Internet Engineering Task Force (IETF) – Best Current Practices (BCP) for IoT Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
I am the Cavalry – Five Star Automotive Cyber Safety Framework: https://www.iamthecavalry.org/wp-content/uploads/2014/08/Five-Star-Automotive-Cyber-Safety-February-2015.pdf
I am the Cavalry – Hippocratic Oath for Connected Medical Devices: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
IEEE – IoT Security Principles and Best Practices: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf
IERC European Research Cluster on the Internet of Things – IoT Governance, Privacy and Security Issues – IERC Position Paper: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf
IIC Industrial Internet Security Framework: https://www.iiconsortium.org/IISF.htm
Intel – Policy Framework for the Internet of Things (IoT): https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf
International Electrotechnical Commission (IEC) – IoT 2020: Smart and secure IoT platform: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf
Internet Engineering Task Force (IETF) – Best Current Practices for Securing Internet of Things (IoT) Devices: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Engineering Task Force (IETF) – CBOR Object Signing and Encryption (COSE): https://tools.ietf.org/pdf/draft-ietf-cose-msg-24.pdf
Internet Engineering Task Force (IETF) – RFC 2904: AAA Authorization Framework: https://tools.ietf.org/rfc/rfc2904.txt
Internet Engineering Task Force (IETF) – RFC 3552: Guidelines for Writing RFC Text on Security Considerations: https://tools.ietf.org/html/rfc3552
Internet Engineering Task Force (IETF) – Object Security of CoAP (OSCOAP) July 2017. Internet-Draft: https://tools.ietf.org/pdf/draft-ietf-core-object-security-04.pdf
Internet Engineering Task Force (IETF) – RFC7519: JSON Web Token (JWT): https://tools.ietf.org/html/rfc7519
Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
Internet Research Task Force (IRTF) – Thing-2-Thing Research Group (T2TRG) – State-of-the-Art and Challenges for the Internet of Things Security: https://tools.ietf.org/html/draft-irtf-t2trg-iot-seccons-15
Internet Research Task Force (IRTF) – Internet of Things (IoT) Security: State of the Art and Challenges: https://tools.ietf.org/html/rfc8576
Internet Society (ISOC) – Enhancing IoT Security: Final Outcomes and Recommendations Report: https://www.internetsociety.org/wp-content/uploads/2019/05/Enhancing-IoT-Security-Report-2019_EN.pdf
Internet Society (ISOC) – The Internet of Things: An Internet Society Public Policy Briefing: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf
IoT Acceleration Consortium (IOTAC) – IoT Security Guidelines Ver. 1.0: http://www.iotac.jp/wp-content/uploads/2016/01/IoT-Security-Guidelines_ver.1.0.pdf
IoT Alliance Australia – Internet of Things Security Guideline (v1.2): https://www.iot.org.au/wp/wp-content/uploads/2016/12/IoTAA-Security-Guideline-V1.2.pdf
IoT Security Foundation – Connected Consumer Secure Design Best Practice Guidelines: https://www.iotsecurityfoundation.org/best-practice-guidelines/
IoT Security Foundation – Whitepaper: Establishing Principles for IoT Security: https://iotsecurityfoundation.org/wp-content/uploads/2015/09/IoTSF-Establishing-Principles-for-IoT-Security-Download.pdf
IoT Security Foundation – IoT Security Compliance Framework: https://iotsecurityfoundation.org/best-practice-guidelines/
IoT Security Foundation – Connected Consumer Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
IoT Security Foundation – Vulnerability Disclosure Best Practice Guidelines: https://iotsecurityfoundation.org/best-practice-guidelines/
IoT Security Foundation – Best Practice User Mark: https://iotsecurityfoundation.org/best-practice-user-mark/
IoT Security Foundation – IoT security training: https://iotsecurityfoundation.org/iot-security-training
IoT Security Foundation – White Paper: Mapping the IoT Security Foundation’s Compliance Framework to ETSI TS103 645 Standard: https://www.iotsecurityfoundation.org/wp-content/uploads/2019/02/Mapping-the-IoTSF%E2%80%99s-Compliance-Framework-to-ETSI-TS-103-645-Standard.pdf
IoT Security Initiative: https://www.iotsi.org
ISO/IEC JTC 1 – Smart Cities. Preliminary Report 2014: https://www.iso.org/files/live/sites/isoorg/files/developing_standards/docs/en/smart_cities_report-jtc1.pdf
ioXt Alliance: The ioXt Security Pledge: https://ioxt-cs.squarespace.com/s/IoXt-Security-Pledge.pdf
Microsoft – Internet of Things security architecture (STRIDE threat model for IoT): https://docs.microsoft.com/en-us/azure/iot-suite/iot-security-architecture
Microsoft- IoT Security Best Practices: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
MIT Laboratory for Computer Science – Dos and Don’ts of Client Authentication on the Web: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
Mozilla – Minimum Standards for Tackling IoT Security: https://medium.com/read-write-participate/minimum-standards-for-tackling-iot-security-70f90b37f2d5
New York City – Guidelines for the Internet of Things: https://medium.com/read-write-participate/minimum-standards-for-tackling-iot-security-70f90b37f2d5 (security): https://iot.cityofnewyork.us/security/
NISC – General Framework for Secure IoT Systems 2016: https://www.nisc.go.jp/eng/pdf/iot_framework2016_eng.pdf
National Institute of Standards and Technology (NIST) – Considerations for a Core IoT Cybersecurity Capabilities Baseline: https://www.nist.gov/sites/default/files/documents/2019/02/01/final_core_iot_cybersecurity_capabilities_baseline_considerations.pdf
NISTIR 8228 – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks: https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf
NIST Lightweight Project: www.nist.gov/sites/default/files/documents/2016/10/17/sonmez-turan-presentation-lwc2016.pdf
NIST Systems Security Engineering – 800.160: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
Draft NIST Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT): https://www.nist.gov/news-events/news/2018/02/draft-nist-interagency-report-nistir-8200-interagency-report-status
US National Telecommunications and Information Administration (NTIA) – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
NTIA – Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching: https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
Object Management Group (OMG) Cloud Standards Customer Council (CSCC) – Cloud Customer Architecture for IoT: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf
OECD – Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document: https://read.oecd-ilibrary.org/science-and-technology/digital-security-risk-management-for-economic-and-social-prosperity_9789264245471-en#page58
OECD – OECD Council Recommendation on Principles for Internet Policy Making: https://www.oecd.org/internet/ieconomy/49258588.pdf
Ofcom – Review of latest developments in the Internet of Things: https://www.ofcom.org.uk/__data/assets/pdf_file/0007/102004/Review-of-latest-developments-in-the-Internet-of-Things.pdf
Online Trust Alliance – IoT Security & Privacy Trust Framework (v2.5): https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
OneM2M – Security (Technical Report): http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf
OneM2M – Security Solutions (Technical Specification): http://www.onem2m.org/images/files/deliverables/Release2A/TS-0003-Security_Solutions-v_2_12_1-.pdf
Open Web Application Security Project (OWASP) – OWASP Secure Coding Practices Quick Reference Guide: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Open Connectivity Foundation (OCF) – OCF Security Specification v2.0.1: https://openconnectivity.org/specs/OCF_Security_Specification_v2.0.1.pdf
OWASP – IoT Security Guidance: https://www.owasp.org/index.php/IoT_Security_Guidance
Smart Card Alliance – Embedded Hardware Security for IoT Applications: https://www.securetechalliance.org/wp-content/uploads/Embedded-HW-Security-for-IoT-WP-FINAL-December-2016.pdf
Software and Information Industry Association (SIIA) – Empowering the Internet of Things: Benefits: http://www.siia.net/Portals/0/pdf/Policy/Reports/Empowering%20the%20Internet%20of%20Things.pdf
Software Assurance Forum for Excellence in Code (SAFECode) – Fundamental Practices for Secure Software Development: http://safecode.org/wp-content/uploads/2014/09/SAFECode_Dev_Practices0211.pdf
Software Assurance Forum for Excellence in Code (SAFECode) – Call it the Internet of Connected Things: The IoT Security Conundrum: https://safecode.org/call-it-the-internet-of-connected-things-the-iot-security-conundrum/
Symantec – An Internet of Things Security Reference Architecture: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf
Telecommunications Industry Association (TIA) – Realizing the Potential of the Internet of Things: Recommendations to Policy Makers: https://www.tiaonline.org/wp-content/uploads/2018/05/Realizing_the_Potential_of_the_Internet_of_Things_-_Recommendations_to_Policymakers.pdf
Trustonic – A Handbook for Approaching IoT Security and Why it is Important: https://www.iotca.org/wp-content/themes/iot/pdf/resources-page/iotca-resources-trustonic-white-paper.pdf
UK government Walport report: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/409774/14-1230-internet-of-things-review.pdf
U.S. Department of Homeland Security – Strategic Principles for Securing The Internet of Things (IoT): https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL….pdf
US Senate – S.1691 – Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill): https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
W3C Web of Things: https://www.w3.org/WoT/ (not yet published specific security material)
W3C – Web of Things (WoT) Security Best Practices: https://w3c.github.io/wot-security-best-practices/#secure-transport

Privacy-specific:

GSMA Building Trust and Respecting Privacy in the ‘Internet of Things’: https://www.gsma.com/connectedliving/iot-knowledgebase/introduction-iot-privacy-building-trust-iot/
GSMA’s IoT Privacy by Design Decision Tree: https://www.gsma.com/connectedliving/wp-content/uploads/2016/09/IoT-%E2%80%98Privacy-By-Design%E2%80%99-decision-tree.pdf
New York City – Guidelines for the Internet of Things (privacy and transparency): https://iot.cityofnewyork.us/privacy-and-transparency/
Nominet – Privacy Guidelines for IoT – What you need to know: https://www.nominet.uk/privacy-guidelines-for-iot-what-you-need-to-know-infographic/
OLSWANG – Privacy and Security in the Internet of Things Challenge or Opportunity: http://www.cms-lawnow.com/-/media/nabarro-olswang-pdfs/olswang_privacy_and_security_in_the_iot.pdf?la=en&hash=E65A570F04C9F72B99304ADA7524B97A543E2FAA

Additional papers and analysis of interest:

Think Tank at the intersection of technology and security – Internet of Insecure Things: https://www.stiftung-nv.de/en/node/2119
NCC – Security of Things: An Implementers Guide to Cyber Security for Internet of Things devices and beyond: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/april/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/
Zachary Crockett, founder and CTO of Particle – Six principles to secure the IoT: https://www.techradar.com/uk/news/six-principles-to-secure-the-iot

With special thanks to Mike Horton, Mohit Sethi, Ryan Ng and those others who have contributed or have been collecting these links on other sites, including Bruce Schneier and Marin Ivezic.

Updates:

16^th July 2019: Added NIST, W3C, CSDE, IOTAC, OCF and PSA Certified

01^st July 2019: Added multiple CCDS, NIST, NISC, ioXt, Internet Society, ENISA, Zachary Crockett, founder and CTO of Particle, Mozilla, IRTF, IoT Security Foundation, CTIA, Bipartisan Group, Trustonic, DIN and European Union

28th August 2018: Added [GDPR] Article 29 Data Protection Working Party, multiple AIOTI links, Atlantic Council, CableLabs, CSA, Dutch Cyber Security Council, ENISA links, European Commission and AIOTI report, IEEE, IERC, Intel, IEC, multiple IETF links, IRTF, ISOC, IoTSF, ISO/IEC JTC 1 report, Microsoft links, MIT, NTIA, CSCC, OECD links, Ofcom, OWASP, SIAA, SAFECode links, TIA, U.S. Department of Homeland Security and US Senate

3rd July 2018: Updated broken OneM2M report, GSMA IoT security assessment, AIOTI policy doc and IETF guidance links.

6th March 2018: Added NIST draft report on cybersecurity standardisation in IoT.

14th February 2018: Added IoTSI, NIST and IRTF additional links.

1st February 2018: Updated with the following organisations: ENISA, IoT Alliance Australia, ISAC, New York City, NTIA, Online Trust Alliance, OneM2M, OWASP, Smart Card Alliance, US Food & Drug Administration. Added additional papers section.

24th April 2017: Added additional IoTSF links.

5th December 2016: Added GSMA, Nominet and OLSWANG IoT privacy links as well as AIOTI security link.

24th November 2016: Added GSMA self-assessment checklist, Cloud Security Alliance research paper, Symantec paper and AT&T CEO’s guide.