Security in the Communication Layer has to be supported as required for the supported Transport. This includes application authentication and secure communication.
The Server is obligated to minimally support user authentication with UserName/Password.
Clients have to support UserName/Password or X.509 certificates as required by the Server.
Security, including encryption, signing, and user authentication is a core element for OPC UA applications and is therefore part of the OPC Foundation stacks.
OPC UA has defined profiles for lowest-level embedded solutions that will be secured by means outside the scope of OPC UA.