The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has confirmed that two power plants were infected with malware in 2012, resulting in downtime and a delayed recovery period of approximately three weeks.
Of particular concern is the fact that the malware appears to have been unwittingly introduced by a technician using an infected USB hard drive to install software updates.
The employee was apparently unaware that the harmful program was on the USB, and this has fuelled the debate over the safety of removable media and the bring your own device (BYOD) trend in other industries.
Security experts are concerned that the increasing use of personal devices such as tablets and smartphones in the workplace could provide more targets for cyber criminals, with businesses allowing unregulated devices to access their network.
The authority in charge of the power plants in question has said it intends to revise its policy on the use of removable data in order to minimise the threat of employees accidentally infecting IT systems with malware.