While the article (referenced below) is an interesting read, it is another extension of the traditional Container-Related Asset Protection (CRAP) security approach, but targeted to protect IoT.  This is not necessarily a bad thing, in that at least IoT will have something, whereas today that sector has nothing.

This still will not provide protection for digital assets that may interact with, or be used by, the IoT device(s).  Consider this example: you have images on a USB drive or personal website you want to play on a smart TV in your hotel room. You have no idea to what systems that TV is connected. From the perspective of the TV owner, the device may well be secure, but from the content of the I/P represented by your photos (which is what REALLY matters), no way in hell. Was the nighttime security guard legitimately given access rights by the hotel to make sure no one was playing any content (that the hotel isn’t profiting from) on that TV, and is now capturing your personal photos for whatever reason?

Or, you download your cycle data from your smart thermostat to compare it with your electricity bill and have it e-mailed to you by the thermostat. How does that data (showing the precise times you spend away from your home) get protected all the way through the world outside the thermostat and ensure that no one but you can read intercepted copies of that data (perhaps after you’ve read it and archived it to your e-mail server)?

So, while this may provide more targeted protection for devices in the IoT world, it will likely also provide another attack surface, and once hackers find its weakness they will have learned to hack something that is in 50 million devices The Exact Same Way.

Remember “security” these days is being defined in the eye of the beholder, not in the generally accepted sense. “All that matters is, are my interests being protected? Forget everyone else, in fact, rob from what protects them to protect myself if I can get away with it.”