Deploying the PI System such that knowledge workers access data from PI helps shrink the ICS attack surface as compared to allowing direct access to OT networks. You can think of this approach as both architectural and procedural solution. Collecting all the data, at high fidelity, is a key success factor.

 

Technical solutions for reducing attack surface must also be considered. Making the most of native solutions provided by the operating system can be cost effective and scalable. OSIsoft advice touts Applocker, Windows Firewall, and EMET.

 

As such I like to take notice of independent confirmation from experts.  Check out Jan Seidl's 4SICS presentation "Reducing attack surface on ICS with Windows native solutions".
http://www.slideshare.net/jseidl/reducing-attack-surface-on-ics-with-windows-native-solutions

 

To Jan's credit this is one of the first times I've seen Powershell and just enough administration (JEA) techniques promoted within the ICS community.

 

Similarly, the PI Square community is positioned as the hub for sharing administrative approaches using PI Powershell Tools.  Remote administration using JEA techniques is not only a productivity benefit but can also help reduce attack surface.