Easy if it’s on a small number of machines or a central computer. Just combine a ROM and flash with some software. The ROM has a high-assurance implementation of trusted boot of a signed image on the flash. It normally just loads it. A flick of a switch or code entered inside the engine or whatever switches it into update mode where it pulls data from a connected computer, checks the signature, and does the update if it’s authentic. In the event the cryptosystem is broken, the ROM itself is replaced.
This way, most upgrades cost about nothing with most serious ones still inexpensive vs a recall or whole new computer.
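
The ROM logic described above, modelled in Python as an added example that is not part of the original comment: verify before boot in normal mode, verify before writing flash in update mode. A Lamport one-time hash signature built on `hashlib` stands in for whatever signature scheme a real ROM would use (a fielded design needs a many-time scheme); the `BootRom` class, its return strings and the sample image are constructed for illustration.

```python
import hashlib

def H(b):
    return hashlib.sha256(b).digest()

def keygen(seed):
    # Lamport one-time key pair (stand-in scheme): 256 pairs of secrets, public key = their hashes
    sk = [[H(seed + bytes([i, b])) for b in (0, 1)] for i in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, image):
    # Reveal one secret per digest bit; each key must sign only one image
    return [sk[i][b] for i, b in enumerate(bits(image))]

def verify(pk, image, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(image)), sig))

class BootRom:
    """Hypothetical model of the ROM: fixed public key, guarded flash."""
    def __init__(self, pk):
        self._pk = pk               # fixed in ROM; changes only by swapping the ROM
        self.flash = None           # (image, signature) or None when blank
        self.update_switch = False  # the physical switch / code entry

    def boot(self):
        # Normal mode: run the flash image only if its signature verifies
        ok = self.flash is not None and verify(self._pk, *self.flash)
        return "RUN" if ok else "HALT"

    def update(self, image, sig):
        # Update mode: authenticate the candidate before flash is touched
        if not self.update_switch:
            return "REFUSED"
        if not verify(self._pk, image, sig):
            return "REJECTED"
        self.flash = (image, sig)
        return "UPDATED"

def demo():
    sk, pk = keygen(b"constructed vendor seed")
    image = b"engine firmware (constructed sample)"
    sig, rom = sign(sk, image), BootRom(pk)
    out = [rom.boot(), rom.update(image, sig)]            # blank flash; switch off
    rom.update_switch = True
    out += [rom.update(image + b"!", sig), rom.update(image, sig), rom.boot()]
    rom.flash = (b"modified outside update path", sig)    # flash altered in place
    return out + [rom.boot()]
```
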