Question
Do you have any thoughts on how to verify the validity of a relay's firmware prior to installing it outside of taking the software's word for it?
One question that I thought about too late was in regard to firmware from vendors where they have some form of digital signature (I'll have to leave off the name, but two of them are very prominent ICS protective relay vendors). The firmware they provide isn't verifiable in Windows, but they attest that their relays have some method of verifying the validity of the firmware prior to installing it. Do you have thoughts on how to verify that outside of just taking their word for it?
Producer's Note: This question was posed during the recent Energy Central PowerSession: 'Cybersecurity on the U.S. Power Grid: Software Supply Chain Risks and Mitigations for NERC CIP-010-3,' with keynote speaker Richard Brooks. The PowerSession was so lively and packed with great information that Richard was not able to address all questions live, so we thought we would bring the question to the community so he could answer in writing, as well as provide an opportunity for the community to keep the conversation going with follow-up questions, comments, and discussion by anyone who was or wasn't able to attend the PowerSession live.
In case you missed the live event, a recording of the PowerSession can be accessed here.
More Q&A responses from Richard that came after the PowerSession ended can be found here.
Richard will also be holding a live Q&A discussion on the topic on Thursday August 27 at 4 PM Eastern. This informal chat will let you share any other questions you may have or topics you want to discuss. Join at any point during the hour when you're free and hop off when you need. More information and calendar reminder sign-up can be found here.