Okay.
What I would suggest you do is to accept that threats are going to get inside. In fact, accept that a threat has already arrived. Maybe it arrived through your supply chain, through your third-party vendors and all that kind of thing. Expect that it's going to happen and start coming up with some systems that expect this to happen but can find it without having to know what it is and without having to know what the bad stuff is.
There are a lot of stringent regulations right now. I think CSE publishes a lot of stuff about what you have to abide by when you get a government contract, but at the end of the day, if somebody got at the chip in the factory, as one of the MPs mentioned earlier, the only way you're going to find out about it is once you've plugged the chip in and have seen what has happened.