Don’t panic! Analysing the impact of attacks on the safety of flight management systems
File(s)
_Paper__AIRBUS__DASC__Threat_Enumeration (9).pdf (1.03 MB)
Accepted version
Author(s)
Castiglione, Luca
Lupu, Emil
Stassen, Philipp
Perner, Cora Lisa
Pereira, Daniel Patrick
Type
Conference Paper
Abstract
Increased connectivity in modern aircraft also significantly increases the attack surface available to adversaries and the number of possible attack paths. It is therefore of the essence to characterise the attacks that can impact safety. We present Cassandra, a novel methodology combining System Theoretic Process Analysis Security (STPA-Sec) with formal verification to automatically identify safety critical threat scenarios. Unlike previous methodologies for safety and security analysis, Cassandra leverages the integration with the aircraft architecture, together with the set of threats and the privileges required to execute them, to also identify safety critical attack paths. We employ Bayesian inference to compute the probability of success for the safety critical attacks found. We describe how Cassandra can be used in the system early design phase to reason about attack paths leading to safety critical threat scenarios and discuss how it can be further used to evaluate mitigation and assurance cases by reducing threat vectors and increasing safety. In particular, we apply Cassandra to analyse the safe operation of a Flight Management System (FMS) when the adversary tries to access safety critical information by compromising the device used as the Electronic Flight Bag (EFB). We evaluate the probability of successful attacks in three different scenarios: EFB available on pilot owned device, EFB available on airline controlled device with limited connectivity, and EFB available on aircraft only. While the outcome of Cassandra may be intuitive in this case, the example allows us to show how Cassandra improves automation and integration of safety and security analysis for modern avionic architectures, where complexity hinders intuition and manual analysis is laborious and error prone.
Date Acceptance
2023-04-22
URI
http://hdl.handle.net/10044/1/105932
Copyright Statement
Copyright © 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
License URL
https://creativecommons.org/licenses/by/4.0/
Source
42nd DASC. 42nd Digital Avionics Systems Conference
Publication Status
Accepted
Start Date
2023-10-01
Finish Date
2023-10-05
Coverage Spatial
Barcelona