Commodity Management Blog

Innovative Ideas and Thought Leadership for Volatile Commodity Marketplace

BurglarSpot trading in Europe’s flagship emissions trading scheme (EU ETS) recently ground to a halt, following the theft of 2m Allowances from the Austrian, Czech and Greek National Registries. Valued at around €30m, this theft is the latest in the series of embarrasments for the European Union, following on from a theft of 1.6m Allowances from the Romanian Registry last year. It appears that the thieves managed to acquires the Account passwords of legitimate users and effect transfers to Accounts of their own choosing.  To make matters worse, the EC was aware of an imminent hacking threat, but didn’t order a lockdown of the Registry system before the theft. The EC maintains that Registry security is a matter for individual Member States. That’s technically true, but a little like failing to tell your neighbour he’s left his front door open, and he promptly gets burgled.

There is little doubt that the missing Allowances will be recovered, as each has a unique ID number and no Allowance ever actually leaves the Registry system. The whole Registry system is now on the lookout for the missing IDs, and many have already been found, but at the time of writing, 1m Allowances were still missing from the latest heist.  However, with 27 EU Registries currently operating, plus numerous others which support EU Allowance transfers, the thieves have had plenty of opportunities to cover their escape through a myriad of transfers.  Point Carbon, the leading industry publication on emissions trading, have spoken to a number of Registry officials, and got quotes like :

“We’ve heard the EUAs went to (an account in) Poland, then to Estonia, then to Liechtenstein, and the latest is they have left Liechtenstein, but we have no idea where they went after that.”

This sorry episode calls in to question the security protocols governing the operation of the Registries. For those of us involved in the EU ETS since its inception, the recent spate of thefts is remarkable not because they occurred, but because they did not occur much earlier and on a bigger scale, and the EU only has itself to blame.

The design of many of the EU National Registries have its origin in registries operated by the UK and French governments in the days before the launch of the EU ETS. In those days, both countries operated voluntary emissions trading schemes open to a small number of players trading low-value instruments. Security wasn’t much of an issue because the value of transactions was low, and the rewards of fraud correspondingly small. Also the knowledge required to perpetrate a theft was very specialised, so the authorities could easily track down the perpetrators.

Once the launch of the EU ETS was announced, the UK and French Governments, to the disbelief and horror of the IT industry, gave away their software for registry operation to any member state who wanted it. I was part of a team who complained to the UK’s Department of Trade and Industry, telling them that by giving away the UK registry software, they had deprived the UK software industry of about £10m a year in export revenues. “Ooops, sorry old chap, we never thought of that” was the DTI’s response. Presumably, the reaction  of the French IT industry was similar. In the end, most of Europe ended up with “free” software supplied by the UK or France, written by people who were civil servants first, and code-cutters last. Fortunately many countries produced their own registry software from scratch, using modern standards of security QA.

Except the “free” software wasn’t free from a security perspective. During the launch of the software it became clear that the functionality had not advanced very far from supporting the local emissions schemes of the past. By far the most important shortcoming was the lack of an API for ETRMs to access. This caused howls of protest from the power industry, whose members were expecting to interface their ETRMs with the National Registries, making Allowance transfers and surrender fully automated, and, more importantly, falling under the security protocols enforced by their ETRMs. What they got was a manual system in which all Allowance operations had to be executed using a clumsy GUI designed with a much simpler business process in mind.  The “free” software merely transferred costs and increased risks elsewhere.  The concerns of me and other software vendors were dismissed as the views of self-serving parasites, and the seeds of disaster had been sown.

The security shortcomings of the National Registries have been well known for some time in some corners of the emissions conference circuit, although for obvious reasons knowledge of the security weaknesses wasn’t widely broadcast in the early days. I was at an emissions trading conference at the end of last year where the speaker made it clear he would only effect Allowance transfers on the Irish Registry. When asked why, he explained in great detail the shortcomings of other National Registries, and said that the Irish one was the only one where Allowance transfers away from the Account of the owner had to be backed up by independent written  (yes written, not electronic!) authorisation by the owner.  In retrospect, a simple but effective measure.

The key weakness of the Registry software security is that it has little or no concept of role-based permissions. Unlike Triple Point’s flagship commodity trading and risk solution, Commodity XL, where every user has a role and restrictions on what they can do, Registry users simply have one permission – once they have logged in, they can do anything they like – move Allowances to any external Account of their choosing, or surrender them. To make matters worse, genuinely erroneous transactions could not be easily reversed – mistaken transfers to genuine external Accounts could not be recovered without the full cooperation of the erroneous recipient.  Even worse, erroneous “surrender transactions” in which Allowances are cancelled (= deleted) are virtually irreversible as the Allowance serial numbers are deleted along with the Allowances.  Registry security isn’t even as good as that offered by on-line retail banking.

The rest, as they say, is history. EU National Registries have seen an increasing number of attacks and Allowance thefts by hackers. Then last week, the EU had to suspend all Registry operations pending a review of security, and consequently a  number of emissions exchanges and trading platforms using those Registries have also been forced to closed. The EU estimates that at least 14 Registries are vulnerable, and is only allowing a phased re-opening of the Registries (pending security checks) from the 26th January. The emissions market will resume normal operations soon, although at what cost to its credibility remains to be seen.

Commodity XL does have an EU ETS module, Commodity XL for Emissions, but we too have no API to National Registries. What I recommend to European clients is as follows :

·         They replicate their National Registry Account structure in Commodity XL

·         All Allowance transfers between internal Accounts are treated like any other trade,
and are audited

·         All emissions trades with external counterparties capture all Registry Account
numbers that are involved, both for Internal Company, and Counterparty (where
possible)

·         There is a segregation of duties – traders can trade Allowances but not transfer
them – only Back Office staff have the access to the “real” Registry Accounts to
effect transfer

·         All emissions physical trades resulting in Allowance transfers are notified to Back
Office staff for execution through workflow and/or Alerts

·         Back Office staff are alerted to check Registry Accounts balances to ensure delivery
by the counterparty on the due date

·         There are regular reconciliation reports between the Allowances position as seen
by traders in the Commodity XL Position Manager, and Back Office staff using the
Registries’ own reports. Any discrepancies are reported immediately.

This may seem heavy-handed, and I know some of my colleagues have expressed amusement that my recommended security checks take up so much room in the Commodity XL implementation specs, but when Allowances are around €14 each, and our customers have millions of them, we can’t be too careful.

I will continue to lobby for a proper Registry API through the various industry groups I belong to on behalf of Triple Point. I hope that this latest disaster will be the catalyst for change, as the weaknesses of “free” software produced by civil servants has proved all too apparent.