Security Breach Closes European Emissions Trading Systems

Reveals systemic security flaws?

Last Wednesday, the European Commission decided to suspend carbon trading on the European Union (EU) emissions trading system (EU ETS) until at least Wednesday, the 27th of January, after it was found that "cybercriminals were hacking into the national registries where allowances are stored and stealing them to sell on the open market," the Financial Times of London reported.

According to the EU web site, the EU emissions trading system is:

 "...  a cornerstone of the European Union's policy to combat climate change and its key tool for reducing industrial greenhouse gas emissions cost-effectively. Being the first and biggest international scheme for the trading of greenhouse gas emission allowances, the EU ETS covers some 11,000 power stations and industrial plants in 30 countries."

The EU carbon market is estimated to be worth about 90 billion Euros per year. You can read more about carbon trading here, here and here.

Hacking attacks against EU ETS have gone on for well over a year, but escalated late last year, the FT said. For instance, in November, some 1.6 million carbon trading certificates worth at least 15 million Euros were stolen from the Romanian unit of Holcim Ltd., the world’s second-biggest cement maker. After that theft, the EC proposed improved trading system security procedures but time ran out before anything meaningful could be put into place.

The impetus behind the EC's decision to suspend trading was the recent discovery that carbon trading certificates worth some 7 million Euros were stolen by hackers from an account in the Czech Republic.

That was bad enough, but on Thursday, the FT reported that in fact it was nearly 30 million Euros worth of allowances that had been stolen including some from Austria. As a result, all 30 emission trading systems in Europe were shut down in addition to EU ETS. The FT said:

"Exchanges including ICE Futures Europe, Nasdaq OMX Commodities Europe and London-based LCH.Clearnet stopped trading of emissions contracts, which are central to the bloc’s fight against global warming."

Henry Derwent, head of the International Emissions Trading Association in Brussels, was quoted as saying:

"There is no point in denying that this is a pretty big deal."

Today, Bloomberg News is reporting in this story that Austria has found and thinks it can recover "almost half a million carbon allowances illegally removed from its national registry." Each carbon credit is worth about $19, according to this UPI story from last week.

This AP story appearing today at Bloomberg says that the latest theft shows that a systemic security problem exists in Europe's carbon trading systems, one that needs to be rapidly and comprehensively fixed before confidence in the feasibility of carbon trading is lost.

The AP story also quotes Nikos Tornikidi, a portfolio manager in the Czech Republic working at emissions permits trading company Blackstone Global Ventures (which was one of the trading firms apparently hacked), as saying:

"No one had any clue."

Sounds like a fair assessment of the overall carbon trading system security situation, especially after you read this blog post over at the Wall Street Journal that discusses not only how easy it was (is) to steal these carbon allowances but also to resell them. Seems that neither allowance buyers nor sellers are all that curious as to the legal ownership of the carbon trading credit allowances.

Finally, there is this story over at the London Guardian this morning that says that it is highly unlikely that all the security holes in EU ETS will be patched by Wednesday's planned reopening.

I am not sure that I would have a high level of confidence in EU ETS's security even after it is eventually reopened, given its hodgepodge nature and "Let's build in security after the fact" system design approach. I have no deep insight into the security of the other 30 EU emissions trading systems, but I suspect more than one is also - shall we say - less than ideally secure.
