SEC's IT transformation
A look at Saudi Electricity Company's multi-faceted IT transformation.
As the company responsible for providing power to the whole of Saudi Arabia, Saudi Electricity Company (SEC) easily ranks as one of the largest organisations in the region, with one of the most important roles to play in the Kingdom. The company handles power generation and transmission for the Kingdom, with 48 power generation plants, 570 transmission substations and over 143 customer service offices, serving 6.7 million customers across the Kingdom.
As could be imagined, providing the information systems to manage such a large organisation is no mean feat in itself. The IT organisation comprises 450 direct employees and 150 contractors, with over 19,000 desktops serving 28,000 employees. On top of the sheer scale of operations, the IT function also faces increased scrutiny over cyber security, following attacks on other high-profile industries in Saudi, and has to prepare for the splitting up of the company into different organisations, as mandated by regulators.
Yahya Ibrahim Abdulrahman, executive director, Information and Communication Technology, Saudi Electricity Company, says that following the cyber attacks on prominent national oil companies last year, security has gone to the top of the agenda across the organisation.
“We had to speed up and accelerate our projects around security,” he explains. “What if this attack had happened to the grid of Saudi Arabia? What would have been the impact on the economy, security and on society? It raised concern among the management and among the executive of the country.”
Abdulrahman says that SEC is placing greater emphasis on IT security for the electricity generation and transmission systems – the operational part of the company, rather than the company’s information systems. The production side of the utility had previously been regarded as separate, closed systems, which were not exposed to threats, as they were not outward facing. This view is no longer valid, he says.
“Every network is interconnected. The business and operations side still think that they are using black boxes, that cannot be penetrated - everything is moving into IP, there are no closed systems anymore. Don’t think ever that you are isolated.”
SEC is taking several different approaches to improving security. The company has contracted consulting company Devoteam, which has extensive experience in delivering information security services, to carry out a comprehensive assessment of SEC’s network security, across all areas of operations. The audit will check all the parts of SEC’s IT infrastructure, to give a 360 degree view of the company and address any vulnerabilities.
SEC has also standardised all of its desktops on Windows 7. The assessment, which will take place this year, will then be used as the basis for a further project for security strategy and IT governance.
Abdulrahman also aims to improve security awareness in the operations part of the company, to ensure that employees understand the risks that can affect even ‘isolated’ systems, such as infected USB drives.
“We have very strong awareness for the operations side, to bring them onboard, to benefit from security. On the data side there is more maturity, more than on the operations side, and the risk is high on the operations side - it is my duty really to bring up their maturity and awareness about security.”
Another major strategic focus for the IT organisation is preparing its services for the break up of the company. Saudi’s Electricity and Cogeneration Regulatory Authority plans to divide SEC into several separate companies. The move will create five subsidiaries, four in power generation and one in power transmission, under the Electricity Holding Company, which will mean a considerable shift in the focus of IT, to become a service provider to each of the subsidiaries. The subsidiaries will eventually be free to source IT from outside providers, meaning that Abdulrahman is having to develop a customer-service approach to retain the new companies.
“They will get IT services through the corporate IT, and we will have a three year grace period until they can get IT from outside; which means that we have to reorganise ourselves to be more customer-focused and more service-oriented to make sure that we maintain those customers taking IT from us,” he explains.
SEC already has internal SLAs with the IT organisation, but this is now being expanded and improved on. The company is being audited for ISO 20000, to manage IT service levels, which Abdulrahman says will give the customer organisations reassurance that they are receiving services that follow international best practices and security standards.
The IT organisation is also developing business relations management, based on the ITIL standard, and has a program to develop projects in line with the requirements of the various units, which he says have been successful. To begin with, IT will be offering a limited service catalogue to the new entities, of services such as email, web browsing, user desktop, and so on, with the catalogue expanded further if this initial offering is successful.
The company began server virtualisation around three years ago, and today has around 80% server virtualisation, and is looking to different cloud models as potential means of service delivery in future, Abdulrahman explains. SEC has formed a working group with four vendors - HP, Microsoft, Symantec and VMware – to develop a model for private cloud deployment, and it is also using public cloud services from Microsoft and HP. Microsoft’s Office 365 is being deployed to trainees and retired staff of the company, while SEC is looking at HP’s cloud services as a platform for development.
There are still issues with cloud, however: “The issue with deploying cloud in the Gulf is connectivity and security,” Abdulrahman says. “These are big issues in deploying cloud. If there is no regulation to ensure the technology providers deliver on the SLA, then it will be a big problem for us. If the connectivity to the internet is not sufficient, cost effective, or reliable, then the cloud will not succeed.”
The company also has an ongoing SAP deployment, begun in 2007, with SEC implementing a gradual deployment of modules, including HR, finance, materials, transportation, fuel transportation, plant maintenance, and contracting. “We are focusing on completing deployment of SAP modules for the rest of the business. We have finished about 70% of our plans, we hope by end of 2013 to have finished deploying the plant maintenance, and next year we will finish the billing project,” Abdulrahman adds.
Another project underway is developing a Project Management Office, also with Devoteam, for the Information Technology & Communication department, which began in January. Abdulrahman says that the aim is to assess and establish a fully functional PMO for the ITC projects and portfolios, to manage the ITC projects that are serving the different SEC business units and subsidiaries first. After that, the company will look to bring in structured project management practices to raise project management maturity and implement an enterprise PMO for SEC as a whole, with full integration into the company’s project planning and delivery.
There is already interest from across the company in project management, he says, as different business units look to ways to better manage their projects. “In 2011, I started looking seriously at PMO for the company as a whole. Three years ago there was no maturity or know-how within the business about project management. I believe that project management adds value to the company’s operation, in saving money, and linking PMO to the company dashboard and vision,” he explains.
The IT department has previously run weekly workshops, with Microsoft, to explain project management and increase awareness of Microsoft’s Project application, and it also has e-learning courses on project management which have found a lot of interest among users. For future initiatives, SEC has an IT transformation project with Devoteam, and there are a number of other areas of focus for Abdulrahman.
SEC has a very successful GIS deployment, based on ESRI solutions, which it uses to monitor and map systems. The GIS is even shared with police departments, who are able to use mapping of electricity meters to locate incidents, where addresses are not available. Abdulrahman is keen to continue sharing services with government departments – it already has integrated some systems with municipalities for issuing of building permits and ensuring prompt power connection to new buildings – and he believes that more can be done to develop customer-facing services such as these. Mobility is also a focus, particularly in enabling mobile maintenance.
“We are developing a new mobility strategy,” he says. “With the revolution of mobility, how can we use it to improve the operations side of the company? How can we use handheld devices for plant maintenance? With this huge electricity network, and people working in the field, then if I can succeed in improving operational efficiency with mobility, then I will add value.”
SEC: Key IT initiatives
- Windows 7 standardisation
- ISO 20000 compliance
- E-security awareness campaign
- Server virtualisation
- Office 365 trials
- Ongoing SAP deployment
- GIS deployment
- Instilling project management culture
- New mobility strategy