Deploying the PI System so that knowledge workers access data from PI helps shrink the ICS attack surface compared to allowing direct access to OT networks. You can think of this approach as both an architectural and a procedural solution. Collecting all the data, at high fidelity, is a key success factor.
Technical solutions for reducing attack surface must also be considered. Making the most of native solutions provided by the operating system can be cost-effective and scalable. OSIsoft's advice touts AppLocker, Windows Firewall, and EMET.
To Jan's credit, this is one of the first times I've seen PowerShell and Just Enough Administration (JEA) techniques promoted within the ICS community.
Similarly, the PI Square community is positioned as the hub for sharing administrative approaches using PI PowerShell Tools. Remote administration using JEA techniques is not only a productivity benefit but can also help reduce attack surface.
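
To show how JEA narrows what a remote administrator can reach, here is an added example (not from OSIsoft or the original post) that registers a constrained endpoint on a PI server: members of one group may only query and restart a fixed set of services, under a temporary virtual account, with every session transcribed. The module name `PiJea`, the group `CONTOSO\PI-Operators`, the endpoint name and the two service names are placeholders assumed for illustration.

```powershell
# Added example: JEA endpoint for a PI operator role. Run elevated on the PI server.
# All names below marked (assumed) are placeholders, not values from the original page.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\PiJea'   # (assumed) module name
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
$jeaData    = Join-Path $env:ProgramData 'PiJea'
$transcript = Join-Path $jeaData 'Transcripts'

# Role capability files are only discovered inside a module's RoleCapabilities folder.
New-Item -ItemType Directory -Path $roleDir, $transcript -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'PiJea.psd1')

# (assumed) placeholder service names; replace with the names Get-Service reports on your server.
$piServices = 'ExamplePiService1', 'ExamplePiService2'

# Expose two cmdlets only, and pin -Name to the allowed services so the role
# cannot touch anything else on the host.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'PiOperator.psrc') -VisibleCmdlets @(
    @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = $piServices } },
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = $piServices } }
)

# RestrictedRemoteServer puts the session in NoLanguage mode with a minimal default command set.
# RunAsVirtualAccount means operators never hold local admin credentials themselves.
$pssc = Join-Path $jeaData 'PiOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcript `
    -RoleDefinitions @{ 'CONTOSO\PI-Operators' = @{ RoleCapabilities = 'PiOperator' } }  # (assumed) group

# Validate the file before registering; registration restarts WinRM.
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'PiOperator' -Path $pssc -Force
} else {
    throw "Session configuration file failed validation: $pssc"
}
```

An operator then connects with `Enter-PSSession -ComputerName <server> -ConfigurationName PiOperator`, and `Get-Command` inside that session shows exactly what the role can run.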