I don't get it...
(yet?) First off, I can't see that their examples are even "IoT". Jeeps and Boeings aren't part of the IoT. Somebody just (allegedly) screwed up their entertainment systems, and failed to separate them from the control systems. I don't need a paper on that. Somebody managed to gain access to a rifle targeting system because it had a WiFi connection; not even the Internet. And anyone who builds Linux and WiFi into a rifle deserves all they get. And somebody else built a drug infusion system so that it could be controlled over the Internet; I think I see what their problem was. This was the only example where there was a possible use case for external control, but I would like to see their justification for remote *control*, rather than *monitoring*. The place to control drugs is at the bedside.
Back in the real world, I get asked to monitor taps, for example, over the internet, to see how often they're used (really). They have a tiny micro and a GPRS connection. I might be asked to turn something on occasionally. I thought this was the "IoT", and the paper is pretty much irrelevant to that. It doesn't even mention TLS/SSL, and even that's a big deal on the electronics I've got. My #1 problem is ensuring that a request to turn on a tap comes from a trusted source, which isn't even mentioned. My interest in trusted hypervisors, having cryptographically signed boot software on the micro, chain of trust authentication, and all the rest of it, is exactly zero. Putting in all this overhead is far more liekly to cause a problem than to cure it.