How Tosi’s Sakari Suhonen is Rewriting the Rules of Building Automation Security
As remote access becomes the norm, vulnerabilities in building automation security are prompting calls for new standards

PORTFOLIO: Sakari Suhonen, CEO of Tosi, says “scale multiplies risk.” For today’s property managers, the real threat is what you don’t see spreading across your whole portfolio.
Sakari Suhonen, CEO of Tosi United States, has a habit of spotting the cracks most people miss. “Most building operators manage remote access as a patchwork rather than a system,” he said, sitting in Tosi’s Irving, Texas headquarters. “They rely on VPNs that were set up years ago and are often shared across several vendors, while the HVAC controls sit on the same flat network as everything else.”
It’s a problem he’s encountered again and again in his two decades of B2B software leadership, from orchestrating Finland’s first B2B SaaS IPO at Efecte to his current post leading Tosi’s North American push. The numbers back him up: According to Tosi’s own research, one in five real estate organizations can’t fully account for what’s connected to their networks. “An operator cannot control access to systems it cannot see,” Suhonen said. “Most can name their major HVAC vendors, but few can produce a current list of who holds active credentials to the controllers.”
The Old Habits That Die Hard
The building automation sector has always been slow to adapt. Suhonen described a world where shared VPN credentials are still the norm, with a single account often serving multiple contractors – HVAC, elevators, building management – all at once. “Open ports exposed to the internet still appear in the field, usually as a remnant of an early remote-monitoring setup that was never decommissioned,” he said. “A shared login leaves no audit trail of who did what, and an open port is a standing invitation.”
At Tosi, Suhonen’s team designed their platform to remove these perennial weak spots. Every person and vendor connects under an individual identity; access is scoped to a specific system and window of time, and connectivity runs over encrypted outbound tunnels – no open inbound ports, no public attack surface. “Every session is logged and exportable, so the operator has a complete record of who connected, to what, and when,” he said.
When Security Risks Get Real
This matters because the delays in granting or revoking remote access aren’t just an inconvenience – they’re a real security risk. “Revocation can take days or weeks,” Suhonen noted. “Credentials outlive the relationships they were created for. A contractor completes a project, or an employee leaves a vendor, and the access remains live because no one owns the task of closing it. Every dormant credential is a potential entry point.”
With Tosi’s platform, access is granted for the duration of the work and expires automatically. “There’s no manual offboarding step to forget. Granting and revoking are each a single action rather than a process that crosses teams, so access keeps pace with the work instead of lagging behind it,” he said.
A Confidence Game
For most building operators, confidence in their security posture is built on hope more than proof. “Operators express reasonable confidence, but the underlying controls do not support it,” Suhonen said. Shared VPNs, credentials that aren’t regularly reviewed, a lack of OT network monitoring – these are more common than anyone wants to admit. “Confidence should be earned through visibility and audit rather than assumed from a quiet track record,” he said.
Even segmentation between IT and OT environments – a best practice that’s gaining traction – can be undermined by convenience. “The wrong response is to create an exception in the segmentation for convenience, because that undermines the protection. The right response is a remote access method designed for segmented OT environments, one that connects a vendor to a specific controller without exposing the broader network,” he said.
Speed vs. Security: A False Tradeoff
Suhonen is quick to reject the notion that operators must choose between fast vendor access and strong security. “A purpose-built access model removes the tradeoff. When an operator can grant access to a specific vendor, for a specific system, for a defined window, and revoke it instantly, it gains both. The vendor reaches the equipment quickly, and the operator retains tight control with a complete record of the session,” he said.
The Centralization Challenge
Centralization is the new reality for many property managers, with a single team overseeing dozens or hundreds of sites. “Scale multiplies the consequence of weak access control,” Suhonen warned. “A shared credential that was a manageable risk at one building becomes a portfolio-wide exposure once the same practice repeats across every site.” The solution, he said, is true centralization – not just of management, but of visibility and control.
Best Practices for a Safer Industry
Tosi’s research found the same weaknesses in both U.S. and European markets, suggesting an industry-wide problem. Suhonen’s prescription is simple, if not easy:
- Individual identities for every person and vendor, no shared credentials
- Time-bound access, automatically revoked
- Complete and exportable audit trails for every session
- No external IP addresses or open inbound ports
- Access models built specifically for OT environments, respecting IT/OT segmentation
- Asset visibility as the starting point
“None of these force operators to choose between security and serviceability,” he said. “It calls for an access model built for the way buildings actually operate, and that is the conversation our industry should be having.”
For Suhonen, the bottom line is simple: “You can’t protect what you can’t see, and you can’t control what you don’t understand.” In a sector where the stakes are only climbing, that message has never felt more urgent.
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!









