(1) Over the network. Typically when this is done with a network update, a digital signature is used to make sure the right software (or at least authorized software) is being loaded. Another trick is to force the update to come from some known IP address (like an internal address configured in known to be the sysadmin's workstation) or some known MAC address.
(2) Over the serial port. This has the advantage of requiring someone to be present, so it's more likely it is going to be done by an authorized person.
(3) Something else -- for example, some systems might have a compact flash port that you can put updates on.
This was first published in May 2002