Tying software to hardware using processors or FPGAs that enable burn-in of keys (one -time programmable) will provide authentication and encryption. Best to use asymmetric encryption for authentication so that private keys do not reside on the board.
Keys can be extracted from hardware using a variety of methods, most common are bus snooping and side channel attacks (DPA, timing).
Using hardware write-protects features such as VITA NVMRO can protect executable memory locations, which significantly slows down ability for malicious logic to persist on embedded systems.
This can be a moving target, which is an Achilles heal for embedded systems since patches are difficult to apply sometime impossible on fielded systems, but using established solutions for ssh, ssl, tftp, etc is paramount. Ensuring that communication channels are encrypted and options are limited to specific use cases (through build options) can help reduce the attack surface.