Smart Radiator Retrofits for UK Schools & NHS Estates

Smart Radiator Retrofits for UK Schools & NHS Estates

Smart radiator retrofits for UK schools & NHS estates—now secure by design

Keeping classrooms and wards comfortable without burning budgets is hard when you rely on manual TRVs and dated controls. Indiott helps estates teams retrofit wireless, room-level control onto existing hot-water radiators using Milesight devices—no rewiring. You’ll gain predictable comfort, measurable energy reduction and end-to-end security that satisfies public-sector governance.

Why estates teams are moving to wireless (and secure) radiator control

Manual valves get nudged and forgotten, causing overheating, cold spots and wasted spend. Wireless LoRaWAN® control fixes the basics first—accurate sensing, time/temperature schedules, and one-click group control across blocks. At the same time, Indiott designs the architecture securely by default: devices use unique cryptographic keys, gateways run on hardened networks, and data to the platform is TLS-encrypted. That means you can modernise control without widening your attack surface.

The Indiott + Milesight stack (what we fit, and how we keep it secure)

Room devices:
Milesight WT10x smart radiator thermostats provide precise room sensing, local displays and programmable heating plans, with child-lock and open-window detection to curb tampering and waste. Devices are keyed per unit and communicate using AES-128 encryption at the LoRaWAN layer for confidentiality and integrity.

Group control & zone logic:
For wards or open-plan teaching areas, pair WT10x with a Milesight room controller for single-point or multi-unit control. Multicast/group control lets us change setpoints across dozens of radiators in seconds—with role-based permissions so only authorised users can issue global changes.

Backhaul and coverage:
A single UG65/UG67 LoRaWAN® gateway often covers a whole school block or ward floor. Gateways are locked down with strong admin passwords, limited management ports, and outbound-only traffic patterns—no inbound firewall holes.

BMS and protocol bridging:
Need BACnet/KNX/M-Bus? Indiott deploys the EG71 Building IoT Gateway to publish/subscribe points securely. We segment networks (e.g., separate VLANs for OT and corporate IT), offer read-only BACnet where appropriate, and audit all mappings so nothing sensitive is exposed.

Unified management & cloud security:
Indiott provides central dashboards, alerts and policy control. Access is protected with SSO/MFA, RBAC (least-privilege roles for FM, contractors and IT), audit logs, and encrypted data in transit and at rest. We host in UK/EU regions to support UK GDPR requirements, and align with ISO 27001 best practices.

What you get in practice

Room-level schedules you actually keep: Push teaching/clinical timetables to zones; automatic setback out of hours—all over encrypted links.

Rapid site-wide changes, safely: Cold snap? Authorised users can raise setpoints across the estate with audit trails and role-based approval.

Less tampering, fewer call-outs: Child-lock, anti-theft fittings and policy guardrails reduce fiddling; open-window detection cuts waste.

Minimal disruption: Wireless installs avoid rewiring and ceiling work; rooms remain in service.

Secure BMS integration: Start standalone; integrate later via segmented BACnet/KNX/M-Bus with principle-of-least-privilege points.

Typical retrofit pathway with Indiott

  1. Survey & security design – radio plan, valve compatibility, and network/identity plan (VLANs, SSO/MFA, RBAC).
  2. Pilot zone – 10–20 radiators to validate comfort, savings and access controls.
  3. Roll-out by block – quick installs with standardised hardened gateway configs.
  4. Policies & groups – timetables, setbacks and guardrails; approval workflow for global changes.
  5. (Optional) BMS tie-in – publish read-only points first; widen scope once reviewed by IT/OT.

Where this shines

Schools & colleges – timetable-led heating, exam comfort windows, holiday setbacks, fine-grained access for site teams.

NHS & healthcare – ward-level zoning, tamper-resistant controls, data residency in UK/EU, audit trails for governance.

Local government & heritage – non-invasive installs in protected buildings with segmented networks to protect legacy systems.

Why Indiott

We’re a UK industrial IoT specialist. We supply the hardware, design the secure network and identity model, install rapidly, and integrate with your BMS so your team gets a single, secure pane of glass. Outcome: comfort and kWh savings this heating season—with security controls your IT team can sign off.

FAQs

Is the wireless link secure?
Yes. Devices communicate over LoRaWAN with AES-128 encryption and unique keys per device. Gateways are hardened and only make outbound, TLS-encrypted connections to the platform.

Can you meet NHS/education IT requirements?
We align to ISO 27001 best practices, support UK/EU data residency, SSO/MFA, RBAC and full audit logging. We’ll work with your IT on network segmentation and change control. (If you require DSPT or specific frameworks, we’ll map controls during discovery.)

What if someone steals or tampers with a device?
Device keys are unique; a stolen device cannot decrypt estate traffic. We enable child-lock and anti-theft fittings, and alerts flag abnormal behaviour.

Will pupils or staff be able to change setpoints?
Only if permitted. RBAC controls who can change setpoints; child-lock prevents local fiddling.

Can this link to our BMS securely?
Yes. We typically expose a whitelisted, read-only BACnet object set first, on a separate VLAN, and expand scope after review. All traffic between gateways and the platform is TLS-encrypted.

What about data privacy and GDPR?
We store telemetry in UK/EU regions, encrypt at rest, and provide data retention policies you control.

Back to blog