Summary
Designing safety‐critical software in domains ensuring essential services like transportation, energy, or health requires high assurance techniques and compliance with domain specific standards. As a result of the global interconnectivity and the evolution toward cyber‐physical systems, the increasing exposure to cyber threats calls for the adoption of cyber security standards and frameworks. Although safety and security have different cultures, both fields share similar concepts and tools and are worth being investigated together. This paper provides the background to understand emerging co‐engineering approaches. It advocates for the use of a model‐based approach to provide a sound risk‐oriented process and to capture rationales interconnecting top‐level standards/directives to concrete safety/security measures. We show the benefits of adopting goal‐oriented analysis that can be transposed later to domain‐specific frameworks. Both qualitative and quantitative reasoning aspects are analyzed and discussed, especially to support trade‐off analysis. Our work is driven by a representative case study in drinking water utility in the scope of the NIS regulation for operator of essential services.