Dr Paul N Stockton, the managing director of Washington-based advisory firm Sonecon, who also served as US assistant secretary of defence for Homeland Defense and Americas' Security Affairs for nearly five years, has warned that cyber security is a vital consideration for any CEO looking to expand internationally, particularly in the Western hemisphere, and notably in Latin America. The reason for this is that trojan-disguised malicious software is experiencing a huge rise in countries such as Brazil and Peru. 

He claimed that Peru in particular is home to an increasing number of university graduates who studied in Russia and learned how to operate malware while there. Many of these graduates are now disenfranchised in their home countries, and therefore more likely to forge links with experienced criminals in Russia and eastern Europe. 


Mr Stockton has strongly recommended that companies add cyber threats to their risk assessment metrics and put building risk mitigation initiatives into FDI projects. “We know that BlackEnergy and other tools for cyber attack are proliferating on a global basis,” he said. 

BlackEnergy, which experts say originated with Russian government-sponsored hackers, is designed to target critical energy infrastructure. “Cyber weapons to be used against infrastructure are sophisticated and for sale to the highest bidder on the web,” said Mr Stockton. 

FDI projects can be at risk in two ways. First, the project itself may be subject to a cyber attack. Second, the activity presents an indirect threat to electricity, water and other infrastructure structures. “If adversaries or extortionists are able to take down a function of the infrastructure, a company’s ability to sustain continuation of operation will be jeopardised,” said Mr Stockton. 

He emphasised that attacks on operating technology systems are less understood by CEOs and site selectors. “These are systems on which FDI depends,” he added.

Examples are industrial control systems that run building operations and manufacturing facilities. “The operation control systems that operate machinery, censors and everything necessary for the projects to function are increasingly under attack,” he said. “Potential adversaries abroad, including criminals and extortionists, have tools now to map operating technology systems, imbed malware on those systems and prepare for malicious attacks against them.” 

Traditionally, IT and operating technology systems were not connected to the internet and were isolated in a way that made them better protected from attack. Increasingly, however, they are connected to the internet, and can be accessed by wireless systems to help them operate more efficiently and effectively. 

Mr Stockton said that companies would benefit from exploring the degree to which the infrastructure on which they are going to depend has been hardened against an attack. He added that protections to OT systems should be planned for at the start of a project. 

“Do everything necessary to isolate networks from the internet to [protect] against spear phishing attacks and other common threats,” he said. “It’s a challenge. But CEOs should not imagine that just because they are investing in Latin America that their investments are immune from the kinds of attacks that are increasingly growing in the US.”