Errata exists for this version of the document.

Network traffic and valid application layer Messages may be captured and resent to OPC UA Clients, Servers and Subscribers at a later stage without modification. An attacker could misinform the user or send a valid command such as opening a valve but at an improper time, so as to cause damage or property loss. An attacker may attempt to establish a Session using a recorded Session.

Message replay impacts Authorization and during Session / secure channel establishment Authentication. See 5.1.6 for the reconciliation of this threat.