Errata exists for this version of the document.
See 4.3.6 for a description of this threat.
OPC UA uses SessionIds, SecureChannelIds, Timestamps, sequence numbers and RequestIds for every request and response Message. Messages are signed and cannot be changed without detection therefore it would be very hard to replay a Message, such that the Message would have a valid Session ID, Secure Channel ID, Timestamp, Sequence Numbers and Request ID. (All of which are specified in OPC 10000-4 and OPC 10000-6). The establishment of a secure channel / Session includes the same signature, timestamps and sequence number that are part of all messages and thus cannot be replayed.
OPC UA PubSub uses PublishId, DataSetId, and can use Timestamps, network message numbers, sequence numbers for published messages. Messages can be signed and cannot be changed without detection therefore it would be very hard to replay a message that has all of the fields enabled. It is worth noting that PubSub does allow the disabling of fields in a message. The disabling of the Timestamp, network message number and sequence number, would allow replay attacks. If a replay attack is of concern in a CSMS, then these field should be enabled.