Critical control systems inside two US power generation facilities were found infected with computer malware, according to the US Industrial Control Systems Cyber Emergency Response Team.

Both infections were spread by USB drives that were plugged into critical systems used to control power generation equipment, according to the organization's newsletter for October, November, and December of 2012. The authors didn't identify the owners of the facilities and there's no indication the infections resulted in injuries or equipment failures.

The incidents were reported earlier by Threat Post, and they are the latest to underscore the vulnerabilities posed by so-called supervisory control and data acquisition systems that aren't properly secured. SCADA and industrial control systems use computers to flip switches, turn dials, and manipulate other controls inside dams, power-generation plants, and other critical infrastructure. Computer malware that infects those systems can pose a threat by giving remote attackers the ability to sabotage sensitive equipment. Last year, a backdoor in a widely used piece of industrial software allowed hackers to illegally access a New Jersey company's internal heating and air-conditioning system.

According to one of the articles in the newsletter, one of the infections was discovered after an employee experienced problems with the USB drive and called in IT staff to troubleshoot.

"When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits," the newsletter reported. "Initial analysis caused particular concern when one sample was linked to known sophisticated malware."

Based on the article, it's not clear if the control system workstations use any form of antivirus protection.

"While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations," it said. The report also noted the workstations had no backup mechanism, so "an ineffective or failed cleanup would have significantly impaired their operations."

The other infection affected 10 computers in a turbine control system. It was also spread by a USB drive and "resulted in downtime for the impacted systems and delayed the plant restart by approximately three weeks," the article stated. It went on to encourage owners and operators of critical infrastructure to "develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media."

USB drives have remained the weak link in many industrial control systems, which often lack Internet connections to minimize exposure to malicious software. The Stuxnet worm and the Flame malware—both of which were reportedly developed by the US and Israel to attack and spy on critical systems in Iran—relied on USB drives to propagate attack code and to ferry intercepted communications over air-gapped networks. Microsoft has patched the vulnerabilities that made some of those attacks possible on Windows computers, but it's not clear all users have installed them.

Article updated to change accompanying photo.