Separate commonly used PI Interfaces into read-only and write-only versions
Currently, it is recommended to use the read-only version of a PI Interface if only reading is required, and to have separate read and write instances of the read-write version of a PI Interface if writing is required. (Reference: page 15 of the PI Interface For OPC HDA user guide, and I assume that the recommendation applies to other PI Interfaces as well)
This approach is unnecessarily complicated and can still be made more secure. Instead of having read-only and read-write versions of a PI Interface, consider having read-only and write-only versions of a PI Interface. That way, the recommendation becomes impossible to violate and is therefore no longer needed, and it avoids the migration from the read-write version to the read-only version if writing is no longer required.
Since PI Interfaces are slowly being replaced with PI Connectors, the implementation of write-only versions makes sense only for commonly used PI Interfaces such as OPC DA, OPC HDA, RDBMS, and SNMP.