
Cyber Incident Victim: Gemini Observatory

Date: Aug 2023

Location: United States of America

Summary

A cybersecurity incident at NSF’s NOIRLab forced the suspension of astronomical observations. The Gemini North and Gemini South telescopes were isolated and shut down as a precaution. Some smaller telescopes in Chile were also impacted. IT teams and cybersecurity experts worked to investigate the incident and safely restore operations, which involved temporary in-person workarounds for some facilities while recovery efforts progressed.


Description

On the morning of 1 August 2023, NSF’s NOIRLab detected a cybersecurity incident within its computer systems. This event forced the immediate suspension of astronomical observations at the Gemini North telescope located on Maunakea in Hawai‘i. The quick reactions of the NOIRLab cybersecurity team and the observing teams were credited with preventing damage to the observatory facilities. As a precautionary measure, NOIRLab decided to isolate the Gemini Observatory computer systems by completely shutting them down. This action also impacted the Gemini South telescope in Chile, which was already in a planned shutdown for scheduled engineering work at the time of the incident. Both telescopes were placed in a safe state; Gemini North was stowed in its zenith-pointing position. The cybersecurity incident resulted in the temporary shutdown of these two major telescopes as well as some of the smaller telescopes located on Cerro Tololo in Chile. The telescopes on Kitt Peak in Arizona were reported as unaffected by the incident.


The initial response involved disconnecting and isolating affected systems to contain the threat. This isolation led to the Gemini.edu website and associated proposal tools being taken offline, though the main NOIRLab website remained operational. The shutdowns forced a complete halt to astronomical observations conducted at the Gemini North and Gemini South facilities. Other computer functions integral to the observatories' operations, including email and calendar systems, were also impacted. The recovery process was initiated immediately, with the NOIRLab IT team beginning an investigation and starting to develop a comprehensive recovery plan in consultation with NSF’s cybersecurity specialists. The highest priorities for the organization were stated as safely and securely resuming observations and understanding the incident to learn from it.

By 9 August 2023, further precautionary measures were implemented. NOIRLab also disconnected the Mid-Scale Observatories (MSO) network on Cerro Tololo and at the SOAR Telescope. This action meant that remote observations for the Víctor M. Blanco 4-meter Telescope and the SOAR Telescope were rendered unavailable. To mitigate the impact on astronomical research, a temporary workaround was established where observations were carried out by on-site staff in a service mode; affected observers were to be contacted individually. The incident also affected tenant facilities on Cerro Tololo and Cerro Pachón that rely on remote operations. Staff from the Mid-Scale Observatories who were on site assisted in putting these tenant facilities into a safe state following the network disconnection.

An update provided on 24 August 2023 indicated that NOIRLab was continuing its efforts to diligently investigate and resolve the cybersecurity incident. Progress was being made, but the telescopes remained offline. The organization expressed disappointment that some telescopes were not observing but noted that some facilities had been kept online using in-person workarounds to continue collecting data. NOIRLab expressed gratitude for the support of the astronomy community during this period and thanked everyone for their patience as teams worked towards restoring normal operations. The statement highlighted the outstanding effort by the IT team and the staff supporting telescope operations. While emphasizing a commitment to open access and information sharing, NOIRLab explained that because the investigation was ongoing, they were limited in what they could share regarding their cybersecurity controls and specific investigatory findings. They planned to provide more information to the community when able, balancing transparency with their dedication to security. The incident also threatened to impact the scheduling of astronomical research, as NOIRLab was working on launching the Gemini Call for Proposals for the semester starting 1 February 2024 and was considering a delay of up to a week past the nominal opening date of 31 August.

By 5 September 2023, the recovery process was ongoing. A significant milestone was reached as the Gemini.edu website was brought back online. Updates concerning the NOIRLab and Gemini Calls for Proposals were posted on the NOIRLab Science Site and on Gemini.edu. The final update on this incident was provided on 29 September 2023. It announced that the Gemini North and Gemini South telescopes were back on sky and were collecting science data. The restoration of remote access for external astronomers was still ongoing at that time, with the expectation that it would be fully restored over the coming weeks. This update concluded the reporting on the incident, marking a return to normal scientific operations for the telescopes themselves, though some IT functionality was still being gradually reinstated.

The International Gemini Observatory is a facility of the National Science Foundation (NSF), the National Research Council of Canada (NRC–Canada), the Agencia Nacional de Investigación y Desarrollo de Chile (ANID–Chile), the Ministério da Ciência, Tecnologia, Inovações e Comunicações of Brazil (MCTIC–Brazil), the Ministerio de Ciencia, Tecnología e Innovación Productiva of Argentina (MINCyT–Argentina), and the Korea Astronomy and Space Science Institute of the Republic of Korea (KASI–Republic of Korea). NOIRLab, which manages Gemini along with other observatories, is operated by the Association of Universities for Research in Astronomy (AURA) under a cooperative agreement with NSF and is headquartered in Tucson, Arizona. The incident showed how exposed large, distributed scientific infrastructures are to cyber threats and underlined the importance of robust incident response protocols. Rapid isolation of the affected systems prevented physical damage to the telescopes, and manual, on-site workarounds allowed some data collection to continue, limiting the disruption to the astronomical research community while the digital systems were secured and restored.
