During the past three months, unnamed malware infected two power plants' control systems using unprotected USB drives as an attack vector.

From Threadpost:

n one instance, according to a recent report from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), malware was discovered after a power generation plant employee asked IT staff to look into a malfunctioning USB drive he used to back up control systems configurations.

A scan with updated antivirus software turned up three instances of malware, two common and one considered sophisticated.

That discovery prompted a more thorough on-site inspection that revealed "a handful of machines that likely had contact with the tainted USB drive." This included two of 13 workstations in an engineering bay tied to critical systems.

Malware Infects Two Power Plants Lacking Basic Security Controls