Safety and security disciplines are often independent domains, with little interaction. There is increasing convergence driven by common technologies, platforms and networking, where safe operation of complex systems requires appropriate security. The two disciplines may also conflict, creating new hazardous that may require new safety functionality to reduce the security derived risk. Solely using the information assurance security attributes (confidentiality, integrity, and availability — CIA) is unsatisfactory when applied to the control systems and safety environments. This paper discusses emerging developments in the treatment of malicious acts in safety standards, and illustrates continuing challenges in vertical sectors, including medical. An adapted Parkerian Hexad assurance model is presented, which combines engineering good practice with information security, offering a more granular framework. The need to for a holistic approach to security is illustrated, with a recent cyber-attack, being one of the few causing physical destruction since Stuxnet in 2010. In this case the perpetrators traversed enterprise IT systems to compromise control and safety systems, causing significant damage.