See 4.3.10 and 4.3.11 for a description of this threat.

OPC UA Client applications counter the use of rogue Servers by validating Server Application Instance Certificates. A rogue Server could still provide a Certificate from a certified OPC UA Server, but since it does not possess the appropriate Private Key (because this will never be distributed) to decrypt Messages secured with the correct Public Key, the rogue Server would never be able to read and misuse secured data sent by a Client. Also, without the Private Key the Server would never be able to sign a response message to a Client.
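
The Client-side check described above, as an added example in Go (not part of the OPC UA specification or of any OPC UA stack): a Server is accepted only if its Certificate is trusted and a signature over the Client's nonce verifies under the Public Key in that Certificate. The one-entry trust list, the nonce-only signed data, ECDSA P-256 and the names newInstance, signResponse and checkServer are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
)

// newInstance builds a key pair and self-signed certificate (constructed sample data).
func newInstance() (*ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}

// signResponse is the Server side: sign the Client's nonce (assumed response data).
func signResponse(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// checkServer is the Client side; trusted is a one-entry trust list (assumption).
func checkServer(trusted, certDER, nonce, sig []byte) string {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil || !bytes.Equal(trusted, certDER) {
		return "certificate not trusted"
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "no proof of private key"
	}
	return "ok"
}

func main() {
	realKey, realCert := newInstance()
	rogueKey, _ := newInstance() // rogue Server: replays realCert, holds its own key
	nonce := []byte("constructed client nonce")
	fmt.Println(checkServer(realCert, realCert, nonce, signResponse(realKey, nonce)))
	fmt.Println(checkServer(realCert, realCert, nonce, signResponse(rogueKey, nonce)))
}
```

The copied Certificate passes the trust check in both calls; only the signature check separates the genuine Server from the rogue one.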

OPC UA Subscriber applications counter the effect of a rogue Publisher by validating the signature on the published messages.