• President 
• Executive Order 13636:  Improving Critical Infrastructure Cybersecurity (Feb 2013)
• National Security Telecommunications Advisory Committee Report to the Pres (56p PDF, Nov 2014)
• smartamerica.org - interesting, but now gone ... revisit via internet wayback
• Executive Order 13800:  Strengthening the Cybersecurity of FederalNetworks and Critical Infrastructure.
• Department of Commerce - Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and OtherAutomated, Distributed Threats, 51p PDF, May 2018
• Senate/Congress
• Tracking & Hacking:  Security & Privacy Gaps Put American Drivers at Risk by Sen Ed Markey (15p PDF, Feb 2015)
• Senate Resolution 110 on the Internet of Things by Sen Deb Fischer (3p PDF, Mar 2015, Press Release)
• House Resolution 195 on Internet of Things by Rep Lance Leonard (4p PDF, Apr 2015)
• US Dept of Intelligence 2016 Worldwide Thread Assessment (33p PDF, Feb 2016)
• H.R.1224 - NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017, March 2017
• H.R.1324 - Securing IoT Act of 2017,  March 2017
• US Congress S.J.Res.34, Remove Broadband Privacy Protection, April 2017  
• FTC's Response/Objection, March 2017
• Children’s Connected Toys: Data Security and Privacy Concerns, Rep Bill Nelson Committee on Science, Commerce and Transportation, Office of Oversight and Investigations, Dec 2016, 17p PDF
• Bruce Schneier Testimony before Congress' subcommittee on Commerce, MFG & Trade (Role of connected devices in recent cyberattacks), 6p PDF, Nov 2016
• Senate Bill introduced:  S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017, 20p PDF, August 2017
• S.2234 - The Internet of Things Consumer Tips to Improve Personal Security Act introduced Dec 2017
• US House drafted proposed "Smart IoT Act", 4p PDF, May 2018.  Related Article
• Department of Commerce
• National Telecommunications & Information Administration (NTIA)
• Request for Public comment:  "The Benefits, Challenges, and Potential Risks for the Government Fostering the Advancement of the Internet of Things" (15p PDF, April 2016)
• Posted responses 
• Federal Trade Commission (FTC) response (17p PDF)
• Final:  Fostering The Advancement of The Internet of Things, 69p PDF, Jan 2017
• Internet of Things (IoT) Security Upgradability and Patching & Initial Report Jan 2017
• Draft Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, April 2017
• FTC's Comments on NTIA's "Communicating IoT Security Update Capability to Improve Transparency for Consumers" - (10p PDF) June 2017
• Chamber of Commerce report:  The IoT Revolution and Our Digital Security (40p PDF, Sept 2017)
• Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and OtherAutomated, Distributed Threats, 51p PDF, May 2018
• DOE - Energy focused, but potential overlap - see www.smartgrid.gov 
• Voluntary Code of Conduct (VCC) - Mostly Privacy (15p PDF, Jan 2015)
• FCC - Spectrum Focused
• TAC IoT Working Group Position: Covers Privacy, EOL and Etiquette  (11p PDF, Sep 2014)
• Proposal:  Protecting the Privacy of Customers of Broadband & other Telecommunications, April 2016
• Privacy Proposal Fact Sheet (3p PDF, March 2016)
• Link to full proposal "Protecting the Privacy of Customers of Broadbandand Other Telecommunications Services"  (150p PDF, April 2016)
• FCC White Paper - Cybersecurity Risk Reduction, 50p PDF Jan 2017 
• FTC - Consumer focused
• Internet of Things Privacy & Security in a Connected World - (70p PDF, Jan 2015)
• Interesting Dissenting Statement by FTC Commissioner!?! (4p PDF, Jan 2015)
• Start with Security - A Guide for Business. Lessons Learned from FTC Cases - (June 2015, 20p)
• PrivacyCon 2016 - Agenda, session videos, papers and other artifacts (Jan 14, 2016)
• Careful Connections:  Building Security into the Internet of Things (10p PDF, Jan 2015)
• DMCA security research exemption for consumer devices, Nov 2016
• PrivacyCon 2017 - Agenda, session videos, papers and other artifacts (Jan 12, 2016)
• COPPA compliance to include internet-connected toys and devides for kids, June 2017
• IoT Home Inspector Challenge, Winners announced Aug 2017
• Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims, Aug 2017
• Consumer Product Safety Commission request for comments IoT safety issues and Hazards, May 2018
• FTC Bureau Consumer Protection Comments, 11p PDF, June 2018 
• Epic.org Comments, 4p PDF, May 2018
  
  
• FDA - Medical
• Alerts:   FDA Medical Device Safety Communications - you can subscribe
• Cyber Security for Hospital Networks and Medical Devices - (Jun 2013)
• Radio Frequency Wireless Technology in Medical Devices - ( Aug 2013)
• Information on Medical Device Compliance and Reporting
• Premarket Submissions for Management of Cybersecurity in Medical Devices (p PDF, Oct 2014) 
• DRAFT Guidance for Postmarket Management of Cybersecurity in Medical Devices (25p PDF, Jan 2016)
• FINAL Guidance for Postmarket Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff, 30p PDF, December 2016 
  
  
• NIST - A LOT! - Search for "Cybersecrity Publications"
• SP-800-160:  An Integrated Approach to Building Trustworthy Resilient Systems (20+p PDF, May 2014)
• Cyber Security Framework (est Feb 2013) 
• Cybersecurity Framework Draft Update v1.1 (Jan 2018, 50+p PDF)
• Update http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf
• SP-800-82:  Guide to Industrial Control Systems (ICS) Security (170p PDF, May 2013)
• Paper: A Cybersecurity Testbed for Industrial Control Systems (16p PDF, Oct 2014)
• Bulletin:  Guidelines for Smart Grid Interagency Report - NISTIR 7628 Rev. 1 (6p PDF, Sep 2014)
• Interagency Report 7628 Revision 1, (600+p PDF, Sep 2014)
  Guidelines for Smart Grid Cybersecurity [3 volumes in one GIANT PDF]: 
• Vol. 1, Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements;
• Vol. 2, Privacy and the Smart Grid [Approx pg 291 in PDF]; 
• Vol. 3, Supportive Analyses and References. [Approx pg 474 in PDF]
• Special Publication 1108R2, (225+p PDF, Feb 2012)
  NIST Framework and Roadmap for Smart Grid Interoperability 
• Cyber-Physical Systems Public Working Group (CPS PWG) 
• Framework for Cyber-Physical Systems (260+p PDF, May 2016)
• SP-800-183:  Networks of Things (30p PDF, July 2016)
• SP-800-160:  Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (257p PDF, Nov 2016)
• NIST Cybersecurity for IoT Program, initiated in November 2016
• Draft SP800-53: Security/Privacy Controls for Information Systems and Organizations (495p PDF, Aug 2017)
• Why Security and Privacy Matter in a Digital World, Sept 2017
• NISTIR 8222 (Draft) - Internet of Things (IoT) Trust Concerns, Sept 2018
  
  
• NSA
• Next Wave Vol 21, No 2 - Internet of Things Special Edition (50 p PDF July 2016)
• DOJ
• US Department of Justice, Computer Crime & Intellectual Property Section Criminal Division.  
  Securing Your Internet of Things, 6p MSWord, July 2017    
• Department of Homeland Security
• Securing the Internet of Things
• Internet of Things Fact Sheet (2p PDF),  15 Nov 2016
• Strategic Principles for Securing the Internet of Things (17p PDF), 15 Nov 2016 
• GAO
• Internet of Things Status and implications of anincreasingly connected world (78p PDF), May 2017

European Commission

Guidance

Products/Vendors

F-Secure Sense - Security WiFi Router and Mobile App.  Device+Subscription Availabile in late 2016
Bastille Networks, Inc
• IoT Past, Present, Future Whitepaper (4p PDF 2015)
• Enterprise IoT Security Whitepaper (7p PDF)
CSS - VerdeTTo IoT Security Platform 
BullGuard - Previously known as Dojo Labs (Seems like home IDS) Device+subscription 
• Dojo 'pebble', APP and Intelligence (preorderable)
Gemalto - IoT Security - Device, Cloud and Security lifecycle management
Bitdefender BOX - Home Device Security
Samsung ARTIK Cloud (IoT Development Environment) - Overview.  Device Security Accommodations Here
Mocana - Software Development Platform (Embeddable)
UL - Cyber Security Assurance Program - Announced in April 2016
• UL 2900-1:  Standard for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, July 2017
• UL 2900-2-1:  Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-1: Particular Requirements for Network Connectable Components of Healthcare Systems June 2016
• UL 2900-2-2: Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems, March 2016
Senrio Sensor - IoT Cybersecurity Sensor - June 2016 Launch
Nokia IMPACT IoT Platform - Securely manage devices 
Claroty Platform - Industrial Controls/Operational Technology
Intel 
• Intel Gateway Solutions for IoT - Product Brief (4p PDF)
• Intel Secure Device Onboard - 4p PDF Product Brief
Microsoft 
• Azure - Internet of Things Security Overview
• Internet of Things Security Architecture
• Microsoft's Project Sopris (also listed in research area below including published works) 
Arxan 
• Application Protection for IoT and Embedded
SIDN Labs - opensource project called SPIN on Github focusing on Security for in-home Networks
FireFX - Network Guardian Internet of Things (IoT) Cyber-Security Router and Intrusion Prevention System
Neuromesh, interesting IoT Security and Intelligence Platform 
Zingbox, Inc - IoT Guardian "Internet of Trusted Things" - Feb 2017 Press Release
Icon Labs (saw security framework a while ago - added here too)
• Floodgate IoT Toolkit - Developer tools: secure boot, secure software updates, firewall, intrusion detection, MQTT, TLS, and a management agent.
• Floodgate Security Framework (Draft) May 2015
ADI Engineering - MicroFirewall IoT Security Appliance 
Cloudflare Orbit (IoT VPN) added, April 2017 Press Release
Shodan IoT Search Engine
• Malware/BOT Search 
Zvelo IoT Security Sensor, June 2017 Press Release
SecureRF - Security for embedded devices.  Sensors, toolkits and applications
Cisco IoT Threat Defense
Norton Core - Secure WiFi Router for connected home

Avira SafeThings - Router-based Home/Biz IoT Intrusion Prevention - Nov 2017 Press Release
ForeScout - CounterAct - dynamically identifies and evaluates devices and applications as they connect
Indegy - ICS Security and Control solutions
MagicCube - Software Trusted Execution Environment
Centri IoTAS - Standards-based IoT security platform
WISeKey - IoT security / Root of Trust + MegaSync Program 
Trustonic - Device Security and Authentication - Trusted Identities
Ericsson's IoT Security Offering 
Rambus' CryptoManager IoT Security Service
VDOO - IoT Security Platform
Zuul Technology - Industrial IoT Security
Device Authority (PKA Cryptosoft) IoT Security Blueprint.  April 2018 Press Release
Microsoft Azure Sphere.  April 2018 Announcement
ForceShield
• GatewayShield Network protection for OT and IoT
• DeviceShield Embedded Security
Trustonic Solutions for IoT - application class processors as well as resource constrained microcontrollers
Armis See Everything Solution - Agentless device security that instantly protects businesses
Xage - blockchain-protected security platform for Industrial IoT.
Extreme Networks Extreme Defender for IoT  - secure medical and connected devices
VisualThreat Added - Connected Car Security Solutions
Karumba Security - Automotive Security

Research/Publications

• Independent Security Evaluators 
• Hacking Hospitals & Securing Hospitals Research Study and Blueprint (70p PDF, Feb 2016)  
• MIT Technology Review
• Cyber Survival Report  includes IoT Insecurity section (High-level, 16p PDF, Feb 2016) Registratio Req'd
• O'Reilly
• Governing the IoT - Free (registration required) e-book, (19p epub, mobi or pdf, Feb 2016)
• Pew Research 
• Report on Privacy and Information Sharing (47p PDF, Jan 2016) - Intro/Summary
• Beecham Research
• IoT Security Study Initial Report:  Executive Summary (3p PDF, July 2014)
• IoT Security Threat Map - 300dpi Image (4p PDF Overview, March 2016)
• Embedded Security for Internet of Things (Ukil, Sen and Koilakonda)
• Adventures in Automotive Networks and Control Units (Miller and Valasek)
• Security Challenges of IP-Based Internet of Things (Heer, Garcia-Morchon, Hummen, Keoh, Kumar and Wehrle)
• Industry Self Regulation of Consumer Data Privacy and Security (Listokin)
• Privacy Mediators:  Helping IoT Cross the Chasm (Davies, Taft, Satyanarayanan, Clinch, Amos) Feb 2016
• BitDefender Research Paper - The Internet of Things: Risk in the Connected Home (16p PDF, Feb 2016)
• Trend Micro Study:  Privacy and Security in Connected Life (50p PDF, March 2016)
• Intel Security's Study:  Smart Homes and the Internet of Things (12p PDF by Atlantic Council, March 2016)
• Berkman Center's Don't Panic report on 'going dark', (37p PDF)
• NSA's reaction letter to Sen Ron Wyden, May 2016
• IoT Privacy and Security Challenges for Smart Home Environments, Lin & Bergmanb, July 2016
• Challenges and Opportunities for SecuringIntelligent Transportation System, Zha, Walker & Wang, Feb 2013
• IoT Goes Nuclear:  Creating a ZigBee Chain Reaction, Ronen. O'Flynn, Shamir & Weingarten (17p PDF)
•  Project Website - with demos
• Mozilla's internethealthreport.org
• Privacy and Security Section  (v1 online, Jan 2017)
  
• IoT Privacy Guide - *privacy not included
• isaca.org
• Risks and Rewards ofthe Internet of Things, 2013 
• Security and Privacy Challenges of IoT Enabled Solutions, ISACA Journal Number 4, 2015
• Ponemon Institute 
• 2017 Study on Mobile and IoT Application Security, 28p PDF, Jan 2017
  
• Medical Device Security: An IndustryUnder Attack and Unprepared to Defend, (35p PDF), May 2017
• University of Michigan IoT Security Research
• Security Analysis of Emerging Smart Home Applications
  Earlence Fernandes, Jaeyeon Jung, and Atul Prakash 
  Security Analysis of Emerging Smart Home Applications (19p PDF) 
  In Proceedings of 37th IEEE Symposium on Security and Privacy, May 2016
• FlowFence: Practical Data Protection for Emerging IoT Application Frameworks
  Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash 
  FlowFence: Practical Data Protection for Emerging IoT Application Frameworks (19p PDF)
  In Proceedings of the 25th USENIX Security Symposium, August 2016
• ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms 
  Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash 
  ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms 
  21st Network and Distributed Security Symposium (NDSS 2017), Feb 2017
• Institute for Critical Infrastructure Technology (ICIT)
• Rise of the Machines: The Dyn Attack Was Just a Practice Run, 62p PDF Dec 2016
• Security and Privacy Consideration for Internet of Things in Smart Home Environments,  Desai & Upadhyay, (11p PDF, Nov 2014)
• Industroyer: Biggest threat to industrial control systems since Stuxnet, June 2017
• Duo Labs' Bug Hunting, Drilling into the Internet of Things, June 2017 (31p PDF)
• Internet of Things Security Research:A Rehash of Old Ideas or New Intellectual Challenges?, Fernandes, Rahmati, Eykholt and Prakash,  (5p PDF) July 2017
• Spying on the Smart Home: Privacy Attacksand Defenses on Encrypted IoT Traffic, Apthorpe, Reisman, Sundaresan, Narayanan & Feamster, (16p PDF, Aug 2017)
  
• University of South Wales School of Electrical Engineering:  Inside job - Security and privacy threats for smart-home IoT devices (40p PDF, May 2017)
• KRACK:  Vanhoef & Piessens:  Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 (16p PDF, Oct 2017)
• The Internet of Things:Implications for Consumer Privacy under Canadian Law, Trosow, Taylor & Hanam (97p PDF, Oct 2017) 
• Blockchain for IoT Security and Privacy: The Case Study of a Smart Home, Dorri, Jurdak, Kanhere & Gauravaram (7p PDF, Oct 2017)
• Altman Vilandrie & Co. Whitepaper - Are your company’s IoT devices secure?Internet of Things Breaches are Common, Costly for U.S Firms (7p PDF, June 2017)
• Forrester - The State of IoT Security 2018 ($$$, Jan 2018)
• ESET Report - IoT AND PRIVACY BYDESIGN IN THE SMARTHOME (19p PDF, Feb 2018)
• Cyber Security Research Institute - Pinning down the IoT (24p PDF, Jan 2018, sponsored by F-Secure)
• Vodafone - IoT Barometer 2017/18 (36p PDF, Sept 2017)
• DÏoT: A Self-learning System for Detecting Compromised IoT Devices, May 2018
• Princeton's' Center for Information Technology Policy added.  Interesting IoT Inspector project
• BlackIoT: IoT Botnet of High Wattage DevicesCan Disrupt the Power Grid, Princeton. 19p PDF, Aug 2018 
• Personalized Privacy Assistants for the Internet of Things, 2018 IEEE Pervasive Computing: Special Issue - Securing the IoT, Apr 2018, 11p PDF
• Added PrivacyAssistant.org project, focused on user-oriented machine learning techniques
• Ponemon's Second Annual Study on the Internet of Things (IoT): A New Era of Third-Party Risk, March 2018 42p PDF
• Zingbox 2018 Annual Threat Report Medial Devices, 16p PDF
• Web-based Attacks to Discover and Control Local IoT Devices,  Aug 2018, 7p PDF
• Infoblox report:  What is Lurking on your Network, exposing the threat of shadow devices, May 2018, 7p PDF
  
• ACM Proceedings of 2018 Workshop on IoT Security and Privacy
• HighIoT - Token Launch Whitepaper on decentralized storage of IoT behavior profiles for protecting devices, 30p PDF, June 2018

• Gartner:  The Connected Home:  Impact on CIOs and Buisness Leaders 
• Rapid7 - Hacking Iot:  A Case Study on Baby Monitor Exposures and Vulnerabilities (17p PDF, Sept 2015)
• ITU & Cisco's Report: Harnessing the Internet of Things for Global Development (60p+ PDF, Jan 2016)
  Relevant discussion beginning on pg 41 - Challenges to the Deployment in Developing Countries
• Symantec's Insecurity in the Internet of Things (20p PDF, Mar 2015)
• TRAPX Anatomy of an Attack - Internet of Things (20+p PDF, Mar 2015) 
• Vericode Internet of Things Research Study - household IoT Devices (Reg req'd 12p PDF, Apr 2015) 
• HP IoT Security Study -  Widely shared: 10 popular devices tested, 70% vulnerable (6p PDF, July 2014)
• Intel/McAfee - 2017 Threats Predictions Report (57p PDF) Nov 2016 
• Medical Device Vulnerability Intelligence Program for Evaluation and Response (MD-VIPER) added
• IoT Related Advisories (Still digging here - need to find a better way!)
• IC3/FBI 
• Alert I-031716-PSA, "MOTOR VEHICLES INCREASINGLY VULNERABLE TO REMOTE EXPLOITS", March 2016
• Alert I-091015-PSA, "IOT  POSES OPPORTUNITIES FOR CYBER CRIME", Sept 2015
• Alert I-071717-PSA, "INTERNET-CONNECTED TOYS COULD PRESENT PRIVACY AND CONTACT CONCERNS FOR CHILDREN", July 2017
• Public Service Announcments
• I-091015-PSA - INTERNET OF THINGS POSES OPPORTUNITIES FOR CYBER CRIME, Sept 2017
• I-101717a-PSA - COMMON INTERNET OF THINGS DEVICES MAY EXPOSE CONSUMERS TO CYBER EXPLOITATION, Oct 2017
• I-080218-PSA - CYBER ACTORS USE INTERNET OF THINGS DEVICES AS PROXIES FOR ANONYMITY AND PURSUIT OF MALICIOUS CYBER ACTIVITIES, Aug 2018
• Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• Alerts 
• Advisories
• Cert Vulnerability Note 656302:  Belkin Wemo Home Automation Devices (Orig Feb 2014)
• Official Belkin Support - Wemo & Security, fixes, versions & related (Feb 2014)
• Cert Vulnerability Note 796883:  HomeSeer HS2 Web Interface (Orig 2011)
• Cert Vulnerability Note 525132:  Foscam IP camera authentication bypass (Orig Mar 2014) 
• Cert Vulnerability Note 265532:  Multi-vendor IP camera web interface authentication bypass (Orig Oct 2012)
• IOActive:  Petcube Remote Wireless Pet Camera Vulnerabilities (2p PDF, Apr 2015)
• Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems
• FDA Safety Alert, 13 May 2015
• Cert Advisory (ICSA-15-125-01A), 13 May 2015
• Original post @ 0XTech, 28 April 2015
• Cert Vulnerability Note VU#719736:  Fisher-Price Smart Toy platform unauthenticated web API commands
• Cert Alert IR-ALERT-H-16-056-01 - Cyber Attack Against Ukrainian Critical Infrastructure, Feb 2016
• New York City Consumer Affairs Warns Parents to Secure Video Baby Monitors, Jan 2016 
• CERT Advisory ICSMA-16-196-01 - Philips Xper-IM Medical Monitoring System, July 2016
• CERT Advisory ICSMA-16-089-01 - Carefusion Pyxis SupplyStation System . March 2016
• CERT Advisory ICSMA-16-279-01 - Animas OneTouch Ping Insulin Pump Vulnerabilities, Oct 2016
• CERT/NIST Vulnerability Summary for CVE-2016-6452 - Cisco Prime Home Authentication Bypass 
• CERT/NIST Vunerability Summary for CVE-2016-6408 -  Cisco Prime Home Web-Based User Interface 
• CERT Advisory ICSMA-17-009-01 - St. Jude Merlin@home Transmitter Vulnerability, Jan 2017
• CERT ICS-ALERT-17-102-01A - BrickerBot Permanent Denial-of-Service Attack, April 2017
• CERT Alert (TA17-293A) - Persistent Threat Activity Targeting Energy & Critical Infrastructure Sectors, Oct 2017
• CERT/NIST Vulnerability Summary for CVE-2018-10987 - Dongguan Diqee Diqee360 vacuum cleaner remote code execution vulnerability, July 2018
• CERT/NIST Vulnerability Summary for CVE-2018-10988 -  Diqee Diqee360 devices execute code, without a digital signature, as root, July 2018

IoT Security News

Revision History