We address emerging threats to the security of photonic networks as these networks become heterogeneous being opened to the upper layers, multi-operator, and end users. We review the potential threats, mainly loss of the confidentiality of user data transmitted through optical fibres and disturbances of network control, both of which could seriously damage the entire network. We then propose a novel conceptual model of a secure photonic network by introducing a quantum key distribution (QKD) network to its legacy structure. Secure keys generated by the QKD network are managed by key management agents (KMAs) and used to encrypt not only user data but also control signals. The KMAs cooperate with the Generalized Multi-Protocol Label Switching (GMPLS) controller for secure path provisioning and drive photonic and modern crypto engines in appropriate combinations. Finally, we present a roadmap of a deployment scenario, starting from niche applications such as mission critical and business applications.