Following the January theft of emissions allowances worth €7 million (US$9.4 million) from an account in the Czech Republic -- plus hacked trading accounts in Austria, Poland, Greece and Estonia -- the European Commission (EC) has temporarily suspended the national registries that manage its emissions trading scheme (ETS).
Launched in 2005, the ETS encourages companies to invest in low-polluting technologies by making the firms buy allowances to cover their annual emissions. Each country within the European Union (EU) is allocated a certain quantity of permits which are then issued to companies. More efficient companies profit by selling or banking unused allowances. Sales last year reached €90 billion (US$124 billion).
Henry Derwent, president and CEO of the International Emissions Trading Association (IETA), Geneva, Switz., outlined why criminals are attracted to the registries in an interview with National Public Radio on Jan. 22.
"It is essentially an allowance. This piece of paper allows my company to emit a ton of carbon dioxide through a combustion process. So it has value. Companies that produce less carbon than they're permitted can sell what's left of their allowance to companies that produce more than they should. There's actually a market where these allowances are traded electronically. Over the past few months, but especially in the last week, criminals have been able to break into one of the registries where those carbon allowances were recorded and change who owns what. If you make sure that it's transferred to an account that you own and you sell it very quickly, then you've essentially got something for nothing, sold it for a lot, and you get out of town with all the dollars in your bag."
What the theft proves, he added, is that carbon emission allowances are now seen as commodities like gold or wheat -- and, if not defended by good security, are likely to be targeted by criminals.
Eleven months prior to the attacks, the IETA sent a letter to Jos Delbeke, deputy director general at the EC's directorate general for the environment, Brussels, concerning an earlier value-added-tax fraud associated with the scheme. Among the six measures urged in the letter were: new anti-phishing controls, a centralized monitoring/EU registry system, comprehensive anti-fraud measures, and continuous evaluation of ETS.
In a letter to the EC on Jan. 20, IETA pointed out that the thefts could have been avoided if these recommendations had been implemented properly.
The letter adds: "We would like to invite the Commission and member states to be aware of the damage that this situation is inflicting on market participants. We therefore call on the Commission to urgently and thoroughly close this security gap by reviewing requirements to access accounts, by ensuring the actual implementation of stringent IT security checks by a set date, and by clarifying liability issues once and for all in case of a theft of emission allowances. There must be a deadline by when security upgrades have to occur and progress of implementation must be closely monitored."
Before compiling its letter, the IETA canvassed the views of its own members on a number of issues relating to the registry suspension. It asked, "What mandatory security tests should be used to determine whether registries can re-open?" More than 20 members -- including industrial companies -- replied.
Most respondents considered it necessary for registries to have second authentication in place -- in addition to ID and password -- for all accounts where a transaction can be initiated. Such authentication, they said, could include electronic certificates, electronic ID cards, one-time passwords via short message service (SMS) or tokens.
It was also emphasized that the e-tokens used for second authentication shouldn't restrict operational arrangements. In practice, each designated user of an account should get an e-token for second authentication.
There was much less support for two-person authorization procedures. Here, each access to an account where a transaction can be initiated (or each transaction) would be initiated by one authorized representative through ID and password, then confirmed by a different authorized representative with a different ID and password.
Overall, respondents felt that registry security should respect the following requirements: strong passwords, changed on a monthly basis; personal accounts and follow up of inactive accounts; confirmation of a transaction by both parties before it becomes effective; and encrypted and secure connection to the web server.
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org.