Still working through it, - I did have a response from the policy maker themselves, although they cannot give comment on different vendors, it has caused them to go back to the working table and work through the different scenarios I painted for them. In summary, traditional networks, Software Derived Networks, Network Functional Virtualisation - each and every category of device regardless of whether it is physical or virtual has to be examined and research conducted as to what individual vendor can provide to ensure that the underlying Operating System can detect changes both externally or in use i.e. by external control means or at command line level. So basically each case has to be worked through individually and the appropriate risks, threats identified and mitigated.
I will update upon further research and analysis with examples - as this is going to crop up again and again.
Update from the Policy authorities: They cannot comment on individual vendors and associated products, of course, but their suggestion is to categorise each and every Vendor as well as devices types regardless of whether they are physical, virtual, edge or NFVs etc. Then carefully work through each vendors offerings, and device types and work out whether or not they each of inherent capabilities to detect minute changes to their updates, or patches and examine their capabilities.
Some vendors with some device types do have some command line capabilities, whereas others require additional external solutions to detect unauthorised changes or attempts to modify updates or patches.
Obviously, the source is a key area, which can be handled by judicious use of Characterisation as well as confirming the validity of the downloaded update or patch via cryptographic hashing.
This is turning out to be a journey on a case by case basis.
As a result of my chasing the policy authorities, they are now apparently updating their policy documentation, to provide further clarity as to what is acceptable for Software Defined Network (SDN) environments network devices.