2) Protect Your Bootloaders!
If you think of a device as a car, the firmware would be the engine and the bootloader is the starter/ignition. It's the thing that starts your firmware when your device boots. Attackers can use unprotected bootloaders to easily extract firmware from devices. Once an attacker has access to the firmware, they can bypass all other protection mechanisms.
3) Figure Out Firmware Updates
Firmware updates are a touchy subject in some of the safety- and compliance-heavy market segments, but they are important. If you don't have a firmware update policy, implement one. If you do implement one, make sure it is secure. Your cell phone stays up to date and more secure than your desktop because of its ability to receive regular updates.
Continuous monitoring is paramount, but traditional monitoring/IDS/IPS solutions don't work well with embedded devices and allow attackers to fly under the radar. You should deploy and use tools specifically designed for monitoring embedded devices. These systems pay for themselves quickly because they provide actionable insights for multiple parts of the organization: operations, security, and IT. These tools not only detect and prioritize security events but can also detect device misconfiguration or other operational issues. Think of them as a "security camera" for your networked embedded devices.
5) Train All Your Staff
The attack vector emanating from firmware and embedded devices is very different from traditional cyber threats. Include ALL your developers in training that teaches them to understand this: from hardware designers and firmware authors to business logic coders who use higher-level languages such as PHP, Python, and Perl. Having everyone in your stack aware of these attack vectors is important because it's the "uncanny valley" between hardware and software that creates gaps and opportunities for attackers.