NASA Phase 1 site-access contracts are due in the coming 12 to 18 months, and three concrete steps are needed: designate a lead space OT cybersecurity authority in the executive branch, require binding OT security in NASA base contracts, and make cybersecurity standards a condition of congressional funding, potentially expanding Space Force Zero Trust to civil space and nudging NASA to adopt NIST frameworks.

Technical solutions discussed include cryptographic signing, ground-command timestamping (Zero Trust), and ongoing efforts like Space Force Zero Trust and CCSDS Space Data Link Security, though practical implementation is hampered by power, legacy hardware, and deep-space constraints.

Current space cybersecurity standards are limited: Space Data Link Security covers satellite-ground links, Space Force Zero Trust not yet extended to civil space or NASA, and there are no mandatory encryption, edge computing, or AI safety standards for lunar OT.

Institutional gaps worsen risk: the National Space Council is sidelined from its coordinating role, NASA’s CIO lacks spacecraft OT authority, DoD and CISA have limited civil lunar asset jurisdiction, and there is no single standard-setting body for lunar OT.

Geopolitical stakes heighten urgency: U.S. lunar leadership faces China, so robust OT security is both a technical necessity and a national-security signal.

Differences between terrestrial and space OT are significant, including remote operation, possible need for remote ground intervention, and higher risk to human life during maintenance or rescue.

Historical OT vulnerabilities (e.g., Stuxnet) underscore the need for minimum cybersecurity standards, possibly via federal policy or international coalitions before establishing a moon base.

NASA administrator announced a $20 billion plan in March 2026 to build a lunar surface base, repurposing components from a cancelled lunar orbital station, amid competition with China aiming for a 2030 lunar landing.

Advancing a lunar base brings critical infrastructure challenges, especially in operational technology security, cyber risk, space traffic management, and debris in cislunar space.

Past lessons from Stuxnet show air-gapped systems remain vulnerable via portable media or misconfigured interfaces, proving physical isolation does not guarantee lunar OT safety.

A core risk is the absence of mandatory cybersecurity standards for space-based OT that control life-support, power, communications, and construction equipment, making retrofitting security post-deployment very difficult.

The piece argues that security prerequisites should enable, not stifle, innovation and long-term lunar presence, especially in light of the disbanding National Space Council and budget pressures.