You own the security architecture for an embedded network appliance that boots Linux, exposes a local management plane, processes untrusted network traffic, and receives signed firmware updates in the field. A recent internal review found inconsistent hardening across the boot chain, weak separation between management and dataplane processes, and limited telemetry when devices are tampered with or downgraded. The device may be deployed in hostile environments where attackers can reach network services and may gain temporary physical access.
How would you design and operate security for this embedded application end to end, from manufacturing and boot through runtime, updates, key management, monitoring, and incident response? Be explicit about the threats you are prioritizing, the controls you would implement, and how you would verify those controls actually work on deployed devices.