Security setup reccomendations

I am deploying 100 XBC units in a HVAC Application. (first of many i hope)
What is the best way to make sure that it secure enough?
I am not worried about data being visible, but i do worry about other nodes connecting to my network and creating havoc, or vandalism.

I’m thinking to do this in every device:
1, Set a fixed secret PAN ID and Channel for each building.
2, Set a password for each device for joining the network, unique to the building.
This should keep other devices from joining i think… Or is this not the best way?

Secondly, since the devices are fitted in thermostats inside hotel rooms, in theory a tech savvy customer could pry the device out (its not soldered to board) and use that node, a breakout board and X-CTU to just shut down the whole network… Is there any way to prevent this? There is no password to the device serial port what i know?
I know its far fetched, but can happen…