When SP800-160 was finalized, a lot of the popular computer industry trade press keyed in on the one mention of the "Internet of Things" in the entire document (a subordinate clause in the Abstract section) and stated that NIST had released guidelines for building security into the IoT. That's not really what SP800-160 does, of course. While systems security engineering discipline can and should be applied to IoT devices as well, they bring with them their own special challenges, particularly when one considers their inclusion in Smart Cities.
I was poking around today on cybersecurity.ieee.org, which is a sub-project of the IEEE Computer Society (of which I am also a member in addition to (ISC)2) and found a linked document entitled "Building Code for the Internet of Things," which I thought might be of interest to you all here. The document itself can be found here:
It is, by its own admission, more of a series of questions compelling systems designers for IoT and smart cities to think about things rather than a prescriptive set of requirements or criteria; however, I think it provides insight into the types of things which engineers building cyber-physical systems for deployment amongst the general public need to take into consideration from the perspective of safety, security and privacy.
If you've had a chance to read through it, what are some other things which folks here might want to see added to considerations when designing, deploying or managing these types of systems?