Security is a critical aspect of software update. The basic requirements can be solved with the existing UA security mechanisms (secure transport, authorization and role based authentication). Only authorized users shall be able to install and manage updates.
The Client needs to verify the identity of the device. This can be complished by identification information provided by OPC UA, by this specification or by companion specifications.
The authenticity (integrity and source) of the Software Package need to be verified. These aspects can be implemented by the device in a vendor specific way e.g. verify a digital signature of the Software Package. These mechanisms are out of scope of this specification.