NASA’s new moon base project requires operational technology systems in space, but they are vulnerable.

Newly anointed NASA Administrator Jared Isaacman made a $20 billion announcement on March 24, 2026. To the delight of space enthusiasts everywhere, Isaacman said NASA was cancelling its project to deploy a space station in lunar orbit and would reorient to building a $20 billion base on the surface of the moon. The new base, using the parts already created for the now defunct orbital station project, comes as China announced plans to land its taikonauts on the moon in 2030. According to the announcement, the plans for the base include increased deployment of robotic landers and drones as well as a location for a future nuclear power plant. 

The plan is ambitious and motivated, as so many of our off-world activities have been, by competition with a foreign adversary. The injection of energy into the federal government’s space endeavors comes at a curious time. 

NASA’s budget is cut.

The National Space Council is disbanded.

Artemis is woefully behind schedule.

And while so many in the space community undoubtedly cheered the news, we should be careful what we wish for. Building a base on the moon is not simply the next step in humanity’s exploration of the cosmos. It presents a host of new problems that we are not yet ready to contend with, like the critical infrastructure we need to sustain regular trips to the moon and launch a rescue if needed. Cybersecurity, space traffic management and debris in cislunar space also top the list of tomorrow problems this decision will bring. One of the highest priority issues that is receiving some of the least attention is operational technology (OT) security for space systems. 

According to IBM, OT is the “hardware and software that directly monitors, controls and automates physical processes and infrastructure in industrial systems.” On earth, the security of OT, especially for critical infrastructure systems, is a long understood but still not rectified issue. And much like nearly everything else in space, OT for space systems is going to require a different approach. 

Building a base on the moon before 2030 is an ambitious and noble goal that will inherently require industrial processes controlled and monitored remotely by OT systems. It will also require thinking through problems that make for much less clickable headlines such as how we secure OT systems in space. And if they’re not secured, we risk billion dollar failures of deployed equipment and loss of life from a future cyberattack. On Earth, the idea of mandatory minimum cybersecurity standards is one that is so obvious yet so difficult to implement that it frustrates and confounds the cybersecurity community. In space, we have an opportunity. We have the opportunity to make minimum cybersecurity standards for critical systems a baseline requirement from the beginning. If we build the moonbase before we standardize requirements like cybersecurity for uplink and downlink, security of common use infrastructure, and OT devices, it will be nearly impossible to implement after the fact. OT systems for space are edge devices in the extreme. Not only will minimum cybersecurity be paramount, but the security of artificial intelligence systems that will be required to monitor OT at the edge will need to be secured. The idea of a moon base diverges from the reality of a moon base and that delta will be the difference between long-term presence on the moon and just another bright idea.

Differences between terrestrial and space OT

Information Technology or IT are the systems such as laptops, servers and phones that individuals and organizations use to store and communicate information. OT systems, by contrast, do not have manufacturers with household brand names and pass entirely unnoticed to most people. These are systems that control the opening or closing of a valve or the speed of a given piece of machinery in a factory. The same systems can also be subjected to cyberattacks, often with very severe consequences. On earth, some OT systems are kept disconnected from the open internet because of the potential for cyberattacks and the sensitivity of the system. Discovered in 2010, the Stuxnet virus that attacked Iranian nuclear centrifuges targeted Siemens Programmable Logic Controllers used to control the centrifuges’ spin rates. The network where this software operated was not connected to the internet, showing how even a lack of connectivity can still betray vulnerabilities. 

On earth, the mitigation for an OT attack is straightforward. Technicians can be easily deployed to multiple sites if needed to conduct mitigation measures in person. In space, most deployed OT will likely run mostly autonomously, meaning the mitigation processes for an attack against space OT will be inherently different. Many of the mitigation measures will need to be taken from the ground or from a surface station on equipment that may be in orbit or could be deployed away from a habitation, such as a mining facility. Sending personnel to investigate an OT issue on the surface of the moon will expose astronauts to the inherently risky activity of extra vehicular activities away from their habitation, increasing risks to human life. 

Building a moon base before the foundational and more boring issues of OT security are decided is a recipe for failure before the countdown clock begins. Creating a minimum OT security standard is not a function that can be left to industry, as we’ve seen with the cybersecurity industry on earth. This action must be undertaken by the federal government or, preferably, an international coalition. However, the U.S. no longer has a policy making body focused on space strategy and the environment for international cooperation is not ideal. While space tends to be a compatible international issue, even during times of conflict, the signals coming from the US on the future of its space program are mixed, even as Artemis II launched on April 1. Simply stating that we intend to build a moon base is not sufficient. Showing that we are doing the hard work of mandating the protection of OT systems is a signal that shows we are serious. 

Technical solutions

Hacking the ground segment of a satellite (or a future lunar base) using its uplink and downlink frequencies is a highly attractive attack vector for malicious actors. Unlike terrestrial OT, which sends signals through relatively secure cables, space assets must scream into the RF spectrum leaving their signals highly vulnerable to interception, spoofing and jamming. This means that every command sent from a ground station should be cryptographically signed and timestamped, otherwise known as Zero Trust. Implementing Zero Trust for OT in space is close to a prerequisite for establishing the base on the moon. As of 2023, the US Space Force awarded a contract to implement Zero Trust across satellites, mesh networks and ground stations, but the work is still underway and applies to Space Force satellites only, not commercial satellites and not the future moon base. In 2012, the Consultative Committee for Space Data Systems created Space Data Link Security as a standardized method to add authentication and authenticated encryption to satellite data layers. 

Yet, even with these protocols and contracts in place, implementation has been slow. Power constraints create problems with adding additional compute requirements to space systems. Some systems are also still flying legacy hardware that cannot accept these protocols. Finally, the reality of moving into deeper space means that a two-way authentication process between the ground and the object might not be realistic. 

Protecting our investment

For a presidential administration that prides itself on cutting federal budgets, $20 billion for a moon base is a large investment. The trap of this announcement is that we “just get there” and leave the plan for staying there to another day. A moon base that is largely defunct in a decade is not going to produce ongoing research, missions, scientific discovery, or inspire the new generation of STEM talent. Likewise, a moon base that suffers a massive power outage due to an OT attack will have a worse effect. 

Advances in the cybersecurity of current space systems has been slow even as Space-as-a-Service rises as a value creator in space. As we begin to deploy OT, on which human lives will soon depend, we need to have specific technical standards in place for security, mitigation, and deployment. 

These include:

• Minimum encryption standards for uplink and downlink.
• Cybersecurity requirements for connected edge devices.
• Safety testing requirements for any deployed AI.
• Maintenance and security protocols for any common use infrastructure in space.
• Specific security standards for telemetry transmission and remote maintenance channels.

Implementing standards for space companies deploying OT is not doing to stall innovation, it will enable it. Without these standards, the risk of deploying tens of billions of dollars to get to the moon not once, but on a regular schedule will simply be too high. 

The moon base plan is indeed ambitious and could provide the catalyst the space industry needs to move beyond LEO and Artemis 2 paved the way with its launch on April 1, 2026. Doing so more than a small handful of times requires deep thinking and policy making around security, particularly for the OT that will make bases like this work. In a moment where the National Space Council is disbanded and budgets are cut, there is a danger of losing lives and building something without the proper security in place. We have the opportunity to get in front of that now, but only if we focus on the prerequisites to our big dreams.

Nick Reese is the COO of Optica Labs, an artificial intelligence assurance company based in Washington DC. He was the director of emerging technology policy at the U.S. Department of Homeland Security from 2019 to 2023 and is a professor of emerging technology at the NYU Center for Global Affairs.

SpaceNews is committed to publishing our community’s diverse perspectives. Whether you’re an academic, executive, engineer or even just a concerned citizen of the cosmos, send your arguments and viewpoints to opinion (at) spacenews.com to be considered for publication online or in our next magazine. If you have something to submit, read some of our recent opinion articles and our submission guidelines to get a sense of what we’re looking for. The perspectives shared in these opinion articles are solely those of the authors and do not necessarily represent their employers or professional affiliations.