[…]Security begins with the modular components of the system. The first requirement for a secure module is a secure boot. No unauthorized party should be able to tamper with the software while the processor is starting up—something that cannot just be bolted on. A secure boot starts with an initial phase loaded from on-chip masked ROM, so it must be built into the microprocessor silicon. Numerical cryptokeys that authenticate, decrypt, load, and start additional levels of encrypted software are stored in this secure memory. A secure ICS must be able to start up and to decay in a secure state. Intentional or unintentional power cycling must not degrade the level of cyber protection and cybersecurity. A secure boot of every system-wide microprocessor is essential to meeting this requirement.[…]
https://blog.isa.org/industrial-control-system-cybersecurity-build-bolt
Firmware Security 