OPC UA provides a number of services that do not require security to access. These services require special consideration from a security point of view. These services, also known as Discovery Services, provide capabilities that allow Clients to discover Servers and connect to them. The Discovery Services are available as local services or global services and can be multicast.
Discovery Services can be provided by a Local Discovery Server or by the Server itself. A Local Discovery Server is used when more than one OPC UA Application may be available on a single platform. If only one dedicated Server is available on a platform, that Server usually also functions as the Discovery Server. The Local Discovery Server exposes the following services that do not require OPC UA security: FindServers and GetEndpoints. See the recommendations in OPC 10000-4 related to these unsecured services.
OPC UA can be configured to support discovery in several ways. One option is multicast discovery. In this type of Discovery, Servers announce themselves on a subnet when they start. Hosts or individual applications can listen for these announcements and build a list of the available Servers.
Multicast DNS operations are insecure by their very nature: they allow rogue Servers to broadcast their presence or to impersonate another host or Server. Risks from rogue Servers can be minimized if OPC UA security is enabled and all applications use certificate TrustLists to control access. In addition, Clients should cache connection information to minimize lookups of Server information. However, even when OPC UA security is used, multicast DNS should be disabled in environments where an attacker can easily access the network.
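As an added illustration (not part of this specification or of any OPC UA stack), the Client-side checks recommended above, modelled in Python on constructed GetEndpoints results: only endpoints whose server certificate is in the TrustList and whose MessageSecurityMode is not None are accepted, and the validated endpoint is cached per ApplicationUri so discovery lookups are not repeated on every connection. The Endpoint class, the trust-list set and the cache are assumptions of this example; the MessageSecurityMode values and SecurityPolicy URIs are those defined by OPC UA.

```python
import hashlib
from dataclasses import dataclass

# MessageSecurityMode values from OPC 10000-4: None=1, Sign=2, SignAndEncrypt=3
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

@dataclass
class Endpoint:  # assumed shape of one EndpointDescription returned by GetEndpoints
    url: str
    application_uri: str
    security_mode: int
    security_policy_uri: str
    server_certificate: bytes  # DER certificate as returned by GetEndpoints

def thumbprint(der_cert: bytes) -> str:
    # OPC UA identifies a certificate by the SHA-1 digest of its DER encoding
    return hashlib.sha1(der_cert).hexdigest().upper()

def select_endpoint(endpoints, trust_list):
    """Return the most secure endpoint whose server certificate is trusted, or None.
    Endpoints with MessageSecurityMode None are skipped regardless of where they were found."""
    best = None
    for ep in endpoints:
        if ep.security_mode == MODE_NONE or ep.security_policy_uri == POLICY_NONE:
            continue
        if thumbprint(ep.server_certificate) not in trust_list:
            continue  # rogue or not-yet-approved server: never connect
        if best is None or ep.security_mode > best.security_mode:
            best = ep
    return best

class EndpointCache:
    """Validated endpoint per ApplicationUri, kept for `ttl` seconds to avoid repeated lookups."""
    def __init__(self, ttl=3600):
        self.ttl, self._entries = ttl, {}
    def put(self, app_uri, endpoint, now):
        self._entries[app_uri] = (endpoint, now)  # `now` is the caller's clock in seconds
    def get(self, app_uri, now):
        hit = self._entries.get(app_uri)
        return hit[0] if hit and now - hit[1] < self.ttl else None
# Constructed sample advertisements for one ApplicationUri; the byte strings stand in for DER certificates
TRUSTED_CERT, ROGUE_CERT = b"constructed-der-trusted-server", b"constructed-der-rogue-server"
TRUST_LIST = {thumbprint(TRUSTED_CERT)}
SAMPLE_ENDPOINTS = [
    Endpoint("opc.tcp://rogue.local:4840", "urn:example:plc", MODE_SIGN_AND_ENCRYPT, POLICY_B256, ROGUE_CERT),
    Endpoint("opc.tcp://plc.local:4840", "urn:example:plc", MODE_NONE, POLICY_NONE, TRUSTED_CERT),
    Endpoint("opc.tcp://plc.local:4840", "urn:example:plc", MODE_SIGN_AND_ENCRYPT, POLICY_B256, TRUSTED_CERT),
]
```

Running `select_endpoint(SAMPLE_ENDPOINTS, TRUST_LIST)` yields the SignAndEncrypt endpoint on plc.local; the rogue host's secured endpoint is rejected by the TrustList check and the unsecured endpoint by the mode check.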
OPC UA Applications (or Discovery Servers) are built to ensure that they cannot be overloaded or brought down by high broadcast rates on the multicast discovery channel or by an excessively large list of Server applications.